From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Michael Kubacki, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
Subject: [edk2-devel] [edk2-platforms][PATCH v1 2/2] MinPlatformPkg/TpmPlatformHierarchyLib: Disable TPM platform hierarchy
Date: Wed, 2 Jun 2021 18:38:18 -0700
Message-Id: <20210603013818.1248-3-mikuback@linux.microsoft.com>
In-Reply-To: <20210603013818.1248-1-mikuback@linux.microsoft.com>
References: <20210603013818.1248-1-mikuback@linux.microsoft.com>
From: Jeremiah Cox REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D3411 Updates the current ConfigureTpmPlatformHierarchy() implementation to instruct the TPM to disable the platform hierarchy to prevent later boot/OS code from accessing TPM platform features. This modifies the current behavior which instead randomizes the platform auth and then "forgets" it to prevent future platform feature access. Co-authored-by: Michael Kubacki Cc: Chasel Chiu Cc: Nate DeSimone Cc: Liming Gao Cc: Eric Dong Signed-off-by: Michael Kubacki --- Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatf= ormHierarchyLib.c | 51 ++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchy= Lib/TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/T= pmPlatformHierarchyLib/TpmPlatformHierarchyLib.c index 41ddb26f4046..bc1dce9b1c51 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tpm= PlatformHierarchyLib.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tpm= PlatformHierarchyLib.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include 
@@ -197,6 +198,51 @@ RandomizePlatformAuth ( ZeroMem (Rand, RandSize); } =20 +/** + Disable the TPM platform hierarchy. + + @retval EFI_SUCCESS The TPM was disabled successfully. + @retval Others An error occurred attempting to disable the = TPM platform hierarchy. + +**/ +EFI_STATUS +DisableTpmPlatformHierarchy ( + VOID + ) +{ + EFI_STATUS Status; + + // Make sure that we have use of the TPM. + Status =3D Tpm2RequestUseTpm (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiC= allerBaseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } + + // Let's do what we can to shut down the hierarchies. + + // Disable the PH NV. + // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TP= M parts have + // been known to store the EK cert in the PH NV. If we d= isable it, the + // EK cert will be unreadable. + + // Disable the PH. + Status =3D Tpm2HierarchyControl ( + TPM_RH_PLATFORM, // AuthHandle + NULL, // AuthSession + TPM_RH_PLATFORM, // Hierarchy + NO // State + ); + DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH =3D %r\n", gEfiCallerBaseN= ame, __FUNCTION__, Status)); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerB= aseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + } + + return Status; +} + /** This service defines the configuration of the Platform Hierarchy Author= ization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) 
@@ -211,4 +257,9 @@ ConfigureTpmPlatformHierarchy ( // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null // RandomizePlatformAuth (); + + // + // Disable the hierarchy entirely (do not randomize it) + // + DisableTpmPlatformHierarchy (); } --=20 2.28.0.windows.1
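Review bot: The `#include` added in the first hunk (its target name is not visible in this extract) is presumably for the Tpm2 command library that provides `Tpm2RequestUseTpm` and `Tpm2HierarchyControl`; the diffstat lists only TpmPlatformHierarchyLib.c as changed, so confirm that the corresponding library class is already declared under [LibraryClasses] in the library's .inf, otherwise the new function will fail to link.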
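Review bot: In the hunk adding `DisableTpmPlatformHierarchy`, the function is defined without `STATIC` and no prototype is added to any header (only the .c file changes), so it becomes an undeclared external symbol; mark it `STATIC` or declare it in the library header. The block headed `// Disable the PH NV.` is misleading because no NV command follows it: the comment text actually explains why the PH NV is deliberately left enabled (an EK certificate stored there would become unreadable), so retitle it along the lines of `// Intentionally leave the PH NV enabled: ...` so a later reader does not assume a call went missing. Also, `ASSERT_EFI_ERROR (Status)` after a failed `Tpm2HierarchyControl` halts DEBUG builds on any TPM that rejects the command; since `Status` is already returned, consider dropping the assert and letting the caller decide how to handle the failure.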
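Review bot: In the `ConfigureTpmPlatformHierarchy` hunk, `DisableTpmPlatformHierarchy ()` is called right after `RandomizePlatformAuth ()` rather than instead of it, although the commit message describes the change as modifying the randomize-and-forget behavior. `Tpm2HierarchyControl` is issued with `TPM_RH_PLATFORM` as the auth handle and a NULL auth session, so it is authorized against the current platformAuth, which the preceding call has just set to a random value that is then discarded; the disable is therefore expected to fail authorization on a real part. Either issue the disable before randomizing, or make the two paths mutually exclusive (for example an if/else on a platform setting) so that randomizing and disabling are never both attempted. The return value of `DisableTpmPlatformHierarchy ()` is also dropped here; at minimum log it, since the function's own ASSERT_EFI_ERROR only fires in DEBUG builds and a silently still-enabled platform hierarchy defeats the purpose of the patch.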