From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Jeremiah Cox, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
Subject: [edk2-devel] [edk2-platforms][PATCH v2 4/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add disable support
Date: Mon, 7 Jun 2021 12:05:06 -0400
Message-Id: <20210607160506.2411-5-mikuback@linux.microsoft.com>
In-Reply-To: <20210607160506.2411-1-mikuback@linux.microsoft.com>
References: <20210607160506.2411-1-mikuback@linux.microsoft.com>
From: Michael Kubacki

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3411

Adds a new PCD (PcdRandomizePlatformHierarchy) to MinPlatformPkg.dec that allows a platform integrator to choose whether to randomize or disable the TPM platform hierarchy. The current behavior to randomize the platform hierarchy is preserved in the default PCD value. In the randomization case, the platform auth is randomized and then it is "forgotten" to prevent future platform access.

The ConfigureTpmPlatformHierarchy() implementation is updated to configure the TPM platform hierarchy based on the value of the new PCD.

Co-authored-by: Jeremiah Cox
Cc: Chasel Chiu
Cc: Nate DeSimone
Cc: Liming Gao
Cc: Eric Dong
Signed-off-by: Michael Kubacki
---
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pe= iDxeTpmPlatformHierarchyLib.c | 63 ++++++++++++++++++-- Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec = | 1 + Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pe= iDxeTpmPlatformHierarchyLib.inf | 6 ++ 3 files changed, 66 insertions(+), 4 deletions(-) diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHie= rarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/T= cg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c index fa590089f0a0..9812ab99abf5 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.c @@ -6,6 +6,7 @@ Policy (platformPolicy) can be defined through this function. =20 Copyright (c) 2019, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Specification Reference: @@ -17,8 +18,10 @@ #include #include #include +#include #include #include +#include =20 // // The authorization value may be no larger than the digest produced by th= e hash @@ -194,6 +197,51 @@ RandomizePlatformAuth ( ZeroMem (Rand, RandSize); } =20 +/** + Disable the TPM platform hierarchy. + + @retval EFI_SUCCESS The TPM was disabled successfully. + @retval Others An error occurred attempting to disable the = TPM platform hierarchy. + +**/ +EFI_STATUS +DisableTpmPlatformHierarchy ( + VOID + ) +{ + EFI_STATUS Status; + + // Make sure that we have use of the TPM. + Status =3D Tpm2RequestUseTpm (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiC= allerBaseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } + + // Let's do what we can to shut down the hierarchies. + + // Disable the PH NV. + // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TP= M parts have + // been known to store the EK cert in the PH NV. If we d= isable it, the + // EK cert will be unreadable. + + // Disable the PH. + Status =3D Tpm2HierarchyControl ( + TPM_RH_PLATFORM, // AuthHandle + NULL, // AuthSession + TPM_RH_PLATFORM, // Hierarchy + NO // State + ); + DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH =3D %r\n", gEfiCallerBaseN= ame, __FUNCTION__, Status)); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerB= aseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + } + + return Status; +} + /** This service defines the configuration of the Platform Hierarchy Author= ization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) 
@@ -204,8 +252,15 @@ EFIAPI ConfigureTpmPlatformHierarchy ( ) { - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null - // - RandomizePlatformAuth (); + if (PcdGetBool (PcdRandomizePlatformHierarchy)) { + // + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAu= th being null + // + RandomizePlatformAuth (); + } else { + // + // Disable the hierarchy entirely (do not randomize it) + // + DisableTpmPlatformHierarchy (); + } } diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/In= tel/MinPlatformPkg/MinPlatformPkg.dec index 947431470a1f..bcb42f0ef9e6 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec @@ -244,6 +244,7 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, = PcdsDynamicEx] gMinPlatformPkgTokenSpaceGuid.PcdPciNoExtendedConfigSpace |FALSE|BOOL= EAN|0x4001004C gMinPlatformPkgTokenSpaceGuid.PcdPciResourceAssigned |FALSE|BOOL= EAN|0x4001004D gMinPlatformPkgTokenSpaceGuid.PcdPciSegmentCount |0x1 |UI= NT8|0x4001004E + gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy |TRUE |BOOL= EAN|0x4001004F =20 gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1AEventBlockAddress|0x1800|UINT16= |0x00010035 gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1BEventBlockAddress|0x0000|UINT16= |0x00010036 diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHie= rarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg= /Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf index 7165cda31357..b7a7fb0a088d 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.inf +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.inf 
@@ -26,14 +26,20 @@ [LibraryClasses] BaseMemoryLib DebugLib MemoryAllocationLib + PcdLib RngLib Tpm2CommandLib + Tpm2DeviceLib =20 [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec SecurityPkg/SecurityPkg.dec CryptoPkg/CryptoPkg.dec + MinPlatformPkg/MinPlatformPkg.dec =20 [Sources] PeiDxeTpmPlatformHierarchyLib.c + +[Pcd] + gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy --=20 2.28.0.windows.1
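Review bot: in the DisableTpmPlatformHierarchy() hunk (the "@@ -194,6 +197,51 @@" region of PeiDxeTpmPlatformHierarchyLib.c), the comment block headed "// Disable the PH NV." introduces a step the code deliberately does not perform, so it reads like a forgotten Tpm2HierarchyControl() call for the NV hierarchy; reword the heading to say the phEnableNV flag is intentionally left set (e.g. "// Intentionally NOT disabling the PH NV:") and keep the EK-certificate rationale under it. The doc comment "@retval EFI_SUCCESS The TPM was disabled successfully." also overstates the effect: only the platform hierarchy (phEnable) is cleared, and the endorsement and storage hierarchies remain usable. Two properties of this path are worth stating in that doc comment because callers must order their work around them: Tpm2HierarchyControl() is issued with a NULL AuthSession, i.e. an empty platformAuth, so it can only succeed before anything sets platformAuth and can never follow RandomizePlatformAuth() in the same boot; and once phEnable is cleared there is no in-band undo, only TPM2_Startup restores it, so all platform-hierarchy work (NV provisioning, platform policy setup) must be complete before this runs. Finally, ASSERT_EFI_ERROR (Status) on the failure path halts DEBUG builds but is a no-op in RELEASE builds, where the function just returns Status; the practical outcome on a RELEASE platform where the command fails is a still-enabled hierarchy with an empty platformAuth, which is the state this library exists to avoid, so consider having the caller fall back to RandomizePlatformAuth() when Status is an error.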
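Review bot: in the ConfigureTpmPlatformHierarchy() hunk ("@@ -204,8 +252,15 @@"), the function's doc comment, visible as context just above it ("This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy)"), still describes only the randomize behaviour; it should now say that PcdRandomizePlatformHierarchy selects between randomizing and discarding platformAuth (TRUE) and disabling the hierarchy outright (FALSE). The else branch also drops the EFI_STATUS returned by DisableTpmPlatformHierarchy (); that is consistent with RandomizePlatformAuth () returning VOID and with this function's VOID signature, but it means neither path can report to the platform that the hierarchy was left open, which is a silent failure in RELEASE builds. If the return type is kept, at least log the discarded Status at DEBUG_ERROR here, or use it to fall back to RandomizePlatformAuth () so that an empty platformAuth never survives the function.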
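Review bot: the MinPlatformPkg.dec hunk ("@@ -244,6 +244,7 @@") adds gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy without any description of its semantics, and the name only conveys one of the two behaviours it selects. Add a comment above the new line stating both: TRUE (the default, which preserves the existing behaviour) randomizes platformAuth and discards the value; FALSE disables the platform hierarchy via TPM2_HierarchyControl and cannot be reverted until the next TPM2_Startup. Since a platform integrator reading the .dec cannot see the library, the comment should also mention that the FALSE setting must not be combined with any later use of the platform hierarchy during boot. The token value 0x4001004F correctly follows PcdPciSegmentCount's 0x4001004E in the same section.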