From: Chiang-Chris <chris.chi...@intel.com> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612
Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library
Signed-off-by: Chiang-Chris <chris.chi...@intel.com>
Cc: Chasel Chiu <chasel.c...@intel.com>
Cc: Nate DeSimone <nathaniel.l.desim...@intel.com>
Cc: Liming Gao <gaolim...@byosoft.com.cn>
Cc: Eric Dong <eric.d...@intel.com>
---
 Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc | 2 +-
 Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc | 2 +-
 Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 -
 Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c | 266 --------------------
 Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf | 45 ----
 5 files changed, 2 insertions(+), 314 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
index 260f3b94c5..b469938823 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
+++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
@@ -66,7 +66,7 @@
 Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
 [LibraryClasses.common.DXE_DRIVER]
- TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 [LibraryClasses.common.DXE_SMM_DRIVER]
 SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf
diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
index 595f0ee490..7afbb2900f 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
+++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
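Review bot: The `TpmPlatformHierarchyLib` line under `[LibraryClasses.common.DXE_DRIVER]` (and the matching line in the CorePeiLib.dsc hunk) switches to the SecurityPkg instance without saying which PCD now selects the platform-hierarchy policy. The instance deleted later in this patch chooses between randomizing platformAuth and disabling the hierarchy from `gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy`; the SecurityPkg source is not part of this patch, and it presumably reads a PCD from its own token space, in which case board DSCs that still set the MinPlatformPkg PCD would silently fall back to the new library's default. Please confirm the PCD the replacement consumes, migrate any board overrides, and drop the stale declaration from MinPlatformPkg.dec if nothing else uses it. A one-line comment above the mapping would record this, e.g. `# Platform hierarchy policy (randomize vs. disable) is selected by the SecurityPkg instance's PCD, not the MinPlatformPkg one`.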
@@ -52,7 +52,7 @@
 Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterPei.inf
 HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
 Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
- TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/BaseFspMeasurementLib.inf
 FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapperPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 087fa48dd0..ee5d211128 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -203,7 +203,6 @@
 MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
 MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
- MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
 MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
deleted file mode 100644
index 9812ab99ab..0000000000
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+++ /dev/null
@@ -1,266 +0,0 @@ -/** @file - TPM Platform Hierarchy configuration library. - - This library provides functions for customizing the TPM's Platform Hierarchy - Authorization Value (platformAuth) and Platform Hierarchy Authorization - Policy (platformPolicy) can be defined through this function. - - Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> - Copyright (c) Microsoft Corporation.<BR> - SPDX-License-Identifier: BSD-2-Clause-Patent - - @par Specification Reference: - https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/ -**/ - -#include <Uefi.h> - -#include <Library/BaseMemoryLib.h> -#include <Library/DebugLib.h> -#include <Library/MemoryAllocationLib.h> -#include <Library/PcdLib.h> -#include <Library/RngLib.h> -#include <Library/Tpm2CommandLib.h> -#include <Library/Tpm2DeviceLib.h> - -// -// The authorization value may be no larger than the digest produced by the hash -// algorithm used for context integrity. -// -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE - -UINT16 mAuthSize; - -/** - Generate high-quality entropy source through RDRAND. - - @param[in] Length Size of the buffer, in bytes, to fill with. - @param[out] Entropy Pointer to the buffer to store the entropy data. - - @retval EFI_SUCCESS Entropy generation succeeded. - @retval EFI_NOT_READY Failed to request random data. - -**/ -EFI_STATUS -EFIAPI -RdRandGenerateEntropy ( - IN UINTN Length, - OUT UINT8 *Entropy - ) -{ - EFI_STATUS Status; - UINTN BlockCount; - UINT64 Seed[2]; - UINT8 *Ptr; - - Status = EFI_NOT_READY; - BlockCount = Length / 64; - Ptr = (UINT8 *)Entropy; - - // - // Generate high-quality seed for DRBG Entropy - // - while (BlockCount > 0) { - Status = GetRandomNumber128 (Seed); - if (EFI_ERROR (Status)) { - return Status; - } - CopyMem (Ptr, Seed, 64); - - BlockCount--; - Ptr = Ptr + 64; - } - - // - // Populate the remained data as request. 
- // - Status = GetRandomNumber128 (Seed); - if (EFI_ERROR (Status)) { - return Status; - } - CopyMem (Ptr, Seed, (Length % 64)); - - return Status; -} - -/** - This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value - and limits an authValue to being no larger than the largest digest produced by a TPM. - - @param[out] AuthSize Tpm2 Auth size - - @retval EFI_SUCCESS Auth size returned. - @retval EFI_DEVICE_ERROR Can not return platform auth due to device error. - -**/ -EFI_STATUS -EFIAPI -GetAuthSize ( - OUT UINT16 *AuthSize - ) -{ - EFI_STATUS Status; - TPML_PCR_SELECTION Pcrs; - UINTN Index; - UINT16 DigestSize; - - Status = EFI_SUCCESS; - - while (mAuthSize == 0) { - - mAuthSize = SHA1_DIGEST_SIZE; - ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); - Status = Tpm2GetCapabilityPcrs (&Pcrs); - - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); - break; - } - - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); - - for (Index = 0; Index < Pcrs.count; Index++) { - DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); - - switch (Pcrs.pcrSelections[Index].hash) { - case TPM_ALG_SHA1: - DigestSize = SHA1_DIGEST_SIZE; - break; - case TPM_ALG_SHA256: - DigestSize = SHA256_DIGEST_SIZE; - break; - case TPM_ALG_SHA384: - DigestSize = SHA384_DIGEST_SIZE; - break; - case TPM_ALG_SHA512: - DigestSize = SHA512_DIGEST_SIZE; - break; - case TPM_ALG_SM3_256: - DigestSize = SM3_256_DIGEST_SIZE; - break; - default: - DigestSize = SHA1_DIGEST_SIZE; - break; - } - - if (DigestSize > mAuthSize) { - mAuthSize = DigestSize; - } - } - break; - } - - *AuthSize = mAuthSize; - return Status; -} - -/** - Set PlatformAuth to random value. 
-**/ -VOID -RandomizePlatformAuth ( - VOID - ) -{ - EFI_STATUS Status; - UINT16 AuthSize; - UINT8 *Rand; - UINTN RandSize; - TPM2B_AUTH NewPlatformAuth; - - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null - // - - GetAuthSize (&AuthSize); - - ZeroMem (NewPlatformAuth.buffer, AuthSize); - NewPlatformAuth.size = AuthSize; - - // - // Allocate one buffer to store random data. - // - RandSize = MAX_NEW_AUTHORIZATION_SIZE; - Rand = AllocatePool (RandSize); - - RdRandGenerateEntropy (RandSize, Rand); - CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); - - FreePool (Rand); - - // - // Send Tpm2HierarchyChangeAuth command with the new Auth value - // - Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); - DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); - ZeroMem (NewPlatformAuth.buffer, AuthSize); - ZeroMem (Rand, RandSize); -} - -/** - Disable the TPM platform hierarchy. - - @retval EFI_SUCCESS The TPM was disabled successfully. - @retval Others An error occurred attempting to disable the TPM platform hierarchy. - -**/ -EFI_STATUS -DisableTpmPlatformHierarchy ( - VOID - ) -{ - EFI_STATUS Status; - - // Make sure that we have use of the TPM. - Status = Tpm2RequestUseTpm (); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); - ASSERT_EFI_ERROR (Status); - return Status; - } - - // Let's do what we can to shut down the hierarchies. - - // Disable the PH NV. - // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have - // been known to store the EK cert in the PH NV. If we disable it, the - // EK cert will be unreadable. - - // Disable the PH. 
- Status = Tpm2HierarchyControl ( - TPM_RH_PLATFORM, // AuthHandle - NULL, // AuthSession - TPM_RH_PLATFORM, // Hierarchy - NO // State - ); - DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); - ASSERT_EFI_ERROR (Status); - } - - return Status; -} - -/** - This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) - and Platform Hierarchy Authorization Policy (platformPolicy) - -**/ -VOID -EFIAPI -ConfigureTpmPlatformHierarchy ( - ) -{ - if (PcdGetBool (PcdRandomizePlatformHierarchy)) { - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null - // - RandomizePlatformAuth (); - } else { - // - // Disable the hierarchy entirely (do not randomize it) - // - DisableTpmPlatformHierarchy (); - } -} diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf deleted file mode 100644 index b7a7fb0a08..0000000000 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +++ /dev/null 
@@ -1,45 +0,0 @@ -### @file -# -# TPM Platform Hierarchy configuration library. -# -# This library provides functions for customizing the TPM's Platform Hierarchy -# Authorization Value (platformAuth) and Platform Hierarchy Authorization -# Policy (platformPolicy) can be defined through this function. -# -# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> -# Copyright (c) Microsoft Corporation.<BR> -# -# SPDX-License-Identifier: BSD-2-Clause-Patent -# -### - -[Defines] - INF_VERSION = 0x00010005 - BASE_NAME = PeiDxeTpmPlatformHierarchyLib - FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 - MODULE_TYPE = PEIM - VERSION_STRING = 1.0 - LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER - -[LibraryClasses] - BaseLib - BaseMemoryLib - DebugLib - MemoryAllocationLib - PcdLib - RngLib - Tpm2CommandLib - Tpm2DeviceLib - -[Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec - SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec - MinPlatformPkg/MinPlatformPkg.dec - -[Sources] - PeiDxeTpmPlatformHierarchyLib.c - -[Pcd] - gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy -- 2.43.0.windows.1