[edk2-devel] [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
Sean
spbrogan at outlook.com
Thu Aug 12 20:59:06 UTC 2021
This seems like a bad place for a general purpose lib that many other
platforms may take a dependency on.
In v1 this was SecurityPkg. OvmfPkg is a platform package and therefore
not a good place to define broad interfaces.
What caused this to move here?
Thanks
Sean
On 8/12/2021 9:59 AM, Stefan Berger wrote:
> Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Fix some bugs
> from the original code and simplify parts of it.
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
> .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++
> .../PeiDxeTpmPlatformHierarchyLib.c | 200 ++++++++++++++++++
> .../PeiDxeTpmPlatformHierarchyLib.inf | 40 ++++
> 3 files changed, 267 insertions(+)
> create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>
> diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> new file mode 100644
> index 0000000000..a872fa09dc
> --- /dev/null
> +++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> @@ -0,0 +1,27 @@
> +/** @file
> + TPM Platform Hierarchy configuration library.
> +
> + This library provides functions for customizing the TPM's Platform Hierarchy
> + Authorization Value (platformAuth) and Platform Hierarchy Authorization
> + Policy (platformPolicy) can be defined through this function.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) Microsoft Corporation.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
> +#define _TPM_PLATFORM_HIERARCHY_LIB_H_
> +
> +/**
> + This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
> +
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> + VOID
> + );
> +
> +#endif
> diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> new file mode 100644
> index 0000000000..a0dc848abd
> --- /dev/null
> +++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> @@ -0,0 +1,200 @@
> +/** @file
> + TPM Platform Hierarchy configuration library.
> +
> + This library provides functions for customizing the TPM's Platform Hierarchy
> + Authorization Value (platformAuth) and Platform Hierarchy Authorization
> + Policy (platformPolicy) can be defined through this function.
> +
> + Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> + Copyright (c) Microsoft Corporation.<BR>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> + @par Specification Reference:
> + https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
> +**/
> +
> +#include <Uefi.h>
> +
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/RngLib.h>
> +#include <Library/Tpm2CommandLib.h>
> +#include <Library/Tpm2DeviceLib.h>
> +
> +//
> +// The authorization value may be no larger than the digest produced by the hash
> +// algorithm used for context integrity.
> +//
> +
> +UINT16 mAuthSize;
> +
> +/**
> + Generate high-quality entropy source through RDRAND.
> +
> + @param[in] Length Size of the buffer, in bytes, to fill with.
> + @param[out] Entropy Pointer to the buffer to store the entropy data.
> +
> + @retval EFI_SUCCESS Entropy generation succeeded.
> + @retval EFI_NOT_READY Failed to request random data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +RdRandGenerateEntropy (
> + IN UINTN Length,
> + OUT UINT8 *Entropy
> + )
> +{
> + EFI_STATUS Status;
> + UINTN BlockCount;
> + UINT64 Seed[2];
> + UINT8 *Ptr;
> +
> + Status = EFI_NOT_READY;
> + BlockCount = Length / sizeof(Seed);
> + Ptr = (UINT8 *)Entropy;
> +
> + //
> + // Generate high-quality seed for DRBG Entropy
> + //
> + while (BlockCount > 0) {
> + Status = GetRandomNumber128 (Seed);
> + if (EFI_ERROR (Status)) {
> + return Status;
> + }
> + CopyMem (Ptr, Seed, sizeof(Seed));
> +
> + BlockCount--;
> + Ptr = Ptr + sizeof(Seed);
> + }
> +
> + //
> + // Populate the remained data as request.
> + //
> + Status = GetRandomNumber128 (Seed);
> + if (EFI_ERROR (Status)) {
> + return Status;
> + }
> + CopyMem (Ptr, Seed, (Length % sizeof(Seed)));
> +
> + return Status;
> +}
> +
> +/**
> + This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
> + and limits an authValue to being no larger than the largest digest produced by a TPM.
> +
> + @param[out] AuthSize Tpm2 Auth size
> +
> + @retval EFI_SUCCESS Auth size returned.
> + @retval EFI_DEVICE_ERROR Can not return platform auth due to device error.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetAuthSize (
> + OUT UINT16 *AuthSize
> + )
> +{
> + EFI_STATUS Status;
> + TPML_PCR_SELECTION Pcrs;
> + UINTN Index;
> + UINT16 DigestSize;
> +
> + Status = EFI_SUCCESS;
> +
> + while (mAuthSize == 0) {
> +
> + mAuthSize = SHA1_DIGEST_SIZE;
> + ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
> + Status = Tpm2GetCapabilityPcrs (&Pcrs);
> +
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
> + break;
> + }
> +
> + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
> +
> + for (Index = 0; Index < Pcrs.count; Index++) {
> + DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
> +
> + switch (Pcrs.pcrSelections[Index].hash) {
> + case TPM_ALG_SHA1:
> + DigestSize = SHA1_DIGEST_SIZE;
> + break;
> + case TPM_ALG_SHA256:
> + DigestSize = SHA256_DIGEST_SIZE;
> + break;
> + case TPM_ALG_SHA384:
> + DigestSize = SHA384_DIGEST_SIZE;
> + break;
> + case TPM_ALG_SHA512:
> + DigestSize = SHA512_DIGEST_SIZE;
> + break;
> + case TPM_ALG_SM3_256:
> + DigestSize = SM3_256_DIGEST_SIZE;
> + break;
> + default:
> + DigestSize = SHA1_DIGEST_SIZE;
> + break;
> + }
> +
> + if (DigestSize > mAuthSize) {
> + mAuthSize = DigestSize;
> + }
> + }
> + break;
> + }
> +
> + *AuthSize = mAuthSize;
> + return Status;
> +}
> +
> +/**
> + Set PlatformAuth to random value.
> +**/
> +VOID
> +RandomizePlatformAuth (
> + VOID
> + )
> +{
> + EFI_STATUS Status;
> + UINT16 AuthSize;
> + TPM2B_AUTH NewPlatformAuth;
> +
> + //
> + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
> + //
> +
> + GetAuthSize (&AuthSize);
> +
> + NewPlatformAuth.size = AuthSize;
> +
> + //
> + // Create the random bytes in the destination buffer
> + //
> +
> + RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);
> +
> + //
> + // Send Tpm2HierarchyChangeAuth command with the new Auth value
> + //
> + Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
> + DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
> + ZeroMem (NewPlatformAuth.buffer, AuthSize);
> +}
> +
> +/**
> + This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
> + and Platform Hierarchy Authorization Policy (platformPolicy)
> +
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> + )
> +{
> + RandomizePlatformAuth ();
> +}
> diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> new file mode 100644
> index 0000000000..a413e02302
> --- /dev/null
> +++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> @@ -0,0 +1,40 @@
> +### @file
> +#
> +# TPM Platform Hierarchy configuration library.
> +#
> +# This library provides functions for customizing the TPM's Platform Hierarchy
> +# Authorization Value (platformAuth) and Platform Hierarchy Authorization
> +# Policy (platformPolicy) can be defined through this function.
> +#
> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +###
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = PeiDxeTpmPlatformHierarchyLib
> + FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
> + MODULE_TYPE = PEIM
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + RngLib
> + Tpm2CommandLib
> + Tpm2DeviceLib
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[Sources]
> + PeiDxeTpmPlatformHierarchyLib.c
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#79208): https://edk2.groups.io/g/devel/message/79208
Mute This Topic: https://groups.io/mt/84845083/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list