[EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth

Yao, Jiewen jiewen.yao at intel.com
Tue Jul 27 16:25:55 UTC 2021


Oops. Sorry for late response.

The code is NOT in EDKII, but in EDKII-platforms as an example: https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg

We allow a platform to have its own implementation. That is why it is NOT in EDKII.

Thank you
Yao Jiewen

From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Bret Barkelew via groups.io
Sent: Wednesday, July 28, 2021 12:11 AM
To: devel at edk2.groups.io; stefanb at linux.ibm.com; Yao, Jiewen <jiewen.yao at intel.com>; Jeremiah Cox <jerecox at microsoft.com>; Michael Kubacki <Michael.Kubacki at microsoft.com>
Cc: Marc-André Lureau <marcandre.lureau at redhat.com>
Subject: Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth

Adding @Jeremiah <jerecox at microsoft.com>...

Jeremiah, weren't you or @Michael <Michael.Kubacki at microsoft.com> shopping this change to MinPlatform?

- Bret

From: Stefan Berger via groups.io <stefanb=linux.ibm.com at groups.io>
Sent: Monday, July 26, 2021 7:48 AM
To: Yao, Jiewen <jiewen.yao at intel.com>; devel at edk2.groups.io
Cc: Marc-André Lureau <marcandre.lureau at redhat.com>
Subject: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth

Hello!

The TPM 2 code in EDK2 is missing an important call to
Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
password of that hierarchy and discard the password. See also spec
section 11:
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v22_02dec2020.pdf

"Platform Firmware MUST protect access to the Platform Hierarchy and
prevent access to the platform hierarchy by
non-manufacturer-controlled components."

I was wondering where we could put that call so it's invoked after the
user has possibly interacted with the menu and before passing control to
the next stage, such as a boot loader.

Regards,

   Stefan
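As an added illustration of the command Stefan is asking for (this is not code from EDK2, edk2-platforms or anyone in this thread), the following plain C marshals TPM2_HierarchyChangeAuth for TPM_RH_PLATFORM with a freshly drawn 32-byte authorization value and then wipes that value, which is the "set it and discard it" step the PC Client PFP requires before handing control to the next boot stage. The TPM constants follow the TCG TPM 2.0 Library spec; `constructed_rng` is a deterministic stand-in for the TPM's random number generator (in EDK2 one would use Tpm2GetRandom and Tpm2HierarchyChangeAuth from Tpm2CommandLib, which do the same marshalling and submit the command to the TPM).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TPM 2.0 constants (TCG TPM 2.0 Library, Part 2: Structures). */
#define TPM_ST_SESSIONS            0x8002u
#define TPM_CC_HierarchyChangeAuth 0x00000129u
#define TPM_RH_PLATFORM            0x4000000Cu
#define TPM_RS_PW                  0x40000009u
#define SHA256_DIGEST_SIZE         32

static size_t put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); return 4; }

/* Marshal TPM2_HierarchyChangeAuth(authHandle = TPM_RH_PLATFORM, newAuth), authorized
 * with a password session carrying the current platformAuth, which is still empty at
 * this point in boot. Returns the command size, or 0 if the buffer is too small. */
size_t build_hierarchy_change_auth(const uint8_t *new_auth, size_t auth_len,
                                   uint8_t *cmd, size_t cmd_cap)
{
    size_t n = 0;
    if (auth_len > 64 || cmd_cap < 10 + 4 + 4 + 9 + 2 + auth_len) return 0;
    n += put16(cmd + n, TPM_ST_SESSIONS);             /* tag: command has an auth area   */
    n += put32(cmd + n, 0);                           /* commandSize, patched at the end */
    n += put32(cmd + n, TPM_CC_HierarchyChangeAuth);  /* commandCode                     */
    n += put32(cmd + n, TPM_RH_PLATFORM);             /* authHandle: platform hierarchy  */
    n += put32(cmd + n, 9);                           /* authorizationSize               */
    n += put32(cmd + n, TPM_RS_PW);                   /* sessionHandle: password session */
    n += put16(cmd + n, 0);                           /* nonce: empty                    */
    cmd[n++] = 0;                                     /* sessionAttributes               */
    n += put16(cmd + n, 0);                           /* hmac: empty (current platformAuth) */
    n += put16(cmd + n, (uint16_t)auth_len);          /* newAuth.size                    */
    memcpy(cmd + n, new_auth, auth_len);              /* newAuth.buffer                  */
    n += auth_len;
    put32(cmd + 2, (uint32_t)n);                      /* fill in commandSize             */
    return n;
}

/* Constructed, deterministic stand-in for the TPM RNG so the example runs offline. */
void constructed_rng(uint8_t *p, size_t len) { for (size_t i = 0; i < len; i++) p[i] = (uint8_t)(0xA0 + i); }

/* Zero a secret through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(uint8_t *p, size_t len) { volatile uint8_t *v = p; while (len--) *v++ = 0; }

/* Draw a new platformAuth, marshal the command, then discard the value: after the
 * TPM has accepted it, no later boot component can authorize to the platform hierarchy. */
size_t lock_platform_hierarchy(void (*rng)(uint8_t *, size_t), uint8_t *cmd, size_t cmd_cap)
{
    uint8_t new_auth[SHA256_DIGEST_SIZE];
    rng(new_auth, sizeof new_auth);
    size_t n = build_hierarchy_change_auth(new_auth, sizeof new_auth, cmd, cmd_cap);
    wipe(new_auth, sizeof new_auth);   /* firmware must also wipe the command buffer after submission */
    return n;
}
```

In real firmware the returned buffer would be submitted through the TPM command interface and the response code checked, and the command buffer itself wiped afterwards since it still holds the new authorization value.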
