[EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth

Stefan Berger stefanb at linux.ibm.com
Tue Jul 27 20:43:18 UTC 2021


On 7/27/21 12:25 PM, Yao, Jiewen wrote:
> Oops. Sorry for late response.
>
> The code is NOT in EDKII, but EDKII-platform as example. 
> https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg 
>
> We allow a platform to have its own implementation. That is why it is 
> NOT in EDKII.
>

How do edk2 and edk2-platform relate? Do we need to copy code from one 
to the other?

    Stefan


> Thank you
>
> Yao Jiewen
>
> *From:* devel at edk2.groups.io <devel at edk2.groups.io> *On Behalf Of 
> *Bret Barkelew via groups.io
> *Sent:* Wednesday, July 28, 2021 12:11 AM
> *To:* devel at edk2.groups.io; stefanb at linux.ibm.com; Yao, Jiewen 
> <jiewen.yao at intel.com>; Jeremiah Cox <jerecox at microsoft.com>; Michael 
> Kubacki <Michael.Kubacki at microsoft.com>
> *Cc:* Marc-André Lureau <marcandre.lureau at redhat.com>
> *Subject:* Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to 
> Tpm2HierarchyChangeAuth
>
> Adding @Jeremiah <mailto:jerecox at microsoft.com>…
>
> Jeremiah, weren’t you or @Michael 
> <mailto:Michael.Kubacki at microsoft.com> shopping this change to 
> MinPlatform?
>
> - Bret
>
> *From: *Stefan Berger via groups.io 
> <mailto:stefanb=linux.ibm.com at groups.io>
> *Sent: *Monday, July 26, 2021 7:48 AM
> *To: *Yao, Jiewen <mailto:jiewen.yao at intel.com>; devel at edk2.groups.io 
> <mailto:devel at edk2.groups.io>
> *Cc: *Marc-André Lureau <mailto:marcandre.lureau at redhat.com>
> *Subject: *[EXTERNAL] [edk2-devel] Missing TPM 2 related call to 
> Tpm2HierarchyChangeAuth
>
> Hello!
>
>    The TPM 2 code in EDK2 is missing an important call to
> Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
> password of that hierarchy and discard the password. See also specs
> section 11:
> https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v22_02dec2020.pdf
>
> "Platform Firmware MUST protect access to the Platform Hierarchy and
> prevent access to the platform hierarchy by
> non-manufacturer-controlled components.  "
>
> I was wondering where we could put that call so it's invoked after the
> user has possibly interacted with the menu and before passing control to
> the next stage such as boot loader.
>
> Regards,
>
>    Stefan
>

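The call the original mail asks for, as an added example (not edk2 or edk2-platforms code): randomize the platform hierarchy authValue and discard it before control leaves platform firmware. It is written in C against host-side stand-ins for the edk2 types and the Tpm2CommandLib call so it compiles and runs without a TPM; TPM_RH_PLATFORM, TPM2B_AUTH and Tpm2HierarchyChangeAuth keep their edk2 names, and everything marked STUB (including the /dev/urandom source and the accessor functions) is constructed here for illustration.

```c
/* Added example, not edk2 code: give the TPM 2 platform hierarchy a fresh random
 * authValue and discard it before control leaves platform firmware (PFP section 11).
 * Everything marked STUB stands in for edk2's Tpm20.h, Tpm2CommandLib and RngLib. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef int EFI_STATUS;                 /* STUB: simplified status type */
#define EFI_SUCCESS         0
#define EFI_DEVICE_ERROR    7
#define TPM_RH_PLATFORM     0x4000000CU /* platform hierarchy handle, TPM 2.0 spec */
#define SHA256_DIGEST_SIZE  32
typedef struct { uint16_t size; uint8_t buffer[64]; } TPM2B_AUTH;
/* STUB for Tpm2CommandLib's Tpm2HierarchyChangeAuth: the real one sends
 * TPM2_HierarchyChangeAuth authorized with the current (empty) platformAuth.
 * This one records what the TPM would receive so a test can inspect it. */
static uint32_t   StubHandle;
static TPM2B_AUTH StubAuth;
static EFI_STATUS Tpm2HierarchyChangeAuth(uint32_t Handle, void *Session, TPM2B_AUTH *NewAuth) {
  (void)Session;
  if (NewAuth->size == 0 || NewAuth->size > sizeof NewAuth->buffer) return EFI_DEVICE_ERROR;
  StubHandle = Handle; StubAuth = *NewAuth;
  return EFI_SUCCESS;
}
uint32_t StubLastHandle(void) { return StubHandle; }
const TPM2B_AUTH *StubLastAuth(void) { return &StubAuth; }
int IsAllZero(const uint8_t *Buf, size_t Len) {
  uint8_t Acc = 0;
  for (size_t I = 0; I < Len; I++) Acc |= Buf[I];
  return Acc == 0;
}
static void SecureZero(void *Buf, size_t Len) { /* volatile stores survive optimization */
  for (volatile uint8_t *P = Buf; Len--; ) *P++ = 0;
}
static int GetRandomBytes(uint8_t *Out, size_t Len) { /* STUB: host /dev/urandom */
  FILE *F = fopen("/dev/urandom", "rb");
  size_t N = F ? fread(Out, 1, Len, F) : 0;
  if (F) fclose(F);
  return N == Len;
}
/* Returns EFI_SUCCESS only if the TPM accepted a non-empty random platformAuth.
 * Nothing keeps the value, so no later stage (option ROM, boot loader, OS) can
 * authorize platform-hierarchy commands; the TPM resets it to empty at the next TPM Reset. */
EFI_STATUS RandomizePlatformAuth(void) {
  TPM2B_AUTH NewAuth;
  EFI_STATUS Status = EFI_DEVICE_ERROR;
  NewAuth.size = SHA256_DIGEST_SIZE;  /* size it like the active PCR bank's digest */
  if (GetRandomBytes(NewAuth.buffer, NewAuth.size) && !IsAllZero(NewAuth.buffer, NewAuth.size))
    Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewAuth);
  SecureZero(&NewAuth, sizeof NewAuth);  /* discard the only copy, success or failure */
  return Status;
}
```

In a real platform the call belongs at the last point firmware still needs platformAuth, after any setup menu interaction and before the boot loader is started, with the random bytes taken from RngLib or TPM2_GetRandom rather than a file.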

View/Reply Online (#78257): https://edk2.groups.io/g/devel/message/78257