[EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth
Michael Kubacki
mikuback at linux.microsoft.com
Wed Jul 28 14:38:35 UTC 2021
The main commit of the series Bret mentioned (in edk2-platforms) is here:
https://github.com/tianocore/edk2-platforms/commit/bfabeef4c9a63374784bd19f18a869aa2769e011
Regards,
Michael
On 7/27/2021 12:25 PM, Yao, Jiewen wrote:
> Oops. Sorry for late response.
>
> The code is NOT in EDKII, but EDKII-platform as example.
> https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg
> <https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg>
>
> We allow a platform having its own implementation. That is why it is NOT
> in EDKII.
>
> Thank you
>
> Yao Jiewen
>
> *From:* devel at edk2.groups.io <devel at edk2.groups.io> *On Behalf Of *Bret
> Barkelew via groups.io
> *Sent:* Wednesday, July 28, 2021 12:11 AM
> *To:* devel at edk2.groups.io; stefanb at linux.ibm.com; Yao, Jiewen
> <jiewen.yao at intel.com>; Jeremiah Cox <jerecox at microsoft.com>; Michael
> Kubacki <Michael.Kubacki at microsoft.com>
> *Cc:* Marc-André Lureau <marcandre.lureau at redhat.com>
> *Subject:* Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to
> Tpm2HierarchyChangeAuth
>
> Adding @Jeremiah <mailto:jerecox at microsoft.com>…
>
> Jeremiah, weren’t you or @Michael <mailto:Michael.Kubacki at microsoft.com>
> shopping this change to MinPlatform?
>
> - Bret
>
> *From: *Stefan Berger via groups.io <mailto:stefanb=linux.ibm.com at groups.io>
> *Sent: *Monday, July 26, 2021 7:48 AM
> *To: *Yao, Jiewen <mailto:jiewen.yao at intel.com>; devel at edk2.groups.io
> <mailto:devel at edk2.groups.io>
> *Cc: *Marc-André Lureau <mailto:marcandre.lureau at redhat.com>
> *Subject: *[EXTERNAL] [edk2-devel] Missing TPM 2 related call to
> Tpm2HierarchyChangeAuth
>
> Hello!
>
> The TPM 2 code in EDK2 is missing an important call to
> Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
> password of that hierarchy and discard the password. See also specs
> section 11:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrustedcomputinggroup.org%2Fwp-content%2Fuploads%2FTCG_PCClient_PFP_r1p05_v22_02dec2020.pdf&data=04%7C01%7Cbret.barkelew%40microsoft.com%7Cf2a2262eee2c44b3760c08d95044601a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637629077356686202%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=N7VQIw87rHqUAFQ54TvhNwcsPFEwJzdZQ9JZrmX1S4E%3D&reserved=0
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrustedcomputinggroup.org%2Fwp-content%2Fuploads%2FTCG_PCClient_PFP_r1p05_v22_02dec2020.pdf&data=04%7C01%7Cbret.barkelew%40microsoft.com%7Cf2a2262eee2c44b3760c08d95044601a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637629077356686202%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=N7VQIw87rHqUAFQ54TvhNwcsPFEwJzdZQ9JZrmX1S4E%3D&reserved=0>
>
> "Platform Firmware MUST protect access to the Platform Hierarchy and
> prevent access to the platform hierarchy by
> non-manufacturer-controlled components. "
>
> I was wondering where we could put that call so it's invoked after the
> user has possibly interacted with the menu and before passing control to
> the next stage such as boot loader.
>
> Regards,
>
> Stefan
>
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78288): https://edk2.groups.io/g/devel/message/78288
Mute This Topic: https://groups.io/mt/84485285/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list