[EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth

Stefan Berger stefanb at linux.ibm.com
Wed Jul 28 14:54:24 UTC 2021


I now filed this bug:

https://bugzilla.tianocore.org/show_bug.cgi?id=3510

     Stefan


On 7/28/21 10:38 AM, Michael Kubacki wrote:
> The main commit of the series Bret mentioned (in edk2-platforms) is here:
>
> https://github.com/tianocore/edk2-platforms/commit/bfabeef4c9a63374784bd19f18a869aa2769e011 
>
>
> Regards,
> Michael
>
> On 7/27/2021 12:25 PM, Yao, Jiewen wrote:
>> Oops. Sorry for late response.
>>
>> The code is NOT in EDKII, but EDKII-platform as example. 
>> https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg
>>
>>
>> We allow a platform having its own implementation. That is why it is 
>> NOT in EDKII.
>>
>> Thank you
>>
>> Yao Jiewen
>>
>> *From:* devel at edk2.groups.io <devel at edk2.groups.io> *On Behalf Of 
>> *Bret Barkelew via groups.io
>> *Sent:* Wednesday, July 28, 2021 12:11 AM
>> *To:* devel at edk2.groups.io; stefanb at linux.ibm.com; Yao, Jiewen 
>> <jiewen.yao at intel.com>; Jeremiah Cox <jerecox at microsoft.com>; Michael 
>> Kubacki <Michael.Kubacki at microsoft.com>
>> *Cc:* Marc-André Lureau <marcandre.lureau at redhat.com>
>> *Subject:* Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to 
>> Tpm2HierarchyChangeAuth
>>
>> Adding @Jeremiah <mailto:jerecox at microsoft.com>…
>>
>> Jeremiah, weren’t you or @Michael 
>> <mailto:Michael.Kubacki at microsoft.com> shopping this change to 
>> MinPlatform?
>>
>> - Bret
>>
>> *From: *Stefan Berger via groups.io 
>> <mailto:stefanb=linux.ibm.com at groups.io>
>> *Sent: *Monday, July 26, 2021 7:48 AM
>> *To: *Yao, Jiewen <mailto:jiewen.yao at intel.com>; devel at edk2.groups.io 
>> <mailto:devel at edk2.groups.io>
>> *Cc: *Marc-André Lureau <mailto:marcandre.lureau at redhat.com>
>> *Subject: *[EXTERNAL] [edk2-devel] Missing TPM 2 related call to 
>> Tpm2HierarchyChangeAuth
>>
>> Hello!
>>
>>     The TPM 2 code in EDK2 is missing an important call to
>> Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
>> password of that hierarchy and discard the password. See also specs
>> section 11:
>> https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v22_02dec2020.pdf
>>
>>
>> "Platform Firmware MUST protect access to the Platform Hierarchy and
>> prevent access to the platform hierarchy by
>> non-manufacturer-controlled components.  "
>>
>> I was wondering where we could put that call so it's invoked after the
>> user has possibly interacted with the menu and before passing control to
>> the next stage such as boot loader.
>>
>> Regards,
>>
>>     Stefan


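The call Stefan asks about, shown as an added example that is not code from this thread, from EDK2 or from MinPlatformPkg. In firmware the work is done by the Tpm2CommandLib function Tpm2HierarchyChangeAuth, which takes the hierarchy handle (TPM_RH_PLATFORM), an optional authorization session and the new TPM2B_AUTH; the example below hand-marshals the same TPM2_HierarchyChangeAuth command so it builds with only the C standard library, then wipes the generated secret. The rng_fn and tpm_submit_fn hooks, the demo_rng pattern (fixed bytes, not random; real firmware would fill the buffer from TPM2_GetRandom) and capture_submit are constructed for the demo and are assumptions, not EDK2 APIs. Wire constants (TPM_ST_SESSIONS, TPM_CC_HierarchyChangeAuth, TPM_RH_PLATFORM, TPM_RS_PW) are from the TPM 2.0 Library specification.

```c
/*
 * Added example, not code from this thread, from EDK2 or from MinPlatformPkg.
 * Hand-marshals TPM2_HierarchyChangeAuth for TPM_RH_PLATFORM so it runs
 * without EDK2 headers; the firmware equivalent is the Tpm2CommandLib call
 * Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewAuth).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_ST_SESSIONS             0x8002u
#define TPM_CC_HierarchyChangeAuth  0x00000129u
#define TPM_RH_PLATFORM             0x4000000Cu
#define TPM_RS_PW                   0x40000009u   /* password-session handle */
#define PLATFORM_AUTH_SIZE          32            /* sized for a SHA-256 TPM */

/* Hypothetical transport and RNG hooks (assumptions, not EDK2 APIs). */
typedef int (*tpm_submit_fn)(const uint8_t *cmd, size_t len);
typedef int (*rng_fn)(uint8_t *buf, size_t len);

static uint8_t *put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return p + 2; }
static uint8_t *put32(uint8_t *p, uint32_t v) { p = put16(p, (uint16_t)(v >> 16)); return put16(p, (uint16_t)v); }

/* Marshal TPM2_HierarchyChangeAuth(authHandle = TPM_RH_PLATFORM, newAuth),
 * authorised with a password session carrying the current platformAuth,
 * which is empty after TPM2_Startup. Returns the command length, 0 on error. */
size_t build_hierarchy_change_auth(const uint8_t *new_auth, size_t new_auth_len,
                                   uint8_t *out, size_t out_cap)
{
    const uint32_t session_len = 4 + 2 + 1 + 2;            /* handle, nonce(0), attrs, hmac(0) */
    const size_t total = 10 + 4 + 4 + session_len + 2 + new_auth_len;
    if (new_auth_len == 0 || new_auth_len > PLATFORM_AUTH_SIZE || out_cap < total)
        return 0;
    uint8_t *p = out;
    p = put16(p, TPM_ST_SESSIONS);             /* header: tag */
    p = put32(p, (uint32_t)total);             /*         commandSize */
    p = put32(p, TPM_CC_HierarchyChangeAuth);  /*         commandCode */
    p = put32(p, TPM_RH_PLATFORM);             /* handle area: authHandle */
    p = put32(p, session_len);                 /* authorizationSize */
    p = put32(p, TPM_RS_PW);                   /* TPMS_AUTH_COMMAND.sessionHandle */
    p = put16(p, 0);                           /*   nonce: empty */
    *p++ = 0x00;                               /*   sessionAttributes: none */
    p = put16(p, 0);                           /*   hmac: empty = current platformAuth */
    p = put16(p, (uint16_t)new_auth_len);      /* parameter: newAuth (TPM2B_AUTH) */
    memcpy(p, new_auth, new_auth_len);
    return total;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* Set a random platformAuth and forget it: after this, nothing that runs
 * later (boot loader, OS) can authorise with the platform hierarchy until
 * the next TPM reset clears platformAuth again. Returns 1 on success. */
int lock_platform_hierarchy(rng_fn rng, tpm_submit_fn submit)
{
    uint8_t new_auth[PLATFORM_AUTH_SIZE];
    uint8_t cmd[128];
    size_t n = 0;
    int ok = 0;

    if (rng(new_auth, sizeof new_auth) == 0) {
        n = build_hierarchy_change_auth(new_auth, sizeof new_auth, cmd, sizeof cmd);
        if (n != 0 && submit(cmd, n) == 0)
            ok = 1;
    }
    secure_wipe(new_auth, sizeof new_auth);   /* discard the secret ... */
    secure_wipe(cmd, sizeof cmd);             /* ... and the copy inside the command */
    return ok;
}

/* Constructed stand-ins for the demo: a fixed byte pattern (NOT random; real
 * firmware would fill this from TPM2_GetRandom) and a transport that records
 * the command instead of talking to a TPM. */
static uint8_t g_last_cmd[128];
static size_t  g_last_len;
static int demo_rng(uint8_t *buf, size_t len) { for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(0xA0 + i); return 0; }
static int capture_submit(const uint8_t *cmd, size_t len) { memcpy(g_last_cmd, cmd, len); g_last_len = len; return 0; }

int main(void)
{
    if (!lock_platform_hierarchy(demo_rng, capture_submit)) return 1;
    for (size_t i = 0; i < g_last_len; i++) printf("%02x%s", g_last_cmd[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n");
    return 0;
}
```

Two points the placement question in the thread turns on: platformAuth is volatile and returns to the empty value at the next TPM reset, so this has to run on every boot, and any firmware component that still needs the platform hierarchy (for its own NV or PCR work) must finish before it runs, which is why the call belongs after setup-menu interaction and just before control passes to the boot loader.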
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78289): https://edk2.groups.io/g/devel/message/78289
-=-=-=-=-=-=-=-=-=-=-=-