Can you please make these changes in V3? MinPlatformPkg\MinPlatformPkg.dsc * It seems like a library class override section for Tcg2PlatformDxe is not necessary. Can the TpmPlatformAuthLib library class simply be assigned in the [LibraryClasses] section?
MinPlatformPkg\Tcg\Tcg2PlatformDxe\Tcg2PlatformDxe.c * I suggest using "SmmReadyToLock" instead of "ReadyToLock" throughout the file. * Can you please check again if all library classes included are required for this implementation? For example, I don't see usage of MemoryAllocationLib in the file. MinPlatformPkg\Include\Library\TpmPlatformAuthLib\TpmPlatformAuthLib.h * Please add a file description to the copyright header. * ReadyToBoot is not the actual event the function is being invoked upon. So TpmPlatformAuthReadyToBootHandler ( ) is not accurate. The function is also not directly a notification handler (the function signature does not reflect that of a handler) so keeping "Handler" in the name is somewhat misleading. Some suggestions are: 1. TpmPlatformAuthAtSmmReadyToLock ( ) -> Keeps the event point in the name 2. ConfigureTpmPlatformAuthAtSmmReadyToLock ( ) -> More descriptive; keeps event point in the name 3. ConfigureTpmPlatformAuth ( ) -> More succinct; allows flexibility for invocation Unless there's a strong reason to associate the functionality with SmmReadyToLock, I suggest #3 (or your own name). MinPlatformPkg\Tcg\Tcg2PlatformPei\Tcg2PlatformPei.c * It doesn't seem these changes are directly related to the rest of the patch? Could it be a separate patch? MinPlatformPkg\Tcg\Library\TpmPlatformAuthLib\TpmPlatformAuthlib.inf * The constructor doesn't do anything. Is it actually needed? * Typo in function name: TpmPlatformAuthLibContructor MinPlatformPkg\Tcg\Library\TpmPlatformAuthLib\TpmPlatformAuthlib.c * The function description for TpmPlatformAuthLibConstructor ( ) references parameters that don't actually exist in the implementation. Thanks, Michael > -----Original Message----- > From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cu...@intel.com> > Sent: Monday, November 11, 2019 1:43 AM > To: devel@edk2.groups.io > Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cu...@intel.com>; > Kubacki, Michael A <michael.a.kuba...@intel.com>; Chiu, Chasel > <chasel.c...@intel.com>; Desimone, Nathaniel L > <nathaniel.l.desim...@intel.com>; Gao, Liming <liming....@intel.com> > Subject: [edk2-platforms][Patch V2] MinPlatformPkg: Library for customizing > TPM platform auth > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331 > > In V2: > + Kept callback function and registration in Tcg2PlatformDxe module. > + New library defining API function: TpmPlatformAuthReadyToBootHandler > for configuring the TPM's Platform Hierachy. This is now called > through Tcg2PlatformDxe's ReadyToLockEventCallBack. > + Ported GetAuthSize fix to both Tcg2PlatformPei and MinPlatform's > TpmPlatformAuthLib instance. > > In order to enable some TPM use cases BIOS should enable to customize the > configuration of the TPM platform, provisioning of endorsement, platform > and storage hierarchy. > > Cc: Michael Kubacki <michael.a.kuba...@intel.com> > Cc: Chasel Chiu <chasel.c...@intel.com> > Cc: Nate DeSimone <nathaniel.l.desim...@intel.com> > Cc: Liming Gao <liming....@intel.com> > > Signed-off-by: Rodrigo Gonzalez del Cueto > <rodrigo.gonzalez.del.cu...@intel.com> > --- > .../Include/Library/TpmPlatformAuthLib.h | 24 ++ > .../Intel/MinPlatformPkg/MinPlatformPkg.dec | 2 + > .../Intel/MinPlatformPkg/MinPlatformPkg.dsc | 5 +- > .../TpmPlatformAuthLib/TpmPlatformAuthLib.c | 229 > ++++++++++++++++++ > .../TpmPlatformAuthLib/TpmPlatformAuthLib.inf | 49 ++++ > .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 161 ++---------- > .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 6 +- > .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 100 +++++--- > 8 files changed, 402 insertions(+), 174 deletions(-) create mode 100644 > Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformAuthLib.h > create mode 100644 > Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlatfo > rmAuthLib.c > create mode 100644 > Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlatfo > rmAuthLib.inf > > diff --git > a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformAuthLib.h > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformAuthLib.h > new file mode 100644 > index 00000000..f33b67b0 > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformAuthLib.h > @@ -0,0 +1,24 @@ > +/** @file++Copyright (c) 2019, Intel Corporation. All rights > reserved.<BR>+SPDX-License-Identifier: BSD-2-Clause- > Patent++**/++#ifndef _TPM_PLATFORM_AUTH_LIB_H_+#define > _TPM_PLATFORM_AUTH_LIB_H_++#include <PiDxe.h>+#include > <Uefi.h>++/**+ This service will perform the TPM Platform Auth > configuration at the ReadyToBoot > event.++**/+VOID+EFIAPI+TpmPlatformAuthReadyToBootHandler (+ > VOID+ );++#endifdiff --git > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > index a851021c..fc5979db 100644 > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h > MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h > SecBoardInitLib|Include/Library/SecBoardInitLib.h > +TpmPlatformAuthLib|Include/Library/TpmPlatformAuthLib.h+ > TestPointLib|Include/Library/TestPointLib.h > TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > index 5f9363ff..fbfd1e5d 100644 > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > @@ -185,7 +185,10 @@ > !if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable == TRUE > MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf- > MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf+ > MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {+ > <LibraryClasses>+ > TpmPlatformAuthLib|MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/Tp > mPlatformAuthLib.inf+ } !endif [BuildOptions]diff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlat > formAuthLib.c > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlat > formAuthLib.c > new file mode 100644 > index 00000000..8ac780e1 > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPl > +++ atformAuthLib.c > @@ -0,0 +1,229 @@ > +/** @file+ TPM Platform Auth configuration library.++ Copyright (c) > 2019, Intel Corporation. All rights reserved.<BR>+ SPDX-License-Identifier: > BSD-2-Clause-Patent++ @par Specification Reference:+ > https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning- > guidance/+**/++#include <PiDxe.h>++#include > <Library/DebugLib.h>+#include <Library/BaseMemoryLib.h>+#include > <Library/UefiRuntimeServicesTableLib.h>+#include > <Library/UefiBootServicesTableLib.h>+#include > <Library/MemoryAllocationLib.h>+#include > <Library/Tpm2CommandLib.h>+#include <Library/RngLib.h>+#include > <Library/UefiLib.h>+#include <Protocol/DxeSmmReadyToLock.h>++//+// > The authorization value may be no larger than the digest produced by the > hash+// algorithm used for context integrity.+//+#define > MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE++/**+ Generate > high-quality entropy source through RDRAND.++ @param[in] Length > Size of the buffer, in bytes, to fill with.+ @param[out] Entropy > Pointer to > the buffer to store the entropy data.++ @retval EFI_SUCCESS Entropy > generation succeeded.+ @retval EFI_NOT_READY Failed to request > random data.++**/+EFI_STATUS+EFIAPI+RdRandGenerateEntropy (+ IN > UINTN Length,+ OUT UINT8 *Entropy+ )+{+ EFI_STATUS Status;+ > UINTN BlockCount;+ UINT64 Seed[2];+ UINT8 *Ptr;++ Status = > EFI_NOT_READY;+ BlockCount = Length / 64;+ Ptr = (UINT8 *)Entropy;++ > //+ // Generate high-quality seed for DRBG Entropy+ //+ while (BlockCount > > 0) {+ Status = GetRandomNumber128 (Seed);+ if (EFI_ERROR (Status)) > {+ return Status;+ }+ CopyMem (Ptr, Seed, 64);++ BlockCount--;+ > Ptr > = Ptr + 64;+ }++ //+ // Populate the remained data as request.+ //+ > Status > = GetRandomNumber128 (Seed);+ if (EFI_ERROR (Status)) {+ return > Status;+ }+ CopyMem (Ptr, Seed, (Length % 64));++ return Status;+}++/**+ > This function returns the maximum size of TPM2B_AUTH; this structure is > used for an authorization value+ and limits an authValue to being no larger > than the largest digest produced by a TPM.++ @param[out] AuthSize > Tpm2 Auth size++ @retval EFI_SUCCESS Auth size returned.+ > @retval EFI_DEVICE_ERROR Can not return platform auth due to > device error.++**/+EFI_STATUS+EFIAPI+GetAuthSize (+ OUT UINT16 > *AuthSize+ )+{+ EFI_STATUS Status;+ TPML_PCR_SELECTION Pcrs;+ > UINTN Index;+ UINT16 DigestSize;++ Status = > EFI_SUCCESS;++ while (mAuthSize == 0) {++ mAuthSize = > SHA1_DIGEST_SIZE;+ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));+ > Status = Tpm2GetCapabilityPcrs (&Pcrs);++ if (EFI_ERROR (Status)) {+ > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));+ break;+ }++ > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));++ > for (Index = 0; Index < Pcrs.count; Index++) {+ DEBUG ((DEBUG_ERROR, > "alg - %x\n", Pcrs.pcrSelections[Index].hash));++ switch > (Pcrs.pcrSelections[Index].hash) {+ case TPM_ALG_SHA1:+ DigestSize > = SHA1_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA256:+ > DigestSize = SHA256_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA384:+ > DigestSize = SHA384_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA512:+ > DigestSize = SHA512_DIGEST_SIZE;+ break;+ case > TPM_ALG_SM3_256:+ DigestSize = SM3_256_DIGEST_SIZE;+ break;+ > default:+ DigestSize = SHA1_DIGEST_SIZE;+ break;+ }++ > if > (DigestSize > mAuthSize) {+ mAuthSize = DigestSize;+ }+ }+ > break;+ > }++ *AuthSize = mAuthSize;+ return Status;+}++/**+ Set PlatformAuth to > random value.+**/+VOID+RandomizePlatformAuth (+ VOID+ )+{+ > EFI_STATUS Status;+ UINT16 > AuthSize;+ UINT32 > Index;+ UINT8 *Rand;+ UINTN > RandSize;+ > TPM2B_AUTH NewPlatformAuth;++ //+ // Send > Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being > null+ //++ GetAuthSize (&AuthSize);++ ZeroMem > (NewPlatformAuth.buffer, AuthSize);+ NewPlatformAuth.size = > AuthSize;++ //+ // Allocate one buffer to store random data.+ //+ RandSize > = MAX_NEW_AUTHORIZATION_SIZE;+ Rand = AllocatePool (RandSize);++ > RdRandGenerateEntropy (RandSize, Rand);+ CopyMem > (NewPlatformAuth.buffer, Rand, AuthSize);++ FreePool (Rand);++ //+ // > Send Tpm2HierarchyChangeAuth command with the new Auth value+ //+ > Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, > &NewPlatformAuth);+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth > Result: - %r\n", Status));+ ZeroMem (NewPlatformAuth.buffer, AuthSize);+ > ZeroMem (Rand, RandSize);+}++/**+ This service defines the configuration > of the Platform Hierarchy Authorization Value (platformAuth)+ and Platform > Hierarchy Authorization Policy > (platformPolicy)++**/+VOID+EFIAPI+TpmPlatformAuthReadyToBootHandle > r (+ )+{+ EFI_STATUS Status;+ VOID *Interface;++ //+ // Send > Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being > null+ //+ RandomizePlatformAuth ();+}++/**+ The library constructor.++ > @param ImageHandle The firmware allocated handle for the EFI image.+ > @param SystemTable A pointer to the EFI System Table.++ @retval > EFI_SUCCESS The function always return > EFI_SUCCESS.+**/+EFI_STATUS+EFIAPI+TpmPlatformAuthLibContructor (+ > )+{+ return EFI_SUCCESS;+}diff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlat > formAuthLib.inf > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlat > formAuthLib.inf > new file mode 100644 > index 00000000..8a36f35e > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPl > +++ atformAuthLib.inf > @@ -0,0 +1,49 @@ > +### @file+#+# TPM Platform Auth configuration library.+#+# Copyright (c) > 2019, Intel Corporation. All rights reserved.<BR>+#+# SPDX-License- > Identifier: BSD-2-Clause-Patent+#+###++[Defines]+ INF_VERSION > = 0x00010005+ BASE_NAME = TpmPlatformAuthLib+ FILE_GUID > = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73+ MODULE_TYPE = > DXE_DRIVER+ VERSION_STRING = 1.0+ LIBRARY_CLASS > = > TpmPlatformAuthLib+ CONSTRUCTOR = > TpmPlatformAuthLibContructor++[LibraryClasses]+ MemoryAllocationLib+ > BaseLib+ UefiBootServicesTableLib+ UefiDriverEntryPoint+ > UefiRuntimeServicesTableLib+ BaseMemoryLib+ DebugLib+ > Tpm2CommandLib+ Tpm2DeviceLib+ RngLib+ UefiLib++[Packages]+ > MdePkg/MdePkg.dec+ MdeModulePkg/MdeModulePkg.dec+ > SecurityPkg/SecurityPkg.dec+ CryptoPkg/CryptoPkg.dec++[Sources]+ > TpmPlatformAuthLib.c++[Protocols]+ > gEfiDxeSmmReadyToLockProtocolGuid ## SOMETIMES_CONSUMES ## > NOTIFY++[Guids]+ gEfiEventExitBootServicesGuid ## > SOMETIMES_CONSUMES ## Event++[Depex]+ gEfiTcg2ProtocolGuiddiff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c > index d0d88b2e..8fb5725c 100644 > --- > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. > +++ c > @@ -1,8 +1,8 @@ > /** @file- Platform specific TPM2 component.+ Platform specific TPM2 > component for configuring the Platform Hierarchy. -Copyright (c) 2017, Intel > Corporation. All rights reserved.<BR>-SPDX-License-Identifier: BSD-2-Clause- > Patent+ Copyright (c) 2017 - 2019, Intel Corporation. All rights > reserved.<BR>+ SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ - > 13,138 +13,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include <Library/UefiRuntimeServicesTableLib.h> #include > <Library/UefiBootServicesTableLib.h> #include > <Library/MemoryAllocationLib.h>-#include <Library/Tpm2CommandLib.h>- > #include <Library/RngLib.h> #include <Library/UefiLib.h>+#include > <Library/TpmPlatformAuthLib.h> #include > <Protocol/DxeSmmReadyToLock.h> -#define > MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE- /**- Generate > high-quality entropy source through RDRAND.-- @param[in] Length Size > of the buffer, in bytes, to fill with.- @param[out] Entropy Pointer > to the > buffer to store the entropy data.-- @retval EFI_SUCCESS Entropy > generation succeeded.- @retval EFI_NOT_READY Failed to request > random data.--**/-EFI_STATUS-EFIAPI-RdRandGenerateEntropy (- IN > UINTN Length,- OUT UINT8 *Entropy- )-{- EFI_STATUS Status;- > UINTN BlockCount;- UINT64 Seed[2];- UINT8 *Ptr;+ This > callback > function will run at the ReadyToLock event. - Status = EFI_NOT_READY;- > BlockCount = Length / 64;- Ptr = (UINT8 *)Entropy;-- //- // Generate high- > quality seed for DRBG Entropy- //- while (BlockCount > 0) {- Status = > GetRandomNumber128(Seed);- if (EFI_ERROR(Status)) {- return Status;- > }- CopyMem(Ptr, Seed, 64);-- BlockCount--;- Ptr = Ptr + 64;- }-- > //- // > Populate the remained data as request.- //- Status = > GetRandomNumber128(Seed);- if (EFI_ERROR(Status)) {- return Status;- }- > CopyMem(Ptr, Seed, (Length % 64));-- return Status;-}--/**- Set > PlatformAuth to random value.-**/-VOID-RandomizePlatformAuth (- VOID- > )-{- EFI_STATUS Status;- UINT16 > AuthSize;- > TPML_PCR_SELECTION Pcrs;- UINT32 > Index;- UINT8 > *Rand;- UINTN RandSize;- TPM2B_AUTH > NewPlatformAuth;-- //- // Send Tpm2HierarchyChange Auth with random > value to avoid PlatformAuth being null- //- ZeroMem(&Pcrs, > sizeof(TPML_PCR_SELECTION));- AuthSize = > MAX_NEW_AUTHORIZATION_SIZE;-- Status = > Tpm2GetCapabilityPcrs(&Pcrs);- if (EFI_ERROR(Status)) {- > DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));- } else {- for > (Index = 0; Index < Pcrs.count; Index++) {- switch > (Pcrs.pcrSelections[Index].hash) {- case TPM_ALG_SHA1:- AuthSize = > SHA1_DIGEST_SIZE;- break;- case TPM_ALG_SHA256:- AuthSize = > SHA256_DIGEST_SIZE;- break;- case TPM_ALG_SHA384:- > AuthSize = > SHA384_DIGEST_SIZE;- break;- case TPM_ALG_SHA512:- > AuthSize = > SHA512_DIGEST_SIZE;- break;- case TPM_ALG_SM3_256:- > AuthSize > = SM3_256_DIGEST_SIZE;- break;- }- }- }-- > ZeroMem(NewPlatformAuth.buffer, AuthSize);- NewPlatformAuth.size = > AuthSize;-- //- // Allocate one buffer to store random data.- //- > RandSize = > MAX_NEW_AUTHORIZATION_SIZE;- Rand = AllocatePool(RandSize);-- > RdRandGenerateEntropy(RandSize, Rand);- > CopyMem(NewPlatformAuth.buffer, Rand, AuthSize);-- FreePool(Rand);-- > //- // Send Tpm2HierarchyChangeAuth command with the new Auth value- > //- Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, > &NewPlatformAuth);- DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth > Result: - %r\n", Status));- ZeroMem(NewPlatformAuth.buffer, AuthSize);- > ZeroMem(Rand, RandSize);-}--/**- This is the Event call back function to > notify the Library the system is entering- run time phase.+ Configuration > of > the TPM's Platform Hierarchy Authorization Value (platformAuth)+ and > Platform Hierarchy Authorization Policy (platformPolicy) can be defined > through this function. @param Event Pointer to this event @param > Context Event hanlder private data@@ -172,22 +49,20 @@ > ReadyToLockEventCallBack ( > return ; } - //- // Send Tpm2HierarchyChange Auth with random value > to > avoid PlatformAuth being null- //- RandomizePlatformAuth();+ > TpmPlatformAuthReadyToBootHandler (); gBS->CloseEvent (Event); } /**- > The driver's entry point.+ The driver's entry point. Will register a > function for > callback during ReadyToLock event to+ configure the TPM's platform > authorization. - @param[in] ImageHandle The firmware allocated handle for > the EFI image.- @param[in] SystemTable A pointer to the EFI System > Table.+ @param[in] ImageHandle The firmware allocated handle for the EFI > image.+ @param[in] SystemTable A pointer to the EFI System Table. - > @retval EFI_SUCCESS The entry point is executed successfully.- @retval > other Some error occurs when executing this entry point.+ @retval > EFI_SUCCESS The entry point is executed successfully.+ @retval other > Some error occurs when executing this entry point. **/ EFI_STATUS > EFIAPI@@ -196,17 +71,19 @@ Tcg2PlatformDxeEntryPoint ( > IN EFI_SYSTEM_TABLE *SystemTable ) {- VOID > *Registration;- EFI_EVENT Event;+ VOID *Registration;+ > EFI_EVENT Event; - Event = EfiCreateProtocolNotifyEvent (+ Event = > EfiCreateProtocolNotifyEvent ( > &gEfiDxeSmmReadyToLockProtocolGuid, TPL_CALLBACK, > ReadyToLockEventCallBack, NULL, &Registration > );+ > ASSERT (Event != NULL); return EFI_SUCCESS; }+diff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.in > f > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.in > f > index e8ab5f35..921f7ac6 100644 > --- > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.in > f > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. > +++ inf > @@ -28,16 +28,14 @@ > UefiRuntimeServicesTableLib BaseMemoryLib DebugLib- > Tpm2CommandLib- Tpm2DeviceLib- RngLib UefiLib+ TpmPlatformAuthLib > [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec+ > MinPlatformPkg/MinPlatformPkg.dec SecurityPkg/SecurityPkg.dec- > CryptoPkg/CryptoPkg.dec [Sources] Tcg2PlatformDxe.cdiff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c > index 3a2d7d31..c52547e4 100644 > --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei. > +++ c > @@ -1,7 +1,8 @@ > /** @file+ Platform specific TPM2 component for configuring the Platform > Hierarchy. -Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>- > SPDX-License-Identifier: BSD-2-Clause-Patent+ Copyright (c) 2017 - 2019, > Intel Corporation. All rights reserved.<BR>+ SPDX-License-Identifier: > BSD-2- > Clause-Patent **/ @@ -72,52 +73,97 @@ RdRandGenerateEntropy ( > } /**- Set PlatformAuth to random value.+ This function returns the > maximum size of TPM2B_AUTH; this structure is used for an authorization > value+ and limits an authValue to being no larger than the largest digest > produced by a TPM.++ @param[out] AuthSize Tpm2 Auth size++ > @retval EFI_SUCCESS Auth size returned.+ @retval > EFI_DEVICE_ERROR Can not return platform auth due to device > error.+ > **/-VOID-RandomizePlatformAuth (- > VOID+EFI_STATUS+EFIAPI+GetAuthSize (+ OUT UINT16 *AuthSize ) {- > EFI_STATUS Status;- UINT16 > AuthSize;- > TPML_PCR_SELECTION Pcrs;- UINT32 > Index;- UINT8 > *Rand;- UINTN RandSize;- TPM2B_AUTH > NewPlatformAuth;+ EFI_STATUS Status;+ TPML_PCR_SELECTION > Pcrs;+ UINTN Index;+ UINT16 DigestSize; - > //- // Send > Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being > null- //- ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION));- AuthSize = > MAX_NEW_AUTHORIZATION_SIZE;+ Status = EFI_SUCCESS;++ while > (mAuthSize == 0) {++ mAuthSize = SHA1_DIGEST_SIZE;+ ZeroMem (&Pcrs, > sizeof (TPML_PCR_SELECTION));+ Status = Tpm2GetCapabilityPcrs > (&Pcrs);++ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, > "Tpm2GetCapabilityPcrs fail!\n"));+ break;+ }++ DEBUG > ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); - Status = > Tpm2GetCapabilityPcrs(&Pcrs);- if (EFI_ERROR(Status)) {- > DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));- } else { for > (Index = 0; Index < Pcrs.count; Index++) {+ DEBUG ((DEBUG_ERROR, "alg - > %x\n", Pcrs.pcrSelections[Index].hash));+ switch > (Pcrs.pcrSelections[Index].hash) { case TPM_ALG_SHA1:- AuthSize = > SHA1_DIGEST_SIZE;+ DigestSize = SHA1_DIGEST_SIZE; break; > case > TPM_ALG_SHA256:- AuthSize = SHA256_DIGEST_SIZE;+ DigestSize = > SHA256_DIGEST_SIZE; break; case TPM_ALG_SHA384:- > AuthSize = > SHA384_DIGEST_SIZE;+ DigestSize = SHA384_DIGEST_SIZE; break; > case TPM_ALG_SHA512:- AuthSize = SHA512_DIGEST_SIZE;+ > DigestSize = SHA512_DIGEST_SIZE; break; case TPM_ALG_SM3_256:- > AuthSize = SM3_256_DIGEST_SIZE;+ DigestSize = > SM3_256_DIGEST_SIZE;+ break;+ default:+ DigestSize = > SHA1_DIGEST_SIZE; break; }++ if (DigestSize > mAuthSize) {+ > mAuthSize = DigestSize;+ } }+ break; } + *AuthSize = > mAuthSize;+ > return Status;+}++/**+ Set PlatformAuth to random > value.+**/+VOID+RandomizePlatformAuth (+ VOID+ )+{+ EFI_STATUS > Status;+ UINT16 AuthSize;+ UINT32 > Index;+ > UINT8 *Rand;+ UINTN > RandSize;+ TPM2B_AUTH > NewPlatformAuth;++ //+ // Send Tpm2HierarchyChange Auth with random > value to avoid PlatformAuth being null+ //++ GetAuthSize (&AuthSize);+ > ZeroMem(NewPlatformAuth.buffer, AuthSize); NewPlatformAuth.size = > AuthSize; -- > 2.22.0.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#50389): https://edk2.groups.io/g/devel/message/50389 Mute This Topic: https://groups.io/mt/52588899/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-