Hi Jiewen
You are right, use case 1 is about TPM2 Field Upgrade in UEFI BIOS environment.
In addition to the TPM2_SetPrimaryPolicy command, it would be good to have the
TPM2 commands that can be used to authorize the platformPolicy in a TPM_SE_POLICY
session. The minimum set of commands for platformPolicy authorization consists
of TPM2_StartAuthSession, TPM2_FlushContext, TPM2_PolicyCommandCode and
TPM2_PolicySecret. Nevertheless, the more policy commands are available (there
are 17 in the spec), the more advanced the platformPolicy can be.
Do you think it makes sense to also add the listed policy commands?
Thank you
Stefan
From: Yao, Jiewen [mailto:[email protected]]
Sent: Tuesday, November 18, 2014 4:39 PM
To: [email protected]
Subject: Re: [edk2] SecurityPkg: TPM2_SetPrimaryPolicy command
Hi Stefan
Thanks for the detailed info.
If I understand correctly, it is for TPM2 Field Upgrade in a UEFI BIOS
environment. A tool, as a UEFI application, will be developed to consume those
TPM2 commands. When an IHV releases a new TPM2 image, the OEM can run this tool to
update the TPM2 chip.
I think it makes sense to add TPM2_SetPrimaryPolicy() to reduce effort.
BTW: I guess TPM2_FieldUpgradeStart() and TPM2_FieldUpgradeData() are also
needed. Am I right?
Thank you
Yao Jiewen
From: [email protected]
Sent: Tuesday, November 18, 2014 9:56 PM
To: [email protected]
Subject: Re: [edk2] SecurityPkg: TPM2_SetPrimaryPolicy command
Hi Jiewen,
Thanks for your reply. I'll try to describe the 2 use cases briefly:
1 - Firmware upgrade:
platformPolicy authorizes firmware upgrade (see Part3, chapter 27.1). That
means OEM/BIOS (owner of platformPolicy) controls whether firmware can be
upgraded or not. OEM/BIOS needs to set a platformPolicy if it wants to (allow
someone to) upgrade firmware. OEM/BIOS can create the platformPolicy offline and
set it with the TPM2_SetPrimaryPolicy command. Next, someone needs to call
TPM2_StartAuthSession to start a TPM_SE_POLICY session and authorize it with
TPM2_Policy* commands according to platformPolicy. Then firmware upgrade can be
done based on the authorized policy session.
You can find more information in Part1, chapter 12.5 and Part3, chapter 27.1.
2 - Delegation:
Knowledge of platformAuth allows one to perform the following operations (see
Part1, chapter 13.3), amongst others:
- allocation of TPM NV memory
- PCR configuration
- control of the availability of any key hierarchies
- change of the PPS, SPS, and EPS and reset of associated authorization values
and policy
OEM/BIOS can delegate these rights to other entities (like TPM_RH_OWNER etc.)
by setting a corresponding platformPolicy with TPM2_SetPrimaryPolicy.
About additional missing commands:
From my point of view, TPM2_StartAuthSession and policy commands
(TPM2_PolicyCommandCode, TPM2_PolicySecret) would also be helpful for use case
1.
Thank you
Stefan
Part1:
http://www.trustedcomputinggroup.org/files/static_page_files/8C56AE3E-1A4B-B294-D0F43097156A55D8/TPM%20Rev%202.0%20Part%201%20-%20Architecture%2001.16.pdf
Part3:
http://www.trustedcomputinggroup.org/files/static_page_files/8C68ADA8-1A4B-B294-D0FC06D3773F7DAA/TPM%20Rev%202.0%20Part%203%20-%20Commands%2001.16-code.pdf
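The two use cases above come down to one thing: the OEM computes a policy digest offline, installs it as platformPolicy with TPM2_SetPrimaryPolicy, and later a TPM_SE_POLICY session has to replay the same policy commands in the same order to reach that digest. The following is an added example (not code from Tpm2CommandLib or from Stefan's mail) that shows both halves for one concrete policy: "an entity that proves ownerAuth via TPM2_PolicySecret may run TPM2_FieldUpgradeStart, and nothing else." It computes the digest with the policy-update formulas from Part 3 (PolicySecret, then PolicyCommandCode) and marshals the resulting TPM2_SetPrimaryPolicy command for TPM_RH_PLATFORM with a password session. The command codes, handles and tags are the TPM 2.0 constants; the helper names and the choice of SHA-256 and an empty policyRef are assumptions of this example.

```python
import hashlib
import struct

# TPM 2.0 constants (Part 2, Structures). Only the ones used here are listed.
TPM_ALG_SHA256 = 0x000B
TPM_ST_SESSIONS = 0x8002
TPM_RS_PW = 0x40000009           # password authorization session handle
TPM_RH_OWNER = 0x40000001
TPM_RH_PLATFORM = 0x4000000C
TPM_CC_SetPrimaryPolicy = 0x0000012E
TPM_CC_FieldUpgradeStart = 0x0000012F
TPM_CC_PolicySecret = 0x00000151
TPM_CC_PolicyCommandCode = 0x0000016C

SHA256_DIGEST_SIZE = 32


def policy_command_code(policy_digest: bytes, command_code: int) -> bytes:
    """Policy update for TPM2_PolicyCommandCode (Part 3, 23.11):
    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyCommandCode || code)."""
    return hashlib.sha256(
        policy_digest + struct.pack(">II", TPM_CC_PolicyCommandCode, command_code)
    ).digest()


def policy_secret(policy_digest: bytes, auth_handle: int, policy_ref: bytes = b"") -> bytes:
    """Policy update for TPM2_PolicySecret (Part 3, 23.4):
    policyDigest_new = H(policyDigest_old || TPM_CC_PolicySecret || authObject.Name || policyRef).
    For a permanent handle such as TPM_RH_OWNER the Name is the 4-byte handle itself."""
    name = struct.pack(">I", auth_handle)
    return hashlib.sha256(
        policy_digest + struct.pack(">I", TPM_CC_PolicySecret) + name + policy_ref
    ).digest()


def upgrade_policy_for_owner() -> bytes:
    """platformPolicy that lets whoever can satisfy ownerAuth run
    TPM2_FieldUpgradeStart. A policy session starts with an all-zero digest and
    must replay exactly this order: PolicySecret(TPM_RH_OWNER), then
    PolicyCommandCode(TPM_CC_FieldUpgradeStart)."""
    digest = bytes(SHA256_DIGEST_SIZE)
    digest = policy_secret(digest, TPM_RH_OWNER)
    digest = policy_command_code(digest, TPM_CC_FieldUpgradeStart)
    return digest


def tpm2b(data: bytes) -> bytes:
    """TPM2B_* encoding: 16-bit big-endian size followed by the buffer."""
    return struct.pack(">H", len(data)) + data


def marshal_set_primary_policy(auth_policy: bytes, platform_auth: bytes = b"") -> bytes:
    """Marshal TPM2_SetPrimaryPolicy (Part 3, 24.3) for TPM_RH_PLATFORM, authorized
    with a TPM_RS_PW session carrying platformAuth (empty here, as on a fresh TPM).
    Wire layout: tag | commandSize | commandCode | authHandle | authorizationSize |
    authorization area | authPolicy (TPM2B_DIGEST) | hashAlg."""
    # Authorization area: sessionHandle, nonce (TPM2B), sessionAttributes, hmac (TPM2B)
    auth_area = struct.pack(">I", TPM_RS_PW) + tpm2b(b"") + b"\x00" + tpm2b(platform_auth)
    body = (
        struct.pack(">I", TPM_RH_PLATFORM)
        + struct.pack(">I", len(auth_area))
        + auth_area
        + tpm2b(auth_policy)
        + struct.pack(">H", TPM_ALG_SHA256)
    )
    header_size = 10  # tag(2) + commandSize(4) + commandCode(4)
    header = struct.pack(">HII", TPM_ST_SESSIONS, header_size + len(body),
                         TPM_CC_SetPrimaryPolicy)
    return header + body


if __name__ == "__main__":
    policy = upgrade_policy_for_owner()
    print("platformPolicy (SHA-256):", policy.hex())
    print("TPM2_SetPrimaryPolicy:", marshal_set_primary_policy(policy).hex())
```

Two practical points follow from the code. First, because the digest is a hash chain, the policy session must issue the same policy commands in the same order as the offline computation, which is why TPM2_StartAuthSession and the TPM2_Policy* commands belong in the library next to TPM2_SetPrimaryPolicy. Second, TPM2_PolicySecret proves ownerAuth inside the session, so the OEM never has to hand platformAuth to the entity it delegates to; the platform hierarchy's own secret stays with the BIOS.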
-----Original Message-----
From: Yao, Jiewen [mailto:[email protected]]
Sent: Thursday, November 13, 2014 11:42 PM
To: [email protected]
Subject: Re: [edk2] SecurityPkg: TPM2_SetPrimaryPolicy command
Hi Stefan
I think it might be OK to add commands to Tpm2CommandLib, as long as there is
valid usage.
Would you please help to describe more of the whole picture for the 2 cases below?
E.g. Why and how does a TPM firmware upgrade use this command in BIOS? Why and how
does an OEM delegate the TPM_RH_PLATFORM role, and for which TPM command, as an example?
Do you think TPM2_SetPrimaryPolicy is the only missing command, or are there more
needed in the above 2 cases? Like TPM2_CreatePrimary?
Thank you
Yao Jiewen
-----Original Message-----
From: [email protected]
Sent: Friday, November 14, 2014 12:10 AM
To: [email protected]
Subject: [edk2] SecurityPkg: TPM2_SetPrimaryPolicy command
Hello!
Would it be possible to add the command TPM2_SetPrimaryPolicy to
Tpm2CommandLib? The command is required to set platformPolicy, and the use cases are:
* OEM/BIOS sets platformPolicy to authorize TPM firmware upgrade.
* OEM/BIOS delegates the TPM_RH_PLATFORM role for a specific TPM command.
For further information on the command please refer to chapter 24.3 in
http://www.trustedcomputinggroup.org/files/static_page_files/8C68ADA8-1A4B-B294-D0FC06D3773F7DAA/TPM%20Rev%202.0%20Part%203%20-%20Commands%2001.16-code.pdf.
Regards,
Stefan
Stefan Käser
Infineon Technologies AG
CCS TI SWT SW PC
Staff Engineer Software Development
Phone: +49 (0)821 25851 65
Fax: +49 (0)821 25851 40
[email protected]
***** VISIT US AT: http://www.infineon.com *****
Infineon Technologies AG
Chairman of the Supervisory Board: Wolfgang Mayrhuber
Management Board: Dr. Reinhard Ploss (CEO), Dominik Asam, Arunjai Mittal
Registered Office: Neubiberg
Commercial Register: München HRB 126492
This e-mail and any attachments are confidential. They are intended solely for
the attention and use of the named addressee(s). If you are not the named
addressee(s) you must not use, disclose, retain or reproduce all or any part of
the information contained in this e-mail or any attachments. Any unauthorized
use or disclosure may be unlawful. If you have received this e-mail by mistake,
please inform the sender immediately and delete it and all copies from your
system and destroy any hard copies of it.
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel