diff options
| author | CoprDistGit <infra@openeuler.org> | 2023-10-30 11:56:48 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2023-10-30 11:56:48 +0000 |
| commit | 1dae37b163e1e08e719ac06fa86b3414b4ddfb2b (patch) | |
| tree | d6c29b92e733448b00701f46c85d08ecc4a5fbbb /0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch | |
| parent | 8a55803b9ffda4b5bd4f5bbb9767a617620266ae (diff) | |
automatic import of edk2openeuler22.03_LTS
Diffstat (limited to '0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch')
| -rw-r--r-- | 0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch | 378 |
1 files changed, 378 insertions, 0 deletions
diff --git a/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch new file mode 100644 index 0000000..0fce38a --- /dev/null +++ b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch @@ -0,0 +1,378 @@ +From 6642e762e1cedae30a08e28c456de2372bda7766 Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.vnet.ibm.com> +Date: Mon, 13 Sep 2021 22:20:57 +0800 +Subject: [PATCH 1/8] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c + from edk2-platforms + +Import PeiDxeTpmPlatformHierarchyLib from edk2-platforms without any +modifications. + +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> +--- + .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ + .../PeiDxeTpmPlatformHierarchyLib.c | 266 ++++++++++++++++++ + .../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++ + 3 files changed, 338 insertions(+) + create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + +diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +new file mode 100644 +index 0000000000..a872fa09dc +--- /dev/null ++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +@@ -0,0 +1,27 @@ ++/** @file
++ TPM Platform Hierarchy configuration library.
++
++ This library provides functions for customizing the TPM's Platform Hierarchy
++ Authorization Value (platformAuth) and Platform Hierarchy Authorization
++ Policy (platformPolicy) can be defined through this function.
++
++Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
++#define _TPM_PLATFORM_HIERARCHY_LIB_H_
++
++/**
++ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
++
++**/
++VOID
++EFIAPI
++ConfigureTpmPlatformHierarchy (
++ VOID
++ );
++
++#endif
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +new file mode 100644 +index 0000000000..9812ab99ab +--- /dev/null ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +@@ -0,0 +1,266 @@ ++/** @file
++ TPM Platform Hierarchy configuration library.
++
++ This library provides functions for customizing the TPM's Platform Hierarchy
++ Authorization Value (platformAuth) and Platform Hierarchy Authorization
++ Policy (platformPolicy) can be defined through this function.
++
++ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) Microsoft Corporation.<BR>
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++
++ @par Specification Reference:
++ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
++**/
++
++#include <Uefi.h>
++
++#include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/PcdLib.h>
++#include <Library/RngLib.h>
++#include <Library/Tpm2CommandLib.h>
++#include <Library/Tpm2DeviceLib.h>
++
++//
++// The authorization value may be no larger than the digest produced by the hash
++// algorithm used for context integrity.
++//
++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
++
++UINT16 mAuthSize;
++
++/**
++ Generate high-quality entropy source through RDRAND.
++
++ @param[in] Length Size of the buffer, in bytes, to fill with.
++ @param[out] Entropy Pointer to the buffer to store the entropy data.
++
++ @retval EFI_SUCCESS Entropy generation succeeded.
++ @retval EFI_NOT_READY Failed to request random data.
++
++**/
++EFI_STATUS
++EFIAPI
++RdRandGenerateEntropy (
++ IN UINTN Length,
++ OUT UINT8 *Entropy
++ )
++{
++ EFI_STATUS Status;
++ UINTN BlockCount;
++ UINT64 Seed[2];
++ UINT8 *Ptr;
++
++ Status = EFI_NOT_READY;
++ BlockCount = Length / 64;
++ Ptr = (UINT8 *)Entropy;
++
++ //
++ // Generate high-quality seed for DRBG Entropy
++ //
++ while (BlockCount > 0) {
++ Status = GetRandomNumber128 (Seed);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ CopyMem (Ptr, Seed, 64);
++
++ BlockCount--;
++ Ptr = Ptr + 64;
++ }
++
++ //
++ // Populate the remained data as request.
++ //
++ Status = GetRandomNumber128 (Seed);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ CopyMem (Ptr, Seed, (Length % 64));
++
++ return Status;
++}
++
++/**
++ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
++ and limits an authValue to being no larger than the largest digest produced by a TPM.
++
++ @param[out] AuthSize Tpm2 Auth size
++
++ @retval EFI_SUCCESS Auth size returned.
++ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error.
++
++**/
++EFI_STATUS
++EFIAPI
++GetAuthSize (
++ OUT UINT16 *AuthSize
++ )
++{
++ EFI_STATUS Status;
++ TPML_PCR_SELECTION Pcrs;
++ UINTN Index;
++ UINT16 DigestSize;
++
++ Status = EFI_SUCCESS;
++
++ while (mAuthSize == 0) {
++
++ mAuthSize = SHA1_DIGEST_SIZE;
++ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
++ Status = Tpm2GetCapabilityPcrs (&Pcrs);
++
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
++ break;
++ }
++
++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
++
++ for (Index = 0; Index < Pcrs.count; Index++) {
++ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
++
++ switch (Pcrs.pcrSelections[Index].hash) {
++ case TPM_ALG_SHA1:
++ DigestSize = SHA1_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA256:
++ DigestSize = SHA256_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA384:
++ DigestSize = SHA384_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA512:
++ DigestSize = SHA512_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SM3_256:
++ DigestSize = SM3_256_DIGEST_SIZE;
++ break;
++ default:
++ DigestSize = SHA1_DIGEST_SIZE;
++ break;
++ }
++
++ if (DigestSize > mAuthSize) {
++ mAuthSize = DigestSize;
++ }
++ }
++ break;
++ }
++
++ *AuthSize = mAuthSize;
++ return Status;
++}
++
++/**
++ Set PlatformAuth to random value.
++**/
++VOID
++RandomizePlatformAuth (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINT16 AuthSize;
++ UINT8 *Rand;
++ UINTN RandSize;
++ TPM2B_AUTH NewPlatformAuth;
++
++ //
++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
++ //
++
++ GetAuthSize (&AuthSize);
++
++ ZeroMem (NewPlatformAuth.buffer, AuthSize);
++ NewPlatformAuth.size = AuthSize;
++
++ //
++ // Allocate one buffer to store random data.
++ //
++ RandSize = MAX_NEW_AUTHORIZATION_SIZE;
++ Rand = AllocatePool (RandSize);
++
++ RdRandGenerateEntropy (RandSize, Rand);
++ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
++
++ FreePool (Rand);
++
++ //
++ // Send Tpm2HierarchyChangeAuth command with the new Auth value
++ //
++ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
++ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
++ ZeroMem (NewPlatformAuth.buffer, AuthSize);
++ ZeroMem (Rand, RandSize);
++}
++
++/**
++ Disable the TPM platform hierarchy.
++
++ @retval EFI_SUCCESS The TPM was disabled successfully.
++ @retval Others An error occurred attempting to disable the TPM platform hierarchy.
++
++**/
++EFI_STATUS
++DisableTpmPlatformHierarchy (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++
++ // Make sure that we have use of the TPM.
++ Status = Tpm2RequestUseTpm ();
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ ASSERT_EFI_ERROR (Status);
++ return Status;
++ }
++
++ // Let's do what we can to shut down the hierarchies.
++
++ // Disable the PH NV.
++ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have
++ // been known to store the EK cert in the PH NV. If we disable it, the
++ // EK cert will be unreadable.
++
++ // Disable the PH.
++ Status = Tpm2HierarchyControl (
++ TPM_RH_PLATFORM, // AuthHandle
++ NULL, // AuthSession
++ TPM_RH_PLATFORM, // Hierarchy
++ NO // State
++ );
++ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ ASSERT_EFI_ERROR (Status);
++ }
++
++ return Status;
++}
++
++/**
++ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
++ and Platform Hierarchy Authorization Policy (platformPolicy)
++
++**/
++VOID
++EFIAPI
++ConfigureTpmPlatformHierarchy (
++ )
++{
++ if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
++ //
++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
++ //
++ RandomizePlatformAuth ();
++ } else {
++ //
++ // Disable the hierarchy entirely (do not randomize it)
++ //
++ DisableTpmPlatformHierarchy ();
++ }
++}
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +new file mode 100644 +index 0000000000..b7a7fb0a08 +--- /dev/null ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +@@ -0,0 +1,45 @@ ++### @file
++#
++# TPM Platform Hierarchy configuration library.
++#
++# This library provides functions for customizing the TPM's Platform Hierarchy
++# Authorization Value (platformAuth) and Platform Hierarchy Authorization
++# Policy (platformPolicy) can be defined through this function.
++#
++# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) Microsoft Corporation.<BR>
++#
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++###
++
++[Defines]
++ INF_VERSION = 0x00010005
++ BASE_NAME = PeiDxeTpmPlatformHierarchyLib
++ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
++ MODULE_TYPE = PEIM
++ VERSION_STRING = 1.0
++ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
++
++[LibraryClasses]
++ BaseLib
++ BaseMemoryLib
++ DebugLib
++ MemoryAllocationLib
++ PcdLib
++ RngLib
++ Tpm2CommandLib
++ Tpm2DeviceLib
++
++[Packages]
++ MdePkg/MdePkg.dec
++ MdeModulePkg/MdeModulePkg.dec
++ SecurityPkg/SecurityPkg.dec
++ CryptoPkg/CryptoPkg.dec
++ MinPlatformPkg/MinPlatformPkg.dec
++
++[Sources]
++ PeiDxeTpmPlatformHierarchyLib.c
++
++[Pcd]
++ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
+-- +2.27.0 + |