[edk2-platforms][PATCH v2 4/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add disable support


Michael Kubacki
 

From: Michael Kubacki <michael.kubacki@...>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3D3411

Adds a new PCD (PcdRandomizePlatformHierarchy) to MinPlatformPkg.dec
that allows a platform integrator to choose whether to randomize
or disable the TPM platform hierarchy. The current behavior to
randomize the platform hierachy is preserved in the default PCD
value. In the randomization case, the platform auth is randomized
and then it is "forgotten" to prevent future platform access.

The ConfigureTpmPlatformHierarchy() implementation is updated to
configure the TPM platform hierarchy based on the value of the
new PCD.

Co-authored-by: Jeremiah Cox <jerecox@...>
Cc: Chasel Chiu <chasel.chiu@...>
Cc: Nate DeSimone <nathaniel.l.desimone@...>
Cc: Liming Gao <gaoliming@...>
Cc: Eric Dong <eric.dong@...>
Signed-off-by: Michael Kubacki <michael.kubacki@...>
---
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/=
PeiDxeTpmPlatformHierarchyLib.c | 63 ++++++++++++++++++--
Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec =
| 1 +
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/=
PeiDxeTpmPlatformHierarchyLib.inf | 6 ++
3 files changed, 66 insertions(+), 4 deletions(-)

diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformH=
ierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformP=
kg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLi=
b.c
index fa590089f0a0..9812ab99abf5 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarch=
yLib/PeiDxeTpmPlatformHierarchyLib.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarch=
yLib/PeiDxeTpmPlatformHierarchyLib.c
@@ -6,6 +6,7 @@
Policy (platformPolicy) can be defined through this function.
=20
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
=20
@par Specification Reference:
@@ -17,8 +18,10 @@
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
+#include <Library/PcdLib.h>
#include <Library/RngLib.h>
#include <Library/Tpm2CommandLib.h>
+#include <Library/Tpm2DeviceLib.h>
=20
//
// The authorization value may be no larger than the digest produced by =
the hash
@@ -194,6 +197,51 @@ RandomizePlatformAuth (
ZeroMem (Rand, RandSize);
}
=20
+/**
+ Disable the TPM platform hierarchy.
+
+ @retval EFI_SUCCESS The TPM was disabled successfully.
+ @retval Others An error occurred attempting to disable th=
e TPM platform hierarchy.
+
+**/
+EFI_STATUS
+DisableTpmPlatformHierarchy (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ // Make sure that we have use of the TPM.
+ Status =3D Tpm2RequestUseTpm ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEf=
iCallerBaseName, __FUNCTION__, Status));
+ ASSERT_EFI_ERROR (Status);
+ return Status;
+ }
+
+ // Let's do what we can to shut down the hierarchies.
+
+ // Disable the PH NV.
+ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but =
TPM parts have
+ // been known to store the EK cert in the PH NV. If we=
disable it, the
+ // EK cert will be unreadable.
+
+ // Disable the PH.
+ Status =3D Tpm2HierarchyControl (
+ TPM_RH_PLATFORM, // AuthHandle
+ NULL, // AuthSession
+ TPM_RH_PLATFORM, // Hierarchy
+ NO // State
+ );
+ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH =3D %r\n", gEfiCallerBas=
eName, __FUNCTION__, Status));
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCalle=
rBaseName, __FUNCTION__, Status));
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
This service defines the configuration of the Platform Hierarchy Auth=
orization Value (platformAuth)
and Platform Hierarchy Authorization Policy (platformPolicy)
@@ -204,8 +252,15 @@ EFIAPI
ConfigureTpmPlatformHierarchy (
)
{
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAu=
th being null
- //
- RandomizePlatformAuth ();
+ if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
+ //
+ // Send Tpm2HierarchyChange Auth with random value to avoid Platform=
Auth being null
+ //
+ RandomizePlatformAuth ();
+ } else {
+ //
+ // Disable the hierarchy entirely (do not randomize it)
+ //
+ DisableTpmPlatformHierarchy ();
+ }
}
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/=
Intel/MinPlatformPkg/MinPlatformPkg.dec
index 947431470a1f..bcb42f0ef9e6 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
@@ -244,6 +244,7 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic=
, PcdsDynamicEx]
gMinPlatformPkgTokenSpaceGuid.PcdPciNoExtendedConfigSpace |FALSE|BO=
OLEAN|0x4001004C
gMinPlatformPkgTokenSpaceGuid.PcdPciResourceAssigned |FALSE|BO=
OLEAN|0x4001004D
gMinPlatformPkgTokenSpaceGuid.PcdPciSegmentCount |0x1 |=
UINT8|0x4001004E
+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy |TRUE |BO=
OLEAN|0x4001004F
=20
gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1AEventBlockAddress|0x1800|UINT=
16|0x00010035
gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1BEventBlockAddress|0x0000|UINT=
16|0x00010036
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformH=
ierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatfor=
mPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchy=
Lib.inf
index 7165cda31357..b7a7fb0a088d 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarch=
yLib/PeiDxeTpmPlatformHierarchyLib.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarch=
yLib/PeiDxeTpmPlatformHierarchyLib.inf
@@ -26,14 +26,20 @@ [LibraryClasses]
BaseMemoryLib
DebugLib
MemoryAllocationLib
+ PcdLib
RngLib
Tpm2CommandLib
+ Tpm2DeviceLib
=20
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec
+ MinPlatformPkg/MinPlatformPkg.dec
=20
[Sources]
PeiDxeTpmPlatformHierarchyLib.c
+
+[Pcd]
+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
--=20
2.28.0.windows.1

Join devel@edk2.groups.io to automatically receive all group messages.