Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth


Stefan Berger
 


On 7/27/21 12:25 PM, Yao, Jiewen wrote:

Oops. Sorry for late response.

 

The code is NOT in EDKII, but EDKII-platform as example. https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg

 

We allow a platform having its own implementation. That is why it is NOT in EDKII.


How do edk2 and edk2-platform relate? Do we need to copy code from one to the other?

   Stefan


 

Thank you

Yao Jiewen

 

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret Barkelew via groups.io
Sent: Wednesday, July 28, 2021 12:11 AM
To: devel@edk2.groups.io; stefanb@...; Yao, Jiewen <jiewen.yao@...>; Jeremiah Cox <jerecox@...>; Michael Kubacki <Michael.Kubacki@...>
Cc: Marc-André Lureau <marcandre.lureau@...>
Subject: Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth

 

Adding @Jeremiah

 

Jeremiah, weren’t you or @Michael shopping this change to MinPlatform?

 

- Bret

 

From: Stefan Berger via groups.io
Sent: Monday, July 26, 2021 7:48 AM
To: Yao, Jiewen; devel@edk2.groups.io
Cc: Marc-André Lureau
Subject: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth

 

Hello!

   The TPM 2 code in EDK2 is missing an important call to
Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
password of that hierarchy and discard the password. See also specs
section 11:
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v22_02dec2020.pdf

"Platform Firmware MUST protect access to the Platform Hierarchy and
prevent access to the platform hierarchy by
non-manufacturer-controlled components."

I was wondering where we could put that call so it's invoked after the
user has possibly interacted with the menu and before passing control to
the next stage such as boot loader.

Regards,

   Stefan
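The step Stefan describes, as an added example that is not code from edk2 or edk2-platforms: marshal TPM2_HierarchyChangeAuth for TPM_RH_PLATFORM with a freshly generated newAuth under an (empty) password session, send it, and then wipe every copy of the value so nothing after firmware can authorize against the platform hierarchy. The constants are from the TPM 2.0 Library spec (Part 2); `rng_fn` and `submit_fn` are assumed placeholders for the platform's entropy source and TPM command transport (in edk2 that role is played by Tpm2CommandLib and Tpm2DeviceLib).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constants from the TPM 2.0 Library spec, Part 2 (Structures). */
#define TPM_ST_SESSIONS            0x8002u
#define TPM_CC_HierarchyChangeAuth 0x00000129u
#define TPM_RH_PLATFORM            0x4000000Cu
#define TPM_RS_PW                  0x40000009u
#define AUTH_LEN 32u  /* SHA-256 digest size; newAuth may not exceed the TPM's largest digest */

typedef void (*rng_fn)(uint8_t *buf, size_t len);           /* assumed: platform entropy source */
typedef int  (*submit_fn)(const uint8_t *cmd, size_t len);  /* assumed: TPM transport, 0 on success */

static uint8_t *put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return p + 2; }
static uint8_t *put32(uint8_t *p, uint32_t v) { return put16(put16(p, (uint16_t)(v >> 16)), (uint16_t)v); }
static void secure_zero(void *v, size_t n) { volatile uint8_t *p = v; while (n--) *p++ = 0; } /* wipe the compiler cannot elide */

/* Marshal TPM2_HierarchyChangeAuth(TPM_RH_PLATFORM, newAuth). The password session
 * carries the current platformAuth, which is empty after a TPM reset.
 * Returns the command length (29 + new_len), or 0 on bad input. */
size_t marshal_platform_change_auth(const uint8_t *new_auth, size_t new_len,
                                    uint8_t *cmd, size_t cap)
{
    if (new_len == 0 || new_len > 64 || cap < 29 + new_len) return 0;
    uint8_t *p = cmd;
    p = put16(p, TPM_ST_SESSIONS);            /* tag: authorization area present */
    p = put32(p, 0);                          /* commandSize, patched at the end */
    p = put32(p, TPM_CC_HierarchyChangeAuth); /* commandCode */
    p = put32(p, TPM_RH_PLATFORM);            /* authHandle */
    p = put32(p, 9);                          /* authorizationSize: one password session */
    p = put32(p, TPM_RS_PW);                  /* sessionHandle: password authorization */
    p = put16(p, 0); *p++ = 0; p = put16(p, 0); /* nonce.size, sessionAttributes, hmac.size (empty current auth) */
    p = put16(p, (uint16_t)new_len);          /* newAuth.size, followed by newAuth.buffer */
    memcpy(p, new_auth, new_len); p += new_len;
    put32(cmd + 2, (uint32_t)(p - cmd));
    return (size_t)(p - cmd);
}

/* Set platformAuth to a random value, send it, then discard every copy so nothing
 * that runs after firmware (boot loader, OS) can authorize against the platform hierarchy. */
int randomize_and_discard_platform_auth(rng_fn rng, submit_fn submit)
{
    uint8_t auth[AUTH_LEN], cmd[29 + AUTH_LEN];
    rng(auth, sizeof auth);
    size_t len = marshal_platform_change_auth(auth, sizeof auth, cmd, sizeof cmd);
    int rc = len ? submit(cmd, len) : -1;
    secure_zero(auth, sizeof auth); secure_zero(cmd, sizeof cmd); /* the password is never retained */
    return rc;
}
```

The call belongs at the point Stefan asks about: after setup-menu interaction is finished and before control leaves firmware, since any code that runs afterwards with an empty platformAuth could issue platform-hierarchy commands itself.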
