[PATCH v1 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib


Bret Barkelew
 

Used to provision and maintain certain HW-defined NV spaces.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2994

Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
---
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122 +++++++++++++++++=
+++
SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
2 files changed, 144 insertions(+)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityP=
kg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 87572de20164..7931fade9190 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)=0D
#define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)=0D
=0D
+#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)=0D
+=0D
#define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)=0D
#define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)=0D
#define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)=0D
@@ -74,6 +76,20 @@ typedef struct {
TPMS_AUTH_RESPONSE AuthSession;=0D
} TPM2_NV_UNDEFINESPACE_RESPONSE;=0D
=0D
+typedef struct {=0D
+ TPM2_COMMAND_HEADER Header;=0D
+ TPMI_RH_NV_INDEX NvIndex;=0D
+ TPMI_RH_PLATFORM Platform;=0D
+ UINT32 AuthSessionSize;=0D
+ TPMS_AUTH_COMMAND AuthSession;=0D
+} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;=0D
+=0D
+typedef struct {=0D
+ TPM2_RESPONSE_HEADER Header;=0D
+ UINT32 AuthSessionSize;=0D
+ TPMS_AUTH_RESPONSE AuthSession;=0D
+} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;=0D
+=0D
typedef struct {=0D
TPM2_COMMAND_HEADER Header;=0D
TPMI_RH_NV_AUTH AuthHandle;=0D
@@ -506,6 +522,112 @@ Done:
return Status;=0D
}=0D
=0D
+/**=0D
+ This command removes an index from the TPM.=0D
+=0D
+ @param[in] NvIndex The NV Index.=0D
+ @param[in] IndexAuthSession Auth session context for the Index auth/=
policy=0D
+ @param[in] PlatAuthSession Auth session context for the Platform au=
th/policy=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully.=0D
+ @retval EFI_NOT_FOUND The command was returned successfully, b=
ut NvIndex is not found.=0D
+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deleti=
on through this call.=0D
+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current po=
licy session.=0D
+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.=0D
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+Tpm2NvUndefineSpaceSpecial (=0D
+ IN TPMI_RH_NV_INDEX NvIndex,=0D
+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,=0D
+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;=0D
+ TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;=0D
+ UINT32 SendBufferSize;=0D
+ UINT32 RecvBufferSize;=0D
+ UINT8 *Buffer;=0D
+ UINT32 IndexAuthSize, PlatAuthSize;=0D
+ TPM_RC ResponseCode;=0D
+=0D
+ //=0D
+ // Construct command=0D
+ //=0D
+ SendBuffer.Header.tag =3D SwapBytes16(TPM_ST_SESSIONS);=0D
+ SendBuffer.Header.commandCode =3D SwapBytes32(TPM_CC_NV_UndefineSpaceSpe=
cial);=0D
+=0D
+ SendBuffer.NvIndex =3D SwapBytes32 (NvIndex);=0D
+ SendBuffer.Platform =3D SwapBytes32 (TPM_RH_PLATFORM);=0D
+=0D
+ //=0D
+ // Marshall the Auth Sessions for the two handles.=0D
+ Buffer =3D (UINT8 *)&SendBuffer.AuthSession;=0D
+ // IndexAuthSession=0D
+ IndexAuthSize =3D CopyAuthSessionCommand (IndexAuthSession, Buffer);=0D
+ Buffer +=3D IndexAuthSize;=0D
+ // PlatAuthSession=0D
+ PlatAuthSize =3D CopyAuthSessionCommand (PlatAuthSession, Buffer);=0D
+ Buffer +=3D PlatAuthSize;=0D
+ // AuthSessionSize=0D
+ SendBuffer.AuthSessionSize =3D SwapBytes32(IndexAuthSize + PlatAuthSize)=
;=0D
+=0D
+ // Update total command size.=0D
+ SendBufferSize =3D (UINT32)(Buffer - (UINT8 *)&SendBuffer);=0D
+ SendBuffer.Header.paramSize =3D SwapBytes32 (SendBufferSize);=0D
+=0D
+ //=0D
+ // send Tpm command=0D
+ //=0D
+ RecvBufferSize =3D sizeof (RecvBuffer);=0D
+ Status =3D Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &Rec=
vBufferSize, (UINT8 *)&RecvBuffer);=0D
+ if (EFI_ERROR (Status)) {=0D
+ goto Done;=0D
+ }=0D
+=0D
+ if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {=0D
+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize Erro=
r - %x\n", RecvBufferSize));=0D
+ Status =3D EFI_DEVICE_ERROR;=0D
+ goto Done;=0D
+ }=0D
+=0D
+ ResponseCode =3D SwapBytes32(RecvBuffer.Header.responseCode);=0D
+ if (ResponseCode !=3D TPM_RC_SUCCESS) {=0D
+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode - %x\n=
", SwapBytes32(RecvBuffer.Header.responseCode)));=0D
+ }=0D
+ switch (ResponseCode) {=0D
+ case TPM_RC_SUCCESS:=0D
+ // return data=0D
+ break;=0D
+ case TPM_RC_ATTRIBUTES:=0D
+ case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:=0D
+ Status =3D EFI_UNSUPPORTED;=0D
+ break;=0D
+ case TPM_RC_NV_AUTHORIZATION:=0D
+ Status =3D EFI_SECURITY_VIOLATION;=0D
+ break;=0D
+ case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: // TPM_RC_NV_DE=
FINED:=0D
+ Status =3D EFI_NOT_FOUND;=0D
+ break;=0D
+ case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:=0D
+ Status =3D EFI_INVALID_PARAMETER;=0D
+ break;=0D
+ default:=0D
+ Status =3D EFI_DEVICE_ERROR;=0D
+ break;=0D
+ }=0D
+=0D
+Done:=0D
+ //=0D
+ // Clear AuthSession Content=0D
+ //=0D
+ ZeroMem (&SendBuffer, sizeof(SendBuffer));=0D
+ ZeroMem (&RecvBuffer, sizeof(RecvBuffer));=0D
+ return Status;=0D
+} // Tpm2NvUndefineSpaceSpecial()=0D
+=0D
/**=0D
This command reads a value from an area in NV memory previously defined =
by TPM2_NV_DefineSpace().=0D
=0D
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Inc=
lude/Library/Tpm2CommandLib.h
index ee8eb622951c..8d7b4998d98d 100644
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
@@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL=0D
);=0D
=0D
+/**=0D
+ This command removes an index from the TPM.=0D
+=0D
+ @param[in] NvIndex The NV Index.=0D
+ @param[in] IndexAuthSession Auth session context for the Index auth/=
policy=0D
+ @param[in] PlatAuthSession Auth session context for the Platform au=
th/policy=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully.=0D
+ @retval EFI_NOT_FOUND The command was returned successfully, b=
ut NvIndex is not found.=0D
+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deleti=
on through this call.=0D
+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current po=
licy session.=0D
+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.=0D
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+Tpm2NvUndefineSpaceSpecial (=0D
+ IN TPMI_RH_NV_INDEX NvIndex,=0D
+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,=0D
+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL=0D
+ );=0D
+=0D
/**=0D
This command reads a value from an area in NV memory previously defined =
by TPM2_NV_DefineSpace().=0D
=0D
--=20
2.31.1.windows.1

Join devel@edk2.groups.io to automatically receive all group messages.