Re: [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib


Yao, Jiewen
 

Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066

Thank you

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret
Barkelew
Sent: Thursday, October 14, 2021 1:33 AM
To: devel@edk2.groups.io
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib

Used to provision and maintain certain HW-defined NV spaces.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994

Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
---
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
++++++++++++++++++++
SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
2 files changed, 144 insertions(+)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 87572de20164..275cb1683f51 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)

#define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)



+#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)

+

#define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)

#define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)

#define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)

@@ -74,6 +76,20 @@ typedef struct {
TPMS_AUTH_RESPONSE AuthSession;

} TPM2_NV_UNDEFINESPACE_RESPONSE;



+typedef struct {

+ TPM2_COMMAND_HEADER Header;

+ TPMI_RH_NV_INDEX NvIndex;

+ TPMI_RH_PLATFORM Platform;

+ UINT32 AuthSessionSize;

+ TPMS_AUTH_COMMAND AuthSession;

+} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;

+

+typedef struct {

+ TPM2_RESPONSE_HEADER Header;

+ UINT32 AuthSessionSize;

+ TPMS_AUTH_RESPONSE AuthSession;

+} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;

+

typedef struct {

TPM2_COMMAND_HEADER Header;

TPMI_RH_NV_AUTH AuthHandle;

@@ -506,6 +522,112 @@ Done:
return Status;

}



+/**

+ This command allows removal of a platform-created NV Index that has
TPMA_NV_POLICY_DELETE SET.

+

+ @param[in] NvIndex The NV Index.

+ @param[in] IndexAuthSession Auth session context for the Index
auth/policy

+ @param[in] PlatAuthSession Auth session context for the Platform
auth/policy

+

+ @retval EFI_SUCCESS Operation completed successfully.

+ @retval EFI_NOT_FOUND The command was returned successfully, but
NvIndex is not found.

+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
through this call.

+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
policy session.

+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.

+ @retval EFI_DEVICE_ERROR The command was unsuccessful.

+**/

+EFI_STATUS

+EFIAPI

+Tpm2NvUndefineSpaceSpecial (

+ IN TPMI_RH_NV_INDEX NvIndex,

+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,

+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL

+ )

+{

+ EFI_STATUS Status;

+ TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;

+ TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;

+ UINT32 SendBufferSize;

+ UINT32 RecvBufferSize;

+ UINT8 *Buffer;

+ UINT32 IndexAuthSize, PlatAuthSize;

+ TPM_RC ResponseCode;

+

+ //

+ // Construct command

+ //

+ SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);

+ SendBuffer.Header.commandCode =
SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);

+

+ SendBuffer.NvIndex = SwapBytes32 (NvIndex);

+ SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);

+

+ //

+ // Marshall the Auth Sessions for the two handles.

+ Buffer = (UINT8 *)&SendBuffer.AuthSession;

+ // IndexAuthSession

+ IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);

+ Buffer += IndexAuthSize;

+ // PlatAuthSession

+ PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);

+ Buffer += PlatAuthSize;

+ // AuthSessionSize

+ SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);

+

+ // Update total command size.

+ SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);

+ SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);

+

+ //

+ // send Tpm command

+ //

+ RecvBufferSize = sizeof (RecvBuffer);

+ Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
&RecvBufferSize, (UINT8 *)&RecvBuffer);

+ if (EFI_ERROR (Status)) {

+ goto Done;

+ }

+

+ if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {

+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
Error - %x\n", RecvBufferSize));

+ Status = EFI_DEVICE_ERROR;

+ goto Done;

+ }

+

+ ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);

+ if (ResponseCode != TPM_RC_SUCCESS) {

+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
%x\n", SwapBytes32(RecvBuffer.Header.responseCode)));

+ }

+ switch (ResponseCode) {

+ case TPM_RC_SUCCESS:

+ // return data

+ break;

+ case TPM_RC_ATTRIBUTES:

+ case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:

+ Status = EFI_UNSUPPORTED;

+ break;

+ case TPM_RC_NV_AUTHORIZATION:

+ Status = EFI_SECURITY_VIOLATION;

+ break;

+ case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
TPM_RC_NV_DEFINED:

+ Status = EFI_NOT_FOUND;

+ break;

+ case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:

+ Status = EFI_INVALID_PARAMETER;

+ break;

+ default:

+ Status = EFI_DEVICE_ERROR;

+ break;

+ }

+

+Done:

+ //

+ // Clear AuthSession Content

+ //

+ ZeroMem (&SendBuffer, sizeof(SendBuffer));

+ ZeroMem (&RecvBuffer, sizeof(RecvBuffer));

+ return Status;

+}

+

/**

This command reads a value from an area in NV memory previously defined by
TPM2_NV_DefineSpace().



diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
b/SecurityPkg/Include/Library/Tpm2CommandLib.h
index ee8eb622951c..92967662ce96 100644
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
@@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL

);



+/**

+ This command allows removal of a platform-created NV Index that has
TPMA_NV_POLICY_DELETE SET.

+

+ @param[in] NvIndex The NV Index.

+ @param[in] IndexAuthSession Auth session context for the Index
auth/policy

+ @param[in] PlatAuthSession Auth session context for the Platform
auth/policy

+

+ @retval EFI_SUCCESS Operation completed successfully.

+ @retval EFI_NOT_FOUND The command was returned successfully, but
NvIndex is not found.

+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
through this call.

+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
policy session.

+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.

+ @retval EFI_DEVICE_ERROR The command was unsuccessful.

+**/

+EFI_STATUS

+EFIAPI

+Tpm2NvUndefineSpaceSpecial (

+ IN TPMI_RH_NV_INDEX NvIndex,

+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,

+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL

+ );

+

/**

This command reads a value from an area in NV memory previously defined by
TPM2_NV_DefineSpace().



--
2.31.1.windows.1



-=-=-=-=-=-=
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
Mute This Topic: https://groups.io/mt/86293842/1772286
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com]
-=-=-=-=-=-=

Join devel@edk2.groups.io to automatically receive all group messages.