[RFC PATCH 1/7] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms


Stefan Berger <stefanb@...>
 

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
.../Include/Library/TpmPlatformHierarchyLib.h | 27 ++
.../PeiDxeTpmPlatformHierarchyLib.c | 266 ++++++++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++
3 files changed, 338 insertions(+)
create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDx=
eTpmPlatformHierarchyLib.c
create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDx=
eTpmPlatformHierarchyLib.inf

diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/Securi=
tyPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 0000000000..a872fa09dc
--- /dev/null
+++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -0,0 +1,27 @@
+/** @file=0D
+ TPM Platform Hierarchy configuration library.=0D
+=0D
+ This library provides functions for customizing the TPM's Platform Hie=
rarchy=0D
+ Authorization Value (platformAuth) and Platform Hierarchy Authorizatio=
n=0D
+ Policy (platformPolicy) can be defined through this function.=0D
+=0D
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) Microsoft Corporation.<BR>=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_=0D
+#define _TPM_PLATFORM_HIERARCHY_LIB_H_=0D
+=0D
+/**=0D
+ This service will perform the TPM Platform Hierarchy configuration at t=
he SmmReadyToLock event.=0D
+=0D
+**/=0D
+VOID=0D
+EFIAPI=0D
+ConfigureTpmPlatformHierarchy (=0D
+ VOID=0D
+ );=0D
+=0D
+#endif=0D
diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPla=
tformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/Pei=
DxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..9812ab99ab
--- /dev/null
+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHi=
erarchyLib.c
@@ -0,0 +1,266 @@
+/** @file=0D
+ TPM Platform Hierarchy configuration library.=0D
+=0D
+ This library provides functions for customizing the TPM's Platform Hie=
rarchy=0D
+ Authorization Value (platformAuth) and Platform Hierarchy Authorizatio=
n=0D
+ Policy (platformPolicy) can be defined through this function.=0D
+=0D
+ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>=0D
+ Copyright (c) Microsoft Corporation.<BR>=0D
+ SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+ @par Specification Reference:=0D
+ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-g=
uidance/=0D
+**/=0D
+=0D
+#include <Uefi.h>=0D
+=0D
+#include <Library/BaseMemoryLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/MemoryAllocationLib.h>=0D
+#include <Library/PcdLib.h>=0D
+#include <Library/RngLib.h>=0D
+#include <Library/Tpm2CommandLib.h>=0D
+#include <Library/Tpm2DeviceLib.h>=0D
+=0D
+//=0D
+// The authorization value may be no larger than the digest produced by th=
e hash=0D
+// algorithm used for context integrity.=0D
+//=0D
+#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE=0D
+=0D
+UINT16 mAuthSize;=0D
+=0D
+/**=0D
+ Generate high-quality entropy source through RDRAND.=0D
+=0D
+ @param[in] Length Size of the buffer, in bytes, to fill with.=0D
+ @param[out] Entropy Pointer to the buffer to store the entropy da=
ta.=0D
+=0D
+ @retval EFI_SUCCESS Entropy generation succeeded.=0D
+ @retval EFI_NOT_READY Failed to request random data.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RdRandGenerateEntropy (=0D
+ IN UINTN Length,=0D
+ OUT UINT8 *Entropy=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ UINTN BlockCount;=0D
+ UINT64 Seed[2];=0D
+ UINT8 *Ptr;=0D
+=0D
+ Status =3D EFI_NOT_READY;=0D
+ BlockCount =3D Length / 64;=0D
+ Ptr =3D (UINT8 *)Entropy;=0D
+=0D
+ //=0D
+ // Generate high-quality seed for DRBG Entropy=0D
+ //=0D
+ while (BlockCount > 0) {=0D
+ Status =3D GetRandomNumber128 (Seed);=0D
+ if (EFI_ERROR (Status)) {=0D
+ return Status;=0D
+ }=0D
+ CopyMem (Ptr, Seed, 64);=0D
+=0D
+ BlockCount--;=0D
+ Ptr =3D Ptr + 64;=0D
+ }=0D
+=0D
+ //=0D
+ // Populate the remained data as request.=0D
+ //=0D
+ Status =3D GetRandomNumber128 (Seed);=0D
+ if (EFI_ERROR (Status)) {=0D
+ return Status;=0D
+ }=0D
+ CopyMem (Ptr, Seed, (Length % 64));=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+/**=0D
+ This function returns the maximum size of TPM2B_AUTH; this structure is =
used for an authorization value=0D
+ and limits an authValue to being no larger than the largest digest produ=
ced by a TPM.=0D
+=0D
+ @param[out] AuthSize Tpm2 Auth size=0D
+=0D
+ @retval EFI_SUCCESS Auth size returned.=0D
+ @retval EFI_DEVICE_ERROR Can not return platform auth due to=
device error.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+GetAuthSize (=0D
+ OUT UINT16 *AuthSize=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ TPML_PCR_SELECTION Pcrs;=0D
+ UINTN Index;=0D
+ UINT16 DigestSize;=0D
+=0D
+ Status =3D EFI_SUCCESS;=0D
+=0D
+ while (mAuthSize =3D=3D 0) {=0D
+=0D
+ mAuthSize =3D SHA1_DIGEST_SIZE;=0D
+ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));=0D
+ Status =3D Tpm2GetCapabilityPcrs (&Pcrs);=0D
+=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));=0D
+ break;=0D
+ }=0D
+=0D
+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));=0D
+=0D
+ for (Index =3D 0; Index < Pcrs.count; Index++) {=0D
+ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));=
=0D
+=0D
+ switch (Pcrs.pcrSelections[Index].hash) {=0D
+ case TPM_ALG_SHA1:=0D
+ DigestSize =3D SHA1_DIGEST_SIZE;=0D
+ break;=0D
+ case TPM_ALG_SHA256:=0D
+ DigestSize =3D SHA256_DIGEST_SIZE;=0D
+ break;=0D
+ case TPM_ALG_SHA384:=0D
+ DigestSize =3D SHA384_DIGEST_SIZE;=0D
+ break;=0D
+ case TPM_ALG_SHA512:=0D
+ DigestSize =3D SHA512_DIGEST_SIZE;=0D
+ break;=0D
+ case TPM_ALG_SM3_256:=0D
+ DigestSize =3D SM3_256_DIGEST_SIZE;=0D
+ break;=0D
+ default:=0D
+ DigestSize =3D SHA1_DIGEST_SIZE;=0D
+ break;=0D
+ }=0D
+=0D
+ if (DigestSize > mAuthSize) {=0D
+ mAuthSize =3D DigestSize;=0D
+ }=0D
+ }=0D
+ break;=0D
+ }=0D
+=0D
+ *AuthSize =3D mAuthSize;=0D
+ return Status;=0D
+}=0D
+=0D
+/**=0D
+ Set PlatformAuth to random value.=0D
+**/=0D
+VOID=0D
+RandomizePlatformAuth (=0D
+ VOID=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ UINT16 AuthSize;=0D
+ UINT8 *Rand;=0D
+ UINTN RandSize;=0D
+ TPM2B_AUTH NewPlatformAuth;=0D
+=0D
+ //=0D
+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth=
being null=0D
+ //=0D
+=0D
+ GetAuthSize (&AuthSize);=0D
+=0D
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);=0D
+ NewPlatformAuth.size =3D AuthSize;=0D
+=0D
+ //=0D
+ // Allocate one buffer to store random data.=0D
+ //=0D
+ RandSize =3D MAX_NEW_AUTHORIZATION_SIZE;=0D
+ Rand =3D AllocatePool (RandSize);=0D
+=0D
+ RdRandGenerateEntropy (RandSize, Rand);=0D
+ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);=0D
+=0D
+ FreePool (Rand);=0D
+=0D
+ //=0D
+ // Send Tpm2HierarchyChangeAuth command with the new Auth value=0D
+ //=0D
+ Status =3D Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformA=
uth);=0D
+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));=
=0D
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);=0D
+ ZeroMem (Rand, RandSize);=0D
+}=0D
+=0D
+/**=0D
+ Disable the TPM platform hierarchy.=0D
+=0D
+ @retval EFI_SUCCESS The TPM was disabled successfully.=0D
+ @retval Others An error occurred attempting to disable the =
TPM platform hierarchy.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+DisableTpmPlatformHierarchy (=0D
+ VOID=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+=0D
+ // Make sure that we have use of the TPM.=0D
+ Status =3D Tpm2RequestUseTpm ();=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiC=
allerBaseName, __FUNCTION__, Status));=0D
+ ASSERT_EFI_ERROR (Status);=0D
+ return Status;=0D
+ }=0D
+=0D
+ // Let's do what we can to shut down the hierarchies.=0D
+=0D
+ // Disable the PH NV.=0D
+ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TP=
M parts have=0D
+ // been known to store the EK cert in the PH NV. If we d=
isable it, the=0D
+ // EK cert will be unreadable.=0D
+=0D
+ // Disable the PH.=0D
+ Status =3D Tpm2HierarchyControl (=0D
+ TPM_RH_PLATFORM, // AuthHandle=0D
+ NULL, // AuthSession=0D
+ TPM_RH_PLATFORM, // Hierarchy=0D
+ NO // State=0D
+ );=0D
+ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH =3D %r\n", gEfiCallerBaseN=
ame, __FUNCTION__, Status));=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerB=
aseName, __FUNCTION__, Status));=0D
+ ASSERT_EFI_ERROR (Status);=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+/**=0D
+ This service defines the configuration of the Platform Hierarchy Author=
ization Value (platformAuth)=0D
+ and Platform Hierarchy Authorization Policy (platformPolicy)=0D
+=0D
+**/=0D
+VOID=0D
+EFIAPI=0D
+ConfigureTpmPlatformHierarchy (=0D
+ )=0D
+{=0D
+ if (PcdGetBool (PcdRandomizePlatformHierarchy)) {=0D
+ //=0D
+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAu=
th being null=0D
+ //=0D
+ RandomizePlatformAuth ();=0D
+ } else {=0D
+ //=0D
+ // Disable the hierarchy entirely (do not randomize it)=0D
+ //=0D
+ DisableTpmPlatformHierarchy ();=0D
+ }=0D
+}=0D
diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPla=
tformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/P=
eiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..b7a7fb0a08
--- /dev/null
+++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHi=
erarchyLib.inf
@@ -0,0 +1,45 @@
+### @file=0D
+#=0D
+# TPM Platform Hierarchy configuration library.=0D
+#=0D
+# This library provides functions for customizing the TPM's Platform Hie=
rarchy=0D
+# Authorization Value (platformAuth) and Platform Hierarchy Authorizatio=
n=0D
+# Policy (platformPolicy) can be defined through this function.=0D
+#=0D
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.<BR>=0D
+#=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+###=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010005=0D
+ BASE_NAME =3D PeiDxeTpmPlatformHierarchyLib=0D
+ FILE_GUID =3D 7794F92C-4E8E-4E57-9E4A-49A0764C7D73=
=0D
+ MODULE_TYPE =3D PEIM=0D
+ VERSION_STRING =3D 1.0=0D
+ LIBRARY_CLASS =3D TpmPlatformHierarchyLib|PEIM DXE_DRIV=
ER=0D
+=0D
+[LibraryClasses]=0D
+ BaseLib=0D
+ BaseMemoryLib=0D
+ DebugLib=0D
+ MemoryAllocationLib=0D
+ PcdLib=0D
+ RngLib=0D
+ Tpm2CommandLib=0D
+ Tpm2DeviceLib=0D
+=0D
+[Packages]=0D
+ MdePkg/MdePkg.dec=0D
+ MdeModulePkg/MdeModulePkg.dec=0D
+ SecurityPkg/SecurityPkg.dec=0D
+ CryptoPkg/CryptoPkg.dec=0D
+ MinPlatformPkg/MinPlatformPkg.dec=0D
+=0D
+[Sources]=0D
+ PeiDxeTpmPlatformHierarchyLib.c=0D
+=0D
+[Pcd]=0D
+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy=0D
--=20
2.31.1