[PATCH v1 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
Used to provision and maintain certain HW-defined NV spaces.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2994 Signed-off-by: Bret Barkelew <bret.barkelew@...> Cc: Jiewen Yao <jiewen.yao@...> Cc: Jian J Wang <jian.j.wang@...> Cc: Qi Zhang <qi1.zhang@...> Cc: Rahul Kumar <rahul1.kumar@...>
---
 SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122 +++++++++++++++++= +++
 SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
 2 files changed, 144 insertions(+)
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 87572de20164..7931fade9190 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)=0D
 #define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)=0D
 =0D
+#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)=0D
+=0D
 #define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)=0D
 #define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)=0D
 #define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)=0D
@@ -74,6 +76,20 @@ typedef struct {
 TPMS_AUTH_RESPONSE AuthSession;=0D
 } TPM2_NV_UNDEFINESPACE_RESPONSE;=0D
 =0D
+typedef struct {=0D
+ TPM2_COMMAND_HEADER Header;=0D
+ TPMI_RH_NV_INDEX NvIndex;=0D
+ TPMI_RH_PLATFORM Platform;=0D
+ UINT32 AuthSessionSize;=0D
+ TPMS_AUTH_COMMAND AuthSession;=0D
+} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;=0D
+=0D
+typedef struct {=0D
+ TPM2_RESPONSE_HEADER Header;=0D
+ UINT32 AuthSessionSize;=0D
+ TPMS_AUTH_RESPONSE AuthSession;=0D
+} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;=0D
+=0D
 typedef struct {=0D
 TPM2_COMMAND_HEADER Header;=0D
 TPMI_RH_NV_AUTH AuthHandle;=0D
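Review bot: TPM2_NV_UNDEFINESPACESPECIAL_COMMAND reserves room for exactly one TPMS_AUTH_COMMAND, but Tpm2NvUndefineSpaceSpecial in the next hunk marshals both IndexAuthSession and PlatAuthSession back to back starting at &SendBuffer.AuthSession, so as soon as the two encoded sessions together exceed sizeof (TPMS_AUTH_COMMAND) — a policy session carrying a full-size nonce and HMAC plus an HMAC session for the platform — the second CopyAuthSessionCommand writes past the end of the stack object. Size the command for two sessions, e.g. add `TPMS_AUTH_COMMAND    PlatAuthSession;` directly after `AuthSession` (the encoded authorization area is contiguous, so the sequential copy remains valid). The TPM also returns one authorization response per session, so TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE presumably needs a second `TPMS_AUTH_RESPONSE` member as well; otherwise RecvBufferSize = sizeof (RecvBuffer) may be too small for a two-session reply and the submit fails even though the index was removed.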
@@ -506,6 +522,112 @@ Done:
 return Status;=0D
 }=0D
 =0D
+/**=0D
+ This command removes an index from the TPM.=0D
+=0D
+ @param[in] NvIndex The NV Index.=0D
+ @param[in] IndexAuthSession Auth session context for the Index auth/= policy=0D
+ @param[in] PlatAuthSession Auth session context for the Platform au= th/policy=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully.=0D
+ @retval EFI_NOT_FOUND The command was returned successfully, b= ut NvIndex is not found.=0D
+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deleti= on through this call.=0D
+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current po= licy session.=0D
+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.=0D
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+Tpm2NvUndefineSpaceSpecial (=0D
+ IN TPMI_RH_NV_INDEX NvIndex,=0D
+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,=0D
+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;=0D
+ TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;=0D
+ UINT32 SendBufferSize;=0D
+ UINT32 RecvBufferSize;=0D
+ UINT8 *Buffer;=0D
+ UINT32 IndexAuthSize, PlatAuthSize;=0D
+ TPM_RC ResponseCode;=0D
+=0D
+ //=0D
+ // Construct command=0D
+ //=0D
+ SendBuffer.Header.tag =3D SwapBytes16(TPM_ST_SESSIONS);=0D
+ SendBuffer.Header.commandCode =3D SwapBytes32(TPM_CC_NV_UndefineSpaceSpe= cial);=0D
+=0D
+ SendBuffer.NvIndex =3D SwapBytes32 (NvIndex);=0D
+ SendBuffer.Platform =3D SwapBytes32 (TPM_RH_PLATFORM);=0D
+=0D
+ //=0D
+ // Marshall the Auth Sessions for the two handles.=0D
+ Buffer =3D (UINT8 *)&SendBuffer.AuthSession;=0D
+ // IndexAuthSession=0D
+ IndexAuthSize =3D CopyAuthSessionCommand (IndexAuthSession, Buffer);=0D
+ Buffer +=3D IndexAuthSize;=0D
+ // PlatAuthSession=0D
+ PlatAuthSize =3D CopyAuthSessionCommand (PlatAuthSession, Buffer);=0D
+ Buffer +=3D PlatAuthSize;=0D
+ // AuthSessionSize=0D
+ SendBuffer.AuthSessionSize =3D SwapBytes32(IndexAuthSize + PlatAuthSize)= ;=0D
+=0D
+ // Update total command size.=0D
+ SendBufferSize =3D (UINT32)(Buffer - (UINT8 *)&SendBuffer);=0D
+ SendBuffer.Header.paramSize =3D SwapBytes32 (SendBufferSize);=0D
+=0D
+ //=0D
+ // send Tpm command=0D
+ //=0D
+ RecvBufferSize =3D sizeof (RecvBuffer);=0D
+ Status =3D Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &Rec= vBufferSize, (UINT8 *)&RecvBuffer);=0D
+ if (EFI_ERROR (Status)) {=0D
+ goto Done;=0D
+ }=0D
+=0D
+ if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {=0D
+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize Erro= r - %x\n", RecvBufferSize));=0D
+ Status =3D EFI_DEVICE_ERROR;=0D
+ goto Done;=0D
+ }=0D
+=0D
+ ResponseCode =3D SwapBytes32(RecvBuffer.Header.responseCode);=0D
+ if (ResponseCode !=3D TPM_RC_SUCCESS) {=0D
+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode - %x\n= ", SwapBytes32(RecvBuffer.Header.responseCode)));=0D
+ }=0D
+ switch (ResponseCode) {=0D
+ case TPM_RC_SUCCESS:=0D
+ // return data=0D
+ break;=0D
+ case TPM_RC_ATTRIBUTES:=0D
+ case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:=0D
+ Status =3D EFI_UNSUPPORTED;=0D
+ break;=0D
+ case TPM_RC_NV_AUTHORIZATION:=0D
+ Status =3D EFI_SECURITY_VIOLATION;=0D
+ break;=0D
+ case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: // TPM_RC_NV_DE= FINED:=0D
+ Status =3D EFI_NOT_FOUND;=0D
+ break;=0D
+ case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:=0D
+ Status =3D EFI_INVALID_PARAMETER;=0D
+ break;=0D
+ default:=0D
+ Status =3D EFI_DEVICE_ERROR;=0D
+ break;=0D
+ }=0D
+=0D
+Done:=0D
+ //=0D
+ // Clear AuthSession Content=0D
+ //=0D
+ ZeroMem (&SendBuffer, sizeof(SendBuffer));=0D
+ ZeroMem (&RecvBuffer, sizeof(RecvBuffer));=0D
+ return Status;=0D
+} // Tpm2NvUndefineSpaceSpecial()=0D
+=0D
 /**=0D
 This command reads a value from an area in NV memory previously defined = by TPM2_NV_DefineSpace().=0D
 =0D
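Review bot: The `case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:` in the response switch uses the define for the plain UndefineSpace command, where nvIndex is handle 2; for this command nvIndex is handle 1 (RC_NV_UndefineSpaceSpecial_nvIndex, added earlier in this patch and used correctly by the TPM_RC_ATTRIBUTES and TPM_RC_HANDLE cases), so a TPM_RC_VALUE on the index currently falls through to default/EFI_DEVICE_ERROR instead of EFI_INVALID_PARAMETER — change it to `case TPM_RC_VALUE + RC_NV_UndefineSpaceSpecial_nvIndex:`. The session marshalling writes the second session at `Buffer += IndexAuthSize` with no bound: nothing guarantees IndexAuthSize + PlatAuthSize fits in the single SendBuffer.AuthSession member, so the command structure must be sized for two sessions, and a defensive `ASSERT (SendBufferSize <= sizeof (SendBuffer));` right after SendBufferSize is computed would at least catch a regression in debug builds. The `// TPM_RC_NV_DEFINED:` trailer on the TPM_RC_HANDLE case names a different return code and should be dropped or replaced with `// TPM reports a missing index as TPM_RC_HANDLE on handle 1 (nvIndex).`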
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Inc= lude/Library/Tpm2CommandLib.h
index ee8eb622951c..8d7b4998d98d 100644
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
@@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
 IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL=0D
 );=0D
 =0D
+/**=0D
+ This command removes an index from the TPM.=0D
+=0D
+ @param[in] NvIndex The NV Index.=0D
+ @param[in] IndexAuthSession Auth session context for the Index auth/= policy=0D
+ @param[in] PlatAuthSession Auth session context for the Platform au= th/policy=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully.=0D
+ @retval EFI_NOT_FOUND The command was returned successfully, b= ut NvIndex is not found.=0D
+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deleti= on through this call.=0D
+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current po= licy session.=0D
+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.=0D
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+Tpm2NvUndefineSpaceSpecial (=0D
+ IN TPMI_RH_NV_INDEX NvIndex,=0D
+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,=0D
+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL=0D
+ );=0D
+=0D
 /**=0D
 This command reads a value from an area in NV memory previously defined = by TPM2_NV_DefineSpace().=0D
 =0D
--=20
2.31.1.windows.1 |
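Review bot: The header declares both session parameters OPTIONAL, but per TPM 2.0 Library Part 3 NV_UndefineSpaceSpecial is only valid for an index defined with TPMA_NV_POLICY_DELETE and its nvIndex authorization must be a policy session, so a NULL IndexAuthSession — which the sibling functions in this library presumably turn into an empty password session — cannot succeed. State that requirement in the doc comment instead of implying NULL is acceptable, e.g. `@param[in] IndexAuthSession Policy session satisfying the index's policy (required; the index must have TPMA_NV_POLICY_DELETE set)` and `@param[in] PlatAuthSession Auth session for TPM_RH_PLATFORM (NULL for a password session)`. The "This command removes an index from the TPM." summary could likewise say it is the platform-only variant for policy-delete indices, since the implementation hard-codes TPM_RH_PLATFORM as the second handle.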