Add TPM2 support defined in trusted computing group.

TCG EFI Protocol Specification for TPM Family 2.0 Revision 1.0 Version 9 at http://www.trustedcomputinggroup.org/resources/tcg_efi_protocol_specification
TCG Physical Presence Interface Specification Version 1.30, Revision 00.52 at http://www.trustedcomputinggroup.org/resources/tcg_physical_presence_interface_specification

Add Tcg2XXX, similar file/directory as TrEEXXX. Old TrEE driver/library can be deprecated.
1) Add Tcg2Pei/Dxe/Smm driver to log event and provide services.
2) Add Dxe/Pei/SmmTcg2PhysicalPresenceLib to support TCG PP.
3) Update Tpm2 library to use TCG2 protocol instead of TrEE protocol.

Tested on Win8/Win10 with Secure Boot enabled; PCR7 is reported as bound.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com>
Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18219 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Yao, Jiewen
2015-08-13 08:24:17 +00:00
committed by jyao1
parent 59b226d6d7
commit 1abfa4ce48
62 changed files with 9524 additions and 129 deletions


@@ -0,0 +1,25 @@
/** @file
GUIDs used as HII FormSet and HII Package list GUID in Tcg2Config driver.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available under
the terms and conditions of the BSD License that accompanies this distribution.
The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php.
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __TCG2_CONFIG_HII_GUID_H__
#define __TCG2_CONFIG_HII_GUID_H__
#define TCG2_CONFIG_FORM_SET_GUID \
{ \
0x6339d487, 0x26ba, 0x424b, { 0x9a, 0x5d, 0x68, 0x7e, 0x25, 0xd7, 0x40, 0xbc } \
}
extern EFI_GUID gTcg2ConfigFormSetGuid;
#endif


@@ -0,0 +1,47 @@
/** @file
Define the variable data structures used for TCG2 physical presence.
The TPM2 request from firmware or OS is saved to variable. And it is
cleared after it is processed in the next boot cycle. The TPM2 response
is saved to variable.
Copyright (c) 2015, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __TCG2_PHYSICAL_PRESENCE_DATA_GUID_H__
#define __TCG2_PHYSICAL_PRESENCE_DATA_GUID_H__
#define EFI_TCG2_PHYSICAL_PRESENCE_DATA_GUID \
{ \
0xaeb9c5c1, 0x94f1, 0x4d02, { 0xbf, 0xd9, 0x46, 0x2, 0xdb, 0x2d, 0x3c, 0x54 } \
}
#define TCG2_PHYSICAL_PRESENCE_VARIABLE L"Tcg2PhysicalPresence"
typedef struct {
UINT8 PPRequest; ///< Physical Presence request command.
UINT32 PPRequestParameter; ///< Physical Presence request Parameter.
UINT8 LastPPRequest;
UINT32 PPResponse;
} EFI_TCG2_PHYSICAL_PRESENCE;
//
// This variable is used to save TCG2 Management Flags and corresponding operations.
// It should be protected from malicious software (e.g. Set it as read-only variable).
//
#define TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE L"Tcg2PhysicalPresenceFlags"
typedef struct {
UINT32 PPFlags;
} EFI_TCG2_PHYSICAL_PRESENCE_FLAGS;
extern EFI_GUID gEfiTcg2PhysicalPresenceGuid;
#endif
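Review bot: `PPRequest` in `EFI_TCG2_PHYSICAL_PRESENCE` is a UINT8, while the request reaches firmware from the OS as a UINT32 (`OperationRequest` in the Tcg2PhysicalPresenceLib runtime entry points), so whatever stores it must reject values above 0xFF before narrowing — otherwise an OS-submitted 0x105 would be persisted as operation 5, a different and valid request that the boot-time consumer would then act on. The storing code is not in this chunk, but the header is the place to state the invariant: `UINT8 PPRequest; ///< Physical Presence request command (0..255); the submitter must reject larger values, never truncate.` `LastPPRequest` and `PPResponse` carry no comment at all; suggest `///< Most recent request processed by firmware` and `///< Response code for LastPPRequest, returned to the OS`. The note on `Tcg2PhysicalPresenceFlags` rightly asks for it to be read-only to the OS; it would help to add that the lock must be in place before any OS code can run, since the request variable itself is OS-writable by design and is the only thing that should be.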


@@ -1,5 +1,5 @@
/** @file
Defines the HOB GUID used to pass a TCG_PCR_EVENT from a TPM PEIM to
Defines the HOB GUID used to pass a TCG_PCR_EVENT or TCG_PCR_EVENT2 from a TPM PEIM to
a TPM DXE Driver. A GUIDed HOB is generated for each measurement
made in the PEI Phase.
@@ -27,6 +27,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
extern EFI_GUID gTcgEventEntryHobGuid;
#define EFI_TCG_EVENT2_HOB_GUID \
{ \
0xd26c221e, 0x2430, 0x4c8a, { 0x91, 0x70, 0x3f, 0xcb, 0x45, 0x0, 0x41, 0x3f } \
}
extern EFI_GUID gTcgEvent2EntryHobGuid;
///
/// The Global ID of a GUIDed HOB used to record TPM device error.
///
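Review bot: The new `EFI_TCG_EVENT2_HOB_GUID` has no `///` description, unlike the neighbouring HOB GUIDs in this file (see `/// The Global ID of a GUIDed HOB used to record TPM device error.` just below it); add `/// The Global ID of a GUIDed HOB used to pass a TCG_PCR_EVENT2 from a TPM PEIM to a TPM DXE driver.` above the define. Because a TCG_PCR_EVENT2 carries a variable-length digest list and event data, the DXE consumer presumably walks those lengths when it copies the event into the log; it is worth stating here that each HOB holds exactly one event and that the consumer must check the parsed event size against the HOB's data length before logging it, since that consumer is not visible in this chunk.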


@@ -0,0 +1,160 @@
/** @file
Ihis library is intended to be used by BDS modules.
This library will execute TPM2 request.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _TCG2_PHYSICAL_PRESENCE_LIB_H_
#define _TCG2_PHYSICAL_PRESENCE_LIB_H_
#include <IndustryStandard/Tpm20.h>
#include <IndustryStandard/TcgPhysicalPresence.h>
#include <Protocol/Tcg2Protocol.h>
//
// UEFI TCG2 library definition bit of the BIOS TPM Management Flags
//
// BIT0 is reserved
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CLEAR BIT1
// BIT2 is reserved
#define TCG2_LIB_PP_FLAG_RESET_TRACK BIT3
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_TURN_ON BIT4
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_TURN_OFF BIT5
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS BIT6
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS BIT7
//
// UEFI TCG2 library definition bit of the BIOS Information Flags
//
#define TCG2_BIOS_INFORMATION_FLAG_HIERACHY_CONTROL_STORAGE_DISABLE BIT8
#define TCG2_BIOS_INFORMATION_FLAG_HIERACHY_CONTROL_ENDORSEMENT_DISABLE BIT9
//
// UEFI TCG2 library definition bit of the BIOS Storage Management Flags
//
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID BIT16
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID BIT17
//
// Default value
//
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT (TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_TURN_OFF | \
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CLEAR | \
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS | \
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS)
/**
Check and execute the pending TPM request.
The TPM request may come from OS or BIOS. This API will display request information and wait
for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
the TPM request is confirmed, and one or more reset may be required to make TPM request to
take effect.
This API should be invoked after console in and console out are all ready as they are required
to display request information and get user input to confirm the request.
@param PlatformAuth platform auth value. NULL means no platform auth change.
**/
VOID
EFIAPI
Tcg2PhysicalPresenceLibProcessRequest (
IN TPM2B_AUTH *PlatformAuth OPTIONAL
);
/**
Check if the pending TPM request needs user input to confirm.
The TPM request may come from OS. This API will check if TPM request exists and need user
input to confirmation.
@retval TRUE TPM needs input to confirm user physical presence.
@retval FALSE TPM doesn't need input to confirm user physical presence.
**/
BOOLEAN
EFIAPI
Tcg2PhysicalPresenceLibNeedUserConfirm (
VOID
);
/**
Return TPM2 ManagementFlags set by PP interface.
@retval ManagementFlags TPM2 Management Flags.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibGetManagementFlags (
VOID
);
/**
The handler for TPM physical presence function:
Return TPM Operation Response to OS Environment.
This API should be invoked in OS runtime phase to interface with ACPI method.
@param[out] MostRecentRequest Most recent operation request.
@param[out] Response Response to the most recent operation request.
@return Return Code for Return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
OUT UINT32 *MostRecentRequest,
OUT UINT32 *Response
);
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] RequestParameter TPM physical presence operation request parameter.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
IN UINT32 OperationRequest,
IN UINT32 RequestParameter
);
/**
The handler for TPM physical presence function:
Get User Confirmation Status for Operation.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@return Return Code for Get User Confirmation Status for Operation.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
IN UINT32 OperationRequest
);
#endif
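Review bot: `Tcg2PhysicalPresenceLibProcessRequest` acts on the pending request that, per the PP data header, was saved to the `Tcg2PhysicalPresence` variable, and that variable is OS-writable by design, so its input is as untrusted as the three runtime entry points below it — yet only those carry the `Caution: This function may receive untrusted input.` line. Add the same caution to this function and spell out what an implementation must do: check that the variable's returned size equals `sizeof (EFI_TCG2_PHYSICAL_PRESENCE)` and treat an unrecognised `PPRequest` as a no-op with the spec's unimplemented-operation response instead of acting on it. `TCG2_LIB_PP_FLAG_RESET_TRACK` (BIT3) is library-internal state yet shares the word returned by `Tcg2PhysicalPresenceLibGetManagementFlags` and passed on to Tcg2PpVendorLib; a comment such as `// BIT3 is internal bookkeeping: never report it to the OS or let a request change it` would keep it from leaking through the flags read-back. Also `Ihis library` on the first line is a typo for `This library`.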


@@ -0,0 +1,129 @@
/** @file
Ihis library is to support TCG PC Client Platform Physical Presence Interface Specification
Family "2.0" part, >= 128 Vendor Specific PPI Operation.
The Vendor Specific PPI operation may change TPM state, BIOS TPM management
flags, and may need additional boot cycle.
Caution: This function may receive untrusted input.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _TCG2_PP_VENDOR_LIB_H_
#define _TCG2_PP_VENDOR_LIB_H_
#include <IndustryStandard/Tpm20.h>
#include <Protocol/Tcg2Protocol.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
/**
Check and execute the requested physical presence command.
This API should be invoked in BIOS boot phase to process pending request.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
@param[in] OperationRequest TPM physical presence operation request.
@param[in, out] ManagementFlags BIOS TPM Management Flags.
@param[out] ResetRequired If reset is required to vendor settings in effect.
True, it indicates the reset is required.
False, it indicates the reset is not required.
@return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
Tcg2PpVendorLibExecutePendingRequest (
IN TPM2B_AUTH *PlatformAuth, OPTIONAL
IN UINT32 OperationRequest,
IN OUT UINT32 *ManagementFlags,
OUT BOOLEAN *ResetRequired
);
/**
Check if there is a valid physical presence command request.
This API should be invoked in BIOS boot phase to process pending request.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@param[out] RequestConfirmed If the physical presence operation command required user confirm from UI.
True, it indicates the command doesn't require user confirm.
False, it indicates the command need user confirm from UI.
@retval TRUE Physical Presence operation command is valid.
@retval FALSE Physical Presence operation command is invalid.
**/
BOOLEAN
EFIAPI
Tcg2PpVendorLibHasValidRequest (
IN UINT32 OperationRequest,
IN UINT32 ManagementFlags,
OUT BOOLEAN *RequestConfirmed
);
/**
The callback for TPM vendor specific physical presence which is called for
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@param[in] RequestParameter Extra parameter from the passed package.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
EFIAPI
Tcg2PpVendorLibSubmitRequestToPreOSFunction (
IN UINT32 OperationRequest,
IN UINT32 ManagementFlags,
IN UINT32 RequestParameter
);
/**
The callback for TPM vendor specific physical presence which is called for
Get User Confirmation Status for Operation.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@return Return Code for Get User Confirmation Status for Operation.
**/
UINT32
EFIAPI
Tcg2PpVendorLibGetUserConfirmationStatusFunction (
IN UINT32 OperationRequest,
IN UINT32 ManagementFlags
);
#endif
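Review bot: Every entry point in this header pairs `Caution: This function may receive untrusted input.` with `If OperationRequest < 128, then ASSERT().`, and the two do not fit together: ASSERT is compiled out in RELEASE builds, so an out-of-range value simply reaches the vendor code, while in DEBUG builds an OS-supplied value turns an ACPI call into a firmware dead-loop. The contract should instead be that the caller (the Tcg2PhysicalPresenceLib dispatcher) guarantees the vendor range and that the vendor implementation still answers anything it does not recognise with the PPI unimplemented-operation code; e.g. replace the ASSERT line with `Callers pass only vendor-specific operations (128..255); out-of-range values are rejected by the caller, never trusted here.` Nothing in this header bounds the value above 255 either, although the request is persisted in the UINT8 `PPRequest` field of the PP data variable, so the caller's check must cover the upper end as well. `Ihis library` on the first line should read `This library`.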