Add TPM2 support defined in trusted computing group.
TCG EFI Protocol Specification for TPM Family 2.0 Revision 1.0 Version 9 at http://www.trustedcomputinggroup.org/resources/tcg_efi_protocol_specification TCG Physical Presence Interface Specification Version 1.30, Revision 00.52 at http://www.trustedcomputinggroup.org/resources/tcg_physical_presence_interface_specification Add Tcg2XXX, similar file/directory as TrEEXXX. Old TrEE driver/library can be deprecated. 1) Add Tcg2Pei/Dxe/Smm driver to log event and provide services. 2) Add Dxe/Pei/SmmTcg2PhysicalPresenceLib to support TCG PP. 3) Update Tpm2 library to use TCG2 protocol instead of TrEE protocol. Test Win8/Win10 with SecureBoot enabled, PCR7 shows bound. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com> Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18219 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
25
SecurityPkg/Include/Guid/Tcg2ConfigHii.h
Normal file
25
SecurityPkg/Include/Guid/Tcg2ConfigHii.h
Normal file
@@ -0,0 +1,25 @@
|
||||
/** @file
|
||||
GUIDs used as HII FormSet and HII Package list GUID in Tcg2Config driver.
|
||||
|
||||
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
|
||||
This program and the accompanying materials are licensed and made available under
|
||||
the terms and conditions of the BSD License that accompanies this distribution.
|
||||
The full text of the license may be found at
|
||||
http://opensource.org/licenses/bsd-license.php.
|
||||
|
||||
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
|
||||
**/
|
||||
|
||||
#ifndef __TCG2_CONFIG_HII_GUID_H__
|
||||
#define __TCG2_CONFIG_HII_GUID_H__
|
||||
|
||||
#define TCG2_CONFIG_FORM_SET_GUID \
|
||||
{ \
|
||||
0x6339d487, 0x26ba, 0x424b, { 0x9a, 0x5d, 0x68, 0x7e, 0x25, 0xd7, 0x40, 0xbc } \
|
||||
}
|
||||
|
||||
extern EFI_GUID gTcg2ConfigFormSetGuid;
|
||||
|
||||
#endif
|
47
SecurityPkg/Include/Guid/Tcg2PhysicalPresenceData.h
Normal file
47
SecurityPkg/Include/Guid/Tcg2PhysicalPresenceData.h
Normal file
@@ -0,0 +1,47 @@
|
||||
/** @file
|
||||
Define the variable data structures used for TCG2 physical presence.
|
||||
The TPM2 request from firmware or OS is saved to variable. And it is
|
||||
cleared after it is processed in the next boot cycle. The TPM2 response
|
||||
is saved to variable.
|
||||
|
||||
Copyright (c) 2015, Intel Corporation. All rights reserved. <BR>
|
||||
This program and the accompanying materials
|
||||
are licensed and made available under the terms and conditions of the BSD License
|
||||
which accompanies this distribution. The full text of the license may be found at
|
||||
http://opensource.org/licenses/bsd-license.php
|
||||
|
||||
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
|
||||
**/
|
||||
|
||||
#ifndef __TCG2_PHYSICAL_PRESENCE_DATA_GUID_H__
|
||||
#define __TCG2_PHYSICAL_PRESENCE_DATA_GUID_H__
|
||||
|
||||
#define EFI_TCG2_PHYSICAL_PRESENCE_DATA_GUID \
|
||||
{ \
|
||||
0xaeb9c5c1, 0x94f1, 0x4d02, { 0xbf, 0xd9, 0x46, 0x2, 0xdb, 0x2d, 0x3c, 0x54 } \
|
||||
}
|
||||
|
||||
#define TCG2_PHYSICAL_PRESENCE_VARIABLE L"Tcg2PhysicalPresence"
|
||||
|
||||
typedef struct {
|
||||
UINT8 PPRequest; ///< Physical Presence request command.
|
||||
UINT32 PPRequestParameter; ///< Physical Presence request Parameter.
|
||||
UINT8 LastPPRequest;
|
||||
UINT32 PPResponse;
|
||||
} EFI_TCG2_PHYSICAL_PRESENCE;
|
||||
|
||||
//
|
||||
// This variable is used to save TCG2 Management Flags and corresponding operations.
|
||||
// It should be protected from malicious software (e.g. Set it as read-only variable).
|
||||
//
|
||||
#define TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE L"Tcg2PhysicalPresenceFlags"
|
||||
typedef struct {
|
||||
UINT32 PPFlags;
|
||||
} EFI_TCG2_PHYSICAL_PRESENCE_FLAGS;
|
||||
|
||||
extern EFI_GUID gEfiTcg2PhysicalPresenceGuid;
|
||||
|
||||
#endif
|
||||
|
@@ -1,5 +1,5 @@
|
||||
/** @file
|
||||
Defines the HOB GUID used to pass a TCG_PCR_EVENT from a TPM PEIM to
|
||||
Defines the HOB GUID used to pass a TCG_PCR_EVENT or TCG_PCR_EVENT2 from a TPM PEIM to
|
||||
a TPM DXE Driver. A GUIDed HOB is generated for each measurement
|
||||
made in the PEI Phase.
|
||||
|
||||
@@ -27,6 +27,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
|
||||
extern EFI_GUID gTcgEventEntryHobGuid;
|
||||
|
||||
#define EFI_TCG_EVENT2_HOB_GUID \
|
||||
{ \
|
||||
0xd26c221e, 0x2430, 0x4c8a, { 0x91, 0x70, 0x3f, 0xcb, 0x45, 0x0, 0x41, 0x3f } \
|
||||
}
|
||||
|
||||
extern EFI_GUID gTcgEvent2EntryHobGuid;
|
||||
|
||||
///
|
||||
/// The Global ID of a GUIDed HOB used to record TPM device error.
|
||||
///
|
||||
|
160
SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
Normal file
160
SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
Normal file
@@ -0,0 +1,160 @@
|
||||
/** @file
|
||||
Ihis library is intended to be used by BDS modules.
|
||||
This library will execute TPM2 request.
|
||||
|
||||
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
|
||||
This program and the accompanying materials
|
||||
are licensed and made available under the terms and conditions of the BSD License
|
||||
which accompanies this distribution. The full text of the license may be found at
|
||||
http://opensource.org/licenses/bsd-license.php
|
||||
|
||||
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
|
||||
**/
|
||||
|
||||
#ifndef _TCG2_PHYSICAL_PRESENCE_LIB_H_
|
||||
#define _TCG2_PHYSICAL_PRESENCE_LIB_H_
|
||||
|
||||
#include <IndustryStandard/Tpm20.h>
|
||||
#include <IndustryStandard/TcgPhysicalPresence.h>
|
||||
#include <Protocol/Tcg2Protocol.h>
|
||||
|
||||
//
|
||||
// UEFI TCG2 library definition bit of the BIOS TPM Management Flags
|
||||
//
|
||||
// BIT0 is reserved
|
||||
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CLEAR BIT1
|
||||
// BIT2 is reserved
|
||||
#define TCG2_LIB_PP_FLAG_RESET_TRACK BIT3
|
||||
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_TURN_ON BIT4
|
||||
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_TURN_OFF BIT5
|
||||
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS BIT6
|
||||
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS BIT7
|
||||
|
||||
//
|
||||
// UEFI TCG2 library definition bit of the BIOS Information Flags
|
||||
//
|
||||
#define TCG2_BIOS_INFORMATION_FLAG_HIERACHY_CONTROL_STORAGE_DISABLE BIT8
|
||||
#define TCG2_BIOS_INFORMATION_FLAG_HIERACHY_CONTROL_ENDORSEMENT_DISABLE BIT9
|
||||
|
||||
//
|
||||
// UEFI TCG2 library definition bit of the BIOS Storage Management Flags
|
||||
//
|
||||
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID BIT16
|
||||
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID BIT17
|
||||
|
||||
//
|
||||
// Default value
|
||||
//
|
||||
#define TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT (TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_TURN_OFF | \
|
||||
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CLEAR | \
|
||||
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS | \
|
||||
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS)
|
||||
|
||||
/**
|
||||
Check and execute the pending TPM request.
|
||||
|
||||
The TPM request may come from OS or BIOS. This API will display request information and wait
|
||||
for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
|
||||
the TPM request is confirmed, and one or more reset may be required to make TPM request to
|
||||
take effect.
|
||||
|
||||
This API should be invoked after console in and console out are all ready as they are required
|
||||
to display request information and get user input to confirm the request.
|
||||
|
||||
@param PlatformAuth platform auth value. NULL means no platform auth change.
|
||||
**/
|
||||
VOID
|
||||
EFIAPI
|
||||
Tcg2PhysicalPresenceLibProcessRequest (
|
||||
IN TPM2B_AUTH *PlatformAuth OPTIONAL
|
||||
);
|
||||
|
||||
/**
|
||||
Check if the pending TPM request needs user input to confirm.
|
||||
|
||||
The TPM request may come from OS. This API will check if TPM request exists and need user
|
||||
input to confirmation.
|
||||
|
||||
@retval TRUE TPM needs input to confirm user physical presence.
|
||||
@retval FALSE TPM doesn't need input to confirm user physical presence.
|
||||
|
||||
**/
|
||||
BOOLEAN
|
||||
EFIAPI
|
||||
Tcg2PhysicalPresenceLibNeedUserConfirm (
|
||||
VOID
|
||||
);
|
||||
|
||||
/**
|
||||
Return TPM2 ManagementFlags set by PP interface.
|
||||
|
||||
@retval ManagementFlags TPM2 Management Flags.
|
||||
**/
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PhysicalPresenceLibGetManagementFlags (
|
||||
VOID
|
||||
);
|
||||
|
||||
/**
|
||||
The handler for TPM physical presence function:
|
||||
Return TPM Operation Response to OS Environment.
|
||||
|
||||
This API should be invoked in OS runtime phase to interface with ACPI method.
|
||||
|
||||
@param[out] MostRecentRequest Most recent operation request.
|
||||
@param[out] Response Response to the most recent operation request.
|
||||
|
||||
@return Return Code for Return TPM Operation Response to OS Environment.
|
||||
**/
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
|
||||
OUT UINT32 *MostRecentRequest,
|
||||
OUT UINT32 *Response
|
||||
);
|
||||
|
||||
|
||||
/**
|
||||
The handler for TPM physical presence function:
|
||||
Submit TPM Operation Request to Pre-OS Environment and
|
||||
Submit TPM Operation Request to Pre-OS Environment 2.
|
||||
|
||||
This API should be invoked in OS runtime phase to interface with ACPI method.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
|
||||
@param[in] OperationRequest TPM physical presence operation request.
|
||||
@param[in] RequestParameter TPM physical presence operation request parameter.
|
||||
|
||||
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
|
||||
Submit TPM Operation Request to Pre-OS Environment 2.
|
||||
**/
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
|
||||
IN UINT32 OperationRequest,
|
||||
IN UINT32 RequestParameter
|
||||
);
|
||||
|
||||
/**
|
||||
The handler for TPM physical presence function:
|
||||
Get User Confirmation Status for Operation.
|
||||
|
||||
This API should be invoked in OS runtime phase to interface with ACPI method.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
|
||||
@param[in] OperationRequest TPM physical presence operation request.
|
||||
|
||||
@return Return Code for Get User Confirmation Status for Operation.
|
||||
**/
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
|
||||
IN UINT32 OperationRequest
|
||||
);
|
||||
|
||||
#endif
|
129
SecurityPkg/Include/Library/Tcg2PpVendorLib.h
Normal file
129
SecurityPkg/Include/Library/Tcg2PpVendorLib.h
Normal file
@@ -0,0 +1,129 @@
|
||||
/** @file
|
||||
Ihis library is to support TCG PC Client Platform Physical Presence Interface Specification
|
||||
Family "2.0" part, >= 128 Vendor Specific PPI Operation.
|
||||
|
||||
The Vendor Specific PPI operation may change TPM state, BIOS TPM management
|
||||
flags, and may need additional boot cycle.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
|
||||
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
|
||||
This program and the accompanying materials
|
||||
are licensed and made available under the terms and conditions of the BSD License
|
||||
which accompanies this distribution. The full text of the license may be found at
|
||||
http://opensource.org/licenses/bsd-license.php
|
||||
|
||||
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
|
||||
**/
|
||||
|
||||
#ifndef _TCG2_PP_VENDOR_LIB_H_
|
||||
#define _TCG2_PP_VENDOR_LIB_H_
|
||||
|
||||
#include <IndustryStandard/Tpm20.h>
|
||||
#include <Protocol/Tcg2Protocol.h>
|
||||
#include <Library/Tcg2PhysicalPresenceLib.h>
|
||||
|
||||
/**
|
||||
Check and execute the requested physical presence command.
|
||||
|
||||
This API should be invoked in BIOS boot phase to process pending request.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
|
||||
If OperationRequest < 128, then ASSERT().
|
||||
|
||||
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
|
||||
@param[in] OperationRequest TPM physical presence operation request.
|
||||
@param[in, out] ManagementFlags BIOS TPM Management Flags.
|
||||
@param[out] ResetRequired If reset is required to vendor settings in effect.
|
||||
True, it indicates the reset is required.
|
||||
False, it indicates the reset is not required.
|
||||
|
||||
@return TPM Operation Response to OS Environment.
|
||||
**/
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PpVendorLibExecutePendingRequest (
|
||||
IN TPM2B_AUTH *PlatformAuth, OPTIONAL
|
||||
IN UINT32 OperationRequest,
|
||||
IN OUT UINT32 *ManagementFlags,
|
||||
OUT BOOLEAN *ResetRequired
|
||||
);
|
||||
|
||||
/**
|
||||
Check if there is a valid physical presence command request.
|
||||
|
||||
This API should be invoked in BIOS boot phase to process pending request.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
|
||||
If OperationRequest < 128, then ASSERT().
|
||||
|
||||
@param[in] OperationRequest TPM physical presence operation request.
|
||||
@param[in] ManagementFlags BIOS TPM Management Flags.
|
||||
@param[out] RequestConfirmed If the physical presence operation command required user confirm from UI.
|
||||
True, it indicates the command doesn't require user confirm.
|
||||
False, it indicates the command need user confirm from UI.
|
||||
|
||||
@retval TRUE Physical Presence operation command is valid.
|
||||
@retval FALSE Physical Presence operation command is invalid.
|
||||
**/
|
||||
BOOLEAN
|
||||
EFIAPI
|
||||
Tcg2PpVendorLibHasValidRequest (
|
||||
IN UINT32 OperationRequest,
|
||||
IN UINT32 ManagementFlags,
|
||||
OUT BOOLEAN *RequestConfirmed
|
||||
);
|
||||
|
||||
/**
|
||||
The callback for TPM vendor specific physical presence which is called for
|
||||
Submit TPM Operation Request to Pre-OS Environment and
|
||||
Submit TPM Operation Request to Pre-OS Environment 2.
|
||||
|
||||
This API should be invoked in OS runtime phase to interface with ACPI method.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
|
||||
If OperationRequest < 128, then ASSERT().
|
||||
|
||||
@param[in] OperationRequest TPM physical presence operation request.
|
||||
@param[in] ManagementFlags BIOS TPM Management Flags.
|
||||
@param[in] RequestParameter Extra parameter from the passed package.
|
||||
|
||||
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
|
||||
Submit TPM Operation Request to Pre-OS Environment 2.
|
||||
**/
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PpVendorLibSubmitRequestToPreOSFunction (
|
||||
IN UINT32 OperationRequest,
|
||||
IN UINT32 ManagementFlags,
|
||||
IN UINT32 RequestParameter
|
||||
);
|
||||
|
||||
/**
|
||||
The callback for TPM vendor specific physical presence which is called for
|
||||
Get User Confirmation Status for Operation.
|
||||
|
||||
This API should be invoked in OS runtime phase to interface with ACPI method.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
|
||||
If OperationRequest < 128, then ASSERT().
|
||||
|
||||
@param[in] OperationRequest TPM physical presence operation request.
|
||||
@param[in] ManagementFlags BIOS TPM Management Flags.
|
||||
|
||||
@return Return Code for Get User Confirmation Status for Operation.
|
||||
**/
|
||||
UINT32
|
||||
EFIAPI
|
||||
Tcg2PpVendorLibGetUserConfirmationStatusFunction (
|
||||
IN UINT32 OperationRequest,
|
||||
IN UINT32 ManagementFlags
|
||||
);
|
||||
|
||||
#endif
|
Reference in New Issue
Block a user