sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add TPM2 support defined in trusted computing group.

Browse Source 
TCG EFI Protocol Specification for TPM Family 2.0 Revision 1.0 Version 9 at http://www.trustedcomputinggroup.org/resources/tcg_efi_protocol_specification
TCG Physical Presence Interface Specification Version 1.30, Revision 00.52 at http://www.trustedcomputinggroup.org/resources/tcg_physical_presence_interface_specification

Add Tcg2XXX, similar file/directory as TrEEXXX. Old TrEE driver/library can be deprecated.
1) Add Tcg2Pei/Dxe/Smm driver to log event and provide services.
2) Add Dxe/Pei/SmmTcg2PhysicalPresenceLib to support TCG PP.
3) Update Tpm2 library to use TCG2 protocol instead of TrEE protocol.

Test Win8/Win10 with SecureBoot enabled, PCR7 shows bound.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com>
Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18219 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Yao, Jiewen
2015-08-13 08:24:17 +00:00
committed by jyao1
parent 59b226d6d7
commit 1abfa4ce48
62 changed files with 9524 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1245
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c Normal file
View File

File diff suppressed because it is too large Load Diff

69
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf Normal file
View File

@@ -0,0 +1,69 @@
## @file
# Executes TPM 2.0 requests from OS or BIOS
#
# This library will check and execute TPM 2.0 request from OS or BIOS. The request may
# ask for user confirmation before execution.
#
# Caution: This module requires additional review when modified.
# This driver will have external input - variable.
# This external input must be validated carefully to avoid security issue.
#
# Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = DxeTcg2PhysicalPresenceLib
MODULE_UNI_FILE = DxeTcg2PhysicalPresenceLib.uni
FILE_GUID = 7E507A86-DE8B-4AD3-BC4C-0498389098D3
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = Tcg2PhysicalPresenceLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SAL_DRIVER UEFI_APPLICATION UEFI_DRIVER
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
DxeTcg2PhysicalPresenceLib.c
PhysicalPresenceStrings.uni
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
MemoryAllocationLib
UefiLib
UefiBootServicesTableLib
UefiDriverEntryPoint
UefiRuntimeServicesTableLib
BaseMemoryLib
DebugLib
PrintLib
HiiLib
HobLib
Tpm2CommandLib
Tcg2PpVendorLib
[Protocols]
gEfiTcg2ProtocolGuid ## CONSUMES
gEdkiiVariableLockProtocolGuid ## CONSUMES
[Guids]
## CONSUMES ## HII
## SOMETIMES_PRODUCES ## Variable:L"Tcg2PhysicalPresence"
## SOMETIMES_CONSUMES ## Variable:L"Tcg2PhysicalPresence"
## SOMETIMES_PRODUCES ## Variable:L"Tcg2PhysicalPresenceFlags"
## SOMETIMES_CONSUMES ## Variable:L"Tcg2PhysicalPresenceFlags"
gEfiTcg2PhysicalPresenceGuid

BIN
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.uni Normal file
View File

Binary file not shown.

BIN
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni Normal file
View File

Binary file not shown.

148
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
View File

@@ -9,10 +9,10 @@
DxeTpm2MeasureBootLibImageRead() function will make sure the PE/COFF image content
read is within the image buffer.
TrEEMeasurePeImage() function will accept untrusted PE/COFF image and validate its
Tcg2MeasurePeImage() function will accept untrusted PE/COFF image and validate its
data structure within this image buffer before use.
TrEEMeasureGptTable() function will receive untrusted GPT partition table, and parse
Tcg2MeasureGptTable() function will receive untrusted GPT partition table, and parse
partition data carefully.
Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.<BR>
@@ -28,7 +28,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <PiDxe.h>
#include <Protocol/TrEEProtocol.h>
#include <Protocol/Tcg2Protocol.h>
#include <Protocol/BlockIo.h>
#include <Protocol/DiskIo.h>
#include <Protocol/DevicePathToText.h>
@@ -51,15 +51,15 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
//
// Flag to check GPT partition. It only need be measured once.
//
BOOLEAN mTrEEMeasureGptTableFlag = FALSE;
UINTN mTrEEMeasureGptCount = 0;
VOID *mTrEEFileBuffer;
UINTN mTrEEImageSize;
BOOLEAN mTcg2MeasureGptTableFlag = FALSE;
UINTN mTcg2MeasureGptCount = 0;
VOID *mTcg2FileBuffer;
UINTN mTcg2ImageSize;
//
// Measured FV handle cache
//
EFI_HANDLE mTrEECacheMeasuredHandle = NULL;
MEASURED_HOB_DATA *mTrEEMeasuredHobData = NULL;
EFI_HANDLE mTcg2CacheMeasuredHandle = NULL;
MEASURED_HOB_DATA *mTcg2MeasuredHobData = NULL;
/**
Reads contents of a PE/COFF image in memory buffer.
@@ -96,11 +96,11 @@ DxeTpm2MeasureBootLibImageRead (
}
EndPosition = FileOffset + *ReadSize;
if (EndPosition > mTrEEImageSize) {
*ReadSize = (UINT32)(mTrEEImageSize - FileOffset);
if (EndPosition > mTcg2ImageSize) {
*ReadSize = (UINT32)(mTcg2ImageSize - FileOffset);
}
if (FileOffset >= mTrEEImageSize) {
if (FileOffset >= mTcg2ImageSize) {
*ReadSize = 0;
}
@@ -115,7 +115,7 @@ DxeTpm2MeasureBootLibImageRead (
Caution: This function may receive untrusted input.
The GPT partition table is external input, so this function should parse partition data carefully.
@param TreeProtocol Pointer to the located TREE protocol instance.
@param Tcg2Protocol Pointer to the located TCG2 protocol instance.
@param GptHandle Handle that GPT partition was installed.
@retval EFI_SUCCESS Successfully measure GPT table.
@@ -126,8 +126,8 @@ DxeTpm2MeasureBootLibImageRead (
**/
EFI_STATUS
EFIAPI
TrEEMeasureGptTable (
IN EFI_TREE_PROTOCOL *TreeProtocol,
Tcg2MeasureGptTable (
IN EFI_TCG2_PROTOCOL *Tcg2Protocol,
IN EFI_HANDLE GptHandle
)
{
@@ -139,11 +139,11 @@ TrEEMeasureGptTable (
UINT8 *EntryPtr;
UINTN NumberOfPartition;
UINT32 Index;
TrEE_EVENT *TreeEvent;
EFI_TCG2_EVENT *Tcg2Event;
EFI_GPT_DATA *GptData;
UINT32 EventSize;
if (mTrEEMeasureGptCount > 0) {
if (mTcg2MeasureGptCount > 0) {
return EFI_SUCCESS;
}
@@ -212,19 +212,19 @@ TrEEMeasureGptTable (
//
EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
+ NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
TreeEvent = (TrEE_EVENT *) AllocateZeroPool (EventSize + sizeof (TrEE_EVENT) - sizeof(TreeEvent->Event));
if (TreeEvent == NULL) {
Tcg2Event = (EFI_TCG2_EVENT *) AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
if (Tcg2Event == NULL) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
return EFI_OUT_OF_RESOURCES;
}
TreeEvent->Size = EventSize + sizeof (TrEE_EVENT) - sizeof(TreeEvent->Event);
TreeEvent->Header.HeaderSize = sizeof(TrEE_EVENT_HEADER);
TreeEvent->Header.HeaderVersion = TREE_EVENT_HEADER_VERSION;
TreeEvent->Header.PCRIndex = 5;
TreeEvent->Header.EventType = EV_EFI_GPT_EVENT;
GptData = (EFI_GPT_DATA *) TreeEvent->Event;
Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);
Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
Tcg2Event->Header.PCRIndex = 5;
Tcg2Event->Header.EventType = EV_EFI_GPT_EVENT;
GptData = (EFI_GPT_DATA *) Tcg2Event->Event;
//
// Copy the EFI_PARTITION_TABLE_HEADER and NumberOfPartition
@@ -251,20 +251,20 @@ TrEEMeasureGptTable (
//
// Measure the GPT data
//
Status = TreeProtocol->HashLogExtendEvent (
TreeProtocol,
Status = Tcg2Protocol->HashLogExtendEvent (
Tcg2Protocol,
0,
(EFI_PHYSICAL_ADDRESS) (UINTN) (VOID *) GptData,
(UINT64) EventSize,
TreeEvent
Tcg2Event
);
if (!EFI_ERROR (Status)) {
mTrEEMeasureGptCount++;
mTcg2MeasureGptCount++;
}
FreePool (PrimaryHeader);
FreePool (EntryPtr);
FreePool (TreeEvent);
FreePool (Tcg2Event);
return Status;
}
@@ -277,7 +277,7 @@ TrEEMeasureGptTable (
PE/COFF image is external input, so this function will validate its data structure
within this image buffer before use.
@param[in] TreeProtocol Pointer to the located TREE protocol instance.
@param[in] Tcg2Protocol Pointer to the located TCG2 protocol instance.
@param[in] ImageAddress Start address of image buffer.
@param[in] ImageSize Image size
@param[in] LinkTimeBase Address that the image is loaded into memory.
@@ -292,8 +292,8 @@ TrEEMeasureGptTable (
**/
EFI_STATUS
EFIAPI
TrEEMeasurePeImage (
IN EFI_TREE_PROTOCOL *TreeProtocol,
Tcg2MeasurePeImage (
IN EFI_TCG2_PROTOCOL *Tcg2Protocol,
IN EFI_PHYSICAL_ADDRESS ImageAddress,
IN UINTN ImageSize,
IN UINTN LinkTimeBase,
@@ -302,7 +302,7 @@ TrEEMeasurePeImage (
)
{
EFI_STATUS Status;
TrEE_EVENT *TreeEvent;
EFI_TCG2_EVENT *Tcg2Event;
EFI_IMAGE_LOAD_EVENT *ImageLoad;
UINT32 FilePathSize;
UINT32 EventSize;
@@ -315,33 +315,33 @@ TrEEMeasurePeImage (
// Determine destination PCR by BootPolicy
//
EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
TreeEvent = AllocateZeroPool (EventSize + sizeof (TrEE_EVENT) - sizeof(TreeEvent->Event));
if (TreeEvent == NULL) {
Tcg2Event = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event));
if (Tcg2Event == NULL) {
return EFI_OUT_OF_RESOURCES;
}
TreeEvent->Size = EventSize + sizeof (TrEE_EVENT) - sizeof(TreeEvent->Event);
TreeEvent->Header.HeaderSize = sizeof(TrEE_EVENT_HEADER);
TreeEvent->Header.HeaderVersion = TREE_EVENT_HEADER_VERSION;
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) TreeEvent->Event;
Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);
Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
ImageLoad = (EFI_IMAGE_LOAD_EVENT *) Tcg2Event->Event;
switch (ImageType) {
case EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION:
TreeEvent->Header.EventType = EV_EFI_BOOT_SERVICES_APPLICATION;
TreeEvent->Header.PCRIndex = 4;
Tcg2Event->Header.EventType = EV_EFI_BOOT_SERVICES_APPLICATION;
Tcg2Event->Header.PCRIndex = 4;
break;
case EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
TreeEvent->Header.EventType = EV_EFI_BOOT_SERVICES_DRIVER;
TreeEvent->Header.PCRIndex = 2;
Tcg2Event->Header.EventType = EV_EFI_BOOT_SERVICES_DRIVER;
Tcg2Event->Header.PCRIndex = 2;
break;
case EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
TreeEvent->Header.EventType = EV_EFI_RUNTIME_SERVICES_DRIVER;
TreeEvent->Header.PCRIndex = 2;
Tcg2Event->Header.EventType = EV_EFI_RUNTIME_SERVICES_DRIVER;
Tcg2Event->Header.PCRIndex = 2;
break;
default:
DEBUG ((
EFI_D_ERROR,
"TrEEMeasurePeImage: Unknown subsystem type %d",
"Tcg2MeasurePeImage: Unknown subsystem type %d",
ImageType
));
goto Finish;
@@ -358,12 +358,12 @@ TrEEMeasurePeImage (
//
// Log the PE data
//
Status = TreeProtocol->HashLogExtendEvent (
TreeProtocol,
Status = Tcg2Protocol->HashLogExtendEvent (
Tcg2Protocol,
PE_COFF_IMAGE,
ImageAddress,
ImageSize,
TreeEvent
Tcg2Event
);
if (Status == EFI_VOLUME_FULL) {
//
@@ -375,7 +375,7 @@ TrEEMeasurePeImage (
}
Finish:
FreePool (TreeEvent);
FreePool (Tcg2Event);
return Status;
}
@@ -428,9 +428,9 @@ DxeTpm2MeasureBootHandler (
IN BOOLEAN BootPolicy
)
{
EFI_TREE_PROTOCOL *TreeProtocol;
EFI_TCG2_PROTOCOL *Tcg2Protocol;
EFI_STATUS Status;
TREE_BOOT_SERVICE_CAPABILITY ProtocolCapability;
EFI_TCG2_BOOT_SERVICE_CAPABILITY ProtocolCapability;
EFI_DEVICE_PATH_PROTOCOL *DevicePathNode;
EFI_DEVICE_PATH_PROTOCOL *OrigDevicePathNode;
EFI_HANDLE Handle;
@@ -441,26 +441,26 @@ DxeTpm2MeasureBootHandler (
EFI_PHYSICAL_ADDRESS FvAddress;
UINT32 Index;
Status = gBS->LocateProtocol (&gEfiTrEEProtocolGuid, NULL, (VOID **) &TreeProtocol);
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
if (EFI_ERROR (Status)) {
//
// TrEE protocol is not installed. So, TPM2 is not present.
// Tcg2 protocol is not installed. So, TPM2 is not present.
// Don't do any measurement, and directly return EFI_SUCCESS.
//
DEBUG ((EFI_D_INFO, "DxeTpm2MeasureBootHandler - TrEE - %r\n", Status));
DEBUG ((EFI_D_INFO, "DxeTpm2MeasureBootHandler - Tcg2 - %r\n", Status));
return EFI_SUCCESS;
}
ProtocolCapability.Size = (UINT8) sizeof (ProtocolCapability);
Status = TreeProtocol->GetCapability (
TreeProtocol,
Status = Tcg2Protocol->GetCapability (
Tcg2Protocol,
&ProtocolCapability
);
if (EFI_ERROR (Status) || (!ProtocolCapability.TrEEPresentFlag)) {
if (EFI_ERROR (Status) || (!ProtocolCapability.TPMPresentFlag)) {
//
// TPM device doesn't work or activate.
//
DEBUG ((EFI_D_ERROR, "DxeTpm2MeasureBootHandler (%r) - TrEEPresentFlag - %x\n", Status, ProtocolCapability.TrEEPresentFlag));
DEBUG ((EFI_D_ERROR, "DxeTpm2MeasureBootHandler (%r) - TPMPresentFlag - %x\n", Status, ProtocolCapability.TPMPresentFlag));
return EFI_SUCCESS;
}
@@ -475,7 +475,7 @@ DxeTpm2MeasureBootHandler (
//
DevicePathNode = OrigDevicePathNode;
Status = gBS->LocateDevicePath (&gEfiBlockIoProtocolGuid, &DevicePathNode, &Handle);
if (!EFI_ERROR (Status) && !mTrEEMeasureGptTableFlag) {
if (!EFI_ERROR (Status) && !mTcg2MeasureGptTableFlag) {
//
// Find the gpt partion on the given devicepath
//
@@ -508,13 +508,13 @@ DxeTpm2MeasureBootHandler (
//
// Measure GPT disk.
//
Status = TrEEMeasureGptTable (TreeProtocol, Handle);
DEBUG ((EFI_D_INFO, "DxeTpm2MeasureBootHandler - TrEEMeasureGptTable - %r\n", Status));
Status = Tcg2MeasureGptTable (Tcg2Protocol, Handle);
DEBUG ((EFI_D_INFO, "DxeTpm2MeasureBootHandler - Tcg2MeasureGptTable - %r\n", Status));
if (!EFI_ERROR (Status)) {
//
// GPT disk check done.
//
mTrEEMeasureGptTableFlag = TRUE;
mTcg2MeasureGptTableFlag = TRUE;
}
}
FreePool (OrigDevicePathNode);
@@ -553,7 +553,7 @@ DxeTpm2MeasureBootHandler (
//
ApplicationRequired = TRUE;
if (mTrEECacheMeasuredHandle != Handle && mTrEEMeasuredHobData != NULL) {
if (mTcg2CacheMeasuredHandle != Handle && mTcg2MeasuredHobData != NULL) {
//
// Search for Root FV of this PE image
//
@@ -577,12 +577,12 @@ DxeTpm2MeasureBootHandler (
ApplicationRequired = FALSE;
for (Index = 0; Index < mTrEEMeasuredHobData->Num; Index++) {
if(mTrEEMeasuredHobData->MeasuredFvBuf[Index].BlobBase == FvAddress) {
for (Index = 0; Index < mTcg2MeasuredHobData->Num; Index++) {
if(mTcg2MeasuredHobData->MeasuredFvBuf[Index].BlobBase == FvAddress) {
//
// Cache measured FV for next measurement
//
mTrEECacheMeasuredHandle = Handle;
mTcg2CacheMeasuredHandle = Handle;
ApplicationRequired = TRUE;
break;
}
@@ -598,8 +598,8 @@ DxeTpm2MeasureBootHandler (
goto Finish;
}
mTrEEImageSize = FileSize;
mTrEEFileBuffer = FileBuffer;
mTcg2ImageSize = FileSize;
mTcg2FileBuffer = FileBuffer;
//
// Measure PE Image
@@ -645,15 +645,15 @@ DxeTpm2MeasureBootHandler (
//
// Measure PE image into TPM log.
//
Status = TrEEMeasurePeImage (
TreeProtocol,
Status = Tcg2MeasurePeImage (
Tcg2Protocol,
(EFI_PHYSICAL_ADDRESS) (UINTN) FileBuffer,
FileSize,
(UINTN) ImageContext.ImageAddress,
ImageContext.ImageType,
DevicePathNode
);
DEBUG ((EFI_D_INFO, "DxeTpm2MeasureBootHandler - TrEEMeasurePeImage - %r\n", Status));
DEBUG ((EFI_D_INFO, "DxeTpm2MeasureBootHandler - Tcg2MeasurePeImage - %r\n", Status));
}
//
@@ -692,7 +692,7 @@ DxeTpm2MeasureBootLibConstructor (
GuidHob = GetFirstGuidHob (&gMeasuredFvHobGuid);
if (GuidHob != NULL) {
mTrEEMeasuredHobData = GET_GUID_HOB_DATA (GuidHob);
mTcg2MeasuredHobData = GET_GUID_HOB_DATA (GuidHob);
}
return RegisterSecurity2Handler (

2
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
View File

@@ -61,7 +61,7 @@
gZeroGuid ## SOMETIMES_CONSUMES ## GUID
[Protocols]
gEfiTrEEProtocolGuid ## SOMETIMES_CONSUMES
gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES

36
SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
View File

@@ -1,7 +1,7 @@
/** @file
This library is used by other modules to measure data to TPM.
Copyright (c) 2012 - 2013, Intel Corporation. All rights reserved. <BR>
Copyright (c) 2012 - 2015, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -15,7 +15,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <PiDxe.h>
#include <Protocol/TcgService.h>
#include <Protocol/TrEEProtocol.h>
#include <Protocol/Tcg2Protocol.h>
#include <Library/BaseMemoryLib.h>
#include <Library/MemoryAllocationLib.h>
@@ -120,37 +120,37 @@ Tpm20MeasureAndLogData (
)
{
EFI_STATUS Status;
EFI_TREE_PROTOCOL *TreeProtocol;
TrEE_EVENT *TreeEvent;
EFI_TCG2_PROTOCOL *Tcg2Protocol;
EFI_TCG2_EVENT *Tcg2Event;
//
// TrEEPresentFlag is checked in HashLogExtendEvent
// TPMPresentFlag is checked in HashLogExtendEvent
//
Status = gBS->LocateProtocol (&gEfiTrEEProtocolGuid, NULL, (VOID **) &TreeProtocol);
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
if (EFI_ERROR (Status)) {
return Status;
}
TreeEvent = (TrEE_EVENT *) AllocateZeroPool (LogLen + sizeof (TrEE_EVENT));
if(TreeEvent == NULL) {
Tcg2Event = (EFI_TCG2_EVENT *) AllocateZeroPool (LogLen + sizeof (EFI_TCG2_EVENT));
if(Tcg2Event == NULL) {
return EFI_OUT_OF_RESOURCES;
}
TreeEvent->Size = (UINT32)LogLen + sizeof (TrEE_EVENT) - sizeof(TreeEvent->Event);
TreeEvent->Header.HeaderSize = sizeof(TrEE_EVENT_HEADER);
TreeEvent->Header.HeaderVersion = TREE_EVENT_HEADER_VERSION;
TreeEvent->Header.PCRIndex = PcrIndex;
TreeEvent->Header.EventType = EventType;
CopyMem (&TreeEvent->Event[0], EventLog, LogLen);
Tcg2Event->Size = (UINT32)LogLen + sizeof (EFI_TCG2_EVENT) - sizeof(Tcg2Event->Event);
Tcg2Event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
Tcg2Event->Header.PCRIndex = PcrIndex;
Tcg2Event->Header.EventType = EventType;
CopyMem (&Tcg2Event->Event[0], EventLog, LogLen);
Status = TreeProtocol->HashLogExtendEvent (
TreeProtocol,
Status = Tcg2Protocol->HashLogExtendEvent (
Tcg2Protocol,
0,
(EFI_PHYSICAL_ADDRESS)(UINTN)HashData,
HashDataLen,
TreeEvent
Tcg2Event
);
FreePool (TreeEvent);
FreePool (Tcg2Event);
return Status;
}

2
SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
View File

@@ -46,4 +46,4 @@
[Protocols]
gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES
gEfiTrEEProtocolGuid ## SOMETIMES_CONSUMES
gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES

12
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterCommon.c
View File

@@ -1,7 +1,7 @@
/** @file
Ihis is BaseCrypto router support function.
Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -19,7 +19,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/HashLib.h>
#include <Protocol/TrEEProtocol.h>
#include <Protocol/Tcg2Protocol.h>
typedef struct {
EFI_GUID Guid;
@@ -27,10 +27,10 @@ typedef struct {
} TPM2_HASH_MASK;
TPM2_HASH_MASK mTpm2HashMask[] = {
{HASH_ALGORITHM_SHA1_GUID, TREE_BOOT_HASH_ALG_SHA1},
{HASH_ALGORITHM_SHA256_GUID, TREE_BOOT_HASH_ALG_SHA256},
{HASH_ALGORITHM_SHA384_GUID, TREE_BOOT_HASH_ALG_SHA384},
{HASH_ALGORITHM_SHA512_GUID, TREE_BOOT_HASH_ALG_SHA512},
{HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1},
{HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256},
{HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384},
{HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512},
};
/**

27
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
View File

@@ -3,7 +3,7 @@
hash handler registerd, such as SHA1, SHA256.
Platform can use PcdTpm2HashMask to mask some hash engines.
Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved. <BR>
Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -44,6 +44,7 @@ HashStart (
{
HASH_HANDLE *HashCtx;
UINTN Index;
UINT32 HashMask;
if (mHashInterfaceCount == 0) {
return EFI_UNSUPPORTED;
@@ -53,7 +54,10 @@ HashStart (
ASSERT (HashCtx != NULL);
for (Index = 0; Index < mHashInterfaceCount; Index++) {
mHashInterface[Index].HashInit (&HashCtx[Index]);
HashMask = Tpm2GetHashMaskFromAlgo (&mHashInterface[Index].HashGuid);
if ((HashMask & PcdGet32 (PcdTpm2HashMask)) != 0) {
mHashInterface[Index].HashInit (&HashCtx[Index]);
}
}
*HashHandle = (HASH_HANDLE)HashCtx;
@@ -80,6 +84,7 @@ HashUpdate (
{
HASH_HANDLE *HashCtx;
UINTN Index;
UINT32 HashMask;
if (mHashInterfaceCount == 0) {
return EFI_UNSUPPORTED;
@@ -88,7 +93,10 @@ HashUpdate (
HashCtx = (HASH_HANDLE *)HashHandle;
for (Index = 0; Index < mHashInterfaceCount; Index++) {
mHashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
HashMask = Tpm2GetHashMaskFromAlgo (&mHashInterface[Index].HashGuid);
if ((HashMask & PcdGet32 (PcdTpm2HashMask)) != 0) {
mHashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
}
}
return EFI_SUCCESS;
@@ -119,6 +127,7 @@ HashCompleteAndExtend (
HASH_HANDLE *HashCtx;
UINTN Index;
EFI_STATUS Status;
UINT32 HashMask;
if (mHashInterfaceCount == 0) {
return EFI_UNSUPPORTED;
@@ -128,9 +137,12 @@ HashCompleteAndExtend (
ZeroMem (DigestList, sizeof(*DigestList));
for (Index = 0; Index < mHashInterfaceCount; Index++) {
mHashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
mHashInterface[Index].HashFinal (HashCtx[Index], &Digest);
Tpm2SetHashToDigestList (DigestList, &Digest);
HashMask = Tpm2GetHashMaskFromAlgo (&mHashInterface[Index].HashGuid);
if ((HashMask & PcdGet32 (PcdTpm2HashMask)) != 0) {
mHashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
mHashInterface[Index].HashFinal (HashCtx[Index], &Digest);
Tpm2SetHashToDigestList (DigestList, &Digest);
}
}
FreePool (HashCtx);
@@ -192,6 +204,7 @@ RegisterHashInterfaceLib (
{
UINTN Index;
UINT32 HashMask;
UINT32 BiosSupportedHashMask;
//
// Check allow
@@ -204,6 +217,8 @@ RegisterHashInterfaceLib (
if (mHashInterfaceCount >= sizeof(mHashInterface)/sizeof(mHashInterface[0])) {
return EFI_OUT_OF_RESOURCES;
}
BiosSupportedHashMask = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
PcdSet32 (PcdTcg2HashAlgorithmBitmap, BiosSupportedHashMask | HashMask);
//
// Check duplication

5
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
View File

@@ -5,7 +5,7 @@
# hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
# mask some hash engines.
#
# Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
@@ -48,5 +48,6 @@
PcdLib
[Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap ## CONSUMES

27
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
View File

@@ -3,7 +3,7 @@
hash handler registerd, such as SHA1, SHA256.
Platform can use PcdTpm2HashMask to mask some hash engines.
Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved. <BR>
Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -72,6 +72,7 @@ HashStart (
HASH_INTERFACE_HOB *HashInterfaceHob;
HASH_HANDLE *HashCtx;
UINTN Index;
UINT32 HashMask;
HashInterfaceHob = InternalGetHashInterface ();
if (HashInterfaceHob == NULL) {
@@ -86,7 +87,10 @@ HashStart (
ASSERT (HashCtx != NULL);
for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) {
HashInterfaceHob->HashInterface[Index].HashInit (&HashCtx[Index]);
HashMask = Tpm2GetHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid);
if ((HashMask & PcdGet32 (PcdTpm2HashMask)) != 0) {
HashInterfaceHob->HashInterface[Index].HashInit (&HashCtx[Index]);
}
}
*HashHandle = (HASH_HANDLE)HashCtx;
@@ -114,6 +118,7 @@ HashUpdate (
HASH_INTERFACE_HOB *HashInterfaceHob;
HASH_HANDLE *HashCtx;
UINTN Index;
UINT32 HashMask;
HashInterfaceHob = InternalGetHashInterface ();
if (HashInterfaceHob == NULL) {
@@ -127,7 +132,10 @@ HashUpdate (
HashCtx = (HASH_HANDLE *)HashHandle;
for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) {
HashInterfaceHob->HashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
HashMask = Tpm2GetHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid);
if ((HashMask & PcdGet32 (PcdTpm2HashMask)) != 0) {
HashInterfaceHob->HashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
}
}
return EFI_SUCCESS;
@@ -159,6 +167,7 @@ HashCompleteAndExtend (
HASH_HANDLE *HashCtx;
UINTN Index;
EFI_STATUS Status;
UINT32 HashMask;
HashInterfaceHob = InternalGetHashInterface ();
if (HashInterfaceHob == NULL) {
@@ -173,9 +182,12 @@ HashCompleteAndExtend (
ZeroMem (DigestList, sizeof(*DigestList));
for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) {
HashInterfaceHob->HashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
HashInterfaceHob->HashInterface[Index].HashFinal (HashCtx[Index], &Digest);
Tpm2SetHashToDigestList (DigestList, &Digest);
HashMask = Tpm2GetHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid);
if ((HashMask & PcdGet32 (PcdTpm2HashMask)) != 0) {
HashInterfaceHob->HashInterface[Index].HashUpdate (HashCtx[Index], DataToHash, DataToHashLen);
HashInterfaceHob->HashInterface[Index].HashFinal (HashCtx[Index], &Digest);
Tpm2SetHashToDigestList (DigestList, &Digest);
}
}
FreePool (HashCtx);
@@ -245,6 +257,7 @@ RegisterHashInterfaceLib (
HASH_INTERFACE_HOB *HashInterfaceHob;
HASH_INTERFACE_HOB LocalHashInterfaceHob;
UINT32 HashMask;
UINT32 BiosSupportedHashMask;
//
// Check allow
@@ -266,6 +279,8 @@ RegisterHashInterfaceLib (
if (HashInterfaceHob->HashInterfaceCount >= HASH_COUNT) {
return EFI_OUT_OF_RESOURCES;
}
BiosSupportedHashMask = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
PcdSet32 (PcdTcg2HashAlgorithmBitmap, BiosSupportedHashMask | HashMask);
//
// Check duplication

5
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
View File

@@ -5,7 +5,7 @@
# hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
# mask some hash engines.
#
# Copyright (c) 2013, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
@@ -49,5 +49,6 @@
HobLib
[Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap ## CONSUMES

11
SecurityPkg/Library/HashLibTpm2/HashLibTpm2.c
View File

@@ -1,7 +1,7 @@
/** @file
Ihis library uses TPM2 device to calculation hash.
Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -20,7 +20,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/MemoryAllocationLib.h>
#include <Library/HashLib.h>
#include <Library/PcdLib.h>
#include <Protocol/TrEEProtocol.h>
typedef struct {
TPM_ALG_ID AlgoId;
@@ -28,10 +27,10 @@ typedef struct {
} TPM2_HASH_MASK;
TPM2_HASH_MASK mTpm2HashMask[] = {
{TPM_ALG_SHA1, TREE_BOOT_HASH_ALG_SHA1},
{TPM_ALG_SHA256, TREE_BOOT_HASH_ALG_SHA256},
{TPM_ALG_SHA384, TREE_BOOT_HASH_ALG_SHA384},
{TPM_ALG_SHA512, TREE_BOOT_HASH_ALG_SHA512},
{TPM_ALG_SHA1, HASH_ALG_SHA1},
{TPM_ALG_SHA256, HASH_ALG_SHA256},
{TPM_ALG_SHA384, HASH_ALG_SHA384},
{TPM_ALG_SHA512, HASH_ALG_SHA512},
};
/**

59
SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.c Normal file
View File

@@ -0,0 +1,59 @@
/** @file
Get TPM 2.0 physical presence information.
This library will get TPM 2.0 physical presence information.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <PiPei.h>
#include <Guid/Tcg2PhysicalPresenceData.h>
#include <Ppi/ReadOnlyVariable2.h>
#include <Library/DebugLib.h>
#include <Library/PeiServicesLib.h>
#include <Library/PeiServicesTablePointerLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
/**
Return TPM2 ManagementFlags set by PP interface.
@retval ManagementFlags TPM2 Management Flags.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibGetManagementFlags (
VOID
)
{
EFI_STATUS Status;
EFI_PEI_READ_ONLY_VARIABLE2_PPI *VariablePpi;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
UINTN DataSize;
Status = PeiServicesLocatePpi (&gEfiPeiReadOnlyVariable2PpiGuid, 0, NULL, (VOID **) &VariablePpi);
ASSERT_EFI_ERROR (Status);
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS);
Status = VariablePpi->GetVariable (
VariablePpi,
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&PpiFlags
);
if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;
}
return PpiFlags.PPFlags;
}

52
SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf Normal file
View File

@@ -0,0 +1,52 @@
## @file
# Get TPM 2.0 physical presence information.
#
# This library will get TPM 2.0 physical presence information.
#
# Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = PeiTcg2PhysicalPresenceLib
MODULE_UNI_FILE = PeiTcg2PhysicalPresenceLib.uni
FILE_GUID = AB82E7BE-0970-480b-93EB-3D332B89F99E
MODULE_TYPE = PEIM
VERSION_STRING = 1.0
LIBRARY_CLASS = Tcg2PhysicalPresenceLib|PEIM
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
PeiTcg2PhysicalPresenceLib.c
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
DebugLib
PeiServicesLib
PeiServicesTablePointerLib
[Guids]
## SOMETIMES_CONSUMES ## Variable:L"PhysicalPresenceFlags"
gEfiTcg2PhysicalPresenceGuid
[Ppis]
gEfiPeiReadOnlyVariable2PpiGuid ## CONSUMES
[Depex]
gEfiPeiReadOnlyVariable2PpiGuid

BIN
SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.uni Normal file
View File

Binary file not shown.

314
SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c Normal file
View File

@@ -0,0 +1,314 @@
/** @file
Handle TPM 2.0 physical presence requests from OS.
This library will handle TPM 2.0 physical presence request from OS.
Caution: This module requires additional review when modified.
This driver will have external input - variable.
This external input must be validated carefully to avoid security issue.
Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction() and Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction()
will receive untrusted input and do validation.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <PiSmm.h>
#include <Guid/Tcg2PhysicalPresenceData.h>
#include <Protocol/SmmVariable.h>
#include <Library/DebugLib.h>
#include <Library/Tcg2PpVendorLib.h>
#include <Library/SmmServicesTableLib.h>
EFI_SMM_VARIABLE_PROTOCOL *mTcg2PpSmmVariable;
/**
The handler for TPM physical presence function:
Return TPM Operation Response to OS Environment.
This API should be invoked in OS runtime phase to interface with ACPI method.
@param[out] MostRecentRequest Most recent operation request.
@param[out] Response Response to the most recent operation request.
@return Return Code for Return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
OUT UINT32 *MostRecentRequest,
OUT UINT32 *Response
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_TCG2_PHYSICAL_PRESENCE PpData;
DEBUG ((EFI_D_INFO, "[TPM2] ReturnOperationResponseToOsFunction\n"));
//
// Get the Physical Presence variable
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = mTcg2PpSmmVariable->SmmGetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&PpData
);
if (EFI_ERROR (Status)) {
*MostRecentRequest = 0;
*Response = 0;
DEBUG ((EFI_D_ERROR, "[TPM2] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_FAILURE;
}
*MostRecentRequest = PpData.LastPPRequest;
*Response = PpData.PPResponse;
return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_SUCCESS;
}
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] RequestParameter TPM physical presence operation request parameter.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
IN UINT32 OperationRequest,
IN UINT32 RequestParameter
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_TCG2_PHYSICAL_PRESENCE PpData;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS Flags;
DEBUG ((EFI_D_INFO, "[TPM2] SubmitRequestToPreOSFunction, Request = %x, %x\n", OperationRequest, RequestParameter));
//
// Get the Physical Presence variable
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = mTcg2PpSmmVariable->SmmGetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&PpData
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
}
if ((OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) &&
(OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) {
//
// This command requires UI to prompt user for Auth data.
//
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
}
if (PpData.PPRequest != OperationRequest) {
PpData.PPRequest = (UINT8)OperationRequest;
PpData.PPRequestParameter = RequestParameter;
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = mTcg2PpSmmVariable->SmmSetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize,
&PpData
);
}
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status));
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
}
if (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS);
Status = mTcg2PpSmmVariable->SmmGetVariable (
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&Flags
);
if (EFI_ERROR (Status)) {
Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;
}
return Tcg2PpVendorLibSubmitRequestToPreOSFunction (OperationRequest, Flags.PPFlags, RequestParameter);
}
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;
}
/**
The handler for TPM physical presence function:
Get User Confirmation Status for Operation.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@return Return Code for Get User Confirmation Status for Operation.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
IN UINT32 OperationRequest
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_TCG2_PHYSICAL_PRESENCE PpData;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS Flags;
BOOLEAN RequestConfirmed;
DEBUG ((EFI_D_INFO, "[TPM2] GetUserConfirmationStatusFunction, Request = %x\n", OperationRequest));
//
// Get the Physical Presence variable
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = mTcg2PpSmmVariable->SmmGetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&PpData
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_GET_USER_CONFIRMATION_BLOCKED_BY_BIOS_CONFIGURATION;
}
//
// Get the Physical Presence flags
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS);
Status = mTcg2PpSmmVariable->SmmGetVariable (
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&Flags
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Get PP flags failure! Status = %r\n", Status));
return TCG_PP_GET_USER_CONFIRMATION_BLOCKED_BY_BIOS_CONFIGURATION;
}
RequestConfirmed = FALSE;
switch (OperationRequest) {
case TCG2_PHYSICAL_PRESENCE_CLEAR:
case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:
case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_2:
case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_3:
if ((Flags.PPFlags & TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CLEAR) == 0) {
RequestConfirmed = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_CLEAR_TRUE:
RequestConfirmed = TRUE;
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_CLEAR_FALSE:
break;
case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
if ((Flags.PPFlags & TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS) == 0) {
RequestConfirmed = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_CHANGE_EPS:
if ((Flags.PPFlags & TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS) == 0) {
RequestConfirmed = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
RequestConfirmed = TRUE;
break;
default:
if (OperationRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
RequestConfirmed = TRUE;
} else {
if (OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
}
}
break;
}
if (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
return Tcg2PpVendorLibGetUserConfirmationStatusFunction (OperationRequest, Flags.PPFlags);
}
if (RequestConfirmed) {
return TCG_PP_GET_USER_CONFIRMATION_ALLOWED_AND_PPUSER_NOT_REQUIRED;
} else {
return TCG_PP_GET_USER_CONFIRMATION_ALLOWED_AND_PPUSER_REQUIRED;
}
}
/**
The constructor function register UNI strings into imageHandle.
It will ASSERT() if that operation fails and it will always return EFI_SUCCESS.
@param ImageHandle The firmware allocated handle for the EFI image.
@param SystemTable A pointer to the EFI System Table.
@retval EFI_SUCCESS The constructor successfully added string package.
@retval Other value The constructor can't add string package.
**/
EFI_STATUS
EFIAPI
Tcg2PhysicalPresenceLibConstructor (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
EFI_STATUS Status;
//
// Locate SmmVariableProtocol.
//
Status = gSmst->SmmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID**)&mTcg2PpSmmVariable);
ASSERT_EFI_ERROR (Status);
return EFI_SUCCESS;
}

56
SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf Normal file
View File

@@ -0,0 +1,56 @@
## @file
# Handle TPM 2.0 physical presence requests from OS.
#
# This library will handle TPM 2.0 physical presence request from OS.
#
# Caution: This module requires additional review when modified.
# This driver will have external input - variable.
# This external input must be validated carefully to avoid security issue.
#
# Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = SmmTcg2PhysicalPresenceLib
MODULE_UNI_FILE = SmmTcg2PhysicalPresenceLib.uni
FILE_GUID = AAE02741-858B-4964-9887-CA870489D944
MODULE_TYPE = DXE_SMM_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = Tcg2PhysicalPresenceLib|DXE_SMM_DRIVER
CONSTRUCTOR = Tcg2PhysicalPresenceLibConstructor
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
SmmTcg2PhysicalPresenceLib.c
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
DebugLib
Tcg2PpVendorLib
SmmServicesTableLib
[Guids]
## SOMETIMES_PRODUCES ## Variable:L"PhysicalPresence"
## SOMETIMES_CONSUMES ## Variable:L"PhysicalPresence"
## SOMETIMES_CONSUMES ## Variable:L"PhysicalPresenceFlags"
gEfiTcg2PhysicalPresenceGuid
[Depex]
gEfiSmmVariableProtocolGuid

BIN
SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.uni Normal file
View File

Binary file not shown.

133
SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.c Normal file
View File

@@ -0,0 +1,133 @@
/** @file
NULL Tcg2 PP Vendor library instance that does not support any vendor specific PPI.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <Library/DebugLib.h>
#include <Library/Tcg2PpVendorLib.h>
/**
Check and execute the requested physical presence command.
This API should be invoked in BIOS boot phase to process pending request.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
@param[in] OperationRequest TPM physical presence operation request.
@param[in, out] ManagementFlags BIOS TPM Management Flags.
@param[out] ResetRequired If reset is required to vendor settings in effect.
True, it indicates the reset is required.
False, it indicates the reset is not required.
@return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
Tcg2PpVendorLibExecutePendingRequest (
IN TPM2B_AUTH *PlatformAuth, OPTIONAL
IN UINT32 OperationRequest,
IN OUT UINT32 *ManagementFlags,
OUT BOOLEAN *ResetRequired
)
{
ASSERT (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION);
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
}
/**
Check if there is a valid physical presence command request.
This API should be invoked in BIOS boot phase to process pending request.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@param[out] RequestConfirmed If the physical presence operation command required user confirm from UI.
True, it indicates the command doesn't require user confirm.
False, it indicates the command need user confirm from UI.
@retval TRUE Physical Presence operation command is valid.
@retval FALSE Physical Presence operation command is invalid.
**/
BOOLEAN
EFIAPI
Tcg2PpVendorLibHasValidRequest (
IN UINT32 OperationRequest,
IN UINT32 ManagementFlags,
OUT BOOLEAN *RequestConfirmed
)
{
ASSERT (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION);
return FALSE;
}
/**
The callback for TPM vendor specific physical presence which is called for
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@param[in] RequestParameter Extra parameter from the passed package.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
EFIAPI
Tcg2PpVendorLibSubmitRequestToPreOSFunction (
IN UINT32 OperationRequest,
IN UINT32 ManagementFlags,
IN UINT32 RequestParameter
)
{
ASSERT (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION);
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
}
/**
The callback for TPM vendor specific physical presence which is called for
Get User Confirmation Status for Operation.
This API should be invoked in OS runtime phase to interface with ACPI method.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@return Return Code for Get User Confirmation Status for Operation.
**/
UINT32
EFIAPI
Tcg2PpVendorLibGetUserConfirmationStatusFunction (
IN UINT32 OperationRequest,
IN UINT32 ManagementFlags
)
{
ASSERT (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION);
return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
}

37
SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf Normal file
View File

@@ -0,0 +1,37 @@
## @file
# NULL Tcg PP Vendor library instance that does not support any vendor specific PPI
#
# Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = Tcg2PpVendorLibNull
MODULE_UNI_FILE = Tcg2PpVendorLibNull.uni
FILE_GUID = 51924AE9-BE81-4820-94BA-7C9546E702D0
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = Tcg2PpVendorLib|DXE_RUNTIME_DRIVER DXE_SMM_DRIVER DXE_DRIVER
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
Tcg2PpVendorLibNull.c
[Packages]
MdePkg/MdePkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
DebugLib

BIN
SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.uni Normal file
View File

Binary file not shown.

125
SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.c Normal file
View File

@@ -0,0 +1,125 @@
/** @file
Ihis library is TPM2 TCG2 protocol lib.
Copyright (c) 2013, Intel Corporation. All rights reserved. <BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/Tpm2DeviceLib.h>
#include <Protocol/Tcg2Protocol.h>
#include <IndustryStandard/Tpm20.h>
EFI_TCG2_PROTOCOL *mTcg2Protocol = NULL;
/**
This service enables the sending of commands to the TPM2.
@param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
@param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
@param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
@param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
@retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
@retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
@retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
**/
EFI_STATUS
EFIAPI
Tpm2SubmitCommand (
IN UINT32 InputParameterBlockSize,
IN UINT8 *InputParameterBlock,
IN OUT UINT32 *OutputParameterBlockSize,
IN UINT8 *OutputParameterBlock
)
{
EFI_STATUS Status;
TPM2_RESPONSE_HEADER *Header;
if (mTcg2Protocol == NULL) {
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &mTcg2Protocol);
if (EFI_ERROR (Status)) {
//
// Tcg2 protocol is not installed. So, TPM2 is not present.
//
DEBUG ((EFI_D_ERROR, "Tpm2SubmitCommand - Tcg2 - %r\n", Status));
return EFI_NOT_FOUND;
}
}
//
// Assume when Tcg2 Protocol is ready, RequestUseTpm already done.
//
Status = mTcg2Protocol->SubmitCommand (
mTcg2Protocol,
InputParameterBlockSize,
InputParameterBlock,
*OutputParameterBlockSize,
OutputParameterBlock
);
if (EFI_ERROR (Status)) {
return Status;
}
Header = (TPM2_RESPONSE_HEADER *)OutputParameterBlock;
*OutputParameterBlockSize = SwapBytes32 (Header->paramSize);
return EFI_SUCCESS;
}
/**
This service requests use TPM2.
@retval EFI_SUCCESS Get the control of TPM2 chip.
@retval EFI_NOT_FOUND TPM2 not found.
@retval EFI_DEVICE_ERROR Unexpected device behavior.
**/
EFI_STATUS
EFIAPI
Tpm2RequestUseTpm (
VOID
)
{
EFI_STATUS Status;
if (mTcg2Protocol == NULL) {
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &mTcg2Protocol);
if (EFI_ERROR (Status)) {
//
// Tcg2 protocol is not installed. So, TPM2 is not present.
//
DEBUG ((EFI_D_ERROR, "Tpm2RequestUseTpm - Tcg2 - %r\n", Status));
return EFI_NOT_FOUND;
}
}
//
// Assume when Tcg2 Protocol is ready, RequestUseTpm already done.
//
return EFI_SUCCESS;
}
/**
This service register TPM2 device.
@param Tpm2Device TPM2 device
@retval EFI_SUCCESS This TPM2 device is registered successfully.
@retval EFI_UNSUPPORTED System does not support register this TPM2 device.
@retval EFI_ALREADY_STARTED System already register this TPM2 device.
**/
EFI_STATUS
EFIAPI
Tpm2RegisterTpm2DeviceLib (
IN TPM2_DEVICE_INTERFACE *Tpm2Device
)
{
return EFI_UNSUPPORTED;
}

46
SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf Normal file
View File

@@ -0,0 +1,46 @@
## @file
# Provides function interfaces to communicate with TPM 2.0 device
#
# This library helps to use TPM 2.0 device in library function API
# based on TPM2 protocol.
#
# Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = Tpm2DeviceLibTcg2
MODULE_UNI_FILE = Tpm2DeviceLibTcg2.uni
FILE_GUID = A1B0B230-67DC-431E-A94A-A96AF1EBE637
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = Tpm2DeviceLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SAL_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF
#
[Sources]
Tpm2DeviceLibTcg2.c
[Packages]
MdePkg/MdePkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
BaseLib
BaseMemoryLib
DebugLib
UefiBootServicesTableLib
[Protocols]
gEfiTcg2ProtocolGuid ## CONSUMES

BIN
SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.uni Normal file
View File

Binary file not shown.