diff --git a/0018-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch b/0018-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch new file mode 100644 index 0000000000000000000000000000000000000000..0fce38aa7846e709b0eb6b946b7514a824780139 --- /dev/null +++ b/0018-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch @@ -0,0 +1,378 @@ +From 6642e762e1cedae30a08e28c456de2372bda7766 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:20:57 +0800 +Subject: [PATCH 1/8] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c + from edk2-platforms + +Import PeiDxeTpmPlatformHierarchyLib from edk2-platforms without any +modifications. + +Signed-off-by: Stefan Berger +--- + .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ + .../PeiDxeTpmPlatformHierarchyLib.c | 266 ++++++++++++++++++ + .../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++ + 3 files changed, 338 insertions(+) + create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + +diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +new file mode 100644 +index 0000000000..a872fa09dc +--- /dev/null ++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +@@ -0,0 +1,27 @@ ++/** @file ++ TPM Platform Hierarchy configuration library. ++ ++ This library provides functions for customizing the TPM's Platform Hierarchy ++ Authorization Value (platformAuth) and Platform Hierarchy Authorization ++ Policy (platformPolicy) can be defined through this function. ++ ++Copyright (c) 2019, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation.
++SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ ++#define _TPM_PLATFORM_HIERARCHY_LIB_H_ ++ ++/** ++ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. ++ ++**/ ++VOID ++EFIAPI ++ConfigureTpmPlatformHierarchy ( ++ VOID ++ ); ++ ++#endif +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +new file mode 100644 +index 0000000000..9812ab99ab +--- /dev/null ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +@@ -0,0 +1,266 @@ ++/** @file ++ TPM Platform Hierarchy configuration library. ++ ++ This library provides functions for customizing the TPM's Platform Hierarchy ++ Authorization Value (platformAuth) and Platform Hierarchy Authorization ++ Policy (platformPolicy) can be defined through this function. ++ ++ Copyright (c) 2019, Intel Corporation. All rights reserved.
++ Copyright (c) Microsoft Corporation.
++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++ @par Specification Reference: ++ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/ ++**/ ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++// ++// The authorization value may be no larger than the digest produced by the hash ++// algorithm used for context integrity. ++// ++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE ++ ++UINT16 mAuthSize; ++ ++/** ++ Generate high-quality entropy source through RDRAND. ++ ++ @param[in] Length Size of the buffer, in bytes, to fill with. ++ @param[out] Entropy Pointer to the buffer to store the entropy data. ++ ++ @retval EFI_SUCCESS Entropy generation succeeded. ++ @retval EFI_NOT_READY Failed to request random data. ++ ++**/ ++EFI_STATUS ++EFIAPI ++RdRandGenerateEntropy ( ++ IN UINTN Length, ++ OUT UINT8 *Entropy ++ ) ++{ ++ EFI_STATUS Status; ++ UINTN BlockCount; ++ UINT64 Seed[2]; ++ UINT8 *Ptr; ++ ++ Status = EFI_NOT_READY; ++ BlockCount = Length / 64; ++ Ptr = (UINT8 *)Entropy; ++ ++ // ++ // Generate high-quality seed for DRBG Entropy ++ // ++ while (BlockCount > 0) { ++ Status = GetRandomNumber128 (Seed); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ CopyMem (Ptr, Seed, 64); ++ ++ BlockCount--; ++ Ptr = Ptr + 64; ++ } ++ ++ // ++ // Populate the remained data as request. ++ // ++ Status = GetRandomNumber128 (Seed); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ CopyMem (Ptr, Seed, (Length % 64)); ++ ++ return Status; ++} ++ ++/** ++ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value ++ and limits an authValue to being no larger than the largest digest produced by a TPM. ++ ++ @param[out] AuthSize Tpm2 Auth size ++ ++ @retval EFI_SUCCESS Auth size returned. ++ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error. 
++ ++**/ ++EFI_STATUS ++EFIAPI ++GetAuthSize ( ++ OUT UINT16 *AuthSize ++ ) ++{ ++ EFI_STATUS Status; ++ TPML_PCR_SELECTION Pcrs; ++ UINTN Index; ++ UINT16 DigestSize; ++ ++ Status = EFI_SUCCESS; ++ ++ while (mAuthSize == 0) { ++ ++ mAuthSize = SHA1_DIGEST_SIZE; ++ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); ++ Status = Tpm2GetCapabilityPcrs (&Pcrs); ++ ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); ++ break; ++ } ++ ++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); ++ ++ for (Index = 0; Index < Pcrs.count; Index++) { ++ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); ++ ++ switch (Pcrs.pcrSelections[Index].hash) { ++ case TPM_ALG_SHA1: ++ DigestSize = SHA1_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SHA256: ++ DigestSize = SHA256_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SHA384: ++ DigestSize = SHA384_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SHA512: ++ DigestSize = SHA512_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SM3_256: ++ DigestSize = SM3_256_DIGEST_SIZE; ++ break; ++ default: ++ DigestSize = SHA1_DIGEST_SIZE; ++ break; ++ } ++ ++ if (DigestSize > mAuthSize) { ++ mAuthSize = DigestSize; ++ } ++ } ++ break; ++ } ++ ++ *AuthSize = mAuthSize; ++ return Status; ++} ++ ++/** ++ Set PlatformAuth to random value. ++**/ ++VOID ++RandomizePlatformAuth ( ++ VOID ++ ) ++{ ++ EFI_STATUS Status; ++ UINT16 AuthSize; ++ UINT8 *Rand; ++ UINTN RandSize; ++ TPM2B_AUTH NewPlatformAuth; ++ ++ // ++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null ++ // ++ ++ GetAuthSize (&AuthSize); ++ ++ ZeroMem (NewPlatformAuth.buffer, AuthSize); ++ NewPlatformAuth.size = AuthSize; ++ ++ // ++ // Allocate one buffer to store random data. 
++ // ++ RandSize = MAX_NEW_AUTHORIZATION_SIZE; ++ Rand = AllocatePool (RandSize); ++ ++ RdRandGenerateEntropy (RandSize, Rand); ++ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); ++ ++ FreePool (Rand); ++ ++ // ++ // Send Tpm2HierarchyChangeAuth command with the new Auth value ++ // ++ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); ++ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); ++ ZeroMem (NewPlatformAuth.buffer, AuthSize); ++ ZeroMem (Rand, RandSize); ++} ++ ++/** ++ Disable the TPM platform hierarchy. ++ ++ @retval EFI_SUCCESS The TPM was disabled successfully. ++ @retval Others An error occurred attempting to disable the TPM platform hierarchy. ++ ++**/ ++EFI_STATUS ++DisableTpmPlatformHierarchy ( ++ VOID ++ ) ++{ ++ EFI_STATUS Status; ++ ++ // Make sure that we have use of the TPM. ++ Status = Tpm2RequestUseTpm (); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); ++ ASSERT_EFI_ERROR (Status); ++ return Status; ++ } ++ ++ // Let's do what we can to shut down the hierarchies. ++ ++ // Disable the PH NV. ++ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have ++ // been known to store the EK cert in the PH NV. If we disable it, the ++ // EK cert will be unreadable. ++ ++ // Disable the PH. ++ Status = Tpm2HierarchyControl ( ++ TPM_RH_PLATFORM, // AuthHandle ++ NULL, // AuthSession ++ TPM_RH_PLATFORM, // Hierarchy ++ NO // State ++ ); ++ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! 
%r\n", gEfiCallerBaseName, __FUNCTION__, Status)); ++ ASSERT_EFI_ERROR (Status); ++ } ++ ++ return Status; ++} ++ ++/** ++ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) ++ and Platform Hierarchy Authorization Policy (platformPolicy) ++ ++**/ ++VOID ++EFIAPI ++ConfigureTpmPlatformHierarchy ( ++ ) ++{ ++ if (PcdGetBool (PcdRandomizePlatformHierarchy)) { ++ // ++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null ++ // ++ RandomizePlatformAuth (); ++ } else { ++ // ++ // Disable the hierarchy entirely (do not randomize it) ++ // ++ DisableTpmPlatformHierarchy (); ++ } ++} +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +new file mode 100644 +index 0000000000..b7a7fb0a08 +--- /dev/null ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +@@ -0,0 +1,45 @@ ++### @file ++# ++# TPM Platform Hierarchy configuration library. ++# ++# This library provides functions for customizing the TPM's Platform Hierarchy ++# Authorization Value (platformAuth) and Platform Hierarchy Authorization ++# Policy (platformPolicy) can be defined through this function. ++# ++# Copyright (c) 2019, Intel Corporation. All rights reserved.
++# Copyright (c) Microsoft Corporation.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++### ++ ++[Defines] ++ INF_VERSION = 0x00010005 ++ BASE_NAME = PeiDxeTpmPlatformHierarchyLib ++ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 ++ MODULE_TYPE = PEIM ++ VERSION_STRING = 1.0 ++ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER ++ ++[LibraryClasses] ++ BaseLib ++ BaseMemoryLib ++ DebugLib ++ MemoryAllocationLib ++ PcdLib ++ RngLib ++ Tpm2CommandLib ++ Tpm2DeviceLib ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ SecurityPkg/SecurityPkg.dec ++ CryptoPkg/CryptoPkg.dec ++ MinPlatformPkg/MinPlatformPkg.dec ++ ++[Sources] ++ PeiDxeTpmPlatformHierarchyLib.c ++ ++[Pcd] ++ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy +-- +2.27.0 + diff --git a/0019-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch b/0019-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch new file mode 100644 index 0000000000000000000000000000000000000000..e250097ddf91b67f558b84c7bfcf794841df7b51 --- /dev/null +++ b/0019-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch 
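Review bot: `RandomizePlatformAuth` never acts on a failure — the results of `GetAuthSize`, `RdRandGenerateEntropy` and `Tpm2HierarchyChangeAuth` are all dropped (the last only logged at DEBUG_INFO), and `ConfigureTpmPlatformHierarchy` likewise ignores what `DisableTpmPlatformHierarchy` returns, so if the TPM rejects the command or the RNG fails the boot continues with platformAuth still empty and nothing surfaces it. Since the only purpose of this library is to put the platform hierarchy out of the OS's reach, the randomize path should return its status and the caller should fall back to `DisableTpmPlatformHierarchy` (with an ASSERT/DEBUG_ERROR) when it fails; disabling a hierarchy the platform wanted to keep enabled is still preferable to leaving it open, but confirm that against the platform's needs. The RNG status matters for the same reason: because the buffer is zeroed first, a failed `RdRandGenerateEntropy` here commits an all-zero `AuthSize`-byte value as platformAuth. The 64-byte copies from a 16-byte `Seed` and the `ZeroMem (Rand, RandSize)` after `FreePool (Rand)` in this import are fixed by the follow-up patch, so they are not re-raised.
```c
/* … unchanged: RandomizePlatformAuth (now returning EFI_STATUS) up to the command … */
  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
  ZeroMem (NewPlatformAuth.buffer, AuthSize);
  return Status;
}

/* … unchanged: DisableTpmPlatformHierarchy … */

VOID
EFIAPI
ConfigureTpmPlatformHierarchy (
  VOID
  )
{
  EFI_STATUS  Status;

  Status = EFI_UNSUPPORTED;
  if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
    Status = RandomizePlatformAuth ();
  }

  if (EFI_ERROR (Status)) {
    //
    // Randomizing is not configured or failed: never hand off with an
    // empty platformAuth still usable.
    //
    Status = DisableTpmPlatformHierarchy ();
  }

  ASSERT_EFI_ERROR (Status);
}
```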
@@ -0,0 +1,121 @@
+From da8e34ff10bff3bff14c0bc5ee1f2e3f3d72428f Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Mon, 13 Sep 2021 22:20:58 +0800
+Subject: [PATCH 2/8] SecurityPkg/TPM: Fix bugs in imported
+ PeiDxeTpmPlatformHierarchyLib
+
+Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c.
+
+Signed-off-by: Stefan Berger
+Reviewed-by: Jiewen Yao
+---
+ .../PeiDxeTpmPlatformHierarchyLib.c | 23 +++++--------------
+ .../PeiDxeTpmPlatformHierarchyLib.inf | 5 ++--
+ 2 files changed, 8 insertions(+), 20 deletions(-)
+
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+index 9812ab99ab..d82a0ae1bd 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+@@ -18,7 +18,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -27,7 +26,6 @@
+ // The authorization value may be no larger than the digest produced by the hash
+ // algorithm used for context integrity.
+ //
+-#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
+
+ UINT16 mAuthSize;
+
+@@ -54,7 +52,7 @@ RdRandGenerateEntropy (
+ UINT8 *Ptr;
+
+ Status = EFI_NOT_READY;
+- BlockCount = Length / 64;
++ BlockCount = Length / sizeof(Seed);
+ Ptr = (UINT8 *)Entropy;
+
+ //
+@@ -65,10 +63,10 @@ RdRandGenerateEntropy (
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+- CopyMem (Ptr, Seed, 64);
++ CopyMem (Ptr, Seed, sizeof(Seed));
+
+ BlockCount--;
+- Ptr = Ptr + 64;
++ Ptr = Ptr + sizeof(Seed);
+ }
+
+ //
+@@ -78,7 +76,7 @@ RdRandGenerateEntropy (
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+- CopyMem (Ptr, Seed, (Length % 64));
++ CopyMem (Ptr, Seed, (Length % sizeof(Seed)));
+
+ return Status;
+ }
+@@ -164,8 +162,6 @@ RandomizePlatformAuth (
+ {
+ EFI_STATUS Status;
+ UINT16 AuthSize;
+- UINT8 *Rand;
+- UINTN RandSize;
+ TPM2B_AUTH NewPlatformAuth;
+
+ //
+@@ -174,19 +170,13 @@ RandomizePlatformAuth (
+
+ GetAuthSize (&AuthSize);
+
+- ZeroMem (NewPlatformAuth.buffer, AuthSize);
+ NewPlatformAuth.size = AuthSize;
+
+ //
+- // Allocate one buffer to store random data.
++ // Create the random bytes in the destination buffer
+ //
+- RandSize = MAX_NEW_AUTHORIZATION_SIZE;
+- Rand = AllocatePool (RandSize);
+-
+- RdRandGenerateEntropy (RandSize, Rand);
+- CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
+
+- FreePool (Rand);
++ RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);
+
+ //
+ // Send Tpm2HierarchyChangeAuth command with the new Auth value
+@@ -194,7 +184,6 @@ RandomizePlatformAuth (
+ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);
+- ZeroMem (Rand, RandSize);
+ }
+
+ /**
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+index b7a7fb0a08..7bf666794f 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+@@ -1,6 +1,5 @@
+-### @file
+-#
+-# TPM Platform Hierarchy configuration library.
++## @file
++# TPM Platform Hierarchy configuration library.
+ #
+ # This library provides functions for customizing the TPM's Platform Hierarchy
+ # Authorization Value (platformAuth) and Platform Hierarchy Authorization
+--
+2.27.0
+
diff --git a/0020-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch b/0020-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch
new file mode 100644
index 0000000000000000000000000000000000000000..480ab1dfb06c05118568fa074c7d675be915a88c
--- /dev/null
+++ b/0020-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch
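Review bot: The new `RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);` discards its status while the same hunk removes the `ZeroMem` that used to precede it, so if `GetRandomNumber128` fails (an RngLib with no usable source, for instance) whatever the stack held in `NewPlatformAuth.buffer` is sent to the TPM as the new platformAuth and the failure is invisible. The call should be checked before the auth is committed: `Status = RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer); if (EFI_ERROR (Status)) { ASSERT_EFI_ERROR (Status); return; }`. Because `RandomizePlatformAuth` is VOID a bare return still leaves platformAuth empty, so either return the status to the caller or call `DisableTpmPlatformHierarchy` instead (it is defined later in the file and would need a forward declaration). `RandomizePlatformAuth` starts and ends outside this hunk.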
@@ -0,0 +1,161 @@ +From 4f998a6c11ca05dc19bafe54ecd43ed74bd2cb3c Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:20:59 +0800 +Subject: [PATCH 3/8] SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from + edk2-platforms + +Import Tcg2PlatformDxe from edk2-platforms without any modifications. + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 +++++++++++++++++++ + .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 44 ++++++++++ + 2 files changed, 129 insertions(+) + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf + +diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +new file mode 100644 +index 0000000000..150cf748ff +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +@@ -0,0 +1,85 @@ ++/** @file ++ Platform specific TPM2 component for configuring the Platform Hierarchy. ++ ++ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++/** ++ This callback function will run at the SmmReadyToLock event. ++ ++ Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth) ++ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function. ++ ++ @param Event Pointer to this event ++ @param Context Event hanlder private data ++ **/ ++VOID ++EFIAPI ++SmmReadyToLockEventCallBack ( ++ IN EFI_EVENT Event, ++ IN VOID *Context ++ ) ++{ ++ EFI_STATUS Status; ++ VOID *Interface; ++ ++ // ++ // Try to locate it because EfiCreateProtocolNotifyEvent will trigger it once when registration. ++ // Just return if it is not found. ++ // ++ Status = gBS->LocateProtocol ( ++ &gEfiDxeSmmReadyToLockProtocolGuid, ++ NULL, ++ &Interface ++ ); ++ if (EFI_ERROR (Status)) { ++ return ; ++ } ++ ++ ConfigureTpmPlatformHierarchy (); ++ ++ gBS->CloseEvent (Event); ++} ++ ++/** ++ The driver's entry point. Will register a function for callback during SmmReadyToLock event to ++ configure the TPM's platform authorization. ++ ++ @param[in] ImageHandle The firmware allocated handle for the EFI image. ++ @param[in] SystemTable A pointer to the EFI System Table. ++ ++ @retval EFI_SUCCESS The entry point is executed successfully. ++ @retval other Some error occurs when executing this entry point. 
++**/ ++EFI_STATUS ++EFIAPI ++Tcg2PlatformDxeEntryPoint ( ++ IN EFI_HANDLE ImageHandle, ++ IN EFI_SYSTEM_TABLE *SystemTable ++ ) ++{ ++ VOID *Registration; ++ EFI_EVENT Event; ++ ++ Event = EfiCreateProtocolNotifyEvent ( ++ &gEfiDxeSmmReadyToLockProtocolGuid, ++ TPL_CALLBACK, ++ SmmReadyToLockEventCallBack, ++ NULL, ++ &Registration ++ ); ++ ++ ASSERT (Event != NULL); ++ ++ return EFI_SUCCESS; ++} +diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +new file mode 100644 +index 0000000000..af29c1cd98 +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +@@ -0,0 +1,44 @@ ++### @file ++# Platform specific TPM2 component. ++# ++# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++### ++ ++[Defines] ++ INF_VERSION = 0x00010017 ++ BASE_NAME = Tcg2PlatformDxe ++ FILE_GUID = 5CAB08D5-AD8F-4d8b-B828-D17A8D9FE977 ++ VERSION_STRING = 1.0 ++ MODULE_TYPE = DXE_DRIVER ++ ENTRY_POINT = Tcg2PlatformDxeEntryPoint ++# ++# The following information is for reference only and not required by the build tools. ++# ++# VALID_ARCHITECTURES = IA32 X64 IPF ++# ++ ++[LibraryClasses] ++ BaseLib ++ UefiBootServicesTableLib ++ UefiDriverEntryPoint ++ DebugLib ++ UefiLib ++ TpmPlatformHierarchyLib ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ MinPlatformPkg/MinPlatformPkg.dec ++ SecurityPkg/SecurityPkg.dec ++ ++[Sources] ++ Tcg2PlatformDxe.c ++ ++[Protocols] ++ gEfiDxeSmmReadyToLockProtocolGuid ## SOMETIMES_CONSUMES ## NOTIFY ++ ++[Depex] ++ gEfiTcg2ProtocolGuid +-- +2.27.0 + diff --git a/0021-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch b/0021-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6bcac817d23eaa48c3c01ac443823cf3e1d4ddb --- /dev/null +++ b/0021-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch 
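Review bot: `Tcg2PlatformDxeEntryPoint` returns EFI_SUCCESS even when `EfiCreateProtocolNotifyEvent` hands back NULL, and `ASSERT (Event != NULL)` compiles out in RELEASE builds, so a failed registration means the platform hierarchy is simply never locked and nothing records it; at minimum report it, `if (Event == NULL) { DEBUG ((DEBUG_ERROR, "%a: DxeSmmReadyToLock notify registration failed\n", __FUNCTION__)); return EFI_OUT_OF_RESOURCES; }`. The lock also only happens if some platform component installs `gEfiDxeSmmReadyToLockProtocolGuid` before third-party code (option ROMs, boot loaders) runs; the file header should state that dependency so integrators can check their lock point, since a platform that never installs the protocol gets no protection from this driver. In the callback's doc comment, "hanlder" is a typo for "handler".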
@@ -0,0 +1,63 @@ +From edaa95dc147509a6c84225d70476c7dd9179cb57 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:00 +0800 +Subject: [PATCH 4/8] SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix + style issues + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h | 4 ++-- + .../PeiDxeTpmPlatformHierarchyLib.c | 2 +- + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 3 +-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +index a872fa09dc..8d61a4867b 100644 +--- a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h ++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +@@ -11,8 +11,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ + +-#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ +-#define _TPM_PLATFORM_HIERARCHY_LIB_H_ ++#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_ ++#define TPM_PLATFORM_HIERARCHY_LIB_H_ + + /** + This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +index d82a0ae1bd..0bb04a20fc 100644 +--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +@@ -233,7 +233,7 @@ DisableTpmPlatformHierarchy ( + + /** + This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) +- and Platform Hierarchy Authorization Policy (platformPolicy) ++ and Platform Hierarchy Authorization Policy (platformPolicy). 
+ + **/ + VOID +diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +index af29c1cd98..635302fe6f 100644 +--- a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf ++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +@@ -1,4 +1,4 @@ +-### @file ++## @file + # Platform specific TPM2 component. + # + # Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
+@@ -31,7 +31,6 @@ + [Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec +- MinPlatformPkg/MinPlatformPkg.dec + SecurityPkg/SecurityPkg.dec + + [Sources] +-- +2.27.0 + diff --git a/0022-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch b/0022-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch new file mode 100644 index 0000000000000000000000000000000000000000..6b096da5164edc18eff9184a47d6d4e4ad73965b --- /dev/null +++ b/0022-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch 
@@ -0,0 +1,53 @@ +From 0282acbc3dee92ee04f1a212ca3f4c77e8b97207 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:01 +0800 +Subject: [PATCH 5/8] SecurityPkg: Introduce new PCD + PcdRandomizePlatformHierarchy + +Introduce the new PCD +gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy. +We need it for TpmPlatformHierarchyLib. + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + .../PeiDxeTpmPlatformHierarchyLib.inf | 3 +-- + SecurityPkg/SecurityPkg.dec | 6 ++++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +index 7bf666794f..efe560e7ff 100644 +--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +@@ -35,10 +35,9 @@ + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec +- MinPlatformPkg/MinPlatformPkg.dec + + [Sources] + PeiDxeTpmPlatformHierarchyLib.c + + [Pcd] +- gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy ++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy +diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec +index 5335cc5397..276ea6e2dd 100644 +--- a/SecurityPkg/SecurityPkg.dec ++++ b/SecurityPkg/SecurityPkg.dec +@@ -291,6 +291,12 @@ + # @Prompt Physical presence of the platform operator. 
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001 + ++ ## Indicates whether the TPM2 platform hierarchy will be disabled by using ++ # a random password or by disabling the hierarchy ++ # TRUE - A random password will be used ++ # FALSE - The hierarchy will be disabled ++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy|TRUE|BOOLEAN|0x00010024 ++ + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] + ## Indicates whether TPM physical presence is locked during platform initialization. + # Once it is locked, it can not be unlocked for TPM life time.

+-- +2.27.0 + diff --git a/0023-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch b/0023-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch new file mode 100644 index 0000000000000000000000000000000000000000..38acd0ec1e1e72ed9cd921d00649bdb6df36a69d --- /dev/null +++ b/0023-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch @@ -0,0 +1,191 @@ +From ede5db34ee1e35c16cf016b974046b1c499c19a6 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:03 +0800 +Subject: [PATCH 6/8] SecurityPkg/Tcg: Import Tcg2PlatformPei from + edk2-platforms + +Import Tcg2PlatformPei from edk2-platforms without any modifications. + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++++++++++++ + .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 52 +++++++++ + 2 files changed, 159 insertions(+) + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf + +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +new file mode 100644 +index 0000000000..66ec75ad0e +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +@@ -0,0 +1,107 @@ ++/** @file ++ ++Copyright (c) 2017, Intel Corporation. All rights reserved.
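Review bot: The help text for `PcdRandomizePlatformHierarchy` says the hierarchy "will be disabled" under both settings, but with TRUE the library keeps the platform hierarchy enabled and only replaces platformAuth with a random value that is then discarded; only FALSE actually clears phEnable via TPM2_HierarchyControl. Since this text is what integrators read to choose, it should say so: `## Selects how the TPM2 platform hierarchy is locked before control leaves firmware.` / `#  TRUE  - platformAuth is set to a random value that is discarded (the hierarchy itself stays enabled)` / `#  FALSE - the hierarchy is disabled with TPM2_HierarchyControl`. Note that the hunk does not show which `[Pcds…]` section the new entry lands in; if that section is dynamic, the value can be changed at runtime before the lock is applied, which is worth a sentence in the description as well.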
++Copyright (c) Microsoft Corporation.
++SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE ++ ++/** ++ This function handles PlatformInit task at the end of PEI ++ ++ @param[in] PeiServices Pointer to PEI Services Table. ++ @param[in] NotifyDesc Pointer to the descriptor for the Notification event that ++ caused this function to execute. ++ @param[in] Ppi Pointer to the PPI data associated with this function. ++ ++ @retval EFI_SUCCESS The function completes successfully ++ @retval others ++**/ ++EFI_STATUS ++EFIAPI ++PlatformInitEndOfPei ( ++ IN CONST EFI_PEI_SERVICES **PeiServices, ++ IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor, ++ IN VOID *Ppi ++ ) ++{ ++ VOID *TcgEventLog; ++ ++ // ++ // Try to get TcgEventLog in S3 to see if S3 error is reported. ++ // ++ TcgEventLog = GetFirstGuidHob(&gTcgEventEntryHobGuid); ++ if (TcgEventLog == NULL) { ++ TcgEventLog = GetFirstGuidHob(&gTcgEvent2EntryHobGuid); ++ } ++ ++ if (TcgEventLog == NULL) { ++ // ++ // no S3 error reported ++ // ++ return EFI_SUCCESS; ++ } ++ ++ // ++ // If there is S3 error on TPM_SU_STATE and success on TPM_SU_CLEAR, ++ // configure the TPM Platform Hierarchy. ++ // ++ ConfigureTpmPlatformHierarchy (); ++ ++ return EFI_SUCCESS; ++} ++ ++static EFI_PEI_NOTIFY_DESCRIPTOR mEndOfPeiNotifyList = { ++ (EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), ++ &gEfiEndOfPeiSignalPpiGuid, ++ (EFI_PEIM_NOTIFY_ENTRY_POINT)PlatformInitEndOfPei ++}; ++ ++/** ++ Main entry ++ ++ @param[in] FileHandle Handle of the file being invoked. ++ @param[in] PeiServices Pointer to PEI Services table. ++ ++ @retval EFI_SUCCESS Install function successfully. 
++ ++**/ ++EFI_STATUS ++EFIAPI ++Tcg2PlatformPeiEntryPoint ( ++ IN EFI_PEI_FILE_HANDLE FileHandle, ++ IN CONST EFI_PEI_SERVICES **PeiServices ++ ) ++{ ++ EFI_STATUS Status; ++ EFI_BOOT_MODE BootMode; ++ ++ Status = PeiServicesGetBootMode (&BootMode); ++ ASSERT_EFI_ERROR(Status); ++ ++ if (BootMode != BOOT_ON_S3_RESUME) { ++ return EFI_SUCCESS; ++ } ++ ++ // ++ // Performing PlatformInitEndOfPei after EndOfPei PPI produced ++ // ++ Status = PeiServicesNotifyPpi (&mEndOfPeiNotifyList); ++ ++ return Status; ++} +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +new file mode 100644 +index 0000000000..579f09b940 +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +@@ -0,0 +1,52 @@ ++### @file ++# ++# Copyright (c) 2017, Intel Corporation. All rights reserved.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++### ++ ++[Defines] ++ INF_VERSION = 0x00010017 ++ BASE_NAME = Tcg2PlatformPei ++ FILE_GUID = 47727552-A54B-4A84-8CC1-BFF23E239636 ++ VERSION_STRING = 1.0 ++ MODULE_TYPE = PEIM ++ ENTRY_POINT = Tcg2PlatformPeiEntryPoint ++ ++# ++# The following information is for reference only and not required by the build tools. ++# ++# VALID_ARCHITECTURES = IA32 X64 IPF EBC ++# ++ ++[LibraryClasses] ++ PcdLib ++ BaseMemoryLib ++ MemoryAllocationLib ++ PeiServicesLib ++ PeimEntryPoint ++ DebugLib ++ Tpm2DeviceLib ++ Tpm2CommandLib ++ TpmPlatformHierarchyLib ++ RngLib ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ SecurityPkg/SecurityPkg.dec ++ MinPlatformPkg/MinPlatformPkg.dec ++ ++[Sources] ++ Tcg2PlatformPei.c ++ ++[Guids] ++ gTcgEventEntryHobGuid ++ gTcgEvent2EntryHobGuid ++ ++[Ppis] ++ gEfiEndOfPeiSignalPpiGuid ++ ++[Depex] ++ gEfiTpmDeviceSelectedGuid ++ +-- +2.27.0 + diff --git a/0024-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch b/0024-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..3a51c880c88c97e2203214b0a16e06e704fc3232 --- /dev/null +++ b/0024-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch 
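Review bot: `PlatformInitEndOfPei` decides whether to re-lock the platform hierarchy from an indirect signal — a `gTcgEventEntryHobGuid`/`gTcgEvent2EntryHobGuid` HOB being present at end of PEI on S3 resume — and nothing in the driver states that this works only because Tcg2Pei logs events on resume solely after a failed TPM2_Startup(STATE) and fallback to Startup(CLEAR); a later change to Tcg2Pei's logging would silently switch this lock off. Replace the "Try to get TcgEventLog in S3" comment with one that spells out the contract, e.g. `// On S3 resume Tcg2Pei only produces event-log HOBs after TPM2_Startup(STATE) failed and it fell back to Startup(CLEAR) (NOTE(review): confirm against Tcg2Pei). That reset leaves platformAuth empty and the DXE lock point never runs on resume, so lock the hierarchy here.` The same comment should record the assumption that a successful STATE resume preserves the lock applied before suspend, since that is what justifies doing nothing in the no-HOB case. `MAX_NEW_AUTHORIZATION_SIZE` and the RngLib/Tpm2CommandLib/MemoryAllocationLib entries in the INF are not used by this source file and read as leftovers from the library.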
@@ -0,0 +1,63 @@ +From 5134d284aafd4816e265b5c551ee32d6eb43bbc8 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:04 +0800 +Subject: [PATCH 7/8] SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix + style issues + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 11 ++++++----- + SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 4 ++-- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +index 66ec75ad0e..21d2c1433d 100644 +--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +@@ -1,4 +1,5 @@ + /** @file ++ Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume + + Copyright (c) 2017, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation.
+@@ -24,12 +25,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + /** + This function handles PlatformInit task at the end of PEI + +- @param[in] PeiServices Pointer to PEI Services Table. +- @param[in] NotifyDesc Pointer to the descriptor for the Notification event that +- caused this function to execute. +- @param[in] Ppi Pointer to the PPI data associated with this function. ++ @param[in] PeiServices Pointer to PEI Services Table. ++ @param[in] NotifyDescriptor Pointer to the descriptor for the Notification event that ++ caused this function to execute. ++ @param[in] Ppi Pointer to the PPI data associated with this function. + +- @retval EFI_SUCCESS The function completes successfully ++ @retval EFI_SUCCESS The function completes successfully + @retval others + **/ + EFI_STATUS +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +index 579f09b940..6f57de025b 100644 +--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +@@ -1,4 +1,5 @@ +-### @file ++## @file ++# Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume + # + # Copyright (c) 2017, Intel Corporation. All rights reserved.
+ # +@@ -35,7 +36,6 @@ + [Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec +- MinPlatformPkg/MinPlatformPkg.dec + + [Sources] + Tcg2PlatformPei.c +-- +2.27.0 + diff --git a/0025-SecurityPkg-Add-references-to-header-and-inf-files-t.patch b/0025-SecurityPkg-Add-references-to-header-and-inf-files-t.patch new file mode 100644 index 0000000000000000000000000000000000000000..beb2c1fac4bd786b1eeb2204944dd8fe5a3c711e --- /dev/null +++ b/0025-SecurityPkg-Add-references-to-header-and-inf-files-t.patch 
@@ -0,0 +1,68 @@
+From e031b8396ba1ad059f7c1dc6e28e9fc4ca6aaae9 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Mon, 13 Sep 2021 22:21:06 +0800
+Subject: [PATCH 8/8] SecurityPkg: Add references to header and inf files to
+ SecurityPkg
+
+Signed-off-by: Stefan Berger
+Reviewed-by: Jiewen Yao
+---
+ SecurityPkg/SecurityPkg.dec | 4 ++++
+ SecurityPkg/SecurityPkg.dsc | 12 ++++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
+index 276ea6e2dd..beffd08772 100644
+--- a/SecurityPkg/SecurityPkg.dec
++++ b/SecurityPkg/SecurityPkg.dec
+@@ -68,6 +68,10 @@
+ #
+ Tcg2PhysicalPresenceLib|Include/Library/Tcg2PhysicalPresenceLib.h
+ 
++ ## @libraryclass Handle TPM 2.0 platform hierarchy configuration
++ #
++ TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
++
+ ## @libraryclass Provides interfaces about TCG storage generic command.
+ #
+ TcgStorageCoreLib|Include/Library/TcgStorageCoreLib.h
+diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
+index a2eeadda7a..8d5371295a 100644
+--- a/SecurityPkg/SecurityPkg.dsc
++++ b/SecurityPkg/SecurityPkg.dsc
+@@ -211,6 +211,8 @@
+ 
+ SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
+ 
++ SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++
+ #
+ # TCG Storage.
+ #
+@@ -272,6 +274,11 @@
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+ 
++ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
++
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+ 
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+@@ -288,6 +295,11 @@
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ }
+ 
++ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
++
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++
+ #
+ # Hash2
+ #
+-- 
+2.27.0
+
diff --git a/edk2.spec b/edk2.spec
index cfaccc117b41a57ef7b6d632620a948266690c9c..a4e9fd280b57955df597ec7a9af9208a9aff9d87 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@
 Name: edk2
 Version: %{stable_date}
-Release: 7
+Release: 8
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
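Review bot: In the two module-scoped blocks added to SecurityPkg.dsc (`Tcg2PlatformPei.inf {` and `Tcg2PlatformDxe.inf {`), the line between the opening brace and the `TpmPlatformHierarchyLib|...` mapping is rendered empty, exactly as it is in the existing `Tcg2Dxe.inf {` block below it; in a .dsc that line has to be the `<LibraryClasses>` section header, which an HTML-style rendering would have swallowed as a tag. The original patch almost certainly carries it, but if the line really is blank the .dsc will not parse, so confirm against the applied file rather than this rendering. Note also that the class is mapped only inside these two scoped blocks and not in the common [LibraryClasses] sections, so a platform .dsc that builds Tcg2PlatformPei/Dxe must supply its own `TpmPlatformHierarchyLib|` mapping; for the package's own build file that is expected, not a defect.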
@@ -31,6 +31,14 @@ Patch0016: 0014-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
 Patch0017: 0015-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
 Patch0018: 0016-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
 Patch0019: 0017-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch
+Patch0020: 0018-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch
+Patch0021: 0019-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch
+Patch0022: 0020-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch
+Patch0023: 0021-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch
+Patch0024: 0022-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
+Patch0025: 0023-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
+Patch0026: 0024-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
+Patch0027: 0025-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2
@@ -226,6 +234,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Fri Jan 28 2021 Jinhua Cao - 202002-8
+- fix CVE-2021-38576
+
 * Thu Dec 2 2021 Jinhua Cao - 202002-7
 - fix CVE-2021-28216
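Review bot: The new %changelog entry is dated `* Fri Jan 28 2021 Jinhua Cao - 202002-8`, which is earlier than the `202002-7` entry below it (Thu Dec 2 2021), and 28 January 2021 was a Thursday, so the intended date is presumably the following year; the line should read `* Fri Jan 28 2022 Jinhua Cao - 202002-8`. rpmbuild warns when %changelog is not in descending chronological order, and a wrong date also misleads anyone later tracing when the CVE-2021-38576 fix landed in this package. In the Patch list, Patch0022 points at `0020-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch` with "Secrutiy" misspelt; that only works if the file added earlier in this diff carries the same misspelling, which cannot be checked from this hunk, and a mismatch fails at %prep. The changelog line could also say what the fix is (the TPM 2 platform hierarchy series) rather than only the CVE id, but that is a matter of style.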