diff --git a/0014-SecurityPkg-add-TIS-sanity-check-tpm2.patch b/0014-SecurityPkg-add-TIS-sanity-check-tpm2.patch new file mode 100644 index 0000000..a08011a --- /dev/null +++ b/0014-SecurityPkg-add-TIS-sanity-check-tpm2.patch @@ -0,0 +1,35 @@ +From cb0ffbcd86756a47696b6e24e19552d2bcc4238a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 26 Apr 2023 14:37:13 +0200 +Subject: [PATCH 14/16] SecurityPkg: add TIS sanity check (tpm2) + +The code blindly assumes a TIS interface is present in case both CRB and +FIFO checks fail. Check the InterfaceType for TIS instead and only +return Tpm2PtpInterfaceTis in case it matches, Tpm2PtpInterfaceMax +otherwise. + +Signed-off-by: Gerd Hoffmann +--- + SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c +index 1f9ac5ab5a30..eac9f0e29941 100644 +--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c ++++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c +@@ -464,7 +464,11 @@ Tpm2GetPtpInterface ( + return Tpm2PtpInterfaceFifo; + } + +- return Tpm2PtpInterfaceTis; ++ if (InterfaceId.Bits.InterfaceType == PTP_INTERFACE_IDENTIFIER_INTERFACE_TYPE_TIS) { ++ return Tpm2PtpInterfaceTis; ++ } ++ ++ return Tpm2PtpInterfaceMax; + } + + /** +-- +2.40.0 + diff --git a/0015-SecurityPkg-add-TIS-sanity-check-tpm12.patch b/0015-SecurityPkg-add-TIS-sanity-check-tpm12.patch new file mode 100644 index 0000000..2030b7d --- /dev/null +++ b/0015-SecurityPkg-add-TIS-sanity-check-tpm12.patch @@ -0,0 +1,34 @@ +From 54ae30cea7731b9949b7e503401f732f1e95e930 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 26 Apr 2023 14:38:34 +0200 +Subject: [PATCH 15/16] SecurityPkg: add TIS sanity check (tpm12) + +The code blindly assumes a TIS interface is present in case both CRB and +FIFO checks fail. Check the InterfaceType for TIS instead and only +return PtpInterfaceTis in case it matches, PtpInterfaceMax otherwise. + +Signed-off-by: Gerd Hoffmann +--- + SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c b/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c +index 51f43591287a..d2b79a274084 100644 +--- a/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c ++++ b/SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12Tis.c +@@ -91,7 +91,11 @@ Tpm12GetPtpInterface ( + return PtpInterfaceFifo; + } + +- return PtpInterfaceTis; ++ if (InterfaceId.Bits.InterfaceType == PTP_INTERFACE_IDENTIFIER_INTERFACE_TYPE_TIS) { ++ return PtpInterfaceTis; ++ } ++ ++ return PtpInterfaceMax; + } + + /** +-- +2.40.0 + diff --git a/edk2.spec b/edk2.spec index 7d1277b..e0b5de4 100644 --- a/edk2.spec +++ b/edk2.spec @@ -96,6 +96,8 @@ Patch0010: 0010-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch Patch0011: 0011-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch Patch0012: 0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch Patch0013: 0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +Patch0014: 0014-SecurityPkg-add-TIS-sanity-check-tpm2.patch +Patch0015: 0015-SecurityPkg-add-TIS-sanity-check-tpm12.patch # python3-devel and libuuid-devel are required for building tools.