public inbox for devel@edk2.groups.io
* [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support
@ 2018-03-07 15:57 marcandre.lureau
  2018-03-07 15:57 ` [PATCH v2 1/8] SecurityPkg: also clear HashInterfaceHob.SupportedHashMask marcandre.lureau
                   ` (8 more replies)
  0 siblings, 9 replies; 36+ messages in thread
From: marcandre.lureau @ 2018-03-07 15:57 UTC
  To: edk2-devel
  Cc: pjones, jiewen.yao, stefanb, lersek, qemu-devel, javierm,
	Marc-André Lureau

From: Marc-André Lureau <marcandre.lureau@redhat.com>

Hi,

The following series adds basic TPM2 support for OVMF-on-QEMU (I
haven't tested TPM1, for lack of interest). It links with the modules
to initialize the device in the PEI phase, and do measurements (both PEI
and DXE). The Tcg2Dxe module provides the Tcg2 protocol, which allows
the guest to access the measurement log and other facilities.

DxeTpm2MeasureBootLib seems to do its job at measuring images that are
not measured in the PEI phase (such as PCI PXE ROM).

Tcg2ConfigDxe is not included due to its integration with edk2's own PPI
implementation, which conflicts with the qemu design. The PPI design is
still being discussed & experimented with at this point.

Linux guests seem to work fine. But Windows guests generally complain
about the lack of a PPI interface (most HLK tests require it, tpm.msc
admin interactions too). I haven't done "real" use-case tests, as I
lack experience with TPM usage. Any help appreciated to test the TPM.

I build edk2 with:

$ build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE  -DMEM_VARSTORE_EMU_ENABLE=FALSE

I test with qemu & swtpm/libtpms (tpm2 branches, swtpm_setup.sh --tpm2 --tpm-state tpmstatedir)

$ swtpm socket --tpmstate tpmstatedir --ctrl type=unixio,path=tpmsock  --tpm2 &
$ qemu .. -chardev socket,id=chrtpm,path=tpmsock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0

Thanks

Github tree:
https://github.com/elmarco/edk2/tree/tpm2 (tpm2-v2 tag)

Related bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=594

v2:
- the series can now be applied to master directly, thanks to dropping
  PeiReadOnlyVariable requirement
- remove the HOB list workaround, the main fix is now upstream. Add a
  preliminary patch to complete it.
- removed traces of TPM1.2 support
- add own OvmfPkg Tcg2ConfigPei, which performs only TPM2 detection
- make PcdTpmInstanceGuid default all-bits-zero
- drop unneeded Pcd values
- explain why SHA1 is still nice to have (for 1.2 log format)
- drop Tcg2ConfigDxe
- more detailed commit messages, thanks to Laszlo's explanations!
- rebased

TODO:
- modify Ia32 and Ia32X64 builds

Marc-André Lureau (8):
  SecurityPkg: also clear HashInterfaceHob.SupportedHashMask
  SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex
  MdeModulePkg: fix REGISITER -> REGISTER
  ovmf: simplify SecurityStubDxe.inf inclusion
  ovmf: add OvmfPkg Tcg2ConfigPei module
  ovmf: link with Tcg2Pei module
  ovmf: link with Tcg2Dxe module
  ovmf: add DxeTpm2MeasureBootLib

 MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c |  18 +--
 MdeModulePkg/Core/Pei/Image/Image.c           |   4 +-
 MdeModulePkg/Core/Pei/PeiMain.h               |   2 +-
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |   2 +-
 OvmfPkg/OvmfPkgIa32.dsc                       |   6 +-
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   6 +-
 OvmfPkg/OvmfPkgX64.dsc                        |  49 ++++++-
 OvmfPkg/OvmfPkgX64.fdf                        |   9 ++
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf      |  57 ++++++++
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c       | 124 ++++++++++++++++++
 OvmfPkg/Tcg/Tcg2Config/TpmDetection.c         |  46 +++++++
 .../HashLibBaseCryptoRouterPei.c              |   1 +
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |   1 -
 13 files changed, 299 insertions(+), 26 deletions(-)
 create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
 create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c
 create mode 100644 OvmfPkg/Tcg/Tcg2Config/TpmDetection.c

-- 
2.16.2.346.g9779355e34



Thread overview: 36+ messages
2018-03-07 15:57 [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support marcandre.lureau
2018-03-07 15:57 ` [PATCH v2 1/8] SecurityPkg: also clear HashInterfaceHob.SupportedHashMask marcandre.lureau
2018-03-08  0:35   ` Zhang, Chao B
2018-03-08  0:48     ` Zeng, Star
2018-03-08 11:40   ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 2/8] SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex marcandre.lureau
2018-03-07 16:04   ` Yao, Jiewen
2018-03-08  0:36   ` Zhang, Chao B
2018-03-09 13:05     ` Marc-André Lureau
2018-03-09 15:05       ` Laszlo Ersek
2018-03-08 11:41   ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 3/8] MdeModulePkg: fix REGISITER -> REGISTER marcandre.lureau
2018-03-08 11:59   ` Laszlo Ersek
2018-03-08 12:08     ` Zeng, Star
2018-03-07 15:57 ` [PATCH v2 4/8] ovmf: simplify SecurityStubDxe.inf inclusion marcandre.lureau
2018-03-08 16:35   ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 5/8] ovmf: add OvmfPkg Tcg2ConfigPei module marcandre.lureau
2018-03-08 17:46   ` Laszlo Ersek
2018-03-08 18:10     ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 6/8] ovmf: link with Tcg2Pei module marcandre.lureau
2018-03-08 18:20   ` Laszlo Ersek
2018-03-08 18:33     ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 7/8] ovmf: link with Tcg2Dxe module marcandre.lureau
2018-03-08 19:14   ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 8/8] ovmf: add DxeTpm2MeasureBootLib marcandre.lureau
2018-03-08 19:54   ` Laszlo Ersek
2018-03-08 19:56     ` Laszlo Ersek
2018-03-09  0:39     ` Yao, Jiewen
2018-03-09  0:47       ` Yao, Jiewen
2018-03-09 10:26       ` Laszlo Ersek
2018-03-09 11:37         ` Yao, Jiewen
2018-03-08 12:31 ` [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support Shi, Steven
2018-03-08 13:59   ` Marc-André Lureau
2018-03-09  3:03     ` Shi, Steven
2018-03-09 13:54       ` Stefan Berger
2018-03-12  5:00         ` Shi, Steven
