using tpm on ovmf

using tpm on ovmf

[Michał Zegan]

[-- Attachment #1.1: Type: text/plain, Size: 129 bytes --]

Hello,
I have ovmf with TPM2_ENABLE and tpm seems to be supported. However, is
it possible to configure it from the ui?




[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: using tpm on ovmf

[Laszlo Ersek]

Hi Michał,

(adding Marc-André and Stefan)

On 12/16/18 23:59, Michał Zegan wrote:
> Hello,
> I have ovmf with TPM2_ENABLE and tpm seems to be supported. However, is
> it possible to configure it from the ui?

No, it isn't.

TPM configuration is platform specific. The example driver in

  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf

which contains visual forms, for the setup UI to display, is just that,
an example, that a platform might incorporate and/or customize. The INF
file states, "NOTE: This module is only for reference only, each
platform should have its own setup page."

Please see one of the past discussions in the thread at:

http://mid.mail-archive.com/20180223132311.26555-7-marcandre.lureau@redhat.com

That patch was dropped (as I requested), and instead, the end result is
commit 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
2018-03-09); the commit message should hopefully describe the
configuration method well enough.


Regarding PPI (physical presence interface) operations, those are
supported through the firmware UI. That is, if you queue a number of TPM
ops while the OS runs, and you reboot from within the OS, then the
firmware gives you a UI to confirm those TPM ops.

Thanks,
Laszlo