Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Stefan Berger" <stefanb@linux.ibm.com>
To: devel@edk2.groups.io, stefanb@linux.vnet.ibm.com
Cc: mhaeuser@posteo.de, spbrogan@outlook.com,
	marcandre.lureau@redhat.com, kraxel@redhat.com,
	jiewen.yao@intel.com
Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
Date: Fri, 10 Sep 2021 10:24:45 -0400	[thread overview]
Message-ID: <187817cf-5490-7563-077f-a4ff420a8c8f@linux.ibm.com> (raw)
In-Reply-To: <20210909173538.2380673-1-stefanb@linux.vnet.ibm.com>


On 9/9/21 1:35 PM, Stefan Berger wrote:
> This series imports code from the edk2-platforms project related to
> disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
> aspects of the following bugs:
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
>
> I have patched the .dsc files and successfully test-built with most of
> them. Some I could not build because they failed for other reasons
> unrelated to this series.
>
> I tested the changes with QEMU on x86 following the build of
> OvmfPkgX64.dsc.
>
> Neither one of the following commands should work anymore on first
> try when run on Linux:
>
> With IBM tss2 tools:
> tsshierarchychangeauth -hi p -pwdn newpass
>
> With Intel tss2 tools:
> tpm2_changeauth -c platform newpass


While disabling the platform hierarchy works, the unfortunate problem is 
now that the signal to disable the TPM 2 platform hierarchy is received 
before handling the physical presence interface (PPI) opcodes, which is 
bad because some of the opcodes will not go through. The question now is 
what is wrong? Are the PPI opcodes handled too late or the signal is 
sent to early or is it the wrong signal?

Event = EfiCreateProtocolNotifyEvent (
             &gEfiDxeSmmReadyToLockProtocolGuid,
             TPL_CALLBACK,
             SmmReadyToLockEventCallBack,
             NULL,
             &Registration
             );

    Stefan

>
> Regards,
>    Stefan
>
> v7:
>   - Ditched ARM support in this series
>   - Using Tcg2PlatformDxe and Tcg2PlaformPei from edk2-platforms now
>     and revised most of the patches
>
> v6:
>   - Removed unnecessary entries in .dsc files
>   - Added support for S3 resume failure case
>   - Assigned unique FILE_GUID to NULL implementation
>
> v5:
>   - Modified patch 1 copies the code from edk2-platforms
>   - Modified patch 2 fixes bugs in the code
>   - Modified patch 4 introduces required PCD
>
> v4:
>   - Fixed and simplified code imported from edk2-platforms
>
> v3:
>   - Referencing Null implementation on Bhyve and Xen platforms
>   - Add support in Arm
>
>
> Stefan Berger (9):
>    SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
>      edk2-platforms
>    SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
>    SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms
>    SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable
>    SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
>    OvmfPkg: Reference new Tcg2PlatformDxe in the build system for
>      compilation
>    SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms
>    SecurityPkg/Tcg: Make Tcg2PlatformPei buildable
>    OvmfPkg: Reference new Tcg2PlatformPei in the build system
>
>   OvmfPkg/AmdSev/AmdSevX64.dsc                  |   8 +
>   OvmfPkg/AmdSev/AmdSevX64.fdf                  |   2 +
>   OvmfPkg/OvmfPkgIa32.dsc                       |   8 +
>   OvmfPkg/OvmfPkgIa32.fdf                       |   2 +
>   OvmfPkg/OvmfPkgIa32X64.dsc                    |   8 +
>   OvmfPkg/OvmfPkgIa32X64.fdf                    |   2 +
>   OvmfPkg/OvmfPkgX64.dsc                        |   8 +
>   OvmfPkg/OvmfPkgX64.fdf                        |   2 +
>   .../Include/Library/TpmPlatformHierarchyLib.h |  27 ++
>   .../PeiDxeTpmPlatformHierarchyLib.c           | 255 ++++++++++++++++++
>   .../PeiDxeTpmPlatformHierarchyLib.inf         |  44 +++
>   SecurityPkg/SecurityPkg.dec                   |   6 +
>   .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c     |  85 ++++++
>   .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf   |  43 +++
>   .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c     | 107 ++++++++
>   .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf   |  51 ++++
>   16 files changed, 658 insertions(+)
>   create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
>   create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>   create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>   create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
>   create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
>   create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
>   create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
>

next prev parent reply	other threads:[~2021-09-10 14:24 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-09 17:35 [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
2021-09-09 17:35 ` [PATCH v7 1/9] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
2021-09-09 17:35 ` [PATCH v7 2/9] SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib Stefan Berger
2021-09-09 17:35 ` [PATCH v7 3/9] SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms Stefan Berger
2021-09-09 17:35 ` [PATCH v7 4/9] SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable Stefan Berger
2021-09-09 17:35 ` [PATCH v7 5/9] SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy Stefan Berger
2021-09-09 17:35 ` [PATCH v7 6/9] OvmfPkg: Reference new Tcg2PlatformDxe in the build system for compilation Stefan Berger
2021-09-09 17:35 ` [PATCH v7 7/9] SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms Stefan Berger
2021-09-09 17:35 ` [PATCH v7 8/9] SecurityPkg/Tcg: Make Tcg2PlatformPei buildable Stefan Berger
2021-09-09 17:35 ` [PATCH v7 9/9] OvmfPkg: Reference new Tcg2PlatformPei in the build system Stefan Berger
2021-09-10 14:24 ` Stefan Berger [this message]
2021-09-10 15:32   ` [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy Yao, Jiewen
2021-09-10 16:15     ` Stefan Berger
2021-09-11  2:38       ` Yao, Jiewen
2021-09-11  2:46         ` Yao, Jiewen
2021-09-12  0:42           ` Stefan Berger
2021-09-12  0:45             ` Yao, Jiewen
2021-09-12  1:52               ` Stefan Berger
2021-09-13 14:51           ` Stefan Berger
     [not found]     ` <16A38214549AD34A.16479@groups.io>
2021-09-10 20:47       ` Stefan Berger
2021-09-13  7:08 ` Yao, Jiewen
     [not found] ` <16A44FFF7B7DEB00.6211@groups.io>
2021-09-13  9:31   ` [edk2-devel] " Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=187817cf-5490-7563-077f-a4ff420a8c8f@linux.ibm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox