From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
To: devel@edk2.groups.io, stefanb@linux.vnet.ibm.com
Cc: mhaeuser@posteo.de, spbrogan@outlook.com, marcandre.lureau@redhat.com, kraxel@redhat.com, jiewen.yao@intel.com
References: <20210909173538.2380673-1-stefanb@linux.vnet.ibm.com>
From: "Stefan Berger"
Message-ID: <187817cf-5490-7563-077f-a4ff420a8c8f@linux.ibm.com>
Date: Fri, 10 Sep 2021 10:24:45 -0400
In-Reply-To: <20210909173538.2380673-1-stefanb@linux.vnet.ibm.com>

On 9/9/21 1:35 PM, Stefan Berger wrote:
> This series imports code from the edk2-platforms project related to
> disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
> aspects of the following bugs:
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
>
> I have patched the .dsc files and successfully test-built with most of
> them. Some I could not build because they failed for other reasons
> unrelated to this series.
>
> I tested the changes with QEMU on x86 following the build of
> OvmfPkgX64.dsc.
>
> Neither one of the following commands should work anymore on first
> try when run on Linux:
>
> With IBM tss2 tools:
> tsshierarchychangeauth -hi p -pwdn newpass
>
> With Intel tss2 tools:
> tpm2_changeauth -c platform newpass

While disabling the platform hierarchy works, the unfortunate problem is
now that the signal to disable the TPM 2 platform hierarchy is received
before handling the physical presence interface (PPI) opcodes, which is
bad because some of the opcodes will not go through. The question now is
what is wrong? Are the PPI opcodes handled too late or the signal is
sent too early or is it the wrong signal?

Event = EfiCreateProtocolNotifyEvent (
           &gEfiDxeSmmReadyToLockProtocolGuid,
           TPL_CALLBACK,
           SmmReadyToLockEventCallBack,
           NULL,
           &Registration
           );

   Stefan

>
> Regards,
>    Stefan
>
> v7:
>  - Ditched ARM support in this series
>  - Using Tcg2PlatformDxe and Tcg2PlatformPei from edk2-platforms now
>    and revised most of the patches
>
> v6:
>  - Removed unnecessary entries in .dsc files
>  - Added support for S3 resume failure case
>  - Assigned unique FILE_GUID to NULL implementation
>
> v5:
>  - Modified patch 1 copies the code from edk2-platforms
>  - Modified patch 2 fixes bugs in the code
>  - Modified patch 4 introduces required PCD
>
> v4:
>  - Fixed and simplified code imported from edk2-platforms
>
> v3:
>  - Referencing Null implementation on Bhyve and Xen platforms
>  - Add support in Arm
>
>
> Stefan Berger (9):
>   SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
>     edk2-platforms
>   SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
>   SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms
>   SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable
>   SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
>   OvmfPkg: Reference new Tcg2PlatformDxe in the build system for
>     compilation
>   SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms
>   SecurityPkg/Tcg: Make Tcg2PlatformPei buildable
>   OvmfPkg: Reference new Tcg2PlatformPei in the build system
>
>  OvmfPkg/AmdSev/AmdSevX64.dsc                  |   8 +
>  OvmfPkg/AmdSev/AmdSevX64.fdf                  |   2 +
>  OvmfPkg/OvmfPkgIa32.dsc                       |   8 +
>  OvmfPkg/OvmfPkgIa32.fdf                       |   2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                    |   8 +
>  OvmfPkg/OvmfPkgIa32X64.fdf                    |   2 +
>  OvmfPkg/OvmfPkgX64.dsc                        |   8 +
>  OvmfPkg/OvmfPkgX64.fdf                        |   2 +
>  .../Include/Library/TpmPlatformHierarchyLib.h |  27 ++
>  .../PeiDxeTpmPlatformHierarchyLib.c           | 255 ++++++++++++++++++
>  .../PeiDxeTpmPlatformHierarchyLib.inf         |  44 +++
>  SecurityPkg/SecurityPkg.dec                   |   6 +
>  .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c     |  85 ++++++
>  .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf   |  43 +++
>  .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c     | 107 ++++++++
>  .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf   |  51 ++++
>  16 files changed, 658 insertions(+)
>  create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
>  create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>  create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
>
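
Added example (not part of the original message or of the patch series): a shell check, run from the booted Linux guest, of whether the firmware left the TPM 2 platform hierarchy disabled, complementing the two commands quoted above. It assumes tpm2-tools' `tpm2_getcap properties-variable` and its `TPM2_PT_STARTUP_CLEAR` / `phEnable` YAML layout, and that the firmware disables the hierarchy rather than randomizing its authorization; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the series. Reads `tpm2_getcap properties-variable`
# style YAML on stdin and reports the state of the platform hierarchy.

# Constructed sample modelled on tpm2-tools output (not captured from a real TPM).
sample_locked() {
cat <<'EOF'
TPM2_PT_PERSISTENT:
  ownerAuthSet:              0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  0
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
EOF
}

# Print the phEnable bit from the TPM2_PT_STARTUP_CLEAR section, or nothing.
# The field name is compared exactly so that phEnableNV is never mistaken for it.
ph_enable() {
  awk '
    /^[^ \t]/ { in_sc = ($1 == "TPM2_PT_STARTUP_CLEAR:"); next }
    in_sc && $1 == "phEnable:" { print $2; exit }
  '
}

# Return 0 if the platform hierarchy is disabled, 1 if it is still enabled,
# 2 if the input does not say (missing section or field).
platform_hierarchy_locked() {
  state=$(ph_enable)
  case "$state" in
    0) return 0 ;;
    1) return 1 ;;
    *) return 2 ;;
  esac
}

# On a system with a TPM:
#   tpm2_getcap properties-variable | platform_hierarchy_locked
```

A return value of 1 after boot means the platform hierarchy is still enabled; if the firmware is built to randomize the platform authorization instead, `phEnable` stays 1 and this check does not apply.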