From: marcandre.lureau@redhat.com
To: edk2-devel@lists.01.org
Cc: pjones@redhat.com, jiewen.yao@intel.com, stefanb@linux.vnet.ibm.com, lersek@redhat.com, qemu-devel@nongnu.org, javierm@redhat.com, Marc-André Lureau
Date: Wed, 7 Mar 2018 16:57:38 +0100
Message-Id: <20180307155746.18526-1-marcandre.lureau@redhat.com>
Subject: [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support
List-Id: EDK II Development

From: Marc-André Lureau

Hi,

The following series adds basic TPM2 support for OVMF-on-QEMU (I
haven't tested TPM1, for lack of interest). It links with the modules
to initialize the device in PEI phase, and do measurements (both PEI
and DXE). The Tcg2Dxe module provides the Tcg2 protocol which allows
the guest to access the measurement log and other facilities.

DxeTpm2MeasureBootLib seems to do its job at measuring images that are
not measured in PEI phase (such as PCI PXE rom)

Tcg2ConfigDxe is not included due to its integration with edk2's own
PPI implementation which conflicts with qemu design. PPI design is
still being discussed & experimented at this point.

Linux guests seem to work fine. But Windows guests generally complain
about the lack of PPI interface (most HLK tests require it, tpm.msc
admin interactions too).

I haven't done "real" use-cases tests, as I lack experience with TPM
usage. Any help appreciated to test the TPM.

I build edk2 with:

$ build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE -DMEM_VARSTORE_EMU_ENABLE=FALSE

I test with qemu & swtpm/libtpms (tpm2 branches, swtpm_setup.sh --tpm2 --tpm-state tpmstatedir)

$ swtpm socket --tpmstate tpmstatedir --ctrl type=unixio,path=tpmsock --tpm2 &
$ qemu .. -chardev socket,id=chrtpm,path=tpmsock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0

Thanks

Github tree:
https://github.com/elmarco/edk2/tree/tpm2 (tpm2-v2 tag)

Related bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=594

v2:
- the series can now be applied to master directly, thanks to dropping
  PeiReadOnlyVariable requirement
- remove the HOB list workaround, the main fix is now upstream. Add a
  preliminary patch to complete it.
- removed traces of TPM1.2 support
- add own OvmfPkg Tcg2ConfigPei, which performs only TPM2 detection
- make PcdTpmInstanceGuid default all-bits-zero
- drop unneeded Pcd values
- explain why SHA1 is still nice to have (for 1.2 log format)
- drop Tcg2ConfigDxe
- more detailed commit messages, thanks to Laszlo explanations!
- rebased

TODO:
- modify Ia32 and Ia32X64 builds

Marc-André Lureau (8):
  SecurityPkg: also clear HashInterfaceHob.SupportedHashMask
  SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex
  MdeModulePkg: fix REGISITER -> REGISTER
  ovmf: simplify SecurityStubDxe.inf inclusion
  ovmf: add OvmfPkg Tcg2ConfigPei module
  ovmf: link with Tcg2Pei module
  ovmf: link with Tcg2Dxe module
  ovmf: add DxeTpm2MeasureBootLib

 MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c |  18 +--
 MdeModulePkg/Core/Pei/Image/Image.c           |   4 +-
 MdeModulePkg/Core/Pei/PeiMain.h               |   2 +-
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |   2 +-
 OvmfPkg/OvmfPkgIa32.dsc                       |   6 +-
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   6 +-
 OvmfPkg/OvmfPkgX64.dsc                        |  49 ++++++-
 OvmfPkg/OvmfPkgX64.fdf                        |   9 ++
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf      |  57 ++++++++
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c       | 124 ++++++++++++++++++
 OvmfPkg/Tcg/Tcg2Config/TpmDetection.c         |  46 +++++++
 .../HashLibBaseCryptoRouterPei.c              |   1 +
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |   1 -
 13 files changed, 299 insertions(+), 26 deletions(-)
 create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
 create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c
 create mode 100644 OvmfPkg/Tcg/Tcg2Config/TpmDetection.c

-- 
2.16.2.346.g9779355e34
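
The cover letter asks for help testing the TPM and mentions the measurement log exposed through the Tcg2 protocol and its SHA1 "1.2 log format" entry. The following is an added example, not part of the original message or of the edk2 series: a guest-side check that parses a crypto-agile TCG2 event log and replays it into expected PCR values. The names `parse_log`, `replay` and `sample_log` are hypothetical, the sample log is constructed, and PCRs are assumed to start all-zero.

```python
import hashlib
import struct

ALGS = {0x0004: "sha1", 0x000B: "sha256"}  # TPM_ALG_SHA1, TPM_ALG_SHA256
EV_NO_ACTION = 0x00000003                  # informational, never extended

def parse_log(buf):
    """Yield (pcr, event_type, {alg_id: digest}) for each TCG_PCR_EVENT2."""
    # First entry keeps the SHA1-only TPM 1.2 layout and holds the Spec ID event.
    _pcr, _etype, _sha1, size = struct.unpack_from("<II20sI", buf, 0)
    spec = buf[32:32 + size]
    if not spec.startswith(b"Spec ID Event03\0"):
        raise ValueError("not a crypto-agile (TCG2) event log")
    (count,) = struct.unpack_from("<I", spec, 24)
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(count))
    off = 32 + size
    while off < len(buf):
        pcr, etype, ndigests = struct.unpack_from("<III", buf, off)
        off += 12
        digests = {}
        for _ in range(ndigests):
            (alg,) = struct.unpack_from("<H", buf, off)
            digests[alg] = buf[off + 2:off + 2 + sizes[alg]]
            off += 2 + sizes[alg]
        (esize,) = struct.unpack_from("<I", buf, off)
        off += 4 + esize
        yield pcr, etype, digests

def replay(buf, alg=0x000B):
    """Recompute each PCR of one bank by extending the logged digests in order."""
    name, pcrs = ALGS[alg], {}
    for pcr, etype, digests in parse_log(buf):
        if etype == EV_NO_ACTION or alg not in digests:
            continue
        old = pcrs.get(pcr, bytes(hashlib.new(name).digest_size))
        pcrs[pcr] = hashlib.new(name, old + digests[alg]).digest()
    return pcrs

def sample_log():
    """Constructed log with two events on PCR 4; not captured from a real guest."""
    spec = (b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)
            + struct.pack("<HHHH", 0x0004, 20, 0x000B, 32) + b"\0")
    log = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    for data in (b"bootloader", b"kernel"):
        log += struct.pack("<III", 4, 0x80000003, 2)
        log += struct.pack("<H", 0x0004) + hashlib.sha1(data).digest()
        log += struct.pack("<H", 0x000B) + hashlib.sha256(data).digest()
        log += struct.pack("<I", len(data)) + data
    return log
```

In a Linux guest the same functions can be fed the bytes of `/sys/kernel/security/tpm0/binary_bios_measurements`, and the result compared with the PCR values the TPM reports; a mismatch means the log and the measurements actually extended disagree.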