From: marcandre.lureau@redhat.com
To: edk2-devel@lists.01.org
Cc: pjones@redhat.com, jiewen.yao@intel.com,
stefanb@linux.vnet.ibm.com, lersek@redhat.com,
qemu-devel@nongnu.org, javierm@redhat.com,
"Marc-André Lureau" <marcandre.lureau@redhat.com>
Subject: [PATCH v3 0/7] ovmf: preliminary TPM2 support
Date: Fri, 9 Mar 2018 14:09:11 +0100 [thread overview]
Message-ID: <20180309130918.734-1-marcandre.lureau@redhat.com> (raw)
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Hi,
The following series adds basic TPM2 support for OVMF-on-QEMU (I
haven't tested TPM1, for lack of interest). It links with the modules
to initialize the device in the PEI phase and do measurements (both PEI
and DXE). The Tcg2Dxe module provides the Tcg2 protocol, which allows
the guest to access the measurement log and other facilities.
DxeTpm2MeasureBootLib seems to do its job at measuring images that are
not measured in the PEI phase (such as PCI PXE ROMs).
Tcg2ConfigDxe is not included due to its integration with edk2's own PPI
implementation, which conflicts with the qemu design. The PPI design is
still being discussed & experimented with at this point.
Linux guests seem to work fine, but Windows guests generally complain
about the lack of a PPI interface (most HLK tests require it, and tpm.msc
admin interactions too). I haven't done "real" use-case tests, as I
lack experience with TPM usage. Any help appreciated to test the TPM.
I build edk2 with:
$ build -DTPM2_ENABLE -DSECURE_BOOT_ENABLE -DMEM_VARSTORE_EMU_ENABLE=FALSE
I test with qemu & swtpm/libtpms (tpm2 branches, swtpm_setup.sh --tpm2 --tpm-state tpmstatedir)
$ swtpm socket --tpmstate tpmstatedir --ctrl type=unixio,path=tpmsock --tpm2 &
$ qemu .. -chardev socket,id=chrtpm,path=tpmsock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-crb,tpmdev=tpm0
Thanks
Github tree:
https://github.com/elmarco/edk2/tree/tpm2 (tpm2-v2 tag)
Related bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=594
v3: after Laszlo's review
- many simplifications to the "add customized Tcg2ConfigPei clone" patch
- various moves of fdf/dsc sections
- modify Ia32 & Ia32X64 fdf/dsc too
- modify commit messages
- add R-b tags
v2:
- the series can now be applied to master directly, thanks to dropping
the PeiReadOnlyVariable requirement
- remove the HOB list workaround; the main fix is now upstream. Add a
preliminary patch to complete it.
- removed traces of TPM1.2 support
- add our own OvmfPkg Tcg2ConfigPei, which performs only TPM2 detection
- make PcdTpmInstanceGuid default to all-bits-zero
- drop unneeded Pcd values
- explain why SHA1 is still nice to have (for the 1.2 log format)
- drop Tcg2ConfigDxe
- more detailed commit messages, thanks to Laszlo's explanations!
- rebased
TODO:
- modify Ia32 and Ia32X64 builds
Marc-André Lureau (7):
SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex
MdeModulePkg/Core/Pei: fix REGISITER -> REGISTER typo
OvmfPkg: simplify SecurityStubDxe.inf inclusion
OvmfPkg: add customized Tcg2ConfigPei clone
OvmfPkg: include Tcg2Pei module
OvmfPkg: include Tcg2Dxe module
OvmfPkg: plug DxeTpm2MeasureBootLib into SecurityStubDxe
 MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 18 ++--
 MdeModulePkg/Core/Pei/Image/Image.c           |  4 +-
 MdeModulePkg/Core/Pei/PeiMain.h               |  2 +-
 MdeModulePkg/Core/Pei/PeiMain/PeiMain.c       |  2 +-
 OvmfPkg/OvmfPkgIa32.dsc                       | 49 ++++++++++-
 OvmfPkg/OvmfPkgIa32.fdf                       |  9 ++
 OvmfPkg/OvmfPkgIa32X64.dsc                    | 49 ++++++++++-
 OvmfPkg/OvmfPkgIa32X64.fdf                    |  9 ++
 OvmfPkg/OvmfPkgX64.dsc                        | 49 ++++++++++-
 OvmfPkg/OvmfPkgX64.fdf                        |  9 ++
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf      | 53 ++++++++++++
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c       | 84 +++++++++++++++++++
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf           |  1 -
 13 files changed, 312 insertions(+), 26 deletions(-)
create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeim.c
--
2.16.2.346.g9779355e34
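The measurement log that Tcg2Dxe hands to the guest (on Linux, read from /sys/kernel/security/tpm0/binary_bios_measurements) is the first artefact a tester of this series would want to check, and the cover letter's note that SHA1 stays useful for the 1.2-style log format is about exactly this structure. The script below is an added example written for this page; it is not part of the patch series, edk2, QEMU or swtpm. It parses the crypto-agile TCG 2.0 log (a TCG 1.2-format "Spec ID Event03" header entry followed by TCG_PCR_EVENT2 entries whose digest sizes the header declares), replays every digest into a software PCR bank so the result can be compared with what tpm2_pcrread reports inside the guest, and recomputes EV_SEPARATOR digests from their own event data. The sysfs path is an assumption about the guest kernel, and the two-event sample log, including the stand-in "image" bytes, is constructed inside the script so it runs offline.

```python
import hashlib
import struct

# TPM2 algorithm identifiers and the hashlib names they map to.
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
ALG_NAMES = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256",
             0x000C: "sha384", 0x000D: "sha512"}

EV_NO_ACTION = 0x00000003
EV_SEPARATOR = 0x00000004
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003

# Assumed path of the log exposed by the Linux guest's TPM driver.
GUEST_LOG_PATH = "/sys/kernel/security/tpm0/binary_bios_measurements"


def parse_event_log(data):
    """Return (alg_sizes, events) for a crypto-agile TCG 2.0 event log.

    events is a list of (pcr, event_type, {alg_id: digest}, event_bytes).
    """
    pcr, etype = struct.unpack_from("<II", data, 0)
    off = 8 + 20  # skip PCRIndex/EventType and the 20-byte SHA1 digest field
    (esize,) = struct.unpack_from("<I", data, off)
    off += 4
    spec = data[off:off + esize]
    off += esize
    if etype != EV_NO_ACTION or spec[:16] != b"Spec ID Event03\0":
        raise ValueError("not a crypto-agile TCG 2.0 log")
    # numberOfAlgorithms sits after signature(16), platformClass(4) and 4 bytes
    # of version/errata/uintnSize; the {algId, digestSize} pairs follow it.
    (nalgs,) = struct.unpack_from("<I", spec, 24)
    alg_sizes = {}
    for i in range(nalgs):
        alg, size = struct.unpack_from("<HH", spec, 28 + 4 * i)
        alg_sizes[alg] = size

    events = []
    while off < len(data):
        pcr, etype, ndig = struct.unpack_from("<III", data, off)
        off += 12
        digests = {}
        for _ in range(ndig):
            (alg,) = struct.unpack_from("<H", data, off)
            off += 2
            if alg not in alg_sizes:
                raise ValueError("digest algorithm 0x%04x not declared in header" % alg)
            digests[alg] = data[off:off + alg_sizes[alg]]
            off += alg_sizes[alg]
        (esize,) = struct.unpack_from("<I", data, off)
        off += 4
        if off + esize > len(data):
            raise ValueError("truncated event at offset %d" % off)
        events.append((pcr, etype, digests, data[off:off + esize]))
        off += esize
    return alg_sizes, events


def replay_pcrs(alg_sizes, events):
    """Extend each digest into a software PCR bank: PCR = H(PCR || digest)."""
    pcrs = {alg: {} for alg in alg_sizes if alg in ALG_NAMES}
    for pcr, _etype, digests, _event in events:
        for alg, digest in digests.items():
            if alg not in ALG_NAMES:
                continue  # algorithm hashlib cannot replay (e.g. SM3)
            old = pcrs[alg].get(pcr, b"\0" * alg_sizes[alg])
            pcrs[alg][pcr] = hashlib.new(ALG_NAMES[alg], old + digest).digest()
    return pcrs


def bad_separators(events):
    """PCRs whose EV_SEPARATOR digest is not the hash of its own event data."""
    bad = []
    for pcr, etype, digests, event in events:
        if etype != EV_SEPARATOR:
            continue
        for alg, digest in digests.items():
            if alg in ALG_NAMES and hashlib.new(ALG_NAMES[alg], event).digest() != digest:
                bad.append(pcr)
    return bad


def build_sample_log():
    """Constructed two-event log with SHA1 and SHA256 banks (test data only)."""
    algs = [(TPM_ALG_SHA1, 20), (TPM_ALG_SHA256, 32)]
    # platformClass=0, minor=0, major=2, errata=0, uintnSize=2, numberOfAlgorithms
    spec = b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, len(algs))
    for alg, size in algs:
        spec += struct.pack("<HH", alg, size)
    spec += struct.pack("<B", 0)  # vendorInfoSize
    log = struct.pack("<II", 0, EV_NO_ACTION) + b"\0" * 20
    log += struct.pack("<I", len(spec)) + spec

    def event2(pcr, etype, content, measured):
        out = struct.pack("<III", pcr, etype, len(algs))
        for alg, _ in algs:
            out += struct.pack("<H", alg) + hashlib.new(ALG_NAMES[alg], measured).digest()
        return out + struct.pack("<I", len(content)) + content

    image = b"MZ" + b"\x90" * 62  # constructed stand-in for a measured PE image
    log += event2(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"\0" * 16, image)
    sep = struct.pack("<I", 0)  # separator event data is measured as-is
    log += event2(7, EV_SEPARATOR, sep, sep)
    return log, image


if __name__ == "__main__":
    try:
        with open(GUEST_LOG_PATH, "rb") as f:
            data = f.read()
    except OSError:
        data, _ = build_sample_log()
    sizes, evs = parse_event_log(data)
    for alg, bank in replay_pcrs(sizes, evs).items():
        for pcr in sorted(bank):
            print("%-6s PCR%02d %s" % (ALG_NAMES[alg], pcr, bank[pcr].hex()))
    print("separator digest mismatches:", bad_separators(evs))
```

Run inside the guest, the replayed SHA256 values should match `tpm2_pcrread sha256` for every PCR that appears in the log; a PCR that differs means the log and the TPM disagree about what firmware measured, and a PCR present in the TPM but absent from the log means something extended it without logging. The parser rejects an algorithm not declared in the header and a truncated final event rather than silently reading past the buffer.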
Thread overview: 15+ messages
2018-03-09 13:09 marcandre.lureau [this message]
2018-03-09 13:09 ` [PATCH v3 1/7] SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex marcandre.lureau
2018-03-09 16:04 ` Laszlo Ersek
2018-03-09 13:09 ` [PATCH v3 2/7] MdeModulePkg/Core/Pei: fix REGISITER -> REGISTER typo marcandre.lureau
2018-03-09 13:09 ` [PATCH v3 3/7] OvmfPkg: simplify SecurityStubDxe.inf inclusion marcandre.lureau
2018-03-09 13:09 ` [PATCH v3 4/7] OvmfPkg: add customized Tcg2ConfigPei clone marcandre.lureau
2018-03-09 16:35 ` Laszlo Ersek
2018-03-09 13:09 ` [PATCH v3 5/7] OvmfPkg: include Tcg2Pei module marcandre.lureau
2018-03-09 16:40 ` Laszlo Ersek
2018-03-09 13:09 ` [PATCH v3 6/7] OvmfPkg: include Tcg2Dxe module marcandre.lureau
2018-03-09 16:45 ` Laszlo Ersek
2018-03-09 13:09 ` [PATCH v3 7/7] OvmfPkg: plug DxeTpm2MeasureBootLib into SecurityStubDxe marcandre.lureau
2018-03-09 16:51 ` Laszlo Ersek
2018-03-09 13:59 ` [PATCH v3 0/7] ovmf: preliminary TPM2 support Marc-André Lureau
2018-03-09 18:38 ` Laszlo Ersek