From: heyi.guo@linaro.org
Date: Mon, 13 Aug 2018 09:07:15 +0800
To: "Yao, Jiewen"
Cc: "heyi.guo@linaro.org", "edk2-devel@lists.01.org", "Zhang, Chao B"
Subject: Re: Question about SecurityPkg/DxeTcg2PhysicalPresenceLib
Message-ID: <20180813010715.GA1974@ecs-e536.expressvpn>
In-Reply-To: <67261275-360A-40ED-A668-AF1265A39AFD@intel.com>
References: <20180810084950.GA32368@ecs-e536.expressvpn> <67261275-360A-40ED-A668-AF1265A39AFD@intel.com>
List-Id: EDK II Development

Is there any workaround if we don't have such a trusted console on the available
hardware platforms? Is there any example implementation which we can refer to?

Thanks,

Heyi

On Fri, Aug 10, 2018 at 09:12:46AM +0000, Yao, Jiewen wrote:
> By design a platform needs to define a trusted console and only connect this
> trusted console before EndOfDxe.
>
> Thank you!
> Yao, Jiewen
>
>
> > On 10 Aug 2018, at 4:50 PM, "heyi.guo@linaro.org" wrote:
> >
> > Hi folks,
> >
> > The function Tcg2PhysicalPresenceLibProcessRequest in DxeTcg2PhysicalPresenceLib
> > needs to be invoked after the console is ready, and in the function it will call
> > VariableLockProtocol->RequestToLock(), while the variable RequestToLock() needs
> > to be called before the "End Of Dxe" event, or else it will return ACCESS_DENIED.
> >
> > However, in PI spec 1.6, section 5.1.2.1 "End of DXE Event", it says "Prior to
> > connecting consoles, the platform should signal the event 'End of DXE'". So
> > there seems to be a contradiction between these implementations and the PI spec.
> >
> > If we follow the workflow below:
> > End of DXE -> connect console -> Tcg2PhysicalPresenceLibProcessRequest() ->
> > Variable RequestToLock() -> we will get ACCESS_DENIED.
> >
> > Please advise,
> >
> > Thanks,
> >
> > Heyi
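As an added illustration (not EDK2 source and not code posted by either participant), the following C model reproduces the ordering problem described in this thread: a variable-lock service that refuses RequestToLock() after End of DXE and enforces accepted locks from that point on, a stand-in for Tcg2PhysicalPresenceLibProcessRequest() that needs a console and then locks the physical-presence (PP) variables, and the two BDS orderings under discussion (the PI-spec wording taken literally, and the trusted-console-first order from the reply). The EFI_STATUS subset, the two variable names, the flow functions and EFI_WRITE_PROTECTED as the result of writing a locked variable after End of DXE are assumptions of this model; the point it shows is that in the spec-literal order the PP variables remain writable by anything that loads after End of DXE.

```c
/*
 * Added model of the End-of-DXE / RequestToLock ordering discussed in the
 * thread. Illustration only, not EDK2 code: the variable service, the PP
 * request processor and the BDS flows are stand-ins. Assumed: the
 * EFI_STATUS subset, the variable names, and EFI_WRITE_PROTECTED for a
 * write to a locked variable after End of DXE.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
  EFI_SUCCESS = 0,
  EFI_NOT_READY,
  EFI_ACCESS_DENIED,
  EFI_WRITE_PROTECTED,
  EFI_OUT_OF_RESOURCES
} EFI_STATUS;

#define NAME_LEN 32
#define MAX_VARS 4

/* Variable names the PP library locks (assumed for this model). */
#define PP_VARIABLE       "Tcg2PhysicalPresence"
#define PP_FLAGS_VARIABLE "Tcg2PhysicalPresenceFlags"

typedef struct {
  char Name[NAME_LEN];
  char Value[NAME_LEN];
  bool Locked;
} Variable;

typedef struct {
  bool     EndOfDxe;            /* set when the End-of-DXE event is signaled */
  int      Count;
  Variable Vars[MAX_VARS];
} VariableService;

static void VariableServiceInit(VariableService *Vs) {
  memset(Vs, 0, sizeof(*Vs));
}

static Variable *FindOrAdd(VariableService *Vs, const char *Name) {
  for (int i = 0; i < Vs->Count; i++)
    if (strcmp(Vs->Vars[i].Name, Name) == 0) return &Vs->Vars[i];
  if (Vs->Count == MAX_VARS) return NULL;
  Variable *V = &Vs->Vars[Vs->Count++];
  snprintf(V->Name, NAME_LEN, "%s", Name);
  return V;
}

/* RequestToLock(): only accepted before End of DXE, as the thread observes. */
static EFI_STATUS RequestToLock(VariableService *Vs, const char *Name) {
  if (Vs->EndOfDxe) return EFI_ACCESS_DENIED;
  Variable *V = FindOrAdd(Vs, Name);
  if (V == NULL) return EFI_OUT_OF_RESOURCES;
  V->Locked = true;
  return EFI_SUCCESS;
}

/* SetVariable(): an accepted lock is enforced once End of DXE has fired. */
static EFI_STATUS SetVariable(VariableService *Vs, const char *Name, const char *Value) {
  Variable *V = FindOrAdd(Vs, Name);
  if (V == NULL) return EFI_OUT_OF_RESOURCES;
  if (Vs->EndOfDxe && V->Locked) return EFI_WRITE_PROTECTED;
  snprintf(V->Value, NAME_LEN, "%s", Value);
  return EFI_SUCCESS;
}

static void SignalEndOfDxe(VariableService *Vs) { Vs->EndOfDxe = true; }

/* Stand-in for Tcg2PhysicalPresenceLibProcessRequest(): it needs a console
   (the user confirms the request there), then locks both PP variables so that
   code loaded after End of DXE cannot plant or alter a PP request. */
static EFI_STATUS ProcessPpRequest(VariableService *Vs, bool ConsoleReady) {
  if (!ConsoleReady) return EFI_NOT_READY;
  EFI_STATUS Status = RequestToLock(Vs, PP_FLAGS_VARIABLE);
  if (Status != EFI_SUCCESS) return Status;
  return RequestToLock(Vs, PP_VARIABLE);
}

/* Flow A, the PI-spec wording taken literally: End of DXE, connect consoles,
   then process PP. RequestToLock() fails and the PP variables stay writable. */
static EFI_STATUS FlowSpecLiteral(VariableService *Vs) {
  VariableServiceInit(Vs);
  SignalEndOfDxe(Vs);
  bool ConsoleReady = true;                     /* all consoles connected        */
  return ProcessPpRequest(Vs, ConsoleReady);    /* EFI_ACCESS_DENIED             */
}

/* Flow B, the order given in the reply: connect only the platform's trusted
   console, process PP (locks accepted), then signal End of DXE and connect
   everything else. A later write to a PP variable is refused. */
static EFI_STATUS FlowTrustedConsole(VariableService *Vs) {
  VariableServiceInit(Vs);
  bool TrustedConsoleReady = true;              /* built-in console only         */
  EFI_STATUS Status = ProcessPpRequest(Vs, TrustedConsoleReady);
  SignalEndOfDxe(Vs);                           /* third-party code may load now */
  return Status;                                /* EFI_SUCCESS                   */
}

int main(void) {
  VariableService Vs;
  EFI_STATUS Lock, Write;

  Lock  = FlowSpecLiteral(&Vs);
  Write = SetVariable(&Vs, PP_VARIABLE, "forged");   /* write still succeeds  */
  printf("spec-literal order:    lock=%d write=%d\n", Lock, Write);

  Lock  = FlowTrustedConsole(&Vs);
  Write = SetVariable(&Vs, PP_VARIABLE, "forged");   /* EFI_WRITE_PROTECTED   */
  printf("trusted-console order: lock=%d write=%d\n", Lock, Write);
  return 0;
}
```

Build and run with `cc -std=c11 -o ppmodel ppmodel.c && ./ppmodel`. The "forged" write in the first flow is the case a platform has to close: once End of DXE has been signaled the lock can no longer be requested, so the PP variables are only protected if the request was made, with the trusted console already available, before that event.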