From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <heyi.guo@linaro.org>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=2607:f8b0:400e:c01::231; helo=mail-pl0-x231.google.com;
 envelope-from=heyi.guo@linaro.org; receiver=edk2-devel@lists.01.org 
Received: from mail-pl0-x231.google.com (mail-pl0-x231.google.com
 [IPv6:2607:f8b0:400e:c01::231])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 2044621BADAB2
 for <edk2-devel@lists.01.org>; Sun, 12 Aug 2018 18:07:21 -0700 (PDT)
Received: by mail-pl0-x231.google.com with SMTP id w14-v6so6208705plp.6
 for <edk2-devel@lists.01.org>; Sun, 12 Aug 2018 18:07:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
 h=from:date:to:cc:subject:message-id:references:mime-version
 :content-disposition:content-transfer-encoding:in-reply-to
 :user-agent; bh=ryzr718MUddBVaT2UntOz4eOw0gU4ukMMRQf5KUS3fQ=;
 b=BmjdbhK1JK8s4dIZl3RNcKt39ICALlaA3XOzhHBgLdfAHU/hJauw/yzZWthKxx7AhO
 +fcxPu+0n2F1jcuOLvKFU6SgnVkzIklIRB2xky8pRAhZWxL87JV5krLwsYTEbNp76K8/
 mEQY5SImkpkoFDIy33kFpRhwESj38UBNY4tb8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:date:to:cc:subject:message-id:references
 :mime-version:content-disposition:content-transfer-encoding
 :in-reply-to:user-agent;
 bh=ryzr718MUddBVaT2UntOz4eOw0gU4ukMMRQf5KUS3fQ=;
 b=OJklsPx9NyYuMD9hIxXQRqRQ74xhQbdKMbPjX6nSNoMQifGIRvr2FPpaEU8cpnTsTy
 EtXPd6erCI4EGdENQuu4e9JdXvs3ZTq/+7li+d0FKyIHo5mpFZ12e2tymNdoYlN7xCof
 Y2kwLbUNBVKJYpPDYvtRQf+mpHOkcTQ1AQn1kkQQ8Y6tJZLuNby9KNnVwemKrAb1BDUz
 4XDQrq51usCHE0/j5VZ7tr8pwE+IqoSIsgS1gjYDZ3usoXgM751+2hAaCjRQC+fnXxFy
 +lrpRqkwF3EBOx0Z6cFNBPiopSR4CeAhv5xvjD5TUZIyBhhV6oVt/gxvF/JaAGIl3UBg
 tyng==
X-Gm-Message-State: AOUpUlG2DCJBou122JcRDGW4HoWYSLfaJVr8f813RRYMdQRTenZukRiY
 7jwlGFMrnxnybOaCkSjj4jSU2dCEVjo=
X-Google-Smtp-Source: AA+uWPz6W4z4U1F/oh7jWaHqdF+VQZ6diXjecDj7JbSNSydRfy6riSkgWHkCKGa7Bic23+fVQ0Sfcw==
X-Received: by 2002:a17:902:4906:: with SMTP id
 u6-v6mr14656014pld.44.1534122441441; 
 Sun, 12 Aug 2018 18:07:21 -0700 (PDT)
Received: from ecs-e536.expressvpn ([45.62.52.63])
 by smtp.gmail.com with ESMTPSA id b18-v6sm19165618pgk.15.2018.08.12.18.07.19
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Sun, 12 Aug 2018 18:07:20 -0700 (PDT)
From: heyi.guo@linaro.org
X-Google-Original-From: g00179230@ecs-e536.expressvpn
Date: Mon, 13 Aug 2018 09:07:15 +0800
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "heyi.guo@linaro.org" <heyi.guo@linaro.org>,
 "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>,
 "Zhang, Chao B" <chao.b.zhang@intel.com>
Message-ID: <20180813010715.GA1974@ecs-e536.expressvpn>
References: <20180810084950.GA32368@ecs-e536.expressvpn>
 <67261275-360A-40ED-A668-AF1265A39AFD@intel.com>
MIME-Version: 1.0
In-Reply-To: <67261275-360A-40ED-A668-AF1265A39AFD@intel.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Subject: Re: Question about SecurityPkg/DxeTcg2PhysicalPresenceLib
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2018 01:07:23 -0000
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Is there any work around if we don't have such trusted console on available
hardware platforms? Is there any example implementation which we can refer to?

Thanks,

Heyi

On Fri, Aug 10, 2018 at 09:12:46AM +0000, Yao, Jiewen wrote:
> by design a platform need define a trusted console and only connect this trusted console before endofdxe 
> 
> thank you!
> Yao, Jiewen
> 
> 
> > 在 2018年8月10日，下午4:50，"heyi.guo@linaro.org" <heyi.guo@linaro.org> 写道：
> > 
> > Hi folks,
> > 
> > The function Tcg2PhysicalPresenceLibProcessRequest in DxeTcg2PhysicalPresenceLib
> > requires to be invoked after console is ready, and in the function it will call
> > VariableLockProtocol->RequestToLock(), while variable RequestToLock() requires
> > to be called before "End Of Dxe" event, or else it will return ACCESS_DENIED. 
> > 
> > However, in PI spec 1.6, section 5.1.2.1 "End of DXE Event", it says "Prior to
> > connecting consoles, the platform should signal the event 'End of DXE'". So
> > there seems to be contradiction between these implementations and PI spec.
> > 
> > If we follow below work flow:
> > End of DXE -> connect console -> Tcg2PhysicalPresenceLibProcessRequest() ->
> > Variable RequestToLock() -> we will get ACCESS_DENIED.
> > 
> > Please advise,
> > 
> > Thanks,
> > 
> > Heyi