* [PATCH v3 0/9] ArmVirtPkg: implement measured boot for ArmVirtQemu
@ 2020-02-26 19:05 Ard Biesheuvel
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
Wire up the various existing pieces so that we can implement measured
boot on ArmVirtQemu based on the TPM support in QEMU, just like it has
been implemented for x86 in OvmfPkg.
The main difference is that on ARM, we first need to discover the TPM base
address from the device tree provided by QEMU, as well as the PSCI method
used to perform a cold reset.
Changes since v2:
- add Laszlo's ack to patches #2 and #4
- add PcdTpm2SupportEnabled PCD declarations to all individual platforms in
ArmVirtPkg, even though only ArmVirtQemu really needs it
- split patch #5 into several patches
Changes since v1:
- use a separate ResetSystemLib instance based on on-demand parsing of the
DT, and expose it via the ResetSystem PPI to other client PEIMs
- add Laszlo's ack to #1
- incorporate Laszlo's review feedback across the board
Code can also be found at:
https://github.com/ardbiesheuvel/edk2/tree/armvirt-tpm
Cc: lersek@redhat.com
Cc: eric.auger@redhat.com
Cc: philmd@redhat.com
Cc: marcandre.lureau@redhat.com
Cc: stefanb@linux.ibm.com
Cc: leif@nuviainc.com
Ard Biesheuvel (9):
OvmfPkg/Tcg2ConfigPei: introduce a signalling PPI to depex on
ArmVirtPkg/PlatformPeiLib: make PcdLib dependency explicit in .INF
ArmVirtPkg/PlatformPeiLib: discover the TPM base address from the DT
ArmVirtPkg: implement ArmVirtPsciResetSystemPeiLib
ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2 support
ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI phase
ArmVirtPkg/ArmVirtQemu: enable the DXE phase TPM2 support module
ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module
ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot
ArmVirtPkg/ArmVirtPkg.dec | 6 +
ArmVirtPkg/ArmVirtQemu.dsc | 74 ++++++
ArmVirtPkg/ArmVirtQemu.fdf | 6 +
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 10 +
ArmVirtPkg/ArmVirtQemuKernel.dsc | 6 +
ArmVirtPkg/ArmVirtXen.dsc | 6 +
.../ArmVirtPsciResetSystemPeiLib.c | 232 ++++++++++++++++++
.../ArmVirtPsciResetSystemPeiLib.inf | 39 +++
.../Library/PlatformPeiLib/PlatformPeiLib.c | 101 +++++++-
.../Library/PlatformPeiLib/PlatformPeiLib.inf | 20 +-
OvmfPkg/OvmfPkg.dec | 5 +
OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 6 +-
12 files changed, 496 insertions(+), 15 deletions(-)
create mode 100644 ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c
create mode 100644 ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
--
2.17.1
* [PATCH v3 1/9] OvmfPkg/Tcg2ConfigPei: introduce a signalling PPI to depex on
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
On ARM systems, the TPM does not live at a fixed address, and so we
need the platform to discover it first. So introduce a PPI that signals
that the TPM address has been discovered and recorded in the appropriate
PCD, and make Tcg2ConfigPei depex on it when built for ARM or AARCH64.
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
OvmfPkg/OvmfPkg.dec | 5 +++++
OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 6 +++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 4c5b6511cb97..30faecb7a5c8 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -87,6 +87,11 @@ [Guids]
gEfiLegacyBiosGuid = {0x2E3044AC, 0x879F, 0x490F, {0x97, 0x60, 0xBB, 0xDF, 0xAF, 0x69, 0x5F, 0x50}}
gEfiLegacyDevOrderVariableGuid = {0xa56074db, 0x65fe, 0x45f7, {0xbd, 0x21, 0x2d, 0x2b, 0xdd, 0x8e, 0x96, 0x52}}
+[Ppis]
+ # PPI whose presence in the PPI database signals that the TPM base address
+ # has been discovered and recorded
+ gOvmfTpmDiscoveredPpiGuid = {0xb9a61ad0, 0x2802, 0x41f3, {0xb5, 0x13, 0x96, 0x51, 0xce, 0x6b, 0xd5, 0x75}}
+
[Protocols]
gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
gXenBusProtocolGuid = {0x3d3ca290, 0xb9a5, 0x11e3, {0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}}
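Review bot: the [Ppis] comment should also state that gOvmfTpmDiscoveredPpiGuid is a pure signalling PPI with no interface structure behind it, so consumers are expected to depex on it (as Tcg2ConfigPei.inf does in this same patch) rather than locate it; without that note a later module could call PeiServicesLocatePpi() on it and dereference the NULL interface pointer the producer installs.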
diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
index e34cd6210611..55684ba045b3 100644
--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
@@ -25,6 +25,7 @@ [Sources]
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ OvmfPkg/OvmfPkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
@@ -43,5 +44,8 @@ [Ppis]
[Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## PRODUCES
-[Depex]
+[Depex.IA32, Depex.X64]
TRUE
+
+[Depex.ARM, Depex.AARCH64]
+ gOvmfTpmDiscoveredPpiGuid
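Review bot: with [Depex.ARM, Depex.AARCH64] reduced to gOvmfTpmDiscoveredPpiGuid, Tcg2ConfigPei is never dispatched on a platform that finds no TPM, so that platform's PEIM becomes responsible for installing gPeiTpmInitializationDonePpiGuid itself (patch 3 does this for ArmVirtQemu); a one-line comment above the depex saying so would keep the next ARM platform integrator from having TPM-dependent PEIMs silently never dispatched.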
--
2.17.1
* [PATCH v3 2/9] ArmVirtPkg/PlatformPeiLib: make PcdLib dependency explicit in .INF
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
We currently include PcdLib.h in PlatformPeiLib, without declaring
this dependency in its .INF description. Since all the PCDs we use
resolve to fixed type in practice, this does not really matter at
the moment, but since we will be adding dynamic PCD references in
a subsequent patch, let's make the PcdLib dependency explicit, so
that its dispatch is guaranteed to be ordered correctly with respect
to the provider of the dynamic PCD PPI.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf | 1 +
1 file changed, 1 insertion(+)
diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
index 46db117ac28e..5428040f121d 100644
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
@@ -29,6 +29,7 @@ [LibraryClasses]
DebugLib
HobLib
FdtLib
+ PcdLib
[FixedPcd]
gArmTokenSpaceGuid.PcdFvSize
--
2.17.1
* [PATCH v3 3/9] ArmVirtPkg/PlatformPeiLib: discover the TPM base address from the DT
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
Introduce a boolean PCD that tells us whether TPM support is enabled
in the build, and if it is, record the TPM base address in the existing
routine that traverses the device tree in the platform PEIM.
If a TPM is found, install the gOvmfTpmDiscoveredPpiGuid signalling PPI
that will unlock the dispatch of OvmfPkg's Tcg2ConfigPei. If TPM2
support is enabled in the build but no TPM2 device is found, install the
gPeiTpmInitializationDonePpiGuid PPI, which is normally installed by
Tcg2ConfigPei if no TPM2 is found, but in our case Tcg2ConfigPei will
never run, so let's do it here instead.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
ArmVirtPkg/ArmVirtPkg.dec | 6 ++
ArmVirtPkg/ArmVirtQemu.dsc | 5 +
ArmVirtPkg/ArmVirtQemuKernel.dsc | 6 ++
ArmVirtPkg/ArmVirtXen.dsc | 6 ++
ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c | 101 ++++++++++++++++++--
ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf | 19 +++-
6 files changed, 129 insertions(+), 14 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
index a019cc269d10..08ddd68a863e 100644
--- a/ArmVirtPkg/ArmVirtPkg.dec
+++ b/ArmVirtPkg/ArmVirtPkg.dec
@@ -36,6 +36,12 @@ [Guids.common]
[Protocols]
gFdtClientProtocolGuid = { 0xE11FACA0, 0x4710, 0x4C8E, { 0xA7, 0xA2, 0x01, 0xBA, 0xA2, 0x59, 0x1B, 0x4C } }
+[PcdsFeatureFlag]
+ #
+ # Feature Flag PCD that defines whether TPM2 support is enabled
+ #
+ gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|FALSE|BOOLEAN|0x00000004
+
[PcdsFixedAtBuild, PcdsPatchableInModule]
#
# This is the physical address where the device tree is expected to be stored
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7ae6702ac1f0..7d05415d0f93 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -237,6 +237,11 @@ [PcdsDynamicDefault.common]
gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE
+ #
+ # TPM2 support
+ #
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
+
[PcdsDynamicHii]
gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 3b0f04967a4b..720f8fa78b3d 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -172,6 +172,12 @@ [PcdsFixedAtBuild.common]
gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|3
[PcdsPatchableInModule.common]
+ # we need to provide a resolution for this PCD that supports PcdSet64()
+ # being called from ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c,
+ # even though that call will be compiled out on this platform as it does
+ # not (and cannot) support the TPM2 driver stack
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
+
#
# This will be overridden in the code
#
diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
index 1b42a9a81323..baa21f389947 100644
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@@ -95,6 +95,12 @@ [PcdsFixedAtBuild.common]
gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable|TRUE
[PcdsPatchableInModule.common]
+ # we need to provide a resolution for this PCD that supports PcdSet64()
+ # being called from ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c,
+ # even though that call will be compiled out on this platform as it does
+ # not (and cannot) support the TPM2 driver stack
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
+
#
# This will be overridden in the code
#
diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
index 0a1469550db0..8b5b3dd5dc1c 100644
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
@@ -1,7 +1,7 @@
/** @file
*
* Copyright (c) 2011-2014, ARM Limited. All rights reserved.
-* Copyright (c) 2014, Linaro Limited. All rights reserved.
+* Copyright (c) 2014-2020, Linaro Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-2-Clause-Patent
*
@@ -13,11 +13,24 @@
#include <Library/DebugLib.h>
#include <Library/HobLib.h>
#include <Library/PcdLib.h>
+#include <Library/PeiServicesLib.h>
#include <libfdt.h>
#include <Guid/EarlyPL011BaseAddress.h>
#include <Guid/FdtHob.h>
+STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpm2DiscoveredPpi = {
+ EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
+ &gOvmfTpmDiscoveredPpiGuid,
+ NULL
+};
+
+STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpm2InitializationDonePpi = {
+ EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
+ &gPeiTpmInitializationDonePpiGuid,
+ NULL
+};
+
EFI_STATUS
EFIAPI
PlatformPeim (
@@ -31,14 +44,18 @@ PlatformPeim (
UINT64 *FdtHobData;
UINT64 *UartHobData;
INT32 Node, Prev;
+ INT32 Parent, Depth;
CONST CHAR8 *Compatible;
CONST CHAR8 *CompItem;
CONST CHAR8 *NodeStatus;
INT32 Len;
+ INT32 RangesLen;
INT32 StatusLen;
CONST UINT64 *RegProp;
+ CONST UINT32 *RangesProp;
UINT64 UartBase;
-
+ UINT64 TpmBase;
+ EFI_STATUS Status;
Base = (VOID*)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress);
ASSERT (Base != NULL);
@@ -58,18 +75,18 @@ PlatformPeim (
ASSERT (UartHobData != NULL);
*UartHobData = 0;
- //
- // Look for a UART node
- //
- for (Prev = 0;; Prev = Node) {
- Node = fdt_next_node (Base, Prev, NULL);
+ TpmBase = 0;
+
+ for (Prev = Depth = 0;; Prev = Node) {
+ Node = fdt_next_node (Base, Prev, &Depth);
if (Node < 0) {
break;
}
- //
- // Check for UART node
- //
+ if (Depth == 1) {
+ Parent = Node;
+ }
+
Compatible = fdt_getprop (Base, Node, "compatible", &Len);
//
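Review bot: Parent is only recorded when Depth == 1, so for a node nested more than two levels deep it names the depth-1 ancestor rather than the immediate parent, and the 'ranges' lookup that uses it later in this function is therefore only correct for a TPM sitting directly under a top-level bus node. That matches the QEMU platform-bus layout the commit message describes, but it should be stated in a comment next to the assignment, or guarded with Depth == 2 where the translation is applied.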
@@ -93,10 +110,74 @@ PlatformPeim (
*UartHobData = UartBase;
break;
+ } else if (FeaturePcdGet (PcdTpm2SupportEnabled) &&
+ AsciiStrCmp (CompItem, "tcg,tpm-tis-mmio") == 0) {
+
+ RegProp = fdt_getprop (Base, Node, "reg", &Len);
+ ASSERT (Len == 8 || Len == 16);
+ if (Len == 8) {
+ TpmBase = fdt32_to_cpu (RegProp[0]);
+ } else if (Len == 16) {
+ TpmBase = fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RegProp));
+ }
+
+ if (Depth > 1) {
+ //
+ // QEMU/mach-virt may put the TPM on the platform bus, in which case
+ // we have to take its 'ranges' property into account to translate the
+ // MMIO address. This consists of a <child base, parent base, size>
+ // tuple, where the child base and the size use the same number of
+ // cells as the 'reg' property above, and the parent base uses 2 cells
+ //
+ RangesProp = fdt_getprop (Base, Parent, "ranges", &RangesLen);
+ ASSERT (RangesProp != NULL);
+
+ //
+ // a plain 'ranges' attribute without a value implies a 1:1 mapping
+ //
+ if (RangesLen != 0) {
+ //
+ // assume a single translated range with 2 cells for the parent base
+ //
+ if (RangesLen != Len + 2 * sizeof (UINT32)) {
+ DEBUG ((DEBUG_WARN,
+ "%a: 'ranges' property has unexpected size %d\n",
+ __FUNCTION__, RangesLen));
+ break;
+ }
+
+ if (Len == 8) {
+ TpmBase -= fdt32_to_cpu (RangesProp[0]);
+ } else {
+ TpmBase -= fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RangesProp));
+ }
+
+ //
+ // advance RangesProp to the parent bus address
+ //
+ RangesProp = (UINT32 *)((UINT8 *)RangesProp + Len / 2);
+ TpmBase += fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RangesProp));
+ }
+ }
+ break;
}
}
}
+ if (FeaturePcdGet (PcdTpm2SupportEnabled)) {
+ if (TpmBase != 0) {
+ DEBUG ((DEBUG_INFO, "%a: TPM @ 0x%lx\n", __FUNCTION__, TpmBase));
+
+ Status = (EFI_STATUS)PcdSet64S (PcdTpmBaseAddress, TpmBase);
+ ASSERT_EFI_ERROR (Status);
+
+ Status = PeiServicesInstallPpi (&mTpm2DiscoveredPpi);
+ } else {
+ Status = PeiServicesInstallPpi (&mTpm2InitializationDonePpi);
+ }
+ ASSERT_EFI_ERROR (Status);
+ }
+
BuildFvHob (PcdGet64 (PcdFvBaseAddress), PcdGet32 (PcdFvSize));
return EFI_SUCCESS;
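Review bot: in the 'ranges' size-mismatch path (the DEBUG_WARN followed by break) TpmBase still holds the untranslated child address, so the block below logs it, stores it in PcdTpmBaseAddress and installs gOvmfTpmDiscoveredPpiGuid for a device at the wrong MMIO address; set TpmBase = 0 before that break so the no-TPM path (gPeiTpmInitializationDonePpiGuid) is taken instead. Separately, RegProp is CONST UINT64 *, so `TpmBase = fdt32_to_cpu (RegProp[0]);` in the Len == 8 branch loads eight bytes and relies on implicit truncation to pick the address cell; cast to CONST UINT32 * for the single-cell case, as is already done for RangesProp.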
diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
index 5428040f121d..3f97ef080520 100644
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
@@ -1,7 +1,7 @@
#/** @file
#
# Copyright (c) 2011-2015, ARM Limited. All rights reserved.
-# Copyright (c) 2014, Linaro Limited. All rights reserved.
+# Copyright (c) 2014-2020, Linaro Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -11,7 +11,7 @@ [Defines]
INF_VERSION = 0x00010005
BASE_NAME = PlatformPeiLib
FILE_GUID = 59C11815-F8DA-4F49-B4FB-EC1E41ED1F06
- MODULE_TYPE = SEC
+ MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = PlatformPeiLib
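Review bot: the MODULE_TYPE change from SEC to BASE is not mentioned in the commit message; since the library now calls PeiServicesInstallPpi() it is usable from PEIMs only, so either explain the BASE choice or restrict the class with LIBRARY_CLASS = PlatformPeiLib|PEIM, the way ArmVirtPsciResetSystemPeiLib.inf in this series declares ResetSystemLib|PEIM.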
@@ -21,15 +21,21 @@ [Sources]
[Packages]
ArmPkg/ArmPkg.dec
ArmVirtPkg/ArmVirtPkg.dec
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
EmbeddedPkg/EmbeddedPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[FeaturePcd]
+ gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled
[LibraryClasses]
DebugLib
HobLib
FdtLib
PcdLib
+ PeiServicesLib
[FixedPcd]
gArmTokenSpaceGuid.PcdFvSize
@@ -38,6 +44,11 @@ [FixedPcd]
[Pcd]
gArmTokenSpaceGuid.PcdFvBaseAddress
gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## SOMETIMES_PRODUCES
+
+[Ppis]
+ gOvmfTpmDiscoveredPpiGuid ## SOMETIMES_PRODUCES
+ gPeiTpmInitializationDonePpiGuid ## SOMETIMES_PRODUCES
[Guids]
gEarlyPL011BaseAddressGuid
--
2.17.1
* [PATCH v3 4/9] ArmVirtPkg: implement ArmVirtPsciResetSystemPeiLib
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
Implement an ArmVirtPkg-specific version of the PSCI ResetSystemLib that
is usable in the PEI phase, as the existing one relies on the FDT client
protocol, making it unsuitable.
Note that accessing the device tree passed by QEMU via its initial base
address is guaranteed to be safe at any time during the PEI phase, so we
can defer discovery of the PSCI method until the time the reset library
is actually invoked (which is rarely).
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
---
ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c | 232 ++++++++++++++++++++
ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf | 39 ++++
2 files changed, 271 insertions(+)
diff --git a/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c
new file mode 100644
index 000000000000..394a04e3c384
--- /dev/null
+++ b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c
@@ -0,0 +1,232 @@
+/** @file
+ Reset System lib using PSCI hypervisor or secure monitor calls
+
+ Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
+ Copyright (c) 2013, ARM Ltd. All rights reserved.<BR>
+ Copyright (c) 2014-2020, Linaro Ltd. All rights reserved.<BR>
+ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+
+#include <libfdt.h>
+#include <Library/ArmHvcLib.h>
+#include <Library/ArmSmcLib.h>
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/HobLib.h>
+#include <Library/ResetSystemLib.h>
+
+#include <IndustryStandard/ArmStdSmc.h>
+
+typedef enum {
+ PsciMethodUnknown,
+ PsciMethodSmc,
+ PsciMethodHvc,
+} PSCI_METHOD;
+
+STATIC
+PSCI_METHOD
+DiscoverPsciMethod (
+ VOID
+ )
+{
+ VOID *DeviceTreeBase;
+ INT32 Node, Prev;
+ INT32 Len;
+ CONST CHAR8 *Compatible;
+ CONST CHAR8 *CompatibleItem;
+ CONST VOID *Prop;
+
+ DeviceTreeBase = (VOID*)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress);
+ ASSERT (fdt_check_header (DeviceTreeBase) == 0);
+
+ //
+ // Enumerate all FDT nodes looking for the PSCI node and capture the method
+ //
+ for (Prev = 0;; Prev = Node) {
+ Node = fdt_next_node (DeviceTreeBase, Prev, NULL);
+ if (Node < 0) {
+ break;
+ }
+
+ Compatible = fdt_getprop (DeviceTreeBase, Node, "compatible", &Len);
+ if (Compatible == NULL) {
+ continue;
+ }
+
+ //
+ // Iterate over the NULL-separated items in the compatible string
+ //
+ for (CompatibleItem = Compatible; CompatibleItem < Compatible + Len;
+ CompatibleItem += 1 + AsciiStrLen (CompatibleItem)) {
+
+ if (AsciiStrCmp (CompatibleItem, "arm,psci-0.2") != 0) {
+ continue;
+ }
+
+ Prop = fdt_getprop (DeviceTreeBase, Node, "method", NULL);
+ if (!Prop) {
+ DEBUG ((DEBUG_ERROR, "%a: Missing PSCI method property\n",
+ __FUNCTION__));
+ return PsciMethodUnknown;
+ }
+
+ if (AsciiStrnCmp (Prop, "hvc", 3) == 0) {
+ return PsciMethodHvc;
+ } else if (AsciiStrnCmp (Prop, "smc", 3) == 0) {
+ return PsciMethodSmc;
+ } else {
+ DEBUG ((DEBUG_ERROR, "%a: Unknown PSCI method \"%a\"\n", __FUNCTION__,
+ Prop));
+ return PsciMethodUnknown;
+ }
+ }
+ }
+ return PsciMethodUnknown;
+}
+
+STATIC
+VOID
+PerformPsciAction (
+ IN UINTN Arg0
+ )
+{
+ ARM_SMC_ARGS ArmSmcArgs;
+ ARM_HVC_ARGS ArmHvcArgs;
+
+ ArmSmcArgs.Arg0 = Arg0;
+ ArmHvcArgs.Arg0 = Arg0;
+
+ switch (DiscoverPsciMethod ()) {
+ case PsciMethodHvc:
+ ArmCallHvc (&ArmHvcArgs);
+ break;
+
+ case PsciMethodSmc:
+ ArmCallSmc (&ArmSmcArgs);
+ break;
+
+ default:
+ DEBUG ((DEBUG_ERROR, "%a: no PSCI method defined\n", __FUNCTION__));
+ ASSERT (FALSE);
+ }
+}
+
+/**
+ This function causes a system-wide reset (cold reset), in which
+ all circuitry within the system returns to its initial state. This type of reset
+ is asynchronous to system operation and operates without regard to
+ cycle boundaries.
+
+ If this function returns, it means that the system does not support cold reset.
+**/
+VOID
+EFIAPI
+ResetCold (
+ VOID
+ )
+{
+ // Send a PSCI 0.2 SYSTEM_RESET command
+ PerformPsciAction (ARM_SMC_ID_PSCI_SYSTEM_RESET);
+}
+
+/**
+ This function causes a system-wide initialization (warm reset), in which all processors
+ are set to their initial state. Pending cycles are not corrupted.
+
+ If this function returns, it means that the system does not support warm reset.
+**/
+VOID
+EFIAPI
+ResetWarm (
+ VOID
+ )
+{
+ // Map a warm reset into a cold reset
+ ResetCold ();
+}
+
+/**
+ This function causes the system to enter a power state equivalent
+ to the ACPI G2/S5 or G3 states.
+
+ If this function returns, it means that the system does not support shutdown reset.
+**/
+VOID
+EFIAPI
+ResetShutdown (
+ VOID
+ )
+{
+ // Send a PSCI 0.2 SYSTEM_OFF command
+ PerformPsciAction (ARM_SMC_ID_PSCI_SYSTEM_OFF);
+}
+
+/**
+ This function causes a systemwide reset. The exact type of the reset is
+ defined by the EFI_GUID that follows the Null-terminated Unicode string passed
+ into ResetData. If the platform does not recognize the EFI_GUID in ResetData
+ the platform must pick a supported reset type to perform.The platform may
+ optionally log the parameters from any non-normal reset that occurs.
+
+ @param[in] DataSize The size, in bytes, of ResetData.
+ @param[in] ResetData The data buffer starts with a Null-terminated string,
+ followed by the EFI_GUID.
+**/
+VOID
+EFIAPI
+ResetPlatformSpecific (
+ IN UINTN DataSize,
+ IN VOID *ResetData
+ )
+{
+ // Map the platform specific reset as reboot
+ ResetCold ();
+}
+
+/**
+ The ResetSystem function resets the entire platform.
+
+ @param[in] ResetType The type of reset to perform.
+ @param[in] ResetStatus The status code for the reset.
+ @param[in] DataSize The size, in bytes, of ResetData.
+ @param[in] ResetData For a ResetType of EfiResetCold, EfiResetWarm, or EfiResetShutdown
+ the data buffer starts with a Null-terminated string, optionally
+ followed by additional binary data. The string is a description
+ that the caller may use to further indicate the reason for the
+ system reset.
+**/
+VOID
+EFIAPI
+ResetSystem (
+ IN EFI_RESET_TYPE ResetType,
+ IN EFI_STATUS ResetStatus,
+ IN UINTN DataSize,
+ IN VOID *ResetData OPTIONAL
+ )
+{
+ switch (ResetType) {
+ case EfiResetWarm:
+ ResetWarm ();
+ break;
+
+ case EfiResetCold:
+ ResetCold ();
+ break;
+
+ case EfiResetShutdown:
+ ResetShutdown ();
+ return;
+
+ case EfiResetPlatformSpecific:
+ ResetPlatformSpecific (DataSize, ResetData);
+ return;
+
+ default:
+ return;
+ }
+}
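Review bot: DiscoverPsciMethod() calls PcdGet64 (PcdDeviceTreeInitialBaseAddress) but the file never includes <Library/PcdLib.h>, while <Library/HobLib.h> is included without any HOB API being used; given that patch 2 of this series exists precisely to make the PcdLib dependency explicit, add the PcdLib include here and drop HobLib. Two smaller points in the same function: `if (!Prop)` should be `if (Prop == NULL)` per EDK II style, and AsciiStrnCmp (Prop, "hvc", 3) accepts any value that merely starts with "hvc", whereas AsciiStrCmp against the NUL-terminated property (as the compatible-string loop above it already does) matches exactly.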
diff --git a/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
new file mode 100644
index 000000000000..3a65706e8dc6
--- /dev/null
+++ b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
@@ -0,0 +1,39 @@
+#/** @file
+# Reset System lib using PSCI hypervisor or secure monitor calls
+#
+# Copyright (c) 2008, Apple Inc. All rights reserved.<BR>
+# Copyright (c) 2014-2020, Linaro Ltd. All rights reserved.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+#
+#**/
+
+[Defines]
+ INF_VERSION = 1.27
+ BASE_NAME = ArmVirtPsciResetSystemPeiLib
+ FILE_GUID = 551cfb98-c185-41a3-86bf-8cdb7e2a530c
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = ResetSystemLib|PEIM
+
+[Sources]
+ ArmVirtPsciResetSystemPeiLib.c
+
+[Packages]
+ ArmPkg/ArmPkg.dec
+ ArmVirtPkg/ArmVirtPkg.dec
+ EmbeddedPkg/EmbeddedPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ ArmSmcLib
+ ArmHvcLib
+ BaseLib
+ DebugLib
+ FdtLib
+ HobLib
+
+[Pcd]
+ gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
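Review bot: [LibraryClasses] lists HobLib, which the .c file does not use, and omits PcdLib, which it does use via PcdGet64 for the PcdDeviceTreeInitialBaseAddress declared under [Pcd]; swap the two so the dependency, and the dispatch ordering it implies once the PCD is dynamic, is explicit, as patch 2 argues for PlatformPeiLib.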
--
2.17.1
* [PATCH v3 5/9] ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2 support
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
As a first step in gradually adding TPM2 support to ArmVirtQemu, add
the TPM2_ENABLE configurable to the [Defines] section, and if it is
set, add the ResetSystem PEIM to the build, along with the library
class references that we will need to support it:
- wire ArmVirtPsciResetSystemPeiLib into the ResetSystem PEIM itself,
which will be in charge of performing the actual reset
- add PeiResetSystemLib as the common ResetSystemLib resolution for
PEIM class modules, so that other PEIMs will invoke the PPI
published by the ResetSystem PEIM.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
ArmVirtPkg/ArmVirtQemu.dsc | 14 ++++++++++++++
ArmVirtPkg/ArmVirtQemu.fdf | 4 ++++
2 files changed, 18 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7d05415d0f93..d1757cdba671 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -29,6 +29,7 @@ [Defines]
#
DEFINE TTY_TERMINAL = FALSE
DEFINE SECURE_BOOT_ENABLE = FALSE
+ DEFINE TPM2_ENABLE = FALSE
#
# Network definition
@@ -77,6 +78,10 @@ [LibraryClasses.common]
[LibraryClasses.common.PEIM]
ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
+!if $(TPM2_ENABLE) == TRUE
+ ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
+!endif
+
[LibraryClasses.common.DXE_DRIVER]
ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
@@ -100,6 +105,8 @@ [PcdsFeatureFlag.common]
gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
+ gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
+
[PcdsFixedAtBuild.common]
!if $(ARCH) == AARCH64
gArmTokenSpaceGuid.PcdVFPEnabled|1
@@ -266,6 +273,13 @@ [Components.common]
MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
+!if $(TPM2_ENABLE) == TRUE
+ MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
+ <LibraryClasses>
+ ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
+ }
+!endif
+
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
<LibraryClasses>
NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
index 2c8936a1ae15..f55918d26b06 100644
--- a/ArmVirtPkg/ArmVirtQemu.fdf
+++ b/ArmVirtPkg/ArmVirtQemu.fdf
@@ -113,6 +113,10 @@ [FV.FVMAIN_COMPACT]
INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+!if $(TPM2_ENABLE) == TRUE
+ INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
+!endif
+
FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
SECTION FV_IMAGE = FVMAIN
--
2.17.1
* [PATCH v3 6/9] ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI phase
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
Incorporate the PEI components and the associated library class
resolutions and PCD declarations to enable TPM2 support in the
PEI phase.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
ArmVirtPkg/ArmVirtQemu.dsc | 20 ++++++++++++++++++++
ArmVirtPkg/ArmVirtQemu.fdf | 2 ++
2 files changed, 22 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index d1757cdba671..8950116dacab 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -75,11 +75,17 @@ [LibraryClasses.common]
PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
+!if $(TPM2_ENABLE) == TRUE
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+!endif
+
[LibraryClasses.common.PEIM]
ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
!if $(TPM2_ENABLE) == TRUE
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
!endif
[LibraryClasses.common.DXE_DRIVER]
@@ -248,6 +254,10 @@ [PcdsDynamicDefault.common]
# TPM2 support
#
gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
+!if $(TPM2_ENABLE) == TRUE
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
+!endif
[PcdsDynamicHii]
gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
@@ -278,6 +288,16 @@ [Components.common]
<LibraryClasses>
ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
}
+ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+ SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+ <LibraryClasses>
+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
!endif
MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
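Review bot: the Tcg2ConfigPei / Tcg2Pei block here is ported from OvmfPkg, but the commit message does not say so; reference the OvmfPkg commits being mirrored (6cf1880fb5b6, 4672a4892867, b9130c866dc0 and 5d3ef15da7c3, as requested later in this thread) so that the provenance of the HashInstanceLib list, including the Sha384/Sha512 and Sm3 instances, is clear to anyone auditing which banks the PEI phase can extend.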
diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
index f55918d26b06..b5e2253295fe 100644
--- a/ArmVirtPkg/ArmVirtQemu.fdf
+++ b/ArmVirtPkg/ArmVirtQemu.fdf
@@ -115,6 +115,8 @@ [FV.FVMAIN_COMPACT]
!if $(TPM2_ENABLE) == TRUE
INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
+ INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+ INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
!endif
FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
--
2.17.1
* [PATCH v3 7/9] ArmVirtPkg/ArmVirtQemu: enable the DXE phase TPM2 support module
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
Enable the TPM2 support module in the DXE phase, and the associated
libraries and PCDs that it requires. This will be wired into the
measured boot support code in a subsequent patch.
Note that Tcg2Dxe.inf is added to ArmVirtQemuFvMain.fdf.inc, which
is shared with other platforms in ArmVirtPkg, but as those will not
set the TPM2_ENABLE define, this change does not affect them.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
ArmVirtPkg/ArmVirtQemu.dsc | 23 ++++++++++++++++++++
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 7 ++++++
2 files changed, 30 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 8950116dacab..9fe5ab37611c 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -77,6 +77,8 @@ [LibraryClasses.common]
!if $(TPM2_ENABLE) == TRUE
Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+ TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
!endif
[LibraryClasses.common.PEIM]
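Review bot: the TpmMeasurementLib resolution added here collides with the existing SECURE_BOOT_ENABLE-dependent resolution in ArmVirt.dsc.inc (raised later in this thread); TpmMeasurementLib should depend on TPM2_ENABLE only, which means first replacing the ArmVirt.dsc.inc resolution with an unconditional TpmMeasurementLibNull in a preceding patch and then conditionalising it here solely on TPM2_ENABLE. Separately, Tcg2PhysicalPresenceLib is pointed at OvmfPkg's QEMU PPI instance although this series adds no Tcg2PhysicalPresenceLibProcessRequest() call to PlatformBootManagerLib; the commit message should state that the resolution is only there to match OVMF's current lib class list.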
@@ -91,6 +93,10 @@ [LibraryClasses.common.PEIM]
[LibraryClasses.common.DXE_DRIVER]
ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
+!if $(TPM2_ENABLE) == TRUE
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+!endif
+
[LibraryClasses.common.UEFI_DRIVER]
UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
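Review bot: the DXE_DRIVER-wide Tpm2DeviceLib -> Tpm2DeviceLibTcg2 resolution is overridden for Tcg2Dxe itself in the next hunk (Tpm2DeviceLibRouterDxe plus the Tpm2InstanceLibDTpm NULL instance). A one-line DSC comment here noting that ordinary DXE drivers reach the TPM through the protocol published by Tcg2Dxe, while Tcg2Dxe talks to the device directly, would save the next reader from chasing that override.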
@@ -469,6 +475,23 @@ [Components.common]
MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ #
+ # TPM2 support
+ #
+!if $(TPM2_ENABLE) == TRUE
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+ <LibraryClasses>
+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+!endif
+
#
# ACPI Support
#
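Review bot: the commit message lacks the OvmfPkg commits this Tcg2Dxe block mirrors; list 0c0a50d6b3ff, b9777bb42e4f (only to match OVMF's lib class resolutions), 1ec05b81e59f, b9130c866dc0 and 5d3ef15da7c3, all cited later in this thread, so the HashInstanceLib set and the Tpm2DeviceLib router/instance split can be traced back to the OVMF changes they were copied from.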
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index 31f615a9d0f9..63247fd10058 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -182,3 +182,10 @@ [FV.FvMain]
# Ramdisk support
#
INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+
+ #
+ # TPM2 support
+ #
+!if $(TPM2_ENABLE) == TRUE
+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+!endif
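Review bot: the Tcg2Dxe INF is appended at the very end of [FV.FvMain], after RamDiskDxe, whereas the DSC hunk in this same patch places Tcg2Dxe right after UsbMassStorageDxe.inf; move the block so it follows UsbMassStorageDxe.inf in the FDF include as well, keeping the two listings in the same order.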
--
2.17.1
* [PATCH v3 8/9] ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
Enable the DXE phase component that publishes the HII pages and
associated logic to enable TPM2 parameters to be configured by
the user via the setup menu.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
ArmVirtPkg/ArmVirtQemu.dsc | 9 +++++++++
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 3 +++
2 files changed, 12 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 9fe5ab37611c..7cb2d1b42fb8 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -30,6 +30,7 @@ [Defines]
DEFINE TTY_TERMINAL = FALSE
DEFINE SECURE_BOOT_ENABLE = FALSE
DEFINE TPM2_ENABLE = FALSE
+ DEFINE TPM2_CONFIG_ENABLE = FALSE
#
# Network definition
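Review bot: TPM2_CONFIG_ENABLE is only meaningful when TPM2_ENABLE is also TRUE (the Tcg2ConfigDxe component and FDF entries later in this patch are nested inside the TPM2_ENABLE block), but nothing here documents or enforces that dependency; add a comment next to the DEFINE, or an !error directive when TPM2_CONFIG_ENABLE is TRUE and TPM2_ENABLE is FALSE, so a stray build option does not silently do nothing.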
@@ -268,6 +269,11 @@ [PcdsDynamicDefault.common]
[PcdsDynamicHii]
gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
+!if $(TPM2_CONFIG_ENABLE) == TRUE
+ gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+!endif
+
################################################################################
#
# Components Section - list of all EDK II Modules needed by this Platform
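Review bot: the two PcdsDynamicHii entries are guarded by TPM2_CONFIG_ENABLE alone, while their consumer Tcg2ConfigDxe is nested under TPM2_ENABLE in the Components hunk; with TPM2_CONFIG_ENABLE=TRUE and TPM2_ENABLE=FALSE the TCG2_VERSION variable-backed PCDs are declared with no module consuming them. Nest this block under TPM2_ENABLE as well, matching the component and FDF hunks.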
@@ -490,6 +496,9 @@ [Components.common]
NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
}
+!if $(TPM2_CONFIG_ENABLE) == TRUE
+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
!endif
#
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index 63247fd10058..d481e4b2b8fb 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -188,4 +188,7 @@ [FV.FvMain]
#
!if $(TPM2_ENABLE) == TRUE
INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+!if $(TPM2_CONFIG_ENABLE) == TRUE
+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
!endif
--
2.17.1
* [PATCH v3 9/9] ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot
From: Ard Biesheuvel @ 2020-02-26 19:05 UTC (permalink / raw)
To: devel
Cc: Ard Biesheuvel, lersek, eric.auger, philmd, marcandre.lureau,
stefanb, leif
Now that all the TPM2 related plumbing is in place, we can add the
final piece that performs the measurements of loaded images into
the appropriate PCRs.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
ArmVirtPkg/ArmVirtQemu.dsc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7cb2d1b42fb8..a0d179a72b2a 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -346,6 +346,9 @@ [Components.common]
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
<LibraryClasses>
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!if $(TPM2_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+!endif
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
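Review bot: the commit message says nothing about what DxeTpm2MeasureBootLib does when TPM2_ENABLE is TRUE but no TPM was discovered at boot; patch 3/9's commit message explains that PlatformPeiLib installs gPeiTpmInitializationDonePpiGuid in that case, so a sentence here on the expected behaviour of the NULL-linked measurement library in that configuration (and on its ordering relative to DxeImageVerificationLib in the same NULL list) would round off the series.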
--
2.17.1
* Re: [edk2-devel] [PATCH v3 3/9] ArmVirtPkg/PlatformPeiLib: discover the TPM base address from the DT
From: Laszlo Ersek @ 2020-02-27 7:41 UTC (permalink / raw)
To: devel, ard.biesheuvel; +Cc: eric.auger, philmd, marcandre.lureau, stefanb, leif
On 02/26/20 20:05, Ard Biesheuvel wrote:
> Introduce a boolean PCD that tells us whether TPM support is enabled
> in the build, and if it is, record the TPM base address in the existing
> routine that traverses the device tree in the platform PEIM.
>
> If a TPM is found, install the gOvmfTpmDiscoveredPpiGuid signalling PPI
> that will unlock the dispatch of OvmfPkg's Tcg2ConfigPei. If TPM2
> support is enabled in the build but no TPM2 device is found, install the
> gPeiTpmInitializationDonePpiGuid PPI, which is normally installed by
> Tcg2ConfigPei if no TPM2 is found, but in our case Tcg2ConfigPei will
> never run so let's do it here instead.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmVirtPkg/ArmVirtPkg.dec | 6 ++
> ArmVirtPkg/ArmVirtQemu.dsc | 5 +
> ArmVirtPkg/ArmVirtQemuKernel.dsc | 6 ++
> ArmVirtPkg/ArmVirtXen.dsc | 6 ++
> ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c | 101 ++++++++++++++++++--
> ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf | 19 +++-
> 6 files changed, 129 insertions(+), 14 deletions(-)
Thanks for the update!
Acked-by: Laszlo Ersek <lersek@redhat.com>
Laszlo
* Re: [edk2-devel] [PATCH v3 5/9] ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2 support
From: Laszlo Ersek @ 2020-02-27 8:06 UTC (permalink / raw)
To: devel, ard.biesheuvel; +Cc: eric.auger, philmd, marcandre.lureau, stefanb, leif
On 02/26/20 20:05, Ard Biesheuvel wrote:
> As a first step in gradually adding TPM2 support to ArmVirtQemu, add
> the TPM2_ENABLE configurable to the [Defines] section, and if it is
> set, add the ResetSystem PEIM to the build, along with the library
> class references that we will need to support it:
> - wire ArmVirtPsciResetSystemPeiLib into the ResetSystem PEIM itself,
> which will be in charge of performing the actual reset
> - add PeiResetSystemLib as the common ResetSystemLib resolution for
> PEIM class modules, so that other PEIMs will invoke the PPI
> published by the ResetSystem PEIM.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmVirtPkg/ArmVirtQemu.dsc | 14 ++++++++++++++
> ArmVirtPkg/ArmVirtQemu.fdf | 4 ++++
> 2 files changed, 18 insertions(+)
>
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 7d05415d0f93..d1757cdba671 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -29,6 +29,7 @@ [Defines]
> #
> DEFINE TTY_TERMINAL = FALSE
> DEFINE SECURE_BOOT_ENABLE = FALSE
> + DEFINE TPM2_ENABLE = FALSE
>
> #
> # Network definition
> @@ -77,6 +78,10 @@ [LibraryClasses.common]
> [LibraryClasses.common.PEIM]
> ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
>
> +!if $(TPM2_ENABLE) == TRUE
> + ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
> +!endif
> +
> [LibraryClasses.common.DXE_DRIVER]
> ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
>
> @@ -100,6 +105,8 @@ [PcdsFeatureFlag.common]
>
> gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
>
> + gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
> +
> [PcdsFixedAtBuild.common]
> !if $(ARCH) == AARCH64
> gArmTokenSpaceGuid.PcdVFPEnabled|1
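Review bot: PcdTpm2SupportEnabled is set from $(TPM2_ENABLE) with no comment on who consumes it; since its only consumer described in this series is PlatformPeiLib's device-tree traversal (patch 3/9), a short comment above the line naming that consumer would make the feature flag self-explanatory to platform maintainers.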
> @@ -266,6 +273,13 @@ [Components.common]
>
> MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
>
> +!if $(TPM2_ENABLE) == TRUE
> + MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
> + <LibraryClasses>
> + ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
> + }
> +!endif
> +
> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
> <LibraryClasses>
> NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
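Review bot: the per-module ResetSystemLib override to ArmVirtPsciResetSystemPeiLib for ResetSystemPei is essential, because the PEIM-wide resolution added in the earlier hunk is the PPI-based PeiResetSystemLib that routes every other PEIM's reset request to ResetSystemPei itself; a one-line DSC comment stating that this override must never be dropped would protect it from a future "simplification".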
> diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
> index 2c8936a1ae15..f55918d26b06 100644
> --- a/ArmVirtPkg/ArmVirtQemu.fdf
> +++ b/ArmVirtPkg/ArmVirtQemu.fdf
> @@ -113,6 +113,10 @@ [FV.FVMAIN_COMPACT]
> INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
> INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>
> +!if $(TPM2_ENABLE) == TRUE
> + INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
> +!endif
> +
> FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
> SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
> SECTION FV_IMAGE = FVMAIN
>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* Re: [edk2-devel] [PATCH v3 6/9] ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI phase
From: Laszlo Ersek @ 2020-02-27 8:24 UTC (permalink / raw)
To: devel, ard.biesheuvel; +Cc: eric.auger, philmd, marcandre.lureau, stefanb, leif
On 02/26/20 20:05, Ard Biesheuvel wrote:
> Incorporate the PEI components and the associated library class
> resolutions and PCD declarations to enable TPM2 support in the
> PEI phase.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmVirtPkg/ArmVirtQemu.dsc | 20 ++++++++++++++++++++
> ArmVirtPkg/ArmVirtQemu.fdf | 2 ++
> 2 files changed, 22 insertions(+)
>
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index d1757cdba671..8950116dacab 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -75,11 +75,17 @@ [LibraryClasses.common]
> PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
> PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
>
> +!if $(TPM2_ENABLE) == TRUE
> + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> +!endif
> +
> [LibraryClasses.common.PEIM]
> ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
>
> !if $(TPM2_ENABLE) == TRUE
> + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> !endif
>
> [LibraryClasses.common.DXE_DRIVER]
> @@ -248,6 +254,10 @@ [PcdsDynamicDefault.common]
> # TPM2 support
> #
> gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
> +!if $(TPM2_ENABLE) == TRUE
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
> +!endif
>
> [PcdsDynamicHii]
> gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
> @@ -278,6 +288,16 @@ [Components.common]
> <LibraryClasses>
> ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
> }
> + OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> + <LibraryClasses>
> + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> + }
> !endif
>
> MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
> diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
> index f55918d26b06..b5e2253295fe 100644
> --- a/ArmVirtPkg/ArmVirtQemu.fdf
> +++ b/ArmVirtPkg/ArmVirtQemu.fdf
> @@ -115,6 +115,8 @@ [FV.FVMAIN_COMPACT]
>
> !if $(TPM2_ENABLE) == TRUE
> INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
> + INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> !endif
>
> FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
>
I'm OK with this patch; I have two requests:
(1) Please add the following to the commit message:
-----
This patch ports (parts of) the following OvmfPkg commits to ArmVirtQemu:
- 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
2018-03-09)
- 4672a4892867 ("OvmfPkg: include Tcg2Pei module", 2018-03-09)
- b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei
and Tcg2Dxe", 2018-08-16)
- 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe",
2019-07-19)
-----
(2) I don't understand why PcdTpm2HashMask is necessary, especially that
it diverges from the "SecurityPkg.dec" default. Please either drop the
PCD, or (more likely) add a sentence to the commit message explaining
why we're setting it to zero (unlike in OVMF).
With those addressed:
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Thanks!
Laszlo
* Re: [edk2-devel] [PATCH v3 6/9] ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI phase
From: Ard Biesheuvel @ 2020-02-27 8:34 UTC (permalink / raw)
To: edk2-devel-groups-io, Laszlo Ersek
Cc: Auger Eric, Philippe Mathieu-Daudé, Marc-André Lureau,
Stefan Berger, Leif Lindholm
On Thu, 27 Feb 2020 at 09:24, Laszlo Ersek <lersek@redhat.com> wrote:
>
> On 02/26/20 20:05, Ard Biesheuvel wrote:
> > Incorporate the PEI components and the associated library class
> > resolutions and PCD declarations to enable TPM2 support in the
> > PEI phase.
> >
> > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > ---
> > ArmVirtPkg/ArmVirtQemu.dsc | 20 ++++++++++++++++++++
> > ArmVirtPkg/ArmVirtQemu.fdf | 2 ++
> > 2 files changed, 22 insertions(+)
> >
> > diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> > index d1757cdba671..8950116dacab 100644
> > --- a/ArmVirtPkg/ArmVirtQemu.dsc
> > +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> > @@ -75,11 +75,17 @@ [LibraryClasses.common]
> > PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
> > PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
> >
> > +!if $(TPM2_ENABLE) == TRUE
> > + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> > +!endif
> > +
> > [LibraryClasses.common.PEIM]
> > ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
> >
> > !if $(TPM2_ENABLE) == TRUE
> > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
> > + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> > !endif
> >
> > [LibraryClasses.common.DXE_DRIVER]
> > @@ -248,6 +254,10 @@ [PcdsDynamicDefault.common]
> > # TPM2 support
> > #
> > gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
> > +!if $(TPM2_ENABLE) == TRUE
> > + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> > + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
> > +!endif
> >
> > [PcdsDynamicHii]
> > gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
> > @@ -278,6 +288,16 @@ [Components.common]
> > <LibraryClasses>
> > ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
> > }
> > + OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> > + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> > + <LibraryClasses>
> > + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> > + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> > + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> > + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> > + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> > + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> > + }
> > !endif
> >
> > MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
> > diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
> > index f55918d26b06..b5e2253295fe 100644
> > --- a/ArmVirtPkg/ArmVirtQemu.fdf
> > +++ b/ArmVirtPkg/ArmVirtQemu.fdf
> > @@ -115,6 +115,8 @@ [FV.FVMAIN_COMPACT]
> >
> > !if $(TPM2_ENABLE) == TRUE
> > INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
> > + INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> > + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> > !endif
> >
> > FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
> >
>
> I'm OK with this patch; I have two requests:
>
> (1) Please add the following to the commit message:
>
> -----
> This patch ports (parts of) the following OvmfPkg commits to ArmVirtQemu:
> - 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
> 2018-03-09)
> - 4672a4892867 ("OvmfPkg: include Tcg2Pei module", 2018-03-09)
> - b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei
> and Tcg2Dxe", 2018-08-16)
> - 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe",
> 2019-07-19)
> -----
>
OK
> (2) I don't understand why PcdTpm2HashMask is necessary, especially that
> it diverges from the "SecurityPkg.dec" default. Please either drop the
> PCD, or (more likely) add a sentence to the commit message explaining
> why we're setting it to zero (unlike in OVMF).
>
I'm not sure about OVMF, but according to SecurityPkg.dec's
description of this PCD (line 455):
# If all the bits are clear, that means hash algorithm is
determined by current Active PCR Banks.<BR>
which seems like a reasonable default, rather than going through the
logic of SyncPcrAllocationsAndPcrMask() in Tcg2Pei, and essentially
end up doing the same.
I'll add a comment to the PCD declaration to clarify this.
> With those addressed:
>
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>
> Thanks!
> Laszlo
* Re: [edk2-devel] [PATCH v3 7/9] ArmVirtPkg/ArmVirtQemu: enable the DXE phase TPM2 support module
From: Laszlo Ersek @ 2020-02-27 9:28 UTC (permalink / raw)
To: devel, ard.biesheuvel; +Cc: eric.auger, philmd, marcandre.lureau, stefanb, leif
On 02/26/20 20:05, Ard Biesheuvel wrote:
> Enable the TPM2 support module in the DXE phase, and the associated
> libraries and PCDs that it requires. This will be wired into the
> measured boot support code in a subsequent patch.
>
> Note that Tcg2Dxe.inf is added to ArmVirtQemuFvMain.fdf.inc, which
> is shared with other platforms in ArmVirtPkg, but as those will not
> set the TPM2_ENABLE define, this change does not affect them.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmVirtPkg/ArmVirtQemu.dsc | 23 ++++++++++++++++++++
> ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 7 ++++++
> 2 files changed, 30 insertions(+)
>
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 8950116dacab..9fe5ab37611c 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -77,6 +77,8 @@ [LibraryClasses.common]
>
> !if $(TPM2_ENABLE) == TRUE
> Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> + Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
This should not be needed. Or more precisely, not like this.
In OvmfPkg, Marc-André added TPM2 PPI support in the following series
(which was separately building upon the initial TPM2 enablement):
[edk2] [PATCH v3 0/4] RFC: ovmf: Add support for TPM Physical Presence interface
http://mid.mail-archive.com/20180518122304.31020-1-marcandre.lureau@redhat.com
1 fe280ecbee11 OvmfPkg: add Tcg2PhysicalPresenceLibNull when !TPM2_ENABLE
2 909ac65af113 OvmfPkg/IndustryStandard: add QemuTpm.h header
3 b9777bb42e4f OvmfPkg: add Tcg2PhysicalPresenceLibQemu
4 8d65d3b25e35 OvmfPkg/PlatformBootManagerLib: process TPM PPI request
The above lib class resolution mirrors commit#3 from those.
But it only really makes sense if, in the end, we intend to add a
Tcg2PhysicalPresenceLibProcessRequest() call to the
PlatformBootManagerLib instance (see commit#4).
The present ArmVirtQemu patch generally mirrors OVMF commit 0c0a50d6b3ff
("OvmfPkg: include Tcg2Dxe module", 2018-03-09), from the initial TPM2
enablement work. In that commit, the Tcg2PhysicalPresenceLib class was
resolved to the
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
instance only. (And then later it was updated by commit#3, from the TPM2
PPI series.)
Now... I guess it does make sense to mirror OVMF's lib class resolution
here, even if we don't port the rest of the PPI stuff to ArmVirtQemu at
this time; such as commit#1 and commit #4. (Note: I do agree we
shouldn't port the PPI stuff now.)
(1) So ultimately my request is to add the following to the commit
message:
--------
This patch ports (parts of) the following OvmfPkg commits to
ArmVirtQemu:
- 0c0a50d6b3ff ("OvmfPkg: include Tcg2Dxe module", 2018-03-09)
- b9777bb42e4f ("OvmfPkg: add Tcg2PhysicalPresenceLibQemu", 2018-05-22)
-- only to match OVMF's current lib class resolutions
--------
> + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
(2) I agree this is necessary, but it should come in differently. Please
see OvmfPkg commit 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib if
and only if TPM2_ENABLE", 2019-07-04).
The gist is that, going forward, the TpmMeasurementLib resolution should
depend on TPM2_ENABLE only, in ArmVirtQemu as well. But currently we
have a SECURE_BOOT_ENABLE-dependent resolution in "ArmVirt.dsc.inc".
Therefore,
(2a) Please add another patch, before this one, replacing the current
TpmMeasurementLib resolution in "ArmVirt.dsc.inc" with an
*unconditional* resolution to TpmMeasurementLibNull.
Please mention commit 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib
if and only if TPM2_ENABLE", 2019-07-04) in the commit message.
(2b) Please add yet another patch, to move / triplicate that
(unconditional) TpmMeasurementLib Null resolution from the
"ArmVirt.dsc.inc" file, to the individual DSC files,
(2c) and in the current patch, please conditionalize the
TpmMeasurementLib resolution, solely based on TPM2_ENABLE,
(2d) also in the current patch, please also mention the commit below, in
the commit message section that I request above in (1):
------
- 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib if and only if
TPM2_ENABLE", 2019-07-04)
------
> !endif
>
> [LibraryClasses.common.PEIM]
> @@ -91,6 +93,10 @@ [LibraryClasses.common.PEIM]
> [LibraryClasses.common.DXE_DRIVER]
> ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
>
> +!if $(TPM2_ENABLE) == TRUE
> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> +!endif
> +
> [LibraryClasses.common.UEFI_DRIVER]
> UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
>
> @@ -469,6 +475,23 @@ [Components.common]
> MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
> MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
>
> + #
> + # TPM2 support
> + #
> +!if $(TPM2_ENABLE) == TRUE
> + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> + <LibraryClasses>
> + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> + }
> +!endif
> +
> #
> # ACPI Support
> #
(3) Looks good; please extend the commit message block (1) with the
following references:
- b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei
and Tcg2Dxe", 2018-08-16)
- 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe",
2019-07-19)
... So ultimately, block (1) should refer to *five* commits:
------------
This patch ports (parts of) the following OvmfPkg commits to
ArmVirtQemu:
- 0c0a50d6b3ff ("OvmfPkg: include Tcg2Dxe module", 2018-03-09)
- b9777bb42e4f ("OvmfPkg: add Tcg2PhysicalPresenceLibQemu", 2018-05-22)
-- only to match OVMF's current lib class resolutions
- 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib if and only if
TPM2_ENABLE", 2019-07-04)
- b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei
and Tcg2Dxe", 2018-08-16)
- 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe",
2019-07-19)
------------
> diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
> index 31f615a9d0f9..63247fd10058 100644
> --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
> +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
> @@ -182,3 +182,10 @@ [FV.FvMain]
> # Ramdisk support
> #
> INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
> +
> + #
> + # TPM2 support
> + #
> +!if $(TPM2_ENABLE) == TRUE
> + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> +!endif
>
(4) Can you hoist this addition please, so that it follows
"UsbMassStorageDxe.inf"? Because that would reflect the DSC listing
order more closely.
Thanks!
Laszlo
* Re: [PATCH v3 8/9] ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module
From: Laszlo Ersek @ 2020-02-27 9:39 UTC (permalink / raw)
To: Ard Biesheuvel, devel; +Cc: eric.auger, philmd, marcandre.lureau, stefanb, leif
On 02/26/20 20:05, Ard Biesheuvel wrote:
> Enable the DXE phase component that publishes the HII pages and
> associated logic to enable TPM2 parameters to be configured by
> the user via the setup menu.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmVirtPkg/ArmVirtQemu.dsc | 9 +++++++++
> ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 3 +++
> 2 files changed, 12 insertions(+)
>
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 9fe5ab37611c..7cb2d1b42fb8 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -30,6 +30,7 @@ [Defines]
> DEFINE TTY_TERMINAL = FALSE
> DEFINE SECURE_BOOT_ENABLE = FALSE
> DEFINE TPM2_ENABLE = FALSE
> + DEFINE TPM2_CONFIG_ENABLE = FALSE
>
> #
> # Network definition
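Review bot: `DEFINE TPM2_CONFIG_ENABLE = FALSE` only takes effect when TPM2_ENABLE is also TRUE, because the later [Components] and FDF additions nest its `!if` inside the TPM2_ENABLE block; a short comment on this line stating that dependency (in the style of the `# Network definition` comment below it) would spare a reader who sets TPM2_CONFIG_ENABLE=TRUE on its own from wondering why the TCG2 setup page never appears.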
> @@ -268,6 +269,11 @@ [PcdsDynamicDefault.common]
> [PcdsDynamicHii]
> gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
>
> +!if $(TPM2_CONFIG_ENABLE) == TRUE
> + gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> +!endif
> +
> ################################################################################
> #
> # Components Section - list of all EDK II Modules needed by this Platform
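Review bot: unlike the [Components] and FDF additions, this `!if $(TPM2_CONFIG_ENABLE) == TRUE` block in [PcdsDynamicHii] is not nested under TPM2_ENABLE, so a build with TPM2_CONFIG_ENABLE=TRUE and TPM2_ENABLE=FALSE declares HII-backed PCDs for a Tcg2ConfigDxe that is never built; consider the same nesting here for consistency. Otherwise the entries look right: both PCDs map into the single L"TCG2_VERSION" variable under gTcg2ConfigFormSetGuid at offsets 0x0 and 0x8 with NV,BS attributes, so the stored physical presence interface version ("1.3") and TPM2 ACPI table revision (3) persist across reboots but are reachable only by boot services, not by the OS at runtime.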
> @@ -490,6 +496,9 @@ [Components.common]
> NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> }
> +!if $(TPM2_CONFIG_ENABLE) == TRUE
> + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> +!endif
> !endif
>
> #
> diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
> index 63247fd10058..d481e4b2b8fb 100644
> --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
> +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
> @@ -188,4 +188,7 @@ [FV.FvMain]
> #
> !if $(TPM2_ENABLE) == TRUE
> INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> +!if $(TPM2_CONFIG_ENABLE) == TRUE
> + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> +!endif
> !endif
>
(1) Please mention the following in the commit message:
-------
This patch ports (parts of) the following commits to ArmVirtQemu:
- 3103389043bd ("OvmfPkg: Add TCG2 Configuration menu to the Device
Manager menu", 2019-02-11)
- cf3ad972a210 ("OvmfPkg: reorganize TPM2 support in DSC/FDF files",
2020-01-09)
- f55477fe2d62 ("OvmfPkg: use HII type PCDs for TPM2 config related
variables", 2020-01-09)
-------
With that:
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Thanks!
Laszlo
* Re: [PATCH v3 9/9] ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot
2020-02-26 19:05 ` [PATCH v3 9/9] ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot Ard Biesheuvel
@ 2020-02-27 9:42 ` Laszlo Ersek
0 siblings, 0 replies; 18+ messages in thread
From: Laszlo Ersek @ 2020-02-27 9:42 UTC (permalink / raw)
To: Ard Biesheuvel, devel; +Cc: eric.auger, philmd, marcandre.lureau, stefanb, leif
On 02/26/20 20:05, Ard Biesheuvel wrote:
> Now that all the TPM2 related plumbing is in place, we can add the
> final piece that performs the measurements of loaded images into
> the appropriate PCRs.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmVirtPkg/ArmVirtQemu.dsc | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 7cb2d1b42fb8..a0d179a72b2a 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -346,6 +346,9 @@ [Components.common]
> MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> <LibraryClasses>
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> +!if $(TPM2_ENABLE) == TRUE
> + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> +!endif
> }
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
>
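Review bot: the context lines show this SecurityStubDxe instance next to DxeImageVerificationLib, SecureBootConfigDxe and EnrollDefaultKeys, which are all Secure Boot components; if this `{ <LibraryClasses> ... }` block lives inside a `!if $(SECURE_BOOT_ENABLE) == TRUE` region (the three-line context does not show it, and SECURE_BOOT_ENABLE defaults to FALSE in [Defines]), then DxeTpm2MeasureBootLib is linked only when Secure Boot is also enabled, and a build with TPM2_ENABLE=TRUE alone would measure no images into the PCRs. Please confirm that any separate SecurityStubDxe entry for the non-Secure-Boot case receives the same `!if $(TPM2_ENABLE) == TRUE` NULL library, since measured boot and Secure Boot are independent features. Listing the measurement library after DxeImageVerificationLib mirrors the OvmfPkg arrangement of commit d5a002aba0aa cited below.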
(1) Please state in the commit message:
This patch ports commit d5a002aba0aa ("OvmfPkg: plug
DxeTpm2MeasureBootLib into SecurityStubDxe", 2018-03-09) to ArmVirtQemu.
With that:
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Thanks!
Laszlo
* Re: [PATCH v3 0/9] ArmVirtPkg: implement measured boot for ArmVirtQemu
2020-02-26 19:05 [PATCH v3 0/9] ArmVirtPkg: implement measured boot for ArmVirtQemu Ard Biesheuvel
` (8 preceding siblings ...)
2020-02-26 19:05 ` [PATCH v3 9/9] ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot Ard Biesheuvel
@ 2020-03-04 8:51 ` Ard Biesheuvel
9 siblings, 0 replies; 18+ messages in thread
From: Ard Biesheuvel @ 2020-03-04 8:51 UTC (permalink / raw)
To: edk2-devel-groups-io
Cc: Laszlo Ersek, Auger Eric, Philippe Mathieu-Daudé,
Marc-André Lureau, Stefan Berger, Leif Lindholm
On Wed, 26 Feb 2020 at 20:05, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>
> Wire up the various existing pieces so that we can implement measured
> boot on ArmVirtQemu based on the TPM support in QEMU, just like it has
> been implemented for x86 in OvmfPkg.
>
> The main difference is that on ARM, we first need to discover the TPM base
> address from the device tree provided by QEMU, as well as the PSCI method
> used to perform a cold reset.
>
> Changes since v2:
> - add Laszlo's ack to patches #2 and #4
> - add PcdTpm2SupportEnabled PCD declarations to all individual platforms in
> ArmVirtPkg, even though only ArmVirtQemu really needs it
> - split patch #5 into several patches
>
> Changes since v1:
> - use a separate ResetSystemLib instance based on on-demand parsing of the
> DT, and expose it via the ResetSystem PPI to other client PEIMs
> - add Laszlo's ack to #1
> - incorporate Laszlo's review feedback across the board
>
> Code can also be found at:
> https://github.com/ardbiesheuvel/edk2/tree/armvirt-tpm
>
> Cc: lersek@redhat.com
> Cc: eric.auger@redhat.com
> Cc: philmd@redhat.com
> Cc: marcandre.lureau@redhat.com
> Cc: stefanb@linux.ibm.com
> Cc: leif@nuviainc.com
>
> Ard Biesheuvel (9):
> OvmfPkg/Tcg2ConfigPei: introduce a signalling PPI to depex on
> ArmVirtPkg/PlatformPeiLib: make PcdLib dependency explicit in .INF
> ArmVirtPkg/PlatformPeiLib: discover the TPM base address from the DT
> ArmVirtPkg: implement ArmVirtPsciResetSystemPeiLib
> ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for upcoming TPM2 support
> ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI phase
> ArmVirtPkg/ArmVirtQemu: enable the DXE phase TPM2 support module
> ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module
> ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot
>
Merged as edk2-stable202002..0980779a9ddc
Thanks all