From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web08.657.1631566649768104838 for ; Mon, 13 Sep 2021 13:57:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=cTL7tqxU; spf=none, err=permanent DNS error (domain: linux.vnet.ibm.com, ip: 148.163.156.1, mailfrom: stefanb@linux.vnet.ibm.com) Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.0.43) with SMTP id 18DJhGml006009; Mon, 13 Sep 2021 16:57:29 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=pp1; bh=BOfw5QXpc3U4XHaZ7UElueE99uAtkaUuNRYd4rReY3Y=; b=cTL7tqxUjKzKjM4pK1r3lysbz5hx0VofGwT9xGMkEoDTkJYlIYMj3UB1bEOqlba1+mhD lgkv2FZKUdNMew2CveCVK58gjfkfn0V9utnaWuUkrWHShOSC/JL8+ciz3nM2sNGVDJOg d20q4W+QyIvwkZl0KcqNEaf5SkkVfy+P4kPAv19kSbgx0BH5QFCo25rSKlSmzh8FEndL 70qIAEp0vvcTYpdVowYKTYvKoGd2NZX0S0XXoI3ITLt1eXtuhLIgxFC2t3vwv06q95Ua fspvSoCHyV67yU97qJVTq5htcBglm95jHs7NE79S0rR69D49nXTChCMzY66IL8IQfSW6 1g== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3b2aa5w995-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Sep 2021 16:57:29 -0400 Received: from m0098404.ppops.net (m0098404.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 18DKY01X022145; Mon, 13 Sep 2021 16:57:28 -0400 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 3b2aa5w98t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Sep 2021 16:57:28 -0400 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 18DKphcW027723; Mon, 13 Sep 2021 20:57:27 GMT Received: from b01cxnp23034.gho.pok.ibm.com (b01cxnp23034.gho.pok.ibm.com [9.57.198.29]) by ppma01dal.us.ibm.com with ESMTP id 3b0m3c3q83-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Sep 2021 20:57:27 +0000 Received: from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com [9.57.199.110]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 18DKvQRo43057432 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 13 Sep 2021 20:57:26 GMT Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D6DA6AE064; Mon, 13 Sep 2021 20:57:26 +0000 (GMT) Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BDC60AE062; Mon, 13 Sep 2021 20:57:26 +0000 (GMT) Received: from sbct-2.pok.ibm.com (unknown [9.47.158.152]) by b01ledav005.gho.pok.ibm.com (Postfix) with ESMTP; Mon, 13 Sep 2021 20:57:26 +0000 (GMT) From: "Stefan Berger" To: devel@edk2.groups.io Cc: mhaeuser@posteo.de, spbrogan@outlook.com, marcandre.lureau@redhat.com, kraxel@redhat.com, jiewen.yao@intel.com, Stefan Berger Subject: [RFC PATCH v1 0/4] OvmfPkg: Disable the TPM 2 platform hierarchy Date: Mon, 13 Sep 2021 16:57:18 -0400 Message-Id: <20210913205722.2553473-1-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: 9ixD87HJi8WVtfjt0vBT7B-gWsDEmYLE X-Proofpoint-ORIG-GUID: gLxvFUyZigwSVjdbyqhr_X7QwsUZ0pBd X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.687,Hydra:6.0.235,FMLib:17.0.607.475 definitions=2020-10-13_15,2020-10-13_02,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxlogscore=636 priorityscore=1501 spamscore=0 clxscore=1015 mlxscore=0 impostorscore=0 bulkscore=0 adultscore=0 suspectscore=0 malwarescore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001 definitions=main-2109130102 Content-Transfer-Encoding: 8bit This series of patches adds support for disabling the TPM 2 platform hierarchy to Ovmf. To be able to do this we have to handle TPM 2 physical presence interface (PPI) opcodes before the TPM 2 platform hierarchy is disabled otherwise TPM 2 commands that are sent due to the PPI opcodes may fail if the platform hierarchy is already disabled. Therefore, we need to invoke the handler function Tcg2PhysicalPresenceLibProcessRequest from within PlatformBootManagerBeforeConsole. Since handling of PPI opcodes may require interaction with the user, we also move PlatformInitializeConsole to before the handling of PPI codes so that the keyboard is available when needed. The PPI handling code will activate the default consoles only if it requires user interaction. The question to answer at this point is whether the rearragement of functions is correct or what an alternative should look like. There are other BdsPlatform files that may need similar changes in a later revision of this series. Regards, Stefan Stefan Berger (4): OvmfPkg/TPM PPI: Connect default consoles for user interaction OvmfPkg: Handle TPM 2 physical presence codes much earlier OvmfPkg: Reference new Tcg2PlatformDxe in the build system for compilation OvmfPkg: Reference new Tcg2PlatformPei in the build system OvmfPkg/AmdSev/AmdSevX64.dsc | 8 ++++++++ OvmfPkg/AmdSev/AmdSevX64.fdf | 2 ++ .../PlatformBootManagerLib/BdsPlatform.c | 17 +++++++++-------- .../DxeTcg2PhysicalPresenceLib.c | 4 ++++ OvmfPkg/OvmfPkgIa32.dsc | 8 ++++++++ OvmfPkg/OvmfPkgIa32.fdf | 2 ++ OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++ OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++ OvmfPkg/OvmfPkgX64.dsc | 8 ++++++++ OvmfPkg/OvmfPkgX64.fdf | 2 ++ 10 files changed, 53 insertions(+), 8 deletions(-) -- 2.31.1