From: "Gerd Hoffmann"
To: Stefan Berger
Cc: devel@edk2.groups.io, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh
Subject: Re: [PATCH 3/4] OvmfPkg: rework TPM configuration
Date: Fri, 22 Oct 2021 08:30:41 +0200
Message-ID: <20211022063041.3yr4rzxy6mt3ifeo@sirius.home.kraxel.org>
References: <20211021122003.2008499-1-kraxel@redhat.com> <20211021122003.2008499-4-kraxel@redhat.com> <1f8cc7bb-64ee-df01-142e-aba039bd59e0@linux.ibm.com>
In-Reply-To: <1f8cc7bb-64ee-df01-142e-aba039bd59e0@linux.ibm.com>

On Thu, Oct 21, 2021 at 11:44:54AM -0400, Stefan Berger wrote:
>
> On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
> > Rename TPM_ENABLE to TPM2_ENABLE and TPM_CONFIG_ENABLE to
> > TPM2_CONFIG_ENABLE so they are in line with the ArmVirtPkg
> > config option names.
> >
> > Add separate TPM1_ENABLE option for TPM 1.2 support.
>
>
> I tested this on Fedora and attached a TPM 1.2 to the VM after a build
> **without** TPM1_ENABLE. When I run this here inside the VM
>
> cat /sys/devices/pnp0/00\:04/pcrs
>
> I get measurements in PCRs 0-9 hinting that the TPM 1.2 support isn't
> entirely disabled but somehow it's still measuring into those
> firmware-related PCRs. It is due to this here:
>
> + # has no effect unless TPM2_ENABLE == TRUE
> + DEFINE TPM1_ENABLE = TRUE
>
>
> If you set this to FALSE then it removes TPM 1.2 support if TPM1_ENABLE is
> not passed.

Yes, that is intentional. By default (when you don't explicitly set
TPM1_ENABLE) behavior doesn't change and TPM 1.2 support continues to be
available, as is the case without this series applied.

If you think it is better to flip the default instead of being
conservative, I'll happily change it in v2.

take care,
  Gerd
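
Review bot: the comment above `DEFINE TPM1_ENABLE = TRUE` in the quoted hunk documents only the dependency on TPM2_ENABLE and says nothing about the default itself. With the default at TRUE, a build that never passes TPM1_ENABLE still carries TPM 1.2 support, which is what the PCR 0-9 measurements reported in this thread show. Suggest extending the comment to state that TPM 1.2 support stays enabled unless the build explicitly sets TPM1_ENABLE to FALSE, so that nobody reads the new option as opt-in.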
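
The check described in the quoted test report (read the TPM 1.2 PCR file in the guest and see whether PCRs 0-9 hold measurements) can be scripted as below. This is an added example, not part of the thread or of edk2; it assumes the sysfs `pcrs` layout of one `PCR-NN:` line followed by 20 hex bytes, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed input: the TPM 1.2 sysfs "pcrs"
# layout, one register per line: "PCR-NN: " followed by 20 hex bytes (SHA-1).

# Constructed sample: PCRs 0, 4, 7 and 10 extended, PCR 1 untouched (all zero).
sample_pcrs() {
    zero='00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
    used='3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75'
    printf 'PCR-00: %s\nPCR-01: %s\nPCR-04: %s\nPCR-07: %s\nPCR-10: %s\n' \
        "$used" "$zero" "$used" "$used" "$used"
}

# Print the indices of PCRs 0-9 whose value is not all zero, i.e. registers
# that have been extended. Reads the file given as $1, or stdin.
# Exit status: 0 = some measured, 1 = none measured, 2 = no PCR lines parsed.
measured_fw_pcrs() {
    awk '
        /^PCR-[0-9]+:/ {
            idx = substr($1, 5) + 0      # "PCR-07:" -> 7
            if (idx > 9) next            # only the firmware-related range
            seen++
            for (i = 2; i <= NF; i++)
                if ($i != "00") {
                    hits = hits (hits == "" ? "" : " ") idx
                    break
                }
        }
        END {
            if (!seen) exit 2
            print hits
            exit (hits == "" ? 1 : 0)
        }
    ' "${1:--}"
}

# Demo on the constructed sample; on a guest, pass the pcrs file path instead.
sample_pcrs | measured_fw_pcrs    # prints: 0 4 7
```

An exit status of 1 on a guest built with TPM 1.2 support removed is the expected result; status 0 means the firmware-related PCRs were extended.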