public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: devel@edk2.groups.io, "James Bottomley" <jejb@linux.ibm.com>,
	"Min Xu" <min.m.xu@intel.com>,
	"Jordan Justen" <jordan.l.justen@intel.com>,
	"Erdem Aktas" <erdemaktas@google.com>,
	"Ard Biesheuvel" <ardb+tianocore@kernel.org>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Jiewen Yao" <jiewen.yao@intel.com>,
	"Tom Lendacky" <thomas.lendacky@amd.com>,
	"Brijesh Singh" <brijesh.singh@amd.com>
Subject: Re: [PATCH 0/4] OvmfPkg: rework TPM configuration.
Date: Fri, 22 Oct 2021 09:01:37 +0200	[thread overview]
Message-ID: <20211022070137.jn5nngecb6hbptvd@sirius.home.kraxel.org> (raw)
In-Reply-To: <7052ea1f-8bed-f556-8882-685718c91195@linux.ibm.com>

On Thu, Oct 21, 2021 at 12:13:51PM -0400, Stefan Berger wrote:
> A few more comments to this series:
> 
> - Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where
> there should not be a TPM 2 menu entry? It's worth considering dropping this
> option because a user does need to have control over certain aspects of the
> TPM 2 configuration.

I happily drop the option if it doesn't make sense.  I've already
wondered why it is there but assumed there is some valid reason for
it and left it as-is.

> - Should it be possible to enable TPM 1.2 independent of TPM 2? For me it's
> fine as-is since TPM 2 is mostly used these days...

Exactly.  With the world moving to TPM 2 building OVMF with TPM 1.2 only
looks pointless to me.

> - I would drop patch 4 if it means that an active SHA1 bank doesn't get PCR
> extensions (haven't tested yet). swtpm_setup currently sets up a swtpm with
> active SHA1 and SHA256 PCR banks ( https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65
> ). We can change this for swtpm v0.7.0 to only activate the SHA256 bank, if
> that's what is needed here. However, this doesn't prevent a user to activate
> the SHA1 PCR bank either via PPI 'request' file or UEFI TPM menu and when it
> is active it must get PCR extensions.

With SHA1 being considered broken we want avoid SHA1 being used.
Ideally by removing support it altogether.  In case this is not possible
for backward compatibility reasons at least have it disabled by default.

So swtpm_setup not enabling the SHA1 bank by default is certainly a good
idea and a move into the right direction (independent from the patch #4
discussion).

Didn't do much testing yet to see whenever removing SHA1 support
altogether trips up operating systems.

> - Since TPM 1.2 is still supported we need to add a TPM menu for it as well
> using this patch here. I would put this under the TPM1_ENABLE config option
> since having TPM 1.2 support without a menu is quite useless. I can send a
> patch for this once this series has gone through.

I can pick this up for v2 if you don't mind.

take care,
  Gerd


  reply	other threads:[~2021-10-22  7:01 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-21 12:19 [PATCH 0/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
2021-10-21 12:20 ` [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files Gerd Hoffmann
2021-10-21 14:12   ` [edk2-devel] " Stefan Berger
2021-10-21 12:20 ` [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf Gerd Hoffmann
2021-10-21 14:46   ` [edk2-devel] " Stefan Berger
2021-10-22  6:31     ` Gerd Hoffmann
2021-10-22 13:29       ` Stefan Berger
2021-10-21 12:20 ` [PATCH 3/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
2021-10-21 15:44   ` Stefan Berger
2021-10-22  6:30     ` Gerd Hoffmann
2021-10-21 12:20 ` [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option Gerd Hoffmann
2021-10-21 13:24   ` Stefan Berger
2021-10-22  6:39     ` Gerd Hoffmann
2021-10-22 10:50       ` Stefan Berger
2021-10-22 11:37         ` Gerd Hoffmann
2021-10-22 11:49         ` James Bottomley
2021-10-22 11:57           ` Stefan Berger
2021-10-22 12:40             ` James Bottomley
2021-10-22 13:13               ` Stefan Berger
2021-10-22 14:17                 ` James Bottomley
2021-10-22 14:52                   ` [edk2-devel] " Stefan Berger
2021-10-22 15:01                     ` James Bottomley
2021-10-22 15:48                       ` Stefan Berger
2021-10-22 16:50                         ` James Bottomley
2021-10-21 16:13 ` [PATCH 0/4] OvmfPkg: rework TPM configuration Stefan Berger
2021-10-22  7:01   ` Gerd Hoffmann [this message]
2021-10-22 10:46     ` [edk2-devel] " Stefan Berger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211022070137.jn5nngecb6hbptvd@sirius.home.kraxel.org \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox