[PATCH v2 0/5] OvmfPkg: rework TPM configuration.

[PATCH v2 0/5] OvmfPkg: rework TPM configuration.

[Gerd Hoffmann]

Allows to enable/disable TPM 1.2 support in OVMF.
Allows to enable SHA-1 support for TPM hashing.

v2:
 - drop TPM_CONFIG_ENABLE config option.
 - don't add SHA1 config option.
 - add config menu for tpm 1.2

Gerd Hoffmann (5):
  OvmfPkg: move tcg configuration to dsc and fdf include files
  OvmfPkg: drop TPM_CONFIG_ENABLE
  OvmfPkg: create Tcg12ConfigPei.inf
  OvmfPkg: rework TPM configuration
  OvmfPkg: add TPM 1.2 config menu

 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc          | 29 ++++++
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc          | 26 ++++++
 OvmfPkg/OvmfTpmDefines.dsc.inc                |  8 ++
 OvmfPkg/OvmfTpmLibs.dsc.inc                   | 16 ++++
 OvmfPkg/OvmfTpmLibsDxe.dsc.inc                | 10 +++
 OvmfPkg/OvmfTpmLibsPeim.dsc.inc               | 11 +++
 OvmfPkg/OvmfTpmPcds.dsc.inc                   |  7 ++
 OvmfPkg/OvmfTpmPcdsHii.dsc.inc                |  8 ++
 OvmfPkg/OvmfTpmSecurityStub.dsc.inc           | 10 +++
 OvmfPkg/AmdSev/AmdSevX64.dsc                  | 85 +++---------------
 OvmfPkg/OvmfPkgIa32.dsc                       | 88 +++----------------
 OvmfPkg/OvmfPkgIa32X64.dsc                    | 85 +++---------------
 OvmfPkg/OvmfPkgX64.dsc                        | 85 +++---------------
 OvmfPkg/AmdSev/AmdSevX64.fdf                  | 17 +---
 OvmfPkg/OvmfPkgIa32.fdf                       | 17 +---
 OvmfPkg/OvmfPkgIa32X64.fdf                    | 17 +---
 OvmfPkg/OvmfPkgX64.fdf                        | 17 +---
 .../{Tcg2ConfigPei.inf => Tcg12ConfigPei.inf} | 11 +--
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf      | 11 +--
 OvmfPkg/OvmfTpmDxe.fdf.inc                    | 13 +++
 OvmfPkg/OvmfTpmPei.fdf.inc                    | 15 ++++
 .../.azurepipelines/Ubuntu-GCC5.yml           |  6 +-
 .../.azurepipelines/Windows-VS2019.yml        |  6 +-
 OvmfPkg/PlatformCI/ReadMe.md                  |  2 +-
 24 files changed, 215 insertions(+), 385 deletions(-)
 create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
 copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg12ConfigPei.inf} (82%)
 create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
 create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc

-- 
2.31.1

[PATCH v2 1/5] OvmfPkg: move tcg configuration to dsc and fdf include files

[Gerd Hoffmann]

With this in place the tpm configuration is not duplicated for each of
our four ovmf config variants (ia32, ia32x64, x64, amdsev) and it is
easier to keep them all in sync when updating the tpm configuration.

No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 28 +++++++++
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 22 +++++++
 OvmfPkg/OvmfTpmDefines.dsc.inc       |  6 ++
 OvmfPkg/OvmfTpmLibs.dsc.inc          | 14 +++++
 OvmfPkg/OvmfTpmLibsDxe.dsc.inc       |  8 +++
 OvmfPkg/OvmfTpmLibsPeim.dsc.inc      |  9 +++
 OvmfPkg/OvmfTpmPcds.dsc.inc          |  7 +++
 OvmfPkg/OvmfTpmPcdsHii.dsc.inc       |  8 +++
 OvmfPkg/OvmfTpmSecurityStub.dsc.inc  |  8 +++
 OvmfPkg/AmdSev/AmdSevX64.dsc         | 85 ++++-----------------------
 OvmfPkg/OvmfPkgIa32.dsc              | 88 ++++------------------------
 OvmfPkg/OvmfPkgIa32X64.dsc           | 85 ++++-----------------------
 OvmfPkg/OvmfPkgX64.dsc               | 85 ++++-----------------------
 OvmfPkg/AmdSev/AmdSevX64.fdf         | 17 +-----
 OvmfPkg/OvmfPkgIa32.fdf              | 17 +-----
 OvmfPkg/OvmfPkgIa32X64.fdf           | 17 +-----
 OvmfPkg/OvmfPkgX64.fdf               | 17 +-----
 OvmfPkg/OvmfTpmDxe.fdf.inc           | 12 ++++
 OvmfPkg/OvmfTpmPei.fdf.inc           | 11 ++++
 19 files changed, 185 insertions(+), 359 deletions(-)
 create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
 create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
new file mode 100644
index 000000000000..d5c2586118f1
--- /dev/null
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -0,0 +1,28 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+  }
+!if $(TPM_CONFIG_ENABLE) == TRUE
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
+  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+    <LibraryClasses>
+      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  }
+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+!endif
diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
new file mode 100644
index 000000000000..99fa7c13b3e7
--- /dev/null
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
@@ -0,0 +1,22 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+    <LibraryClasses>
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+  }
+  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+!endif
diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
new file mode 100644
index 000000000000..51da7508b307
--- /dev/null
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
@@ -0,0 +1,6 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+  DEFINE TPM_ENABLE              = FALSE
+  DEFINE TPM_CONFIG_ENABLE       = FALSE
diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
new file mode 100644
index 000000000000..50100f2c0371
--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
@@ -0,0 +1,14 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!else
+  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
new file mode 100644
index 000000000000..67d5027abaea
--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+!endif
diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
new file mode 100644
index 000000000000..4e84e3dcaaeb
--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
@@ -0,0 +1,9 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+!endif
diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
new file mode 100644
index 000000000000..0e7f83c04bd7
--- /dev/null
+++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
@@ -0,0 +1,7 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+!endif
diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
new file mode 100644
index 000000000000..164bc9c7fca0
--- /dev/null
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+!endif
diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
new file mode 100644
index 000000000000..4bd4066843ef
--- /dev/null
+++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+!endif
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 5ee54451169b..d145b491fb44 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -32,8 +32,8 @@ [Defines]
   # -D FLAG=VALUE
   #
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
 
   #
   # Shell can be useful for debugging but should not be enabled for production
@@ -203,16 +203,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -286,11 +277,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -371,10 +358,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -575,15 +560,10 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -624,24 +604,7 @@ [Components]
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
   OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
   #
   # DXE Phase modules
@@ -663,10 +626,7 @@ [Components]
 
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
   }
 
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
@@ -836,27 +796,4 @@ [Components]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 6a5be97c059d..462c1b970ed8 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -32,10 +32,10 @@ [Defines]
   DEFINE SECURE_BOOT_ENABLE      = FALSE
   DEFINE SMM_REQUIRE             = FALSE
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
   DEFINE LOAD_X64_ON_IA32_ENABLE = FALSE
 
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
+
   #
   # Network definition
   #
@@ -229,16 +229,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -309,11 +300,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -401,10 +388,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -642,19 +627,14 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
   # IPv4 and IPv6 PXE Boot support.
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -704,24 +684,7 @@ [Components]
 !endif
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
   #
   # DXE Phase modules
@@ -746,10 +709,7 @@ [Components]
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 !endif
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
   }
 
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
@@ -1019,31 +979,5 @@ [Components]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
 
-!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
-  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
-!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 71227d1b709a..3908acbc9c78 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -32,8 +32,8 @@ [Defines]
   DEFINE SECURE_BOOT_ENABLE      = FALSE
   DEFINE SMM_REQUIRE             = FALSE
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
 
   #
   # Network definition
@@ -233,16 +233,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -313,11 +304,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -405,10 +392,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -654,9 +639,7 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
 [PcdsDynamicDefault.X64]
   # IPv4 and IPv6 PXE Boot support.
@@ -664,10 +647,7 @@ [PcdsDynamicDefault.X64]
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -717,24 +697,7 @@ [Components.IA32]
 !endif
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
 [Components.X64]
   #
@@ -760,10 +723,7 @@ [Components.X64]
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 !endif
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
   }
 
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
@@ -1034,27 +994,4 @@ [Components.X64]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 52f7598cf1c7..6114a4d61ab7 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -32,8 +32,8 @@ [Defines]
   DEFINE SECURE_BOOT_ENABLE      = FALSE
   DEFINE SMM_REQUIRE             = FALSE
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
 
   #
   # Network definition
@@ -233,16 +233,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -315,11 +306,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -407,10 +394,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -654,19 +639,14 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
   # IPv4 and IPv6 PXE Boot support.
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -716,24 +696,7 @@ [Components]
 !endif
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
   #
   # DXE Phase modules
@@ -757,10 +720,7 @@ [Components]
     <LibraryClasses>
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
-!endif
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
 !endif
   }
 
@@ -1032,27 +992,4 @@ [Components]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 56626098862c..b9017f490458 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -156,13 +156,7 @@ [FV.PEIFV]
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -318,14 +312,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 ################################################################################
 
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 775ea2d71098..24e4366c172d 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -161,13 +161,7 @@ [FV.PEIFV]
 !endif
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -361,14 +355,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
 INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 9d8695922f97..734df36602bd 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -164,13 +164,7 @@ [FV.PEIFV]
 !endif
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -371,14 +365,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 ################################################################################
 
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index b6cc3cabdd69..b8d074c6e496 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -180,13 +180,7 @@ [FV.PEIFV]
 !endif
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -387,14 +381,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 ################################################################################
 
diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
new file mode 100644
index 000000000000..9dcdaaf01c39
--- /dev/null
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
@@ -0,0 +1,12 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!if $(TPM_CONFIG_ENABLE) == TRUE
+INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
+!endif
diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
new file mode 100644
index 000000000000..9aefd73d219c
--- /dev/null
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
@@ -0,0 +1,11 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+!endif
-- 
2.31.1

Re: [PATCH v2 1/5] OvmfPkg: move tcg configuration to dsc and fdf include files

[Stefan Berger]

On 10/25/21 8:15 AM, Gerd Hoffmann wrote:
> With this in place the tpm configuration is not duplicated for each of
> our four ovmf config variants (ia32, ia32x64, x64, amdsev) and it is
> easier to keep them all in sync when updating the tpm configuration.
>
> No functional change.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>


> ---
>   OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 28 +++++++++
>   OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 22 +++++++
>   OvmfPkg/OvmfTpmDefines.dsc.inc       |  6 ++
>   OvmfPkg/OvmfTpmLibs.dsc.inc          | 14 +++++
>   OvmfPkg/OvmfTpmLibsDxe.dsc.inc       |  8 +++
>   OvmfPkg/OvmfTpmLibsPeim.dsc.inc      |  9 +++
>   OvmfPkg/OvmfTpmPcds.dsc.inc          |  7 +++
>   OvmfPkg/OvmfTpmPcdsHii.dsc.inc       |  8 +++
>   OvmfPkg/OvmfTpmSecurityStub.dsc.inc  |  8 +++
>   OvmfPkg/AmdSev/AmdSevX64.dsc         | 85 ++++-----------------------
>   OvmfPkg/OvmfPkgIa32.dsc              | 88 ++++------------------------
>   OvmfPkg/OvmfPkgIa32X64.dsc           | 85 ++++-----------------------
>   OvmfPkg/OvmfPkgX64.dsc               | 85 ++++-----------------------
>   OvmfPkg/AmdSev/AmdSevX64.fdf         | 17 +-----
>   OvmfPkg/OvmfPkgIa32.fdf              | 17 +-----
>   OvmfPkg/OvmfPkgIa32X64.fdf           | 17 +-----
>   OvmfPkg/OvmfPkgX64.fdf               | 17 +-----
>   OvmfPkg/OvmfTpmDxe.fdf.inc           | 12 ++++
>   OvmfPkg/OvmfTpmPei.fdf.inc           | 11 ++++
>   19 files changed, 185 insertions(+), 359 deletions(-)
>   create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
>   create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc
>
> diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> new file mode 100644
> index 000000000000..d5c2586118f1
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> @@ -0,0 +1,28 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> +    <LibraryClasses>
> +      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> +      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> +      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> +  }
> +!if $(TPM_CONFIG_ENABLE) == TRUE
> +  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> +!endif
> +  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
> +    <LibraryClasses>
> +      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> +  }
> +  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
> +    <LibraryClasses>
> +      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> +  }
> +!endif
> diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> new file mode 100644
> index 000000000000..99fa7c13b3e7
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> @@ -0,0 +1,22 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> +  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> +  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> +    <LibraryClasses>
> +      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> +  }
> +  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
> +    <LibraryClasses>
> +      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> +  }
> +!endif
> diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
> new file mode 100644
> index 000000000000..51da7508b307
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
> @@ -0,0 +1,6 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +  DEFINE TPM_ENABLE              = FALSE
> +  DEFINE TPM_CONFIG_ENABLE       = FALSE
> diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
> new file mode 100644
> index 000000000000..50100f2c0371
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
> @@ -0,0 +1,14 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> +  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> +  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
> +  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> +  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> +!else
> +  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
> +  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> +!endif
> diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> new file mode 100644
> index 000000000000..67d5027abaea
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> @@ -0,0 +1,8 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> +  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> +!endif
> diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> new file mode 100644
> index 000000000000..4e84e3dcaaeb
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> @@ -0,0 +1,9 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> +  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> +!endif
> diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
> new file mode 100644
> index 000000000000..0e7f83c04bd7
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
> @@ -0,0 +1,7 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> +!endif
> diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> new file mode 100644
> index 000000000000..164bc9c7fca0
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> @@ -0,0 +1,8 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> +!endif
> diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> new file mode 100644
> index 000000000000..4bd4066843ef
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> @@ -0,0 +1,8 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
> +      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> +!endif
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 5ee54451169b..d145b491fb44 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -32,8 +32,8 @@ [Defines]
>     # -D FLAG=VALUE
>     #
>     DEFINE SOURCE_DEBUG_ENABLE     = FALSE
> -  DEFINE TPM_ENABLE              = FALSE
> -  DEFINE TPM_CONFIG_ENABLE       = FALSE
> +
> +!include OvmfPkg/OvmfTpmDefines.dsc.inc
>   
>     #
>     # Shell can be useful for debugging but should not be enabled for production
> @@ -203,16 +203,7 @@ [LibraryClasses]
>     SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>     OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> -  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
> -  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> -  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> -!else
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
> -  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibs.dsc.inc
>   
>   [LibraryClasses.common]
>     BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -286,11 +277,7 @@ [LibraryClasses.common.PEIM]
>     PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>     QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
>   
>     MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
>   
> @@ -371,10 +358,8 @@ [LibraryClasses.common.DXE_DRIVER]
>     MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
>     QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
>     QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> -!endif
> +
> +!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
>   
>   [LibraryClasses.common.UEFI_APPLICATION]
>     PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -575,15 +560,10 @@ [PcdsDynamicDefault]
>   
>     gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
>   
> -!if $(TPM_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> -!endif
> +!include OvmfPkg/OvmfTpmPcds.dsc.inc
>   
>   [PcdsDynamicHii]
> -!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> -!endif
> +!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
>   
>   ################################################################################
>   #
> @@ -624,24 +604,7 @@ [Components]
>     UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>     OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> -    <LibraryClasses>
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
>   
>     #
>     # DXE Phase modules
> @@ -663,10 +626,7 @@ [Components]
>   
>     MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
>       <LibraryClasses>
> -!if $(TPM_ENABLE) == TRUE
> -      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
> -      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> -!endif
> +!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
>     }
>   
>     MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
> @@ -836,27 +796,4 @@ [Components]
>     #
>     # TPM support
>     #
> -!if $(TPM_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> -    <LibraryClasses>
> -      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> -      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
> -    <LibraryClasses>
> -      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 6a5be97c059d..462c1b970ed8 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -32,10 +32,10 @@ [Defines]
>     DEFINE SECURE_BOOT_ENABLE      = FALSE
>     DEFINE SMM_REQUIRE             = FALSE
>     DEFINE SOURCE_DEBUG_ENABLE     = FALSE
> -  DEFINE TPM_ENABLE              = FALSE
> -  DEFINE TPM_CONFIG_ENABLE       = FALSE
>     DEFINE LOAD_X64_ON_IA32_ENABLE = FALSE
>   
> +!include OvmfPkg/OvmfTpmDefines.dsc.inc
> +
>     #
>     # Network definition
>     #
> @@ -229,16 +229,7 @@ [LibraryClasses]
>     SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>     OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> -  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
> -  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> -  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> -!else
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
> -  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibs.dsc.inc
>   
>   [LibraryClasses.common]
>     BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -309,11 +300,7 @@ [LibraryClasses.common.PEIM]
>     PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>     QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
>   
>     MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
>   
> @@ -401,10 +388,8 @@ [LibraryClasses.common.DXE_DRIVER]
>     MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
>     QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
>     QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> -!endif
> +
> +!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
>   
>   [LibraryClasses.common.UEFI_APPLICATION]
>     PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -642,19 +627,14 @@ [PcdsDynamicDefault]
>   
>     gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
>   
> -!if $(TPM_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> -!endif
> +!include OvmfPkg/OvmfTpmPcds.dsc.inc
>   
>     # IPv4 and IPv6 PXE Boot support.
>     gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
>     gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
>   
>   [PcdsDynamicHii]
> -!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> -!endif
> +!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
>   
>   ################################################################################
>   #
> @@ -704,24 +684,7 @@ [Components]
>   !endif
>     UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> -    <LibraryClasses>
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
>   
>     #
>     # DXE Phase modules
> @@ -746,10 +709,7 @@ [Components]
>   !if $(SECURE_BOOT_ENABLE) == TRUE
>         NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
>   !endif
> -!if $(TPM_ENABLE) == TRUE
> -      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
> -      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> -!endif
> +!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
>     }
>   
>     MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
> @@ -1019,31 +979,5 @@ [Components]
>     #
>     # TPM support
>     #
> -!if $(TPM_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> -    <LibraryClasses>
> -      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> -      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
> -    <LibraryClasses>
> -      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
>   
> -!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
> -  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
> -!endif
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 71227d1b709a..3908acbc9c78 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -32,8 +32,8 @@ [Defines]
>     DEFINE SECURE_BOOT_ENABLE      = FALSE
>     DEFINE SMM_REQUIRE             = FALSE
>     DEFINE SOURCE_DEBUG_ENABLE     = FALSE
> -  DEFINE TPM_ENABLE              = FALSE
> -  DEFINE TPM_CONFIG_ENABLE       = FALSE
> +
> +!include OvmfPkg/OvmfTpmDefines.dsc.inc
>   
>     #
>     # Network definition
> @@ -233,16 +233,7 @@ [LibraryClasses]
>     SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>     OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> -  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
> -  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> -  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> -!else
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
> -  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibs.dsc.inc
>   
>   [LibraryClasses.common]
>     BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -313,11 +304,7 @@ [LibraryClasses.common.PEIM]
>     PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>     QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
>   
>     MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
>   
> @@ -405,10 +392,8 @@ [LibraryClasses.common.DXE_DRIVER]
>     MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
>     QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
>     QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> -!endif
> +
> +!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
>   
>   [LibraryClasses.common.UEFI_APPLICATION]
>     PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -654,9 +639,7 @@ [PcdsDynamicDefault]
>   
>     gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
>   
> -!if $(TPM_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> -!endif
> +!include OvmfPkg/OvmfTpmPcds.dsc.inc
>   
>   [PcdsDynamicDefault.X64]
>     # IPv4 and IPv6 PXE Boot support.
> @@ -664,10 +647,7 @@ [PcdsDynamicDefault.X64]
>     gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
>   
>   [PcdsDynamicHii]
> -!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> -!endif
> +!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
>   
>   ################################################################################
>   #
> @@ -717,24 +697,7 @@ [Components.IA32]
>   !endif
>     UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> -    <LibraryClasses>
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
>   
>   [Components.X64]
>     #
> @@ -760,10 +723,7 @@ [Components.X64]
>   !if $(SECURE_BOOT_ENABLE) == TRUE
>         NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
>   !endif
> -!if $(TPM_ENABLE) == TRUE
> -      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
> -      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> -!endif
> +!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
>     }
>   
>     MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
> @@ -1034,27 +994,4 @@ [Components.X64]
>     #
>     # TPM support
>     #
> -!if $(TPM_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> -    <LibraryClasses>
> -      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> -      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
> -    <LibraryClasses>
> -      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 52f7598cf1c7..6114a4d61ab7 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -32,8 +32,8 @@ [Defines]
>     DEFINE SECURE_BOOT_ENABLE      = FALSE
>     DEFINE SMM_REQUIRE             = FALSE
>     DEFINE SOURCE_DEBUG_ENABLE     = FALSE
> -  DEFINE TPM_ENABLE              = FALSE
> -  DEFINE TPM_CONFIG_ENABLE       = FALSE
> +
> +!include OvmfPkg/OvmfTpmDefines.dsc.inc
>   
>     #
>     # Network definition
> @@ -233,16 +233,7 @@ [LibraryClasses]
>     SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>     OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> -  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
> -  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> -  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> -!else
> -  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
> -  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibs.dsc.inc
>   
>   [LibraryClasses.common]
>     BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -315,11 +306,7 @@ [LibraryClasses.common.PEIM]
>     PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>     QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> -!endif
> +!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
>   
>     MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
>   
> @@ -407,10 +394,8 @@ [LibraryClasses.common.DXE_DRIVER]
>     MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
>     QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
>     QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
> -!if $(TPM_ENABLE) == TRUE
> -  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> -  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> -!endif
> +
> +!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
>   
>   [LibraryClasses.common.UEFI_APPLICATION]
>     PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -654,19 +639,14 @@ [PcdsDynamicDefault]
>   
>     gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
>   
> -!if $(TPM_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
> -!endif
> +!include OvmfPkg/OvmfTpmPcds.dsc.inc
>   
>     # IPv4 and IPv6 PXE Boot support.
>     gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
>     gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
>   
>   [PcdsDynamicHii]
> -!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
> -  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
> -!endif
> +!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
>   
>   ################################################################################
>   #
> @@ -716,24 +696,7 @@ [Components]
>   !endif
>     UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> -    <LibraryClasses>
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
>   
>     #
>     # DXE Phase modules
> @@ -757,10 +720,7 @@ [Components]
>       <LibraryClasses>
>   !if $(SECURE_BOOT_ENABLE) == TRUE
>         NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> -!endif
> -!if $(TPM_ENABLE) == TRUE
> -      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
> -      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> +!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
>   !endif
>     }
>   
> @@ -1032,27 +992,4 @@ [Components]
>     #
>     # TPM support
>     #
> -!if $(TPM_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
> -    <LibraryClasses>
> -      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> -      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
> -      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> -      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
> -  }
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
> -    <LibraryClasses>
> -      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> -  }
> -  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
> -    <LibraryClasses>
> -      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> -  }
> -!endif
> +!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
> index 56626098862c..b9017f490458 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.fdf
> +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
> @@ -156,13 +156,7 @@ [FV.PEIFV]
>   INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>   INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
> -!endif
> +!include OvmfPkg/OvmfTpmPei.fdf.inc
>   
>   ################################################################################
>   
> @@ -318,14 +312,7 @@ [FV.DXEFV]
>   #
>   # TPM support
>   #
> -!if $(TPM_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> -INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -!endif
> +!include OvmfPkg/OvmfTpmDxe.fdf.inc
>   
>   ################################################################################
>   
> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> index 775ea2d71098..24e4366c172d 100644
> --- a/OvmfPkg/OvmfPkgIa32.fdf
> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> @@ -161,13 +161,7 @@ [FV.PEIFV]
>   !endif
>   INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
> -!endif
> +!include OvmfPkg/OvmfTpmPei.fdf.inc
>   
>   ################################################################################
>   
> @@ -361,14 +355,7 @@ [FV.DXEFV]
>   #
>   # TPM support
>   #
> -!if $(TPM_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> -INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -!endif
> +!include OvmfPkg/OvmfTpmDxe.fdf.inc
>   
>   !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
>   INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> index 9d8695922f97..734df36602bd 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> @@ -164,13 +164,7 @@ [FV.PEIFV]
>   !endif
>   INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
> -!endif
> +!include OvmfPkg/OvmfTpmPei.fdf.inc
>   
>   ################################################################################
>   
> @@ -371,14 +365,7 @@ [FV.DXEFV]
>   #
>   # TPM support
>   #
> -!if $(TPM_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> -INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -!endif
> +!include OvmfPkg/OvmfTpmDxe.fdf.inc
>   
>   ################################################################################
>   
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index b6cc3cabdd69..b8d074c6e496 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -180,13 +180,7 @@ [FV.PEIFV]
>   !endif
>   INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
>   
> -!if $(TPM_ENABLE) == TRUE
> -INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> -INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> -INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
> -!endif
> +!include OvmfPkg/OvmfTpmPei.fdf.inc
>   
>   ################################################################################
>   
> @@ -387,14 +381,7 @@ [FV.DXEFV]
>   #
>   # TPM support
>   #
> -!if $(TPM_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> -INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> -INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> -INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
> -!endif
> +!include OvmfPkg/OvmfTpmDxe.fdf.inc
>   
>   ################################################################################
>   
> diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
> new file mode 100644
> index 000000000000..9dcdaaf01c39
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
> @@ -0,0 +1,12 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> +INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
> +INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> +!if $(TPM_CONFIG_ENABLE) == TRUE
> +INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> +!endif
> +!endif
> diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
> new file mode 100644
> index 000000000000..9aefd73d219c
> --- /dev/null
> +++ b/OvmfPkg/OvmfTpmPei.fdf.inc
> @@ -0,0 +1,11 @@
> +##
> +#    SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +!if $(TPM_ENABLE) == TRUE
> +INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> +INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> +INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> +INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
> +!endif

[PATCH v2 2/5] OvmfPkg: drop TPM_CONFIG_ENABLE

[Gerd Hoffmann]

Drop TPM_CONFIG_ENABLE config option.  Including TPM support in the
build without also including the TPM configuration menu is not useful.

Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 2 --
 OvmfPkg/OvmfTpmDefines.dsc.inc                        | 1 -
 OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
 OvmfPkg/OvmfTpmDxe.fdf.inc                            | 2 --
 OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
 OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
 6 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
index d5c2586118f1..e025d85a5878 100644
--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -14,9 +14,7 @@
       NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
       NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
   }
-!if $(TPM_CONFIG_ENABLE) == TRUE
   SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
   SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
     <LibraryClasses>
       Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
index 51da7508b307..5df4a331fb99 100644
--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
@@ -3,4 +3,3 @@
 ##
 
   DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
index 164bc9c7fca0..2e02a5b4cb90 100644
--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
@@ -2,7 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+!if $(TPM_ENABLE) == TRUE
   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
 !endif
diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
index 9dcdaaf01c39..32eef246387a 100644
--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
@@ -6,7 +6,5 @@
 INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
 INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
 INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
 !endif
-!endif
diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
index 7117b86b8177..1774423580b9 100644
--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
@@ -95,21 +95,21 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_NOOPT:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "NOOPT"
             Run.Flags: $(run_flags)
             Run: $(should_run)
diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
index 2e07a3d8893a..09f9851312a2 100644
--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
@@ -94,14 +94,14 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
@@ -112,7 +112,7 @@ jobs:
     #       OVMF_IA32X64_FULL_NOOPT:
     #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
     #         Build.Arch: "IA32,X64"
-    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
     #         Build.Target: "NOOPT"
     #         Run.Flags: $(run_flags)
     #         Run: $(should_run)
-- 
2.31.1

Re: [PATCH v2 2/5] OvmfPkg: drop TPM_CONFIG_ENABLE

[Stefan Berger]

On 10/25/21 8:15 AM, Gerd Hoffmann wrote:
> Drop TPM_CONFIG_ENABLE config option.  Including TPM support in the
> build without also including the TPM configuration menu is not useful.
>
> Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

2 more files would need this change:

./OvmfPkg/Microvm/MicrovmX64.dsc:  DEFINE TPM_CONFIG_ENABLE = FALSE
./OvmfPkg/PlatformCI/ReadMe.md:| IA32 X64 Full           | PEI-IA32 
DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 
TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 
NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |

I tested it:

Tested-by: Stefan Berger <stefanb@linux.ibm.com>


> ---
>   OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 2 --
>   OvmfPkg/OvmfTpmDefines.dsc.inc                        | 1 -
>   OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
>   OvmfPkg/OvmfTpmDxe.fdf.inc                            | 2 --
>   OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
>   OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
>   6 files changed, 7 insertions(+), 12 deletions(-)
>
> diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> index d5c2586118f1..e025d85a5878 100644
> --- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> @@ -14,9 +14,7 @@
>         NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
>         NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
>     }
> -!if $(TPM_CONFIG_ENABLE) == TRUE
>     SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> -!endif
>     SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
>       <LibraryClasses>
>         Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
> index 51da7508b307..5df4a331fb99 100644
> --- a/OvmfPkg/OvmfTpmDefines.dsc.inc
> +++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
> @@ -3,4 +3,3 @@
>   ##
>   
>     DEFINE TPM_ENABLE              = FALSE
> -  DEFINE TPM_CONFIG_ENABLE       = FALSE
> diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> index 164bc9c7fca0..2e02a5b4cb90 100644
> --- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> +++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> @@ -2,7 +2,7 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
> +!if $(TPM_ENABLE) == TRUE
>     gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
>     gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
>   !endif
> diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
> index 9dcdaaf01c39..32eef246387a 100644
> --- a/OvmfPkg/OvmfTpmDxe.fdf.inc
> +++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
> @@ -6,7 +6,5 @@
>   INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
>   INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> -!if $(TPM_CONFIG_ENABLE) == TRUE
>   INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
>   !endif
> -!endif
> diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> index 7117b86b8177..1774423580b9 100644
> --- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> +++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> @@ -95,21 +95,21 @@ jobs:
>             OVMF_IA32X64_FULL_DEBUG:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "DEBUG"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_RELEASE:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "RELEASE"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_NOOPT:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "NOOPT"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
> diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> index 2e07a3d8893a..09f9851312a2 100644
> --- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> +++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> @@ -94,14 +94,14 @@ jobs:
>             OVMF_IA32X64_FULL_DEBUG:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "DEBUG"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_RELEASE:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "RELEASE"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
> @@ -112,7 +112,7 @@ jobs:
>       #       OVMF_IA32X64_FULL_NOOPT:
>       #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>       #         Build.Arch: "IA32,X64"
> -    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>       #         Build.Target: "NOOPT"
>       #         Run.Flags: $(run_flags)
>       #         Run: $(should_run)

[PATCH v2 3/5] OvmfPkg: create Tcg12ConfigPei.inf

[Gerd Hoffmann]

Split Tcg2ConfigPei.inf into two variants: Tcg12ConfigPei.inf with TPM
1.2 backward compatibility included and Tcg2ConfigPei.inf supporting TPM
2.0 only.  This allows x86 builds to choose whenever TPM 1.2 support
should be included or not by picking the one or the other inf file.

Switch x86 builds to Tcg12ConfigPei.inf, so they continue to
have TPM 1.2 support.

No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc                  |  2 +-
 .../{Tcg2ConfigPei.inf => Tcg12ConfigPei.inf}         | 11 ++---------
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf              | 11 +----------
 OvmfPkg/OvmfTpmPei.fdf.inc                            |  2 +-
 4 files changed, 5 insertions(+), 21 deletions(-)
 copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg12ConfigPei.inf} (82%)

diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
index 99fa7c13b3e7..87d491da5047 100644
--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
@@ -4,7 +4,7 @@
 
 !if $(TPM_ENABLE) == TRUE
   OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
   SecurityPkg/Tcg/TcgPei/TcgPei.inf
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
similarity index 82%
copy from OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
copy to OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
index 39d1deeed16b..e8e0b88e6058 100644
--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+++ b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
@@ -1,5 +1,5 @@
 ## @file
-# Set TPM device type
+# Set TPM device type - supports TPM 1.2 and 2.0
 #
 # In SecurityPkg, this module initializes the TPM device type based on a UEFI
 # variable and/or hardware detection. In OvmfPkg, the module only performs TPM
@@ -14,7 +14,7 @@
 [Defines]
   INF_VERSION                    = 0x00010005
   BASE_NAME                      = Tcg2ConfigPei
-  FILE_GUID                      = BF7F2B0C-9F2F-4889-AB5C-12460022BE87
+  FILE_GUID                      = 8AD3148F-945F-46B4-8ACD-71469EA73945
   MODULE_TYPE                    = PEIM
   VERSION_STRING                 = 1.0
   ENTRY_POINT                    = Tcg2ConfigPeimEntryPoint
@@ -22,13 +22,8 @@ [Defines]
 [Sources]
   Tcg2ConfigPeim.c
   Tpm12Support.h
-
-[Sources.IA32, Sources.X64]
   Tpm12Support.c
 
-[Sources.ARM, Sources.AARCH64]
-  Tpm12SupportNull.c
-
 [Packages]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
@@ -40,8 +35,6 @@ [LibraryClasses]
   DebugLib
   PeiServicesLib
   Tpm2DeviceLib
-
-[LibraryClasses.IA32, LibraryClasses.X64]
   BaseLib
   Tpm12DeviceLib
 
diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
index 39d1deeed16b..51078c981374 100644
--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
@@ -1,5 +1,5 @@
 ## @file
-# Set TPM device type
+# Set TPM device type - supports TPM 2.0 only
 #
 # In SecurityPkg, this module initializes the TPM device type based on a UEFI
 # variable and/or hardware detection. In OvmfPkg, the module only performs TPM
@@ -22,11 +22,6 @@ [Defines]
 [Sources]
   Tcg2ConfigPeim.c
   Tpm12Support.h
-
-[Sources.IA32, Sources.X64]
-  Tpm12Support.c
-
-[Sources.ARM, Sources.AARCH64]
   Tpm12SupportNull.c
 
 [Packages]
@@ -41,10 +36,6 @@ [LibraryClasses]
   PeiServicesLib
   Tpm2DeviceLib
 
-[LibraryClasses.IA32, LibraryClasses.X64]
-  BaseLib
-  Tpm12DeviceLib
-
 [Guids]
   gEfiTpmDeviceSelectedGuid           ## PRODUCES ## GUID # Used as a PPI GUID
   gEfiTpmDeviceInstanceTpm20DtpmGuid  ## SOMETIMES_CONSUMES
diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
index 9aefd73d219c..709a608cc3bd 100644
--- a/OvmfPkg/OvmfTpmPei.fdf.inc
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
@@ -4,7 +4,7 @@
 
 !if $(TPM_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
 INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
 INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-- 
2.31.1

Re: [PATCH v2 3/5] OvmfPkg: create Tcg12ConfigPei.inf

[Stefan Berger]

On 10/25/21 8:15 AM, Gerd Hoffmann wrote:
> Split Tcg2ConfigPei.inf into two variants: Tcg12ConfigPei.inf with TPM
> 1.2 backward compatibility included and Tcg2ConfigPei.inf supporting TPM

backward compatibility included -> support


> 2.0 only.  This allows x86 builds to choose whenever TPM 1.2 support
> should be included or not by picking the one or the other inf file.
>
> Switch x86 builds to Tcg12ConfigPei.inf, so they continue to
> have TPM 1.2 support.
>
> No functional change.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

Tested-by: Stefan Berger <stefanb@linux.ibm.com>



> ---
>   OvmfPkg/OvmfTpmComponentsPei.dsc.inc                  |  2 +-
>   .../{Tcg2ConfigPei.inf => Tcg12ConfigPei.inf}         | 11 ++---------
>   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf              | 11 +----------
>   OvmfPkg/OvmfTpmPei.fdf.inc                            |  2 +-
>   4 files changed, 5 insertions(+), 21 deletions(-)
>   copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg12ConfigPei.inf} (82%)
>
> diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> index 99fa7c13b3e7..87d491da5047 100644
> --- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> @@ -4,7 +4,7 @@
>   
>   !if $(TPM_ENABLE) == TRUE
>     OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
>     SecurityPkg/Tcg/TcgPei/TcgPei.inf
>     SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
>       <LibraryClasses>
> diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
> similarity index 82%
> copy from OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> copy to OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
> index 39d1deeed16b..e8e0b88e6058 100644
> --- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +++ b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
> @@ -1,5 +1,5 @@
>   ## @file
> -# Set TPM device type
> +# Set TPM device type - supports TPM 1.2 and 2.0
>   #
>   # In SecurityPkg, this module initializes the TPM device type based on a UEFI
>   # variable and/or hardware detection. In OvmfPkg, the module only performs TPM
> @@ -14,7 +14,7 @@
>   [Defines]
>     INF_VERSION                    = 0x00010005
>     BASE_NAME                      = Tcg2ConfigPei
> -  FILE_GUID                      = BF7F2B0C-9F2F-4889-AB5C-12460022BE87
> +  FILE_GUID                      = 8AD3148F-945F-46B4-8ACD-71469EA73945
>     MODULE_TYPE                    = PEIM
>     VERSION_STRING                 = 1.0
>     ENTRY_POINT                    = Tcg2ConfigPeimEntryPoint
> @@ -22,13 +22,8 @@ [Defines]
>   [Sources]
>     Tcg2ConfigPeim.c
>     Tpm12Support.h
> -
> -[Sources.IA32, Sources.X64]
>     Tpm12Support.c
>   
> -[Sources.ARM, Sources.AARCH64]
> -  Tpm12SupportNull.c
> -
>   [Packages]
>     MdePkg/MdePkg.dec
>     MdeModulePkg/MdeModulePkg.dec
> @@ -40,8 +35,6 @@ [LibraryClasses]
>     DebugLib
>     PeiServicesLib
>     Tpm2DeviceLib
> -
> -[LibraryClasses.IA32, LibraryClasses.X64]
>     BaseLib
>     Tpm12DeviceLib
>   
> diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> index 39d1deeed16b..51078c981374 100644
> --- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> @@ -1,5 +1,5 @@
>   ## @file
> -# Set TPM device type
> +# Set TPM device type - supports TPM 2.0 only
>   #
>   # In SecurityPkg, this module initializes the TPM device type based on a UEFI
>   # variable and/or hardware detection. In OvmfPkg, the module only performs TPM
> @@ -22,11 +22,6 @@ [Defines]
>   [Sources]
>     Tcg2ConfigPeim.c
>     Tpm12Support.h
> -
> -[Sources.IA32, Sources.X64]
> -  Tpm12Support.c
> -
> -[Sources.ARM, Sources.AARCH64]
>     Tpm12SupportNull.c
>   
>   [Packages]
> @@ -41,10 +36,6 @@ [LibraryClasses]
>     PeiServicesLib
>     Tpm2DeviceLib
>   
> -[LibraryClasses.IA32, LibraryClasses.X64]
> -  BaseLib
> -  Tpm12DeviceLib
> -
>   [Guids]
>     gEfiTpmDeviceSelectedGuid           ## PRODUCES ## GUID # Used as a PPI GUID
>     gEfiTpmDeviceInstanceTpm20DtpmGuid  ## SOMETIMES_CONSUMES
> diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
> index 9aefd73d219c..709a608cc3bd 100644
> --- a/OvmfPkg/OvmfTpmPei.fdf.inc
> +++ b/OvmfPkg/OvmfTpmPei.fdf.inc
> @@ -4,7 +4,7 @@
>   
>   !if $(TPM_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +INF  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
>   INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
>   INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf

[PATCH v2 4/5] OvmfPkg: rework TPM configuration

[Gerd Hoffmann]

Rename TPM_ENABLE to TPM2_ENABLE so naming is in line with the
ArmVirtPkg config option name.

Add separate TPM1_ENABLE option for TPM 1.2 support.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 4 +++-
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc                  | 6 +++++-
 OvmfPkg/OvmfTpmDefines.dsc.inc                        | 5 ++++-
 OvmfPkg/OvmfTpmLibs.dsc.inc                           | 4 +++-
 OvmfPkg/OvmfTpmLibsDxe.dsc.inc                        | 4 +++-
 OvmfPkg/OvmfTpmLibsPeim.dsc.inc                       | 4 +++-
 OvmfPkg/OvmfTpmPcds.dsc.inc                           | 2 +-
 OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
 OvmfPkg/OvmfTpmSecurityStub.dsc.inc                   | 4 +++-
 OvmfPkg/OvmfTpmDxe.fdf.inc                            | 4 +++-
 OvmfPkg/OvmfTpmPei.fdf.inc                            | 6 +++++-
 OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
 OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
 OvmfPkg/PlatformCI/ReadMe.md                          | 2 +-
 14 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
index e025d85a5878..75ae09571e8c 100644
--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -2,7 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
     <LibraryClasses>
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
@@ -15,10 +15,12 @@
       NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
   }
   SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(TPM1_ENABLE) == TRUE
   SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
     <LibraryClasses>
       Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
   }
+!endif
   SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
     <LibraryClasses>
       TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
index 87d491da5047..fa486eed82d2 100644
--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
@@ -2,10 +2,14 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
   OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
   SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
index 5df4a331fb99..a65564d8d9d2 100644
--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
@@ -2,4 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-  DEFINE TPM_ENABLE              = FALSE
+  DEFINE TPM2_ENABLE             = FALSE
+
+  # has no effect unless TPM2_ENABLE == TRUE
+  DEFINE TPM1_ENABLE             = TRUE
diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
index 50100f2c0371..418747b13487 100644
--- a/OvmfPkg/OvmfTpmLibs.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
   Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+!endif
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
index 67d5027abaea..1d66cdac778c 100644
--- a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
@@ -2,7 +2,9 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+!endif
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
 !endif
diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
index 4e84e3dcaaeb..03caccd7c688 100644
--- a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+!if $(TPM1_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+!endif
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
 !endif
diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
index 0e7f83c04bd7..0d55d6273702 100644
--- a/OvmfPkg/OvmfTpmPcds.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
@@ -2,6 +2,6 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
 !endif
diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
index 2e02a5b4cb90..e84225323519 100644
--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
@@ -2,7 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
 !endif
diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
index 4bd4066843ef..e9ab2fca7bc7 100644
--- a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
@@ -2,7 +2,9 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+!endif
       NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
 !endif
diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
index 32eef246387a..7fc2bf8590a4 100644
--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
 INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!endif
 INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
 INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
index 709a608cc3bd..9f8b9bdd5bed 100644
--- a/OvmfPkg/OvmfTpmPei.fdf.inc
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
@@ -2,10 +2,14 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
 INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
 INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
 !endif
diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
index 1774423580b9..8df31298f551 100644
--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
@@ -95,21 +95,21 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_NOOPT:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "NOOPT"
             Run.Flags: $(run_flags)
             Run: $(should_run)
diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
index 09f9851312a2..68b5d951e908 100644
--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
@@ -94,14 +94,14 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
@@ -112,7 +112,7 @@ jobs:
     #       OVMF_IA32X64_FULL_NOOPT:
     #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
     #         Build.Arch: "IA32,X64"
-    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1  BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
     #         Build.Target: "NOOPT"
     #         Run.Flags: $(run_flags)
     #         Run: $(should_run)
diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md
index 2ce9007dbeaa..4b3ebe022dad 100644
--- a/OvmfPkg/PlatformCI/ReadMe.md
+++ b/OvmfPkg/PlatformCI/ReadMe.md
@@ -14,7 +14,7 @@ supported and are described below.
 | IA32                    | IA32               | OvmfPkgIa32.dsc     | None            |
 | X64                     | X64                | OvmfPkgIa64.dsc     | None            |
 | IA32 X64                | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | None            |
-| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 TPM2_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
 
 ## EDK2 Developer environment
 
-- 
2.31.1

Re: [PATCH v2 4/5] OvmfPkg: rework TPM configuration

[Stefan Berger]

On 10/25/21 8:15 AM, Gerd Hoffmann wrote:
> Rename TPM_ENABLE to TPM2_ENABLE so naming is in line with the
> ArmVirtPkg config option name.
>
> Add separate TPM1_ENABLE option for TPM 1.2 support.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


You may have missed this one here:

  ./OvmfPkg/Microvm/MicrovmX64.dsc:  DEFINE TPM_ENABLE              = FALSE


Tested-by: Stefan Berger <stefanb@linux.ibm.com>




> ---
>   OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 4 +++-
>   OvmfPkg/OvmfTpmComponentsPei.dsc.inc                  | 6 +++++-
>   OvmfPkg/OvmfTpmDefines.dsc.inc                        | 5 ++++-
>   OvmfPkg/OvmfTpmLibs.dsc.inc                           | 4 +++-
>   OvmfPkg/OvmfTpmLibsDxe.dsc.inc                        | 4 +++-
>   OvmfPkg/OvmfTpmLibsPeim.dsc.inc                       | 4 +++-
>   OvmfPkg/OvmfTpmPcds.dsc.inc                           | 2 +-
>   OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
>   OvmfPkg/OvmfTpmSecurityStub.dsc.inc                   | 4 +++-
>   OvmfPkg/OvmfTpmDxe.fdf.inc                            | 4 +++-
>   OvmfPkg/OvmfTpmPei.fdf.inc                            | 6 +++++-
>   OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
>   OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
>   OvmfPkg/PlatformCI/ReadMe.md                          | 2 +-
>   14 files changed, 41 insertions(+), 18 deletions(-)
>
> diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> index e025d85a5878..75ae09571e8c 100644
> --- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> @@ -2,7 +2,7 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
>       <LibraryClasses>
>         Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> @@ -15,10 +15,12 @@
>         NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
>     }
>     SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> +!if $(TPM1_ENABLE) == TRUE
>     SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
>       <LibraryClasses>
>         Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
>     }
> +!endif
>     SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
>       <LibraryClasses>
>         TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> index 87d491da5047..fa486eed82d2 100644
> --- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> @@ -2,10 +2,14 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> +!if $(TPM1_ENABLE) == TRUE
>     OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
>     SecurityPkg/Tcg/TcgPei/TcgPei.inf
> +!else
> +  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +!endif
>     SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
>       <LibraryClasses>
>         HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
> index 5df4a331fb99..a65564d8d9d2 100644
> --- a/OvmfPkg/OvmfTpmDefines.dsc.inc
> +++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
> @@ -2,4 +2,7 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -  DEFINE TPM_ENABLE              = FALSE
> +  DEFINE TPM2_ENABLE             = FALSE
> +
> +  # has no effect unless TPM2_ENABLE == TRUE
> +  DEFINE TPM1_ENABLE             = TRUE
> diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
> index 50100f2c0371..418747b13487 100644
> --- a/OvmfPkg/OvmfTpmLibs.dsc.inc
> +++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
> @@ -2,8 +2,10 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>     Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> +!endif
>     Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
>     Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
>     Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> index 67d5027abaea..1d66cdac778c 100644
> --- a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> +++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> @@ -2,7 +2,9 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>     Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> +!endif
>     Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
>   !endif
> diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> index 4e84e3dcaaeb..03caccd7c688 100644
> --- a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> +++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> @@ -2,8 +2,10 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +!if $(TPM1_ENABLE) == TRUE
>     Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> +!endif
>     Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>   !endif
> diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
> index 0e7f83c04bd7..0d55d6273702 100644
> --- a/OvmfPkg/OvmfTpmPcds.dsc.inc
> +++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
> @@ -2,6 +2,6 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
>   !endif
> diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> index 2e02a5b4cb90..e84225323519 100644
> --- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> +++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> @@ -2,7 +2,7 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
>     gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
>   !endif
> diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> index 4bd4066843ef..e9ab2fca7bc7 100644
> --- a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> +++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> @@ -2,7 +2,9 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>         NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
> +!endif
>         NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
>   !endif
> diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
> index 32eef246387a..7fc2bf8590a4 100644
> --- a/OvmfPkg/OvmfTpmDxe.fdf.inc
> +++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
> @@ -2,8 +2,10 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>   INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> +!endif
>   INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
>   INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
> diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
> index 709a608cc3bd..9f8b9bdd5bed 100644
> --- a/OvmfPkg/OvmfTpmPei.fdf.inc
> +++ b/OvmfPkg/OvmfTpmPei.fdf.inc
> @@ -2,10 +2,14 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> +!if $(TPM1_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
>   INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> +!else
> +INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +!endif
>   INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
>   !endif
> diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> index 1774423580b9..8df31298f551 100644
> --- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> +++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> @@ -95,21 +95,21 @@ jobs:
>             OVMF_IA32X64_FULL_DEBUG:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "DEBUG"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_RELEASE:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "RELEASE"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_NOOPT:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "NOOPT"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
> diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> index 09f9851312a2..68b5d951e908 100644
> --- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> +++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> @@ -94,14 +94,14 @@ jobs:
>             OVMF_IA32X64_FULL_DEBUG:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "DEBUG"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_RELEASE:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "RELEASE"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
> @@ -112,7 +112,7 @@ jobs:
>       #       OVMF_IA32X64_FULL_NOOPT:
>       #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>       #         Build.Arch: "IA32,X64"
> -    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1  BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>       #         Build.Target: "NOOPT"
>       #         Run.Flags: $(run_flags)
>       #         Run: $(should_run)
> diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md
> index 2ce9007dbeaa..4b3ebe022dad 100644
> --- a/OvmfPkg/PlatformCI/ReadMe.md
> +++ b/OvmfPkg/PlatformCI/ReadMe.md
> @@ -14,7 +14,7 @@ supported and are described below.
>   | IA32                    | IA32               | OvmfPkgIa32.dsc     | None            |
>   | X64                     | X64                | OvmfPkgIa64.dsc     | None            |
>   | IA32 X64                | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | None            |
> -| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
> +| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 TPM2_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
>   
>   ## EDK2 Developer environment
>   

[PATCH v2 5/5] OvmfPkg: add TPM 1.2 config menu

[Gerd Hoffmann]

When building OVMF with TPM 1.2 support enabled
do also include the configuration menu.

Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 1 +
 OvmfPkg/OvmfTpmDxe.fdf.inc           | 1 +
 2 files changed, 2 insertions(+)

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
index 75ae09571e8c..cdcae42ad1dc 100644
--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -20,6 +20,7 @@
     <LibraryClasses>
       Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
   }
+  SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
 !endif
   SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
     <LibraryClasses>
diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
index 7fc2bf8590a4..5907d8a8f1f3 100644
--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
@@ -5,6 +5,7 @@
 !if $(TPM2_ENABLE) == TRUE
 !if $(TPM1_ENABLE) == TRUE
 INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+INF  SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
 !endif
 INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-- 
2.31.1

Re: [PATCH v2 5/5] OvmfPkg: add TPM 1.2 config menu

[Stefan Berger]

On 10/25/21 8:15 AM, Gerd Hoffmann wrote:
> When building OVMF with TPM 1.2 support enabled
> do also include the configuration menu.
>
> Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

The menu is there but it doesn't react to the selections, which I hadn't 
tested before. Maybe drop this patch in v3 and when I have time for 
looking into this I may post it again with fixes to actually make the 
menu items work.


     Stefan


> ---
>   OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 1 +
>   OvmfPkg/OvmfTpmDxe.fdf.inc           | 1 +
>   2 files changed, 2 insertions(+)
>
> diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> index 75ae09571e8c..cdcae42ad1dc 100644
> --- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> @@ -20,6 +20,7 @@
>       <LibraryClasses>
>         Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
>     }
> +  SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
>   !endif
>     SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
>       <LibraryClasses>
> diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
> index 7fc2bf8590a4..5907d8a8f1f3 100644
> --- a/OvmfPkg/OvmfTpmDxe.fdf.inc
> +++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
> @@ -5,6 +5,7 @@
>   !if $(TPM2_ENABLE) == TRUE
>   !if $(TPM1_ENABLE) == TRUE
>   INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> +INF  SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
>   !endif
>   INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf