From: "Stefan Berger" <stefanb@linux.ibm.com>
To: devel@edk2.groups.io, kraxel@redhat.com, marcandre.lureau@redhat.com
Cc: Stefan Berger <stefanb@linux.ibm.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jordan Justen <jordan.l.justen@intel.com>
Subject: [PATCH v3 6/8] OvmfPkg: Enable physical presence interface for TPM 1.2
Date: Wed, 1 Dec 2021 14:30:28 -0500 [thread overview]
Message-ID: <20211201193030.3932074-7-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20211201193030.3932074-1-stefanb@linux.ibm.com>
Enable the physical presence interface for TPM 1.2. It is required for the
TPM 1.2 menu to work.
The changes to DxeTcgPhysicalPresenceLib.c are due to the device we are
using in QEMU for presenting the supported PPI commands and results to the
OS via ACPI as well as to store the PPI opcode to execute.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
.../PlatformBootManagerLib/BdsPlatform.c | 1 +
.../PlatformBootManagerLib.inf | 1 +
.../DxeTcgPhysicalPresenceLib.c | 22 +
.../DxeTcgPhysicalPresenceLib.inf | 27 +
.../DxeTcgPhysicalPresenceLib.c | 481 +++++++++---------
.../DxeTcgPhysicalPresenceLib.inf | 14 +-
OvmfPkg/Microvm/MicrovmX64.dsc | 1 +
OvmfPkg/OvmfTpmLibs.dsc.inc | 4 +
OvmfPkg/OvmfXen.dsc | 1 +
.../Include/Library/TcgPhysicalPresenceLib.h | 39 ++
SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf | 1 +
12 files changed, 342 insertions(+), 251 deletions(-)
create mode 100644 OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.c
create mode 100644 OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index d8fe607d1c..c848451a2b 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -223,6 +223,7 @@
XenPlatformLib|OvmfPkg/Library/XenPlatformLib/XenPlatformLib.inf
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+ TcgPhysicalPresenceLib|OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
[LibraryClasses.common]
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 2905356fc4..1765026de2 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -12,6 +12,7 @@
#include <Protocol/FirmwareVolume2.h>
#include <Library/PlatformBmPrintScLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TcgPhysicalPresenceLib.h>
#include <Library/XenPlatformLib.h>
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index c249a3cf1e..f12975d065 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -54,6 +54,7 @@
ReportStatusCodeLib
UefiLib
PlatformBmPrintScLib
+ TcgPhysicalPresenceLib
Tcg2PhysicalPresenceLib
XenPlatformLib
diff --git a/OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.c b/OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.c
new file mode 100644
index 0000000000..d434175717
--- /dev/null
+++ b/OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.c
@@ -0,0 +1,22 @@
+/** @file
+ NULL TcgPhysicalPresenceLib library instance
+
+ Copyright (C) 2021, IBM Corporation
+ Copyright (c) 2018, Red Hat, Inc.
+ Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/TcgPhysicalPresenceLib.h>
+
+VOID
+EFIAPI
+TcgPhysicalPresenceLibProcessRequest (
+ VOID
+ )
+{
+ //
+ // do nothing
+ //
+}
diff --git a/OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf b/OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
new file mode 100644
index 0000000000..4421c6c5b0
--- /dev/null
+++ b/OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
@@ -0,0 +1,27 @@
+# NULL TcgPhysicalPresenceLib library instance
+#
+# Under SecurityPkg, the corresponding library instance will check and
+# execute TPM 1.2 request from OS or BIOS; the request may ask for user
+# confirmation before execution. This Null instance implements a no-op
+# Tcg2PhysicalPresenceLibProcessRequest(), without user interaction.
+#
+# Copyright (C) 2018, Red Hat, Inc.
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = DxeTcgPhysicalPresenceLibNull
+ FILE_GUID = B648575C-ED00-4C0D-BD7F-B705B9B0CC93
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TcgPhysicalPresenceLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION UEFI_DRIVER
+
+[Sources]
+ DxeTcgPhysicalPresenceLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
diff --git a/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.c b/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.c
index 8a3ae95012..df0d7b5c1a 100644
--- a/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.c
+++ b/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.c
@@ -15,18 +15,23 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <PiDxe.h>
+#include <IndustryStandard/QemuTpm.h>
+#include <IndustryStandard/TcgPhysicalPresence.h>
+
#include <Protocol/TcgService.h>
-#include <Protocol/VariableLock.h>
+#include <Library/HobLib.h>
#include <Library/DebugLib.h>
#include <Library/BaseMemoryLib.h>
+#include <Library/DxeServicesTableLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiBootManagerLib.h>
#include <Library/UefiLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PrintLib.h>
+#include <Library/QemuFwCfgLib.h>
#include <Library/HiiLib.h>
-#include <Guid/EventGroup.h>
#include <Guid/PhysicalPresenceData.h>
#include <Library/TcgPpVendorLib.h>
@@ -34,6 +39,168 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
EFI_HII_HANDLE mPpStringPackHandle;
+STATIC volatile QEMU_TPM_PPI *mPpi;
+
+#define TPM_PPI_PROVISION_FLAGS(PpiFlags) \
+ ((PpiFlags.PPFlags & TCG_BIOS_TPM_MANAGEMENT_FLAG_NO_PPI_PROVISION) != 0) \
+ ? QEMU_TPM_PPI_FUNC_ALLOWED_USR_NOT_REQ \
+ : QEMU_TPM_PPI_FUNC_ALLOWED_USR_REQ
+
+#define TPM_PPI_CLEAR_FLAGS(PpiFlags) \
+ ((PpiFlags.PPFlags & TCG_BIOS_TPM_MANAGEMENT_FLAG_NO_PPI_CLEAR) != 0) \
+ ? QEMU_TPM_PPI_FUNC_ALLOWED_USR_NOT_REQ \
+ : QEMU_TPM_PPI_FUNC_ALLOWED_USR_REQ
+
+#define TPM_PPI_CLEAR_MAINT_FLAGS(PpiFlags) \
+ ((PpiFlags.PPFlags & TCG_BIOS_TPM_MANAGEMENT_FLAG_NO_PPI_CLEAR) != 0 && \
+ (PpiFlags.PPFlags & TCG_BIOS_TPM_MANAGEMENT_FLAG_NO_PPI_MAINTENANCE) != 0) \
+ ? QEMU_TPM_PPI_FUNC_ALLOWED_USR_NOT_REQ \
+ : QEMU_TPM_PPI_FUNC_ALLOWED_USR_REQ
+
+/**
+ Reads QEMU PPI config from fw_cfg.
+
+ @param[out] The Config structure to read to.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_PROTOCOL_ERROR Invalid fw_cfg entry size.
+**/
+STATIC
+EFI_STATUS
+QemuTpmReadConfig (
+ OUT QEMU_FWCFG_TPM_CONFIG *Config
+ )
+{
+ EFI_STATUS Status;
+ FIRMWARE_CONFIG_ITEM FwCfgItem;
+ UINTN FwCfgSize;
+
+ Status = QemuFwCfgFindFile ("etc/tpm/config", &FwCfgItem, &FwCfgSize);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ if (FwCfgSize != sizeof (*Config)) {
+ return EFI_PROTOCOL_ERROR;
+ }
+
+ QemuFwCfgSelectItem (FwCfgItem);
+ QemuFwCfgReadBytes (sizeof (*Config), Config);
+ return EFI_SUCCESS;
+}
+
+
+/**
+ Initilalize the QEMU PPI memory region's function array
+**/
+STATIC
+VOID
+QemuTpmInitPPIFunc(
+ EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags
+ )
+{
+ ZeroMem ((void *)mPpi->Func, sizeof(mPpi->Func));
+
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_ENABLE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_DISABLE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_ACTIVATE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_DEACTIVATE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_CLEAR] = TPM_PPI_CLEAR_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_ENABLE_ACTIVATE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_DEACTIVATE_DISABLE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_OWNER_INSTALL_FALSE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_ENABLE_ACTIVATE_OWNER_TRUE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_DEACTIVATE_DISABLE_OWNER_FALSE] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_OPERATOR_AUTH] = TPM_PPI_PROVISION_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE] = TPM_PPI_CLEAR_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_FALSE] = QEMU_TPM_PPI_FUNC_ALLOWED_USR_NOT_REQ;
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_TRUE] = QEMU_TPM_PPI_FUNC_ALLOWED_USR_REQ;
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE] = QEMU_TPM_PPI_FUNC_ALLOWED_USR_NOT_REQ;
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE] = QEMU_TPM_PPI_FUNC_ALLOWED_USR_REQ;
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_FALSE] = QEMU_TPM_PPI_FUNC_ALLOWED_USR_NOT_REQ;
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_TRUE] = QEMU_TPM_PPI_FUNC_ALLOWED_USR_REQ;
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR] = TPM_PPI_CLEAR_MAINT_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE] = TPM_PPI_CLEAR_MAINT_FLAGS(PpiFlags);
+ mPpi->Func[TCG_PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR] = TPM_PPI_CLEAR_MAINT_FLAGS(PpiFlags);
+}
+
+
+/**
+ Initializes QEMU PPI memory region.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_PROTOCOL_ERROR PPI address is invalid.
+**/
+STATIC
+EFI_STATUS
+QemuTpmInitPPI (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ QEMU_FWCFG_TPM_CONFIG Config;
+ EFI_PHYSICAL_ADDRESS PpiAddress64;
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR Descriptor;
+ EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags;
+
+ if (mPpi != NULL) {
+ return EFI_SUCCESS;
+ }
+
+ Status = QemuTpmReadConfig (&Config);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ if (Config.TpmVersion != QEMU_TPM_VERSION_1_2) {
+ DEBUG ((DEBUG_ERROR, "[TPM] Not setting up PPI. This is not a TPM 1.2.\n"));
+ return EFI_PROTOCOL_ERROR;
+ }
+
+ mPpi = (QEMU_TPM_PPI *)(UINTN)Config.PpiAddress;
+ if (mPpi == NULL) {
+ return EFI_PROTOCOL_ERROR;
+ }
+
+ DEBUG ((DEBUG_INFO, "[TPM] mPpi=%p version=%d\n", mPpi, Config.TpmVersion));
+
+ PpiAddress64 = (UINTN)mPpi;
+ if ((PpiAddress64 & ~(UINT64)EFI_PAGE_MASK) !=
+ ((PpiAddress64 + sizeof *mPpi - 1) & ~(UINT64)EFI_PAGE_MASK)) {
+ DEBUG ((DEBUG_ERROR, "[TPM] mPpi crosses a page boundary\n"));
+ goto InvalidPpiAddress;
+ }
+
+ Status = gDS->GetMemorySpaceDescriptor (PpiAddress64, &Descriptor);
+ if (EFI_ERROR (Status) && Status != EFI_NOT_FOUND) {
+ ASSERT_EFI_ERROR (Status);
+ goto InvalidPpiAddress;
+ }
+ if (!EFI_ERROR (Status) &&
+ (Descriptor.GcdMemoryType != EfiGcdMemoryTypeMemoryMappedIo &&
+ Descriptor.GcdMemoryType != EfiGcdMemoryTypeNonExistent)) {
+ DEBUG ((DEBUG_ERROR, "[TPM] mPpi has an invalid memory type\n"));
+ goto InvalidPpiAddress;
+ }
+
+ PpiFlags.PPFlags = 0;
+ QemuTpmInitPPIFunc(PpiFlags);
+
+ if (mPpi->In == 0) {
+ mPpi->In = 1;
+ mPpi->Request = PHYSICAL_PRESENCE_NO_ACTION;
+ mPpi->LastRequest = PHYSICAL_PRESENCE_NO_ACTION;
+ mPpi->NextStep = PHYSICAL_PRESENCE_NO_ACTION;
+ }
+
+ return EFI_SUCCESS;
+
+InvalidPpiAddress:
+ mPpi = NULL;
+ return EFI_PROTOCOL_ERROR;
+}
+
/**
Get string by string id from HII Interface.
@@ -506,7 +673,7 @@ TcgPhysicalPresenceLibConstructor (
IN EFI_SYSTEM_TABLE *SystemTable
)
{
- mPpStringPackHandle = HiiAddPackages (&gEfiPhysicalPresenceGuid, ImageHandle, DxeTcgPhysicalPresenceLibStrings, NULL);
+ mPpStringPackHandle = HiiAddPackages (&gEfiPhysicalPresenceGuid, ImageHandle, TcgPhysicalPresenceLibQemuStrings, NULL);
ASSERT (mPpStringPackHandle != NULL);
return EFI_SUCCESS;
@@ -875,6 +1042,10 @@ UserConfirm (
return FALSE;
}
+ // Console for user interaction
+ // We need to connect all trusted consoles for TCG PP. Here we treat all consoles in OVMF to be trusted consoles.
+ EfiBootManagerConnectAllDefaultConsoles ();
+
TmpStr1 = PhysicalPresenceGetStringById (STRING_TOKEN (TPM_REJECT_KEY));
BufSize -= StrSize (ConfirmText);
UnicodeSPrint (ConfirmText + StrLen (ConfirmText), BufSize, TmpStr1, TmpStr2);
@@ -975,7 +1146,7 @@ HaveValidTpmRequest (
default:
if (TcgPpData->PPRequest >= TCG_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
- IsRequestValid = TcgPpVendorLibHasValidRequest (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed);
+ IsRequestValid = FALSE; // vendor-specifc commands are not supported
if (!IsRequestValid) {
return FALSE;
} else {
@@ -1015,60 +1186,47 @@ HaveValidTpmRequest (
@param[in] Flags The physical presence interface flags.
**/
+STATIC
VOID
ExecutePendingTpmRequest (
IN EFI_TCG_PROTOCOL *TcgProtocol,
- IN EFI_PHYSICAL_PRESENCE *TcgPpData,
IN EFI_PHYSICAL_PRESENCE_FLAGS Flags
)
{
EFI_STATUS Status;
- UINTN DataSize;
BOOLEAN RequestConfirmed;
+ EFI_PHYSICAL_PRESENCE TcgPpData;
EFI_PHYSICAL_PRESENCE_FLAGS NewFlags;
- BOOLEAN ResetRequired;
- UINT32 NewPPFlags;
- if (!HaveValidTpmRequest(TcgPpData, Flags, &RequestConfirmed)) {
+ DEBUG ((DEBUG_INFO, "[TPM] Flags=%x, PPRequest=%x\n", Flags.PPFlags, mPpi->Request));
+
+ TcgPpData.PPRequest = (UINT8)mPpi->Request;
+
+ if (!HaveValidTpmRequest(&TcgPpData, Flags, &RequestConfirmed)) {
//
// Invalid operation request.
//
- TcgPpData->PPResponse = TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
- TcgPpData->LastPPRequest = TcgPpData->PPRequest;
- TcgPpData->PPRequest = PHYSICAL_PRESENCE_NO_ACTION;
- DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
- Status = gRT->SetVariable (
- PHYSICAL_PRESENCE_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- DataSize,
- TcgPpData
- );
+ mPpi->Response = TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+ mPpi->LastRequest = mPpi->Request;
+ mPpi->Request = TCG_PHYSICAL_PRESENCE_NO_ACTION;
+ mPpi->RequestParameter = 0;
return;
}
- ResetRequired = FALSE;
- if (TcgPpData->PPRequest >= TCG_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
- NewFlags = Flags;
- NewPPFlags = NewFlags.PPFlags;
- TcgPpData->PPResponse = TcgPpVendorLibExecutePendingRequest (TcgPpData->PPRequest, &NewPPFlags, &ResetRequired);
- NewFlags.PPFlags = (UINT8)NewPPFlags;
- } else {
- if (!RequestConfirmed) {
- //
- // Print confirm text and wait for approval.
- //
- RequestConfirmed = UserConfirm (TcgPpData->PPRequest);
- }
-
+ if (!RequestConfirmed) {
//
- // Execute requested physical presence command
+ // Print confirm text and wait for approval.
//
- TcgPpData->PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT;
- NewFlags = Flags;
- if (RequestConfirmed) {
- TcgPpData->PPResponse = ExecutePhysicalPresence (TcgProtocol, TcgPpData->PPRequest, &NewFlags);
- }
+ RequestConfirmed = UserConfirm (mPpi->Request);
+ }
+
+ //
+ // Execute requested physical presence command
+ //
+ mPpi->Response = TCG_PP_OPERATION_RESPONSE_USER_ABORT;
+ NewFlags = Flags;
+ if (RequestConfirmed) {
+ mPpi->Response = ExecutePhysicalPresence (TcgProtocol, mPpi->Request, &NewFlags);
}
//
@@ -1085,39 +1243,32 @@ ExecutePendingTpmRequest (
if (EFI_ERROR (Status)) {
return;
}
+
+ //
+ // Update the flags for the commands following PPFlags changes
+ //
+ QemuTpmInitPPIFunc(NewFlags);
+
+ DEBUG ((DEBUG_INFO, "[TPM] New PPFlags = %x\n", NewFlags.PPFlags));
}
//
// Clear request
//
if ((NewFlags.PPFlags & TCG_VENDOR_LIB_FLAG_RESET_TRACK) == 0) {
- TcgPpData->LastPPRequest = TcgPpData->PPRequest;
- TcgPpData->PPRequest = PHYSICAL_PRESENCE_NO_ACTION;
+ mPpi->LastRequest = mPpi->Request;
+ mPpi->Request = PHYSICAL_PRESENCE_NO_ACTION;
+ mPpi->RequestParameter = 0;
}
- //
- // Save changes
- //
- DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
- Status = gRT->SetVariable (
- PHYSICAL_PRESENCE_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- DataSize,
- TcgPpData
- );
- if (EFI_ERROR (Status)) {
- return;
- }
-
- if (TcgPpData->PPResponse == TCG_PP_OPERATION_RESPONSE_USER_ABORT) {
+ if (mPpi->Response == TCG_PP_OPERATION_RESPONSE_USER_ABORT) {
return;
}
//
// Reset system to make new TPM settings in effect
//
- switch (TcgPpData->LastPPRequest) {
+ switch (mPpi->LastRequest) {
case PHYSICAL_PRESENCE_ACTIVATE:
case PHYSICAL_PRESENCE_DEACTIVATE:
case PHYSICAL_PRESENCE_CLEAR:
@@ -1131,17 +1282,10 @@ ExecutePendingTpmRequest (
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE:
break;
default:
- if (TcgPpData->LastPPRequest >= TCG_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
- if (ResetRequired) {
- break;
- } else {
- return ;
- }
- }
- if (TcgPpData->PPRequest != PHYSICAL_PRESENCE_NO_ACTION) {
- break;
- }
- return;
+ if (mPpi->Request != TCG_PHYSICAL_PRESENCE_NO_ACTION) {
+ break;
+ }
+ return;
}
Print (L"Rebooting system to make TPM settings in effect\n");
@@ -1172,11 +1316,24 @@ TcgPhysicalPresenceLibProcessRequest (
BOOLEAN LifetimeLock;
BOOLEAN CmdEnable;
UINTN DataSize;
- EFI_PHYSICAL_PRESENCE TcgPpData;
EFI_TCG_PROTOCOL *TcgProtocol;
- EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol;
EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags;
+ Status = QemuTpmInitPPI ();
+ if (EFI_ERROR (Status)) {
+ return ;
+ }
+
+ DEBUG ((DEBUG_INFO, "[TPM] Detected a TPM 1.2\n"));
+
+ //
+ // Check S4 resume
+ //
+ if (GetBootModeHob () == BOOT_ON_S4_RESUME) {
+ DEBUG ((DEBUG_INFO, "S4 Resume, Skip TPM PP process!\n"));
+ return ;
+ }
+
Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol);
if (EFI_ERROR (Status)) {
return ;
@@ -1209,53 +1366,11 @@ TcgPhysicalPresenceLibProcessRequest (
}
DEBUG ((DEBUG_INFO, "[TPM] PpiFlags = %x\n", PpiFlags.PPFlags));
- //
- // This flags variable controls whether physical presence is required for TPM command.
- // It should be protected from malicious software. We set it as read-only variable here.
- //
- Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
- if (!EFI_ERROR (Status)) {
- Status = VariableLockProtocol->RequestToLock (
- VariableLockProtocol,
- PHYSICAL_PRESENCE_FLAGS_VARIABLE,
- &gEfiPhysicalPresenceGuid
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "[TPM] Error when lock variable %s, Status = %r\n", PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));
- ASSERT_EFI_ERROR (Status);
- }
- }
-
- //
- // Initialize physical presence variable.
- //
- DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
- Status = gRT->GetVariable (
- PHYSICAL_PRESENCE_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- NULL,
- &DataSize,
- &TcgPpData
- );
- if (EFI_ERROR (Status)) {
- ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData));
- DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
- Status = gRT->SetVariable (
- PHYSICAL_PRESENCE_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- DataSize,
- &TcgPpData
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "[TPM] Set physical presence variable failed, Status = %r\n", Status));
- return;
- }
- }
+ QemuTpmInitPPIFunc(PpiFlags);
- DEBUG ((DEBUG_INFO, "[TPM] Flags=%x, PPRequest=%x\n", PpiFlags.PPFlags, TcgPpData.PPRequest));
+ DEBUG ((DEBUG_INFO, "[TPM] Flags=%x, PPRequest=%x\n", PpiFlags.PPFlags, mPpi->Request));
- if (TcgPpData.PPRequest == PHYSICAL_PRESENCE_NO_ACTION) {
+ if (mPpi->Request == PHYSICAL_PRESENCE_NO_ACTION) {
//
// No operation request
//
@@ -1291,8 +1406,8 @@ TcgPhysicalPresenceLibProcessRequest (
//
// Execute pending TPM request.
//
- ExecutePendingTpmRequest (TcgProtocol, &TcgPpData, PpiFlags);
- DEBUG ((DEBUG_INFO, "[TPM] PPResponse = %x\n", TcgPpData.PPResponse));
+ ExecutePendingTpmRequest (TcgProtocol, PpiFlags);
+ DEBUG ((DEBUG_INFO, "[TPM] PPResponse = %x\n", mPpi->Response));
//
// Lock physical presence.
@@ -1300,104 +1415,6 @@ TcgPhysicalPresenceLibProcessRequest (
TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_NOTPRESENT | TPM_PHYSICAL_PRESENCE_LOCK);
}
-/**
- Check if the pending TPM request needs user input to confirm.
-
- The TPM request may come from OS. This API will check if TPM request exists and need user
- input to confirmation.
-
- @retval TRUE TPM needs input to confirm user physical presence.
- @retval FALSE TPM doesn't need input to confirm user physical presence.
-
-**/
-BOOLEAN
-EFIAPI
-TcgPhysicalPresenceLibNeedUserConfirm(
- VOID
- )
-{
- EFI_STATUS Status;
- EFI_PHYSICAL_PRESENCE TcgPpData;
- UINTN DataSize;
- BOOLEAN RequestConfirmed;
- BOOLEAN LifetimeLock;
- BOOLEAN CmdEnable;
- EFI_TCG_PROTOCOL *TcgProtocol;
- EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags;
-
- Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol);
- if (EFI_ERROR (Status)) {
- return FALSE;
- }
-
- //
- // Check Tpm requests
- //
- DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
- Status = gRT->GetVariable (
- PHYSICAL_PRESENCE_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- NULL,
- &DataSize,
- &TcgPpData
- );
- if (EFI_ERROR (Status)) {
- return FALSE;
- }
-
- DataSize = sizeof (EFI_PHYSICAL_PRESENCE_FLAGS);
- Status = gRT->GetVariable (
- PHYSICAL_PRESENCE_FLAGS_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- NULL,
- &DataSize,
- &PpiFlags
- );
- if (EFI_ERROR (Status)) {
- return FALSE;
- }
-
- if (TcgPpData.PPRequest == PHYSICAL_PRESENCE_NO_ACTION) {
- //
- // No operation request
- //
- return FALSE;
- }
-
- if (!HaveValidTpmRequest(&TcgPpData, PpiFlags, &RequestConfirmed)) {
- //
- // Invalid operation request.
- //
- return FALSE;
- }
-
- //
- // Check Tpm Capability
- //
- Status = GetTpmCapability (TcgProtocol, &LifetimeLock, &CmdEnable);
- if (EFI_ERROR (Status)) {
- return FALSE;
- }
-
- if (!CmdEnable) {
- if (LifetimeLock) {
- //
- // physicalPresenceCMDEnable is locked, can't execute physical presence command.
- //
- return FALSE;
- }
- }
-
- if (!RequestConfirmed) {
- //
- // Need UI to confirm
- //
- return TRUE;
- }
-
- return FALSE;
-}
-
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
@@ -1416,40 +1433,16 @@ TcgPhysicalPresenceLibSubmitRequestToPreOSFunction (
IN UINT32 OperationRequest
)
{
- EFI_STATUS Status;
- UINTN DataSize;
- EFI_PHYSICAL_PRESENCE PpData;
+ EFI_STATUS Status;
DEBUG ((DEBUG_INFO, "[TPM] SubmitRequestToPreOSFunction, Request = %x\n", OperationRequest));
- //
- // Get the Physical Presence variable
- //
- DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
- Status = gRT->GetVariable (
- PHYSICAL_PRESENCE_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- NULL,
- &DataSize,
- &PpData
- );
+ Status = QemuTpmInitPPI ();
if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "[TPM] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
}
- PpData.PPRequest = (UINT8)OperationRequest;
- Status = gRT->SetVariable (
- PHYSICAL_PRESENCE_VARIABLE,
- &gEfiPhysicalPresenceGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
- DataSize,
- &PpData
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "[TPM] Set PP variable failure! Status = %r\n", Status));
- return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
- }
+ mPpi->Request = OperationRequest;
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;
}
diff --git a/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.inf b/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.inf
index cfe14f20ca..a7f76d5918 100644
--- a/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.inf
+++ b/OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.inf
@@ -16,9 +16,8 @@
[Defines]
INF_VERSION = 0x00010005
- BASE_NAME = DxeTcgPhysicalPresenceLib
- MODULE_UNI_FILE = DxeTcgPhysicalPresenceLib.uni
- FILE_GUID = EBC43A46-34AC-4F07-A7F5-A5394619361C
+ BASE_NAME = TcgPhysicalPresenceLibQemu
+ FILE_GUID = DA5A2055-ACD6-49A1-8277-857f3A47BB0C
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = TcgPhysicalPresenceLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION UEFI_DRIVER
@@ -37,19 +36,22 @@
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ OvmfPkg/OvmfPkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
MemoryAllocationLib
+ DxeServicesTableLib
+ HobLib
+ QemuFwCfgLib
+ UefiBootManagerLib
UefiLib
UefiBootServicesTableLib
- UefiDriverEntryPoint
UefiRuntimeServicesTableLib
BaseMemoryLib
DebugLib
PrintLib
HiiLib
- TcgPpVendorLib
[Protocols]
gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES
@@ -57,8 +59,6 @@
[Guids]
## SOMETIMES_CONSUMES ## HII
- ## SOMETIMES_PRODUCES ## Variable:L"PhysicalPresence"
- ## SOMETIMES_CONSUMES ## Variable:L"PhysicalPresence"
## SOMETIMES_PRODUCES ## Variable:L"PhysicalPresenceFlags"
## SOMETIMES_CONSUMES ## Variable:L"PhysicalPresenceFlags"
gEfiPhysicalPresenceGuid
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index 617f925395..5561b17587 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -225,6 +225,7 @@
OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+ TcgPhysicalPresenceLib|OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
[LibraryClasses.common]
diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
index 418747b134..24b54861ed 100644
--- a/OvmfPkg/OvmfTpmLibs.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
@@ -5,6 +5,9 @@
!if $(TPM2_ENABLE) == TRUE
!if $(TPM1_ENABLE) == TRUE
Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+ TcgPhysicalPresenceLib|OvmfPkg/Library/TcgPhysicalPresenceLibQemu/DxeTcgPhysicalPresenceLib.inf
+!else
+ TcgPhysicalPresenceLib|OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
!endif
Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
@@ -13,4 +16,5 @@
!else
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ TcgPhysicalPresenceLib|OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
!endif
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index a31519e356..82bc3ea4aa 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -215,6 +215,7 @@
XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+ TcgPhysicalPresenceLib|OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
RealTimeClockLib|OvmfPkg/Library/XenRealTimeClockLib/XenRealTimeClockLib.inf
TimeBaseLib|EmbeddedPkg/Library/TimeBaseLib/TimeBaseLib.inf
diff --git a/SecurityPkg/Include/Library/TcgPhysicalPresenceLib.h b/SecurityPkg/Include/Library/TcgPhysicalPresenceLib.h
index 9826a79742..6877c08e74 100644
--- a/SecurityPkg/Include/Library/TcgPhysicalPresenceLib.h
+++ b/SecurityPkg/Include/Library/TcgPhysicalPresenceLib.h
@@ -45,4 +45,43 @@ TcgPhysicalPresenceLibNeedUserConfirm(
VOID
);
+/**
+ The handler for TPM physical presence function:
+ Return TPM Operation Response to OS Environment.
+
+ This API should be invoked in OS runtime phase to interface with ACPI method.
+
+ @param[out] MostRecentRequest Most recent operation request.
+ @param[out] Response Response to the most recent operation request.
+
+ @return Return Code for Return TPM Operation Response to OS Environment.
+**/
+UINT32
+EFIAPI
+Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
+ OUT UINT32 *MostRecentRequest,
+ OUT UINT32 *Response
+ );
+
+/**
+ The handler for TPM physical presence function:
+ Submit TPM Operation Request to Pre-OS Environment and
+ Submit TPM Operation Request to Pre-OS Environment 2.
+
+ This API should be invoked in OS runtime phase to interface with ACPI method.
+
+ Caution: This function may receive untrusted input.
+
+ @param[in] OperationRequest TPM physical presence operation request.
+ @param[in] RequestParameter TPM physical presence operation request parameter.
+
+ @return Return Code for Submit TPM Operation Request to Pre-OS Environment and
+ Submit TPM Operation Request to Pre-OS Environment 2.
+**/
+UINT32
+EFIAPI
+TcgPhysicalPresenceLibSubmitRequestToPreOSFunction (
+ IN UINT32 OperationRequest
+ );
+
#endif
diff --git a/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf b/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
index 24428e050c..b2f36fdbb2 100644
--- a/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
+++ b/SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf
@@ -47,6 +47,7 @@
HiiLib
PcdLib
PrintLib
+ TcgPhysicalPresenceLib
Tpm12DeviceLib
[Guids]
--
2.31.1
next prev parent reply other threads:[~2021-12-01 19:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-01 19:30 [PATCH v3 0/8] Add support for TPM 1.2 Physical Presence Interface and Menu Stefan Berger
2021-12-01 19:30 ` [PATCH v3 1/8] OvmfPkg: Move processing of physical presence opcode before End-of-Dxe Stefan Berger
2021-12-01 19:30 ` [PATCH v3 2/8] OvmfPkg: Check for TPM 2 early to leave function early Stefan Berger
2021-12-01 19:30 ` [PATCH v3 3/8] SecurityPkg: Store physical presence code by submitting to PreOS func Stefan Berger
2021-12-01 19:30 ` [PATCH v3 4/8] SecurityPkg: Declare PhysicalPresenceFlags variable and its properties Stefan Berger
2021-12-01 19:30 ` [PATCH v3 5/8] OvmfPkg: Copy TPM 1.2 DxeTcgPhysicalPresenceLib.c from SecurityPkg Stefan Berger
2021-12-01 19:30 ` Stefan Berger [this message]
2021-12-01 19:30 ` [PATCH v3 7/8] OvmfPkg: Enable TPM 1.2 Physical Presence Opcode processing Stefan Berger
2021-12-01 19:30 ` [PATCH v3 8/8] OvmfPkg: add TPM 1.2 config menu Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211201193030.3932074-7-stefanb@linux.ibm.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox