From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web09.35900.1628857949227633413 for ; Fri, 13 Aug 2021 05:32:29 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@ibm.com header.s=pp1 header.b=DLByc558; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17DC2g7d174778; Fri, 13 Aug 2021 08:32:28 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : in-reply-to : content-type : content-transfer-encoding : mime-version; s=pp1; bh=FkjeKq4zgNrwCJClK+TcbO15eNge444jLg1Rmlm3niM=; b=DLByc558JiRdKKqM7q/0JyOUoMHRFuxhbgj7y2Dv2B3ZqK1dmvNbQSGIsAx/S3frWXKe d7nNI0d3SSBmqC4LfVtIAiWpknrZMfYkurIi/zOnEqNj64udBmpnUAKB1Zg851WQptmc vXgh4mejrS0Aelo2NXT2tGyZYfvN664ynxC31nY8mYhivrpKc3zmTjoe3oRKoEbIRZ5A rPULsjmFxHu+gDysw8CtQ2CHxn1RxNZKfVWnCVO5NGVe4YXs1SLrcsNdh9/o4Rl2CoFx Vjfp7IKV3G7ZeJWAa8/enMMHu0d1kuegampBkSuifb43gzQaFzx8Cumv21sP7wMqjod9 fQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ad0qyyx9y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 13 Aug 2021 08:32:28 -0400 Received: from m0098409.ppops.net (m0098409.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 17DC2hXB174948; Fri, 13 Aug 2021 08:32:27 -0400 Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 3ad0qyyx96-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 13 Aug 2021 08:32:27 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 17DCHaCq024608; Fri, 13 Aug 2021 12:32:26 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma02wdc.us.ibm.com with ESMTP id 3aapjdp7gc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 13 Aug 2021 12:32:26 +0000 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 17DCWPMp22872408 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 13 Aug 2021 12:32:25 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9C65911206D; Fri, 13 Aug 2021 12:32:25 +0000 (GMT) Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8BB40112065; Fri, 13 Aug 2021 12:32:25 +0000 (GMT) Received: from [9.47.158.152] (unknown [9.47.158.152]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP; Fri, 13 Aug 2021 12:32:25 +0000 (GMT) Subject: Re: [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy To: Stefan Berger , devel@edk2.groups.io, jiewen.yao@intel.com Cc: marcandre.lureau@redhat.com, lersek@redhat.com, dick_wilkins@phoenix.com, James.Bottomley@HansenPartnership.com References: <20210812165931.3071083-1-stefanb@linux.vnet.ibm.com> From: "Stefan Berger" Message-ID: <3563118d-b43e-6773-9163-5f2efd2f0d15@linux.ibm.com> Date: Fri, 13 Aug 2021 08:32:25 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 In-Reply-To: <20210812165931.3071083-1-stefanb@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: XIljn9yUv1KxmsG2DPQtJmnedEH8ujZw X-Proofpoint-ORIG-GUID: nIXtN3SW8To3UMcqEWAUPtixGcF-NmPK X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-08-13_04:2021-08-12,2021-08-13 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 spamscore=0 mlxlogscore=999 lowpriorityscore=0 suspectscore=0 clxscore=1015 phishscore=0 impostorscore=0 mlxscore=0 bulkscore=0 adultscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108130073 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-001b2d01.pphosted.com id 17DC2g7d174778 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable Yao, =C2=A0 do you have any comments on this series? Would SecurityPkg be a=20 better place for it? =C2=A0=C2=A0=C2=A0 Stefan On 8/12/21 12:59 PM, Stefan Berger wrote: > This series imports code from the edk2-platforms project related to > changing the password of the TPM2 platform hierarchy and uses it to > disable the TPM2 platform hierarchy in Ovmf and ArmVirtPkg. It > addresses the Ovmf aspects of the following bugs: > > https://bugzilla.tianocore.org/show_bug.cgi?id=3D3510 > https://bugzilla.tianocore.org/show_bug.cgi?id=3D3499 > > I have patched the .dsc files and successfully test-built with most of > them. Some I could not build because they failed for other reasons > unrelated to this series. > > I tested the changes with QEMU on x86 following the build of > ArmVirtQemu.dsc and OvmfPkgX64.dsc. > > The disablement of the platform hierarchy is done after possibly > handling PPI. Following TPM 2 logs on Arm, only PCR extensions are > following afterwards until GRUB takes over. > > Neither one of the following commands should work anymore on first > try: > > With IBM tss2 tools: > tsshierarchychangeauth -hi p -pwdn newpass > > With Intel tss2 tools: > tpm2_changeauth -c platform newpass > > Regards, > Stefan > > v4: > - Fixed and simplified code imported from edk2-platforms > > v3: > - Referencing Null implementation on Bhyve and Xen platforms > - Add support in ArmVirtPkg > > Stefan Berger (6): > OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from > edk2-platforms > OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib > OvmfPkg: Reference new TPM classes in the build system for compilati= on > OvmfPkg: Disable the TPM2 platform hierarchy > ArmVirtPkg: Reference new TPM classes in the build system for > compilation > ArmVirtPkg: Disable the TPM2 platform hierarchy > > ArmVirtPkg/ArmVirtCloudHv.dsc | 1 + > ArmVirtPkg/ArmVirtQemu.dsc | 3 + > ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 + > ArmVirtPkg/ArmVirtXen.dsc | 1 + > .../PlatformBootManagerLib/PlatformBm.c | 6 + > .../PlatformBootManagerLib.inf | 1 + > OvmfPkg/AmdSev/AmdSevX64.dsc | 3 + > OvmfPkg/Bhyve/BhyveX64.dsc | 1 + > .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++ > .../PeiDxeTpmPlatformHierarchyLib.c | 200 +++++++++++++++++= + > .../PeiDxeTpmPlatformHierarchyLib.inf | 40 ++++ > .../PeiDxeTpmPlatformHierarchyLib.c | 19 ++ > .../PeiDxeTpmPlatformHierarchyLib.inf | 31 +++ > .../PlatformBootManagerLib/BdsPlatform.c | 6 + > .../PlatformBootManagerLib.inf | 1 + > .../PlatformBootManagerLibBhyve/BdsPlatform.c | 7 + > .../PlatformBootManagerLibGrub/BdsPlatform.c | 7 + > OvmfPkg/OvmfPkgIa32.dsc | 3 + > OvmfPkg/OvmfPkgIa32X64.dsc | 3 + > OvmfPkg/OvmfPkgX64.dsc | 3 + > OvmfPkg/OvmfXen.dsc | 1 + > 21 files changed, 365 insertions(+) > create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h > create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiD= xeTpmPlatformHierarchyLib.c > create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiD= xeTpmPlatformHierarchyLib.inf > create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/= PeiDxeTpmPlatformHierarchyLib.c > create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/= PeiDxeTpmPlatformHierarchyLib.inf >