public inbox for devel@edk2.groups.io
* [PATCH 0/4] OvmfPkg: rework TPM configuration.
@ 2021-10-21 12:19 Gerd Hoffmann
  2021-10-21 12:20 ` [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files Gerd Hoffmann
                   ` (4 more replies)
  0 siblings, 5 replies; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-21 12:19 UTC (permalink / raw)
  To: devel
  Cc: Gerd Hoffmann, James Bottomley, Min Xu, Jordan Justen,
	Erdem Aktas, Stefan Berger, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

Allows enabling/disabling TPM 1.2 support in OVMF.
Allows enabling SHA-1 support for TPM hashing.

Gerd Hoffmann (4):
  OvmfPkg: move tcg configuration to dsc and fdf include files
  OvmfPkg: create Tcg2ConfigPeiCompat12.inf
  OvmfPkg: rework TPM configuration
  OvmfPkg: add TPM2_SHA1_ENABLE build option

 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc          | 32 +++++++
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc          | 28 ++++++
 OvmfPkg/OvmfTpmDefines.dsc.inc                | 10 +++
 OvmfPkg/OvmfTpmLibs.dsc.inc                   | 16 ++++
 OvmfPkg/OvmfTpmLibsDxe.dsc.inc                | 10 +++
 OvmfPkg/OvmfTpmLibsPeim.dsc.inc               | 11 +++
 OvmfPkg/OvmfTpmPcds.dsc.inc                   |  7 ++
 OvmfPkg/OvmfTpmPcdsHii.dsc.inc                |  8 ++
 OvmfPkg/OvmfTpmSecurityStub.dsc.inc           | 10 +++
 OvmfPkg/AmdSev/AmdSevX64.dsc                  | 85 +++---------------
 OvmfPkg/OvmfPkgIa32.dsc                       | 88 +++----------------
 OvmfPkg/OvmfPkgIa32X64.dsc                    | 85 +++---------------
 OvmfPkg/OvmfPkgX64.dsc                        | 85 +++---------------
 OvmfPkg/AmdSev/AmdSevX64.fdf                  | 17 +---
 OvmfPkg/OvmfPkgIa32.fdf                       | 17 +---
 OvmfPkg/OvmfPkgIa32X64.fdf                    | 17 +---
 OvmfPkg/OvmfPkgX64.fdf                        | 17 +---
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf      |  9 --
 ...onfigPei.inf => Tcg2ConfigPeiCompat12.inf} |  9 +-
 OvmfPkg/OvmfTpmDxe.fdf.inc                    | 14 +++
 OvmfPkg/OvmfTpmPei.fdf.inc                    | 15 ++++
 .../.azurepipelines/Ubuntu-GCC5.yml           |  6 +-
 .../.azurepipelines/Windows-VS2019.yml        |  6 +-
 OvmfPkg/PlatformCI/ReadMe.md                  |  2 +-
 24 files changed, 221 insertions(+), 383 deletions(-)
 create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
 copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg2ConfigPeiCompat12.inf} (84%)
 create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
 create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc

-- 
2.31.1



* [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files
  2021-10-21 12:19 [PATCH 0/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
@ 2021-10-21 12:20 ` Gerd Hoffmann
  2021-10-21 14:12   ` [edk2-devel] " Stefan Berger
  2021-10-21 12:20 ` [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf Gerd Hoffmann
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-21 12:20 UTC (permalink / raw)
  To: devel
  Cc: Gerd Hoffmann, James Bottomley, Min Xu, Jordan Justen,
	Erdem Aktas, Stefan Berger, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

With this in place the tpm configuration is not duplicated for each of
our four ovmf config variants (ia32, ia32x64, x64, amdsev) and it is
easier to keep them all in sync when updating the tpm configuration.

No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 28 +++++++++
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 22 +++++++
 OvmfPkg/OvmfTpmDefines.dsc.inc       |  6 ++
 OvmfPkg/OvmfTpmLibs.dsc.inc          | 14 +++++
 OvmfPkg/OvmfTpmLibsDxe.dsc.inc       |  8 +++
 OvmfPkg/OvmfTpmLibsPeim.dsc.inc      |  9 +++
 OvmfPkg/OvmfTpmPcds.dsc.inc          |  7 +++
 OvmfPkg/OvmfTpmPcdsHii.dsc.inc       |  8 +++
 OvmfPkg/OvmfTpmSecurityStub.dsc.inc  |  8 +++
 OvmfPkg/AmdSev/AmdSevX64.dsc         | 85 ++++-----------------------
 OvmfPkg/OvmfPkgIa32.dsc              | 88 ++++------------------------
 OvmfPkg/OvmfPkgIa32X64.dsc           | 85 ++++-----------------------
 OvmfPkg/OvmfPkgX64.dsc               | 85 ++++-----------------------
 OvmfPkg/AmdSev/AmdSevX64.fdf         | 17 +-----
 OvmfPkg/OvmfPkgIa32.fdf              | 17 +-----
 OvmfPkg/OvmfPkgIa32X64.fdf           | 17 +-----
 OvmfPkg/OvmfPkgX64.fdf               | 17 +-----
 OvmfPkg/OvmfTpmDxe.fdf.inc           | 12 ++++
 OvmfPkg/OvmfTpmPei.fdf.inc           | 11 ++++
 19 files changed, 185 insertions(+), 359 deletions(-)
 create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
 create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
 create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
new file mode 100644
index 000000000000..d5c2586118f1
--- /dev/null
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -0,0 +1,28 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+  }
+!if $(TPM_CONFIG_ENABLE) == TRUE
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
+  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+    <LibraryClasses>
+      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  }
+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+!endif
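Review bot: the new include file carries only the SPDX tag in its header, with no copyright line and no comment stating which .dsc section it is meant to be !included from; since the nine new .dsc.inc files follow the same pattern, a short header such as "# TPM DXE components; !include from [Components] (or [Components.X64])" in each would make the split self-documenting and match the usual edk2 file header layout.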
diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
new file mode 100644
index 000000000000..99fa7c13b3e7
--- /dev/null
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
@@ -0,0 +1,22 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+    <LibraryClasses>
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+  }
+  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+!endif
diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
new file mode 100644
index 000000000000..51da7508b307
--- /dev/null
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
@@ -0,0 +1,6 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+  DEFINE TPM_ENABLE              = FALSE
+  DEFINE TPM_CONFIG_ENABLE       = FALSE
diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
new file mode 100644
index 000000000000..50100f2c0371
--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
@@ -0,0 +1,14 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!else
+  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
new file mode 100644
index 000000000000..67d5027abaea
--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+!endif
diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
new file mode 100644
index 000000000000..4e84e3dcaaeb
--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
@@ -0,0 +1,9 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+!endif
diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
new file mode 100644
index 000000000000..0e7f83c04bd7
--- /dev/null
+++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
@@ -0,0 +1,7 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+!endif
diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
new file mode 100644
index 000000000000..164bc9c7fca0
--- /dev/null
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+!endif
diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
new file mode 100644
index 000000000000..4bd4066843ef
--- /dev/null
+++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+!endif
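Review bot: the six-space indentation of the two NULL library lines only makes sense because this file is !included from inside the `<LibraryClasses>` sub-block of SecurityStubDxe.inf in the consuming .dsc files; that dependency on the including scope is invisible from the file itself, so a header comment along the lines of "# !include from within SecurityStubDxe.inf { <LibraryClasses> ... }" is warranted here more than in the other new include files.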
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 5ee54451169b..d145b491fb44 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -32,8 +32,8 @@ [Defines]
   # -D FLAG=VALUE
   #
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
 
   #
   # Shell can be useful for debugging but should not be enabled for production
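Review bot: the `# -D FLAG=VALUE` comment just above this hunk documents the build flags a user can override on the command line, but the TPM_ENABLE and TPM_CONFIG_ENABLE defaults now live in OvmfTpmDefines.dsc.inc and are no longer visible in that list; a one-line comment above the `!include OvmfPkg/OvmfTpmDefines.dsc.inc` naming the two flags it supplies would keep them discoverable (the same applies to the equivalent hunk in the other three .dsc files).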
@@ -203,16 +203,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -286,11 +277,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -371,10 +358,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -575,15 +560,10 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -624,24 +604,7 @@ [Components]
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
   OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
   #
   # DXE Phase modules
@@ -663,10 +626,7 @@ [Components]
 
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
   }
 
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
@@ -836,27 +796,4 @@ [Components]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 6a5be97c059d..462c1b970ed8 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -32,10 +32,10 @@ [Defines]
   DEFINE SECURE_BOOT_ENABLE      = FALSE
   DEFINE SMM_REQUIRE             = FALSE
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
   DEFINE LOAD_X64_ON_IA32_ENABLE = FALSE
 
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
+
   #
   # Network definition
   #
@@ -229,16 +229,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -309,11 +300,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -401,10 +388,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -642,19 +627,14 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
   # IPv4 and IPv6 PXE Boot support.
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -704,24 +684,7 @@ [Components]
 !endif
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
   #
   # DXE Phase modules
@@ -746,10 +709,7 @@ [Components]
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 !endif
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
   }
 
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
@@ -1019,31 +979,5 @@ [Components]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
 
-!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
-  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
-!endif
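Review bot: the last three removed lines of this hunk, `!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE` / `OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf` / `!endif`, are not re-added anywhere in the patch, so an IA32 build with LOAD_X64_ON_IA32_ENABLE=TRUE silently loses the CompatImageLoaderDxe component while the DEFINE for the flag is still kept in the [Defines] hunk of this file; that contradicts the "No functional change" statement in the commit message and also explains why OvmfPkgIa32.dsc shows 88 changed lines in the diffstat against 85 for the other variants. Keep that block after the `!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc` line.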
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 71227d1b709a..3908acbc9c78 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -32,8 +32,8 @@ [Defines]
   DEFINE SECURE_BOOT_ENABLE      = FALSE
   DEFINE SMM_REQUIRE             = FALSE
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
 
   #
   # Network definition
@@ -233,16 +233,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -313,11 +304,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -405,10 +392,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -654,9 +639,7 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
 [PcdsDynamicDefault.X64]
   # IPv4 and IPv6 PXE Boot support.
@@ -664,10 +647,7 @@ [PcdsDynamicDefault.X64]
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -717,24 +697,7 @@ [Components.IA32]
 !endif
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
 [Components.X64]
   #
@@ -760,10 +723,7 @@ [Components.X64]
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 !endif
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
   }
 
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
@@ -1034,27 +994,4 @@ [Components.X64]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 52f7598cf1c7..6114a4d61ab7 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -32,8 +32,8 @@ [Defines]
   DEFINE SECURE_BOOT_ENABLE      = FALSE
   DEFINE SMM_REQUIRE             = FALSE
   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
 
   #
   # Network definition
@@ -233,16 +233,7 @@ [LibraryClasses]
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-!else
-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -315,11 +306,7 @@ [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
 
-!if $(TPM_ENABLE) == TRUE
-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
 
   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
 
@@ -407,10 +394,8 @@ [LibraryClasses.common.DXE_DRIVER]
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-!if $(TPM_ENABLE) == TRUE
-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -654,19 +639,14 @@ [PcdsDynamicDefault]
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
-!if $(TPM_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
 
   # IPv4 and IPv6 PXE Boot support.
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
 [PcdsDynamicHii]
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
 
 ################################################################################
 #
@@ -716,24 +696,7 @@ [Components]
 !endif
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
-    <LibraryClasses>
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
 
   #
   # DXE Phase modules
@@ -757,10 +720,7 @@ [Components]
     <LibraryClasses>
 !if $(SECURE_BOOT_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
-!endif
-!if $(TPM_ENABLE) == TRUE
-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
 !endif
   }
 
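Review bot: the SecurityStubDxe hunk in OvmfPkgX64.dsc changes the conditional nesting: the removed `!endif` after `DxeImageVerificationLib.inf` is not put back, so `!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc` now sits inside the `!if $(SECURE_BOOT_ENABLE) == TRUE` block and the remaining `!endif` closes that block after the include. The effect is that DxeTpmMeasureBootLib and DxeTpm2MeasureBootLib are only linked into SecurityStubDxe when Secure Boot is also enabled, whereas before they were gated on TPM_ENABLE alone; a TPM-enabled build without SECURE_BOOT_ENABLE silently loses measured boot of loaded images. Keep the original `!endif` directly after the DxeImageVerificationLib line and place the `!include` after it, outside the Secure Boot conditional, and check the same hunk in the other three platform .dsc files.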
@@ -1032,27 +992,4 @@ [Components]
   #
   # TPM support
   #
-!if $(TPM_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
-    <LibraryClasses>
-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
-  }
-!if $(TPM_CONFIG_ENABLE) == TRUE
-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
-    <LibraryClasses>
-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
-    <LibraryClasses>
-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
-  }
-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 56626098862c..b9017f490458 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -156,13 +156,7 @@ [FV.PEIFV]
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -318,14 +312,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 ################################################################################
 
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 775ea2d71098..24e4366c172d 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -161,13 +161,7 @@ [FV.PEIFV]
 !endif
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -361,14 +355,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
 INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 9d8695922f97..734df36602bd 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -164,13 +164,7 @@ [FV.PEIFV]
 !endif
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -371,14 +365,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 ################################################################################
 
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index b6cc3cabdd69..b8d074c6e496 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -180,13 +180,7 @@ [FV.PEIFV]
 !endif
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
 
-!if $(TPM_ENABLE) == TRUE
-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
 
 ################################################################################
 
@@ -387,14 +381,7 @@ [FV.DXEFV]
 #
 # TPM support
 #
-!if $(TPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
-!endif
-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
 
 ################################################################################
 
diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
new file mode 100644
index 000000000000..9dcdaaf01c39
--- /dev/null
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
@@ -0,0 +1,12 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!if $(TPM_CONFIG_ENABLE) == TRUE
+INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
+!endif
diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
new file mode 100644
index 000000000000..9aefd73d219c
--- /dev/null
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
@@ -0,0 +1,11 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+!endif
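Review bot: the new OvmfTpmPei.fdf.inc (and its OvmfTpmDxe.fdf.inc sibling) carries only the SPDX line; a one-line header stating that the file is meant to be `!include`d from the [FV.PEIFV] (respectively [FV.DXEFV]) section of the platform .fdf files and that it depends on the TPM_ENABLE and TPM_CONFIG_ENABLE defines would help readers of the platform files, since the bare `!include` there no longer shows which conditionals apply.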
-- 
2.31.1



* [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf
  2021-10-21 12:19 [PATCH 0/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
  2021-10-21 12:20 ` [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files Gerd Hoffmann
@ 2021-10-21 12:20 ` Gerd Hoffmann
  2021-10-21 14:46   ` [edk2-devel] " Stefan Berger
  2021-10-21 12:20 ` [PATCH 3/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-21 12:20 UTC (permalink / raw)
  To: devel
  Cc: Gerd Hoffmann, James Bottomley, Min Xu, Jordan Justen,
	Erdem Aktas, Stefan Berger, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

Split Tcg2ConfigPei.inf into two variants: Tcg2ConfigPeiCompat12.inf
with TPM 1.2 backward compatibility included and Tcg2ConfigPei.inf
supporting TPM 2.0 only.  This allows x86 builds to choose whether
TPM 1.2 support should be included or not by picking the one or the
other inf file.

Switch x86 builds to Tcg2ConfigPeiCompat12.inf, so they continue to
have TPM 1.2 support.

No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc                     | 2 +-
 OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf                 | 9 ---------
 .../{Tcg2ConfigPei.inf => Tcg2ConfigPeiCompat12.inf}     | 9 +--------
 OvmfPkg/OvmfTpmPei.fdf.inc                               | 2 +-
 4 files changed, 3 insertions(+), 19 deletions(-)
 copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg2ConfigPeiCompat12.inf} (84%)

diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
index 99fa7c13b3e7..b5dc20c4858c 100644
--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
@@ -4,7 +4,7 @@
 
 !if $(TPM_ENABLE) == TRUE
   OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
   SecurityPkg/Tcg/TcgPei/TcgPei.inf
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
index 39d1deeed16b..bf8b12da8195 100644
--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
@@ -22,11 +22,6 @@ [Defines]
 [Sources]
   Tcg2ConfigPeim.c
   Tpm12Support.h
-
-[Sources.IA32, Sources.X64]
-  Tpm12Support.c
-
-[Sources.ARM, Sources.AARCH64]
   Tpm12SupportNull.c
 
 [Packages]
@@ -41,10 +36,6 @@ [LibraryClasses]
   PeiServicesLib
   Tpm2DeviceLib
 
-[LibraryClasses.IA32, LibraryClasses.X64]
-  BaseLib
-  Tpm12DeviceLib
-
 [Guids]
   gEfiTpmDeviceSelectedGuid           ## PRODUCES ## GUID # Used as a PPI GUID
   gEfiTpmDeviceInstanceTpm20DtpmGuid  ## SOMETIMES_CONSUMES
diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
similarity index 84%
copy from OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
copy to OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
index 39d1deeed16b..919006f35cf1 100644
--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
@@ -14,7 +14,7 @@
 [Defines]
   INF_VERSION                    = 0x00010005
   BASE_NAME                      = Tcg2ConfigPei
-  FILE_GUID                      = BF7F2B0C-9F2F-4889-AB5C-12460022BE87
+  FILE_GUID                      = 8AD3148F-945F-46B4-8ACD-71469EA73945
   MODULE_TYPE                    = PEIM
   VERSION_STRING                 = 1.0
   ENTRY_POINT                    = Tcg2ConfigPeimEntryPoint
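Review bot: BASE_NAME stays `Tcg2ConfigPei` in the copied Tcg2ConfigPeiCompat12.inf while only FILE_GUID changes; BASE_NAME is what shows up in build logs, DEBUG output and the module's .efi file name, so consider `Tcg2ConfigPeiCompat12` here to make the two variants distinguishable in a build.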
@@ -22,13 +22,8 @@ [Defines]
 [Sources]
   Tcg2ConfigPeim.c
   Tpm12Support.h
-
-[Sources.IA32, Sources.X64]
   Tpm12Support.c
 
-[Sources.ARM, Sources.AARCH64]
-  Tpm12SupportNull.c
-
 [Packages]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
@@ -40,8 +35,6 @@ [LibraryClasses]
   DebugLib
   PeiServicesLib
   Tpm2DeviceLib
-
-[LibraryClasses.IA32, LibraryClasses.X64]
   BaseLib
   Tpm12DeviceLib
 
diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
index 9aefd73d219c..6380d7660d40 100644
--- a/OvmfPkg/OvmfTpmPei.fdf.inc
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
@@ -4,7 +4,7 @@
 
 !if $(TPM_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
 INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
 INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
-- 
2.31.1



* [PATCH 3/4] OvmfPkg: rework TPM configuration
  2021-10-21 12:19 [PATCH 0/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
  2021-10-21 12:20 ` [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files Gerd Hoffmann
  2021-10-21 12:20 ` [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf Gerd Hoffmann
@ 2021-10-21 12:20 ` Gerd Hoffmann
  2021-10-21 15:44   ` Stefan Berger
  2021-10-21 12:20 ` [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option Gerd Hoffmann
  2021-10-21 16:13 ` [PATCH 0/4] OvmfPkg: rework TPM configuration Stefan Berger
  4 siblings, 1 reply; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-21 12:20 UTC (permalink / raw)
  To: devel
  Cc: Gerd Hoffmann, James Bottomley, Min Xu, Jordan Justen,
	Erdem Aktas, Stefan Berger, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

Rename TPM_ENABLE to TPM2_ENABLE and TPM_CONFIG_ENABLE to
TPM2_CONFIG_ENABLE so they are in line with the ArmVirtPkg
config option names.

Add separate TPM1_ENABLE option for TPM 1.2 support.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 6 ++++--
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc                  | 6 +++++-
 OvmfPkg/OvmfTpmDefines.dsc.inc                        | 7 +++++--
 OvmfPkg/OvmfTpmLibs.dsc.inc                           | 4 +++-
 OvmfPkg/OvmfTpmLibsDxe.dsc.inc                        | 4 +++-
 OvmfPkg/OvmfTpmLibsPeim.dsc.inc                       | 4 +++-
 OvmfPkg/OvmfTpmPcds.dsc.inc                           | 2 +-
 OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
 OvmfPkg/OvmfTpmSecurityStub.dsc.inc                   | 4 +++-
 OvmfPkg/OvmfTpmDxe.fdf.inc                            | 6 ++++--
 OvmfPkg/OvmfTpmPei.fdf.inc                            | 6 +++++-
 OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
 OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
 OvmfPkg/PlatformCI/ReadMe.md                          | 2 +-
 14 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
index d5c2586118f1..6806eb245e2b 100644
--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -2,7 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
     <LibraryClasses>
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
@@ -14,13 +14,15 @@
       NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
       NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
   }
-!if $(TPM_CONFIG_ENABLE) == TRUE
+!if $(TPM2_CONFIG_ENABLE) == TRUE
   SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
 !endif
+!if $(TPM1_ENABLE) == TRUE
   SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
     <LibraryClasses>
       Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
   }
+!endif
   SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
     <LibraryClasses>
       TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
index b5dc20c4858c..94bc124f9b78 100644
--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
@@ -2,10 +2,14 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
   SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
index 51da7508b307..de55cbdcf852 100644
--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
@@ -2,5 +2,8 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+  DEFINE TPM2_ENABLE             = FALSE
+  DEFINE TPM2_CONFIG_ENABLE      = FALSE
+
+  # has no effect unless TPM2_ENABLE == TRUE
+  DEFINE TPM1_ENABLE             = TRUE
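Review bot: renaming the defines means a build invoked with the old `-D TPM_ENABLE=TRUE` (or `-D TPM_CONFIG_ENABLE=TRUE`) no longer matches any `!if` and, because TPM2_ENABLE defaults to FALSE, silently produces an OVMF image without TPM support. Consider a transitional check in OvmfTpmDefines.dsc.inc that fails the build when the old name is set, and call out the rename in the commit message and the PlatformCI ReadMe so existing build scripts are updated rather than quietly losing TPM support.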
diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
index 50100f2c0371..418747b13487 100644
--- a/OvmfPkg/OvmfTpmLibs.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
   Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+!endif
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
index 67d5027abaea..1d66cdac778c 100644
--- a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
@@ -2,7 +2,9 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+!endif
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
 !endif
diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
index 4e84e3dcaaeb..03caccd7c688 100644
--- a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+!if $(TPM1_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+!endif
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
 !endif
diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
index 0e7f83c04bd7..0d55d6273702 100644
--- a/OvmfPkg/OvmfTpmPcds.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
@@ -2,6 +2,6 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
 !endif
diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
index 164bc9c7fca0..a0aa81aedf3a 100644
--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
@@ -2,7 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE && $(TPM2_CONFIG_ENABLE) == TRUE
   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
 !endif
diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
index 4bd4066843ef..e9ab2fca7bc7 100644
--- a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
@@ -2,7 +2,9 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+!endif
       NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
 !endif
diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
index 9dcdaaf01c39..fa749726789a 100644
--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
@@ -2,11 +2,13 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
 INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!endif
 INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
-!if $(TPM_CONFIG_ENABLE) == TRUE
+!if $(TPM2_CONFIG_ENABLE) == TRUE
 INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
 !endif
 !endif
diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
index 6380d7660d40..a4f0f80715d4 100644
--- a/OvmfPkg/OvmfTpmPei.fdf.inc
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
@@ -2,10 +2,14 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
 INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
 INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
 !endif
diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
index 7117b86b8177..4a3c08029a5b 100644
--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
@@ -95,21 +95,21 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_NOOPT:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "NOOPT"
             Run.Flags: $(run_flags)
             Run: $(should_run)
diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
index 2e07a3d8893a..0e6f54c57cce 100644
--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
@@ -94,14 +94,14 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
@@ -112,7 +112,7 @@ jobs:
     #       OVMF_IA32X64_FULL_NOOPT:
     #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
     #         Build.Arch: "IA32,X64"
-    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1  BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
     #         Build.Target: "NOOPT"
     #         Run.Flags: $(run_flags)
     #         Run: $(should_run)
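Review bot: the commented-out NOOPT Build.Flags line in Windows-VS2019.yml picks up a double space before `BLD_*_TPM2_ENABLE=1` that the other edited Build.Flags lines do not have; harmless while commented out, but keep it identical to the DEBUG and RELEASE lines so it can be re-enabled by just removing the comment marker.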
diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md
index 2ce9007dbeaa..4b3ebe022dad 100644
--- a/OvmfPkg/PlatformCI/ReadMe.md
+++ b/OvmfPkg/PlatformCI/ReadMe.md
@@ -14,7 +14,7 @@ supported and are described below.
 | IA32                    | IA32               | OvmfPkgIa32.dsc     | None            |
 | X64                     | X64                | OvmfPkgIa64.dsc     | None            |
 | IA32 X64                | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | None            |
-| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 TPM2_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
 
 ## EDK2 Developer environment
 
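Review bot: the ReadMe row now lists `TPM1_ENABLE=1` among the Full build flags, but the Ubuntu-GCC5.yml and Windows-VS2019.yml Build.Flags updated in this patch only set `BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1`. Either add `BLD_*_TPM1_ENABLE=1` to the pipelines or drop it from the table (it is TRUE by default in OvmfTpmDefines.dsc.inc) so the documentation matches what CI actually builds.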
-- 
2.31.1



* [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-21 12:19 [PATCH 0/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
                   ` (2 preceding siblings ...)
  2021-10-21 12:20 ` [PATCH 3/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
@ 2021-10-21 12:20 ` Gerd Hoffmann
  2021-10-21 13:24   ` Stefan Berger
  2021-10-21 16:13 ` [PATCH 0/4] OvmfPkg: rework TPM configuration Stefan Berger
  4 siblings, 1 reply; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-21 12:20 UTC (permalink / raw)
  To: devel
  Cc: Gerd Hoffmann, James Bottomley, Min Xu, Jordan Justen,
	Erdem Aktas, Stefan Berger, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

Allows compiling OVMF without HashInstanceLibSha1,
i.e. no SHA1 hash support in TPM/TCG modules.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 2 ++
 OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 2 ++
 OvmfPkg/OvmfTpmDefines.dsc.inc       | 1 +
 3 files changed, 5 insertions(+)

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
index 6806eb245e2b..1952a848b17c 100644
--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -8,7 +8,9 @@
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
       NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+!if $(TPM2_SHA1_ENABLE) == TRUE
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+!endif
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
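Review bot: with TPM2_SHA1_ENABLE set to FALSE this hunk removes the only SHA1 hash instance behind HashLibBaseCryptoRouterDxe, so a TPM whose SHA1 PCR bank is active receives no SHA1 extends from Tcg2Dxe while its SHA256/384/512 banks are still extended; an attestation verifier then sees an active bank sitting at reset values. The commit message should state that the option is only safe to disable when the SHA1 bank is inactive, or the firmware should deactivate the bank when it has no instance for it.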
diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
index 94bc124f9b78..fbe905603312 100644
--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
@@ -13,7 +13,9 @@
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+!if $(TPM2_SHA1_ENABLE) == TRUE
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+!endif
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
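Review bot: the PEI guard mirrors the DXE one, which is right, but PEI is where the early firmware stages are measured into the low PCRs, so the active-but-unextended SHA1 bank concern from the DXE hunk applies here as well and the two hash-instance lists must stay identical; a one-line comment at either list saying that both must match would help later edits.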
diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
index de55cbdcf852..7db7ad7e7934 100644
--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
@@ -7,3 +7,4 @@
 
   # has no effect unless TPM2_ENABLE == TRUE
   DEFINE TPM1_ENABLE             = TRUE
+  DEFINE TPM2_SHA1_ENABLE        = TRUE
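Review bot: the new DEFINE lands directly under the "# has no effect unless TPM2_ENABLE == TRUE" comment that was written for TPM1_ENABLE, so it is ambiguous whether that note covers TPM2_SHA1_ENABLE too (it does, since both hash-instance lists sit inside !if $(TPM2_ENABLE)); give the new option its own comment line stating what it controls, and add it to the PlatformCI ReadMe build-option table that this series already edits.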
-- 
2.31.1



* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-21 12:20 ` [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option Gerd Hoffmann
@ 2021-10-21 13:24   ` Stefan Berger
  2021-10-22  6:39     ` Gerd Hoffmann
  0 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-21 13:24 UTC (permalink / raw)
  To: Gerd Hoffmann, devel
  Cc: James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh


On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
> Allows to compile OVMF without HashInstanceLibSha1,
> i.e. no SHA1 hash support in TPM/TCG modules.


Does that then mean that the SHA1 bank in a TPM 2 stays untouched, 
meaning the PCRs there won't get extended even though the bank is there 
and active?


    Stefan

>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 2 ++
>   OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 2 ++
>   OvmfPkg/OvmfTpmDefines.dsc.inc       | 1 +
>   3 files changed, 5 insertions(+)
>
> diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> index 6806eb245e2b..1952a848b17c 100644
> --- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> @@ -8,7 +8,9 @@
>         Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
>         NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
>         HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
> +!if $(TPM2_SHA1_ENABLE) == TRUE
>         NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> +!endif
>         NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
>         NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
>         NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> index 94bc124f9b78..fbe905603312 100644
> --- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> @@ -13,7 +13,9 @@
>     SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
>       <LibraryClasses>
>         HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> +!if $(TPM2_SHA1_ENABLE) == TRUE
>         NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> +!endif
>         NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
>         NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
>         NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
> index de55cbdcf852..7db7ad7e7934 100644
> --- a/OvmfPkg/OvmfTpmDefines.dsc.inc
> +++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
> @@ -7,3 +7,4 @@
>   
>     # has no effect unless TPM2_ENABLE == TRUE
>     DEFINE TPM1_ENABLE             = TRUE
> +  DEFINE TPM2_SHA1_ENABLE        = TRUE


* Re: [edk2-devel] [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files
  2021-10-21 12:20 ` [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files Gerd Hoffmann
@ 2021-10-21 14:12   ` Stefan Berger
  0 siblings, 0 replies; 27+ messages in thread
From: Stefan Berger @ 2021-10-21 14:12 UTC (permalink / raw)
  To: devel, kraxel
  Cc: James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh


On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
> With this in place the tpm configuration is not duplicated for each of
> our four ovmf config variants (ia32, ia32x64, x64, amdsev) and it is
> easier to keep them all in sync when updating the tpm configuration.
>
> No functional change.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Tested-by: Stefan Berger <stefanb@linux.ibm.com>

[Tested with OvmfPkg/OvmfPkgX64.dsc]




* Re: [edk2-devel] [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf
  2021-10-21 12:20 ` [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf Gerd Hoffmann
@ 2021-10-21 14:46   ` Stefan Berger
  2021-10-22  6:31     ` Gerd Hoffmann
  0 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-21 14:46 UTC (permalink / raw)
  To: devel, kraxel
  Cc: James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh


On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
> Split Tcg2ConfigPei.inf into two variants: Tcg2ConfigPeiCompat12.inf
> with TPM 1.2 backward compatibility included and Tcg2ConfigPei.inf
> supporting TPM 2.0 only.  This allows x86 builds to choose whenever
> TPM 1.2 support should be included or not by picking the one or the
> other inf file.

FYI: TPM 2 does not provide backwards compatibility to TPM 1.2. TPM 1.2 
is its own implementation that is incompatible with TPM 2.

So the extension 'Compat12' is a bit odd in this case.

Tested-by: Stefan Berger <stefanb@linux.ibm.com>

[Tested with OvmfPkg/OvmfPkgX64.dsc]

>
> Switch x86 builds to Tcg2ConfigPeiCompat12.inf, so they continue to
> have TPM 1.2 support.
>
> No functional change.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   OvmfPkg/OvmfTpmComponentsPei.dsc.inc                     | 2 +-
>   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf                 | 9 ---------
>   .../{Tcg2ConfigPei.inf => Tcg2ConfigPeiCompat12.inf}     | 9 +--------
>   OvmfPkg/OvmfTpmPei.fdf.inc                               | 2 +-
>   4 files changed, 3 insertions(+), 19 deletions(-)
>   copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg2ConfigPeiCompat12.inf} (84%)
>
> diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> index 99fa7c13b3e7..b5dc20c4858c 100644
> --- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> @@ -4,7 +4,7 @@
>   
>   !if $(TPM_ENABLE) == TRUE
>     OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
>     SecurityPkg/Tcg/TcgPei/TcgPei.inf
>     SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
>       <LibraryClasses>
> diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> index 39d1deeed16b..bf8b12da8195 100644
> --- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> @@ -22,11 +22,6 @@ [Defines]
>   [Sources]
>     Tcg2ConfigPeim.c
>     Tpm12Support.h
> -
> -[Sources.IA32, Sources.X64]
> -  Tpm12Support.c
> -
> -[Sources.ARM, Sources.AARCH64]
>     Tpm12SupportNull.c
>   
>   [Packages]
> @@ -41,10 +36,6 @@ [LibraryClasses]
>     PeiServicesLib
>     Tpm2DeviceLib
>   
> -[LibraryClasses.IA32, LibraryClasses.X64]
> -  BaseLib
> -  Tpm12DeviceLib
> -
>   [Guids]
>     gEfiTpmDeviceSelectedGuid           ## PRODUCES ## GUID # Used as a PPI GUID
>     gEfiTpmDeviceInstanceTpm20DtpmGuid  ## SOMETIMES_CONSUMES
> diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
> similarity index 84%
> copy from OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> copy to OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
> index 39d1deeed16b..919006f35cf1 100644
> --- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
> @@ -14,7 +14,7 @@
>   [Defines]
>     INF_VERSION                    = 0x00010005
>     BASE_NAME                      = Tcg2ConfigPei
> -  FILE_GUID                      = BF7F2B0C-9F2F-4889-AB5C-12460022BE87
> +  FILE_GUID                      = 8AD3148F-945F-46B4-8ACD-71469EA73945
>     MODULE_TYPE                    = PEIM
>     VERSION_STRING                 = 1.0
>     ENTRY_POINT                    = Tcg2ConfigPeimEntryPoint
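Review bot: FILE_GUID gets a fresh value but BASE_NAME stays Tcg2ConfigPei, so the two module variants now share a base name; build output directories and debug messages are keyed on BASE_NAME, so set BASE_NAME = Tcg2ConfigPeiCompat12 here to keep the two modules distinguishable in build trees and logs.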
> @@ -22,13 +22,8 @@ [Defines]
>   [Sources]
>     Tcg2ConfigPeim.c
>     Tpm12Support.h
> -
> -[Sources.IA32, Sources.X64]
>     Tpm12Support.c
>   
> -[Sources.ARM, Sources.AARCH64]
> -  Tpm12SupportNull.c
> -
>   [Packages]
>     MdePkg/MdePkg.dec
>     MdeModulePkg/MdeModulePkg.dec
> @@ -40,8 +35,6 @@ [LibraryClasses]
>     DebugLib
>     PeiServicesLib
>     Tpm2DeviceLib
> -
> -[LibraryClasses.IA32, LibraryClasses.X64]
>     BaseLib
>     Tpm12DeviceLib
>   
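Review bot: with the arch-specific sections folded away, Tpm12Support.c, BaseLib and Tpm12DeviceLib are now unconditional in the Compat12 variant, so this .inf is effectively IA32/X64-only while nothing in the file says so; a short comment in the file header noting that the Compat12 module is not meant for ARM/AARCH64 builds would stop someone wiring it into ArmVirtPkg by analogy with Tcg2ConfigPei.inf.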
> diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
> index 9aefd73d219c..6380d7660d40 100644
> --- a/OvmfPkg/OvmfTpmPei.fdf.inc
> +++ b/OvmfPkg/OvmfTpmPei.fdf.inc
> @@ -4,7 +4,7 @@
>   
>   !if $(TPM_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> -INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
>   INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
>   INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf


* Re: [PATCH 3/4] OvmfPkg: rework TPM configuration
  2021-10-21 12:20 ` [PATCH 3/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
@ 2021-10-21 15:44   ` Stefan Berger
  2021-10-22  6:30     ` Gerd Hoffmann
  0 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-21 15:44 UTC (permalink / raw)
  To: Gerd Hoffmann, devel
  Cc: James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh


On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
> Rename TPM_ENABLE to TPM2_ENABLE and TPM_CONFIG_ENABLE to
> TPM2_CONFIG_ENABLE so they are in line with the ArmVirtPkg
> config option names.
>
> Add separate TPM1_ENABLE option for TPM 1.2 support.


I tested this on Fedora and attached a TPM 1.2 to the VM after a build 
**without** TPM1_ENABLE. When I run this here inside the VM

cat /sys/devices/pnp0/00\:04/prcs

I get measurements in PCRs 0-9 hinting that the TPM 1.2 support isn't 
entirely disabled but somehow it's still measuring into those 
firmware-related PCRs. It is due to this here:

diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
index 51da7508b307..de55cbdcf852 100644
--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
@@ -2,5 +2,8 @@
  #    SPDX-License-Identifier: BSD-2-Clause-Patent
  ##
  
-  DEFINE TPM_ENABLE              = FALSE
-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+  DEFINE TPM2_ENABLE             = FALSE
+  DEFINE TPM2_CONFIG_ENABLE      = FALSE
+
+  # has no effect unless TPM2_ENABLE == TRUE
+  DEFINE TPM1_ENABLE             = TRUE


If you set this to FALSE then it removes TPM 1.2 support if TPM1_ENABLE 
is not passed.

   Stefan


>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 6 ++++--
>   OvmfPkg/OvmfTpmComponentsPei.dsc.inc                  | 6 +++++-
>   OvmfPkg/OvmfTpmDefines.dsc.inc                        | 7 +++++--
>   OvmfPkg/OvmfTpmLibs.dsc.inc                           | 4 +++-
>   OvmfPkg/OvmfTpmLibsDxe.dsc.inc                        | 4 +++-
>   OvmfPkg/OvmfTpmLibsPeim.dsc.inc                       | 4 +++-
>   OvmfPkg/OvmfTpmPcds.dsc.inc                           | 2 +-
>   OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
>   OvmfPkg/OvmfTpmSecurityStub.dsc.inc                   | 4 +++-
>   OvmfPkg/OvmfTpmDxe.fdf.inc                            | 6 ++++--
>   OvmfPkg/OvmfTpmPei.fdf.inc                            | 6 +++++-
>   OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
>   OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
>   OvmfPkg/PlatformCI/ReadMe.md                          | 2 +-
>   14 files changed, 44 insertions(+), 21 deletions(-)
>
> diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> index d5c2586118f1..6806eb245e2b 100644
> --- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
> @@ -2,7 +2,7 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
>       <LibraryClasses>
>         Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
> @@ -14,13 +14,15 @@
>         NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
>         NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
>     }
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> +!if $(TPM2_CONFIG_ENABLE) == TRUE
>     SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
>   !endif
> +!if $(TPM1_ENABLE) == TRUE
>     SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
>       <LibraryClasses>
>         Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
>     }
> +!endif
>     SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
>       <LibraryClasses>
>         TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> index b5dc20c4858c..94bc124f9b78 100644
> --- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> +++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
> @@ -2,10 +2,14 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> +!if $(TPM1_ENABLE) == TRUE
>     OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
>     SecurityPkg/Tcg/TcgPei/TcgPei.inf
> +!else
> +  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +!endif
>     SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
>       <LibraryClasses>
>         HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
> diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
> index 51da7508b307..de55cbdcf852 100644
> --- a/OvmfPkg/OvmfTpmDefines.dsc.inc
> +++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
> @@ -2,5 +2,8 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -  DEFINE TPM_ENABLE              = FALSE
> -  DEFINE TPM_CONFIG_ENABLE       = FALSE
> +  DEFINE TPM2_ENABLE             = FALSE
> +  DEFINE TPM2_CONFIG_ENABLE      = FALSE
> +
> +  # has no effect unless TPM2_ENABLE == TRUE
> +  DEFINE TPM1_ENABLE             = TRUE
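Review bot: TPM1_ENABLE defaults to TRUE while TPM2_ENABLE and TPM2_CONFIG_ENABLE default to FALSE, so a build that only passes -D TPM2_ENABLE=TRUE silently includes the whole TPM 1.2 stack, which is exactly what the test report above observed; make the default FALSE so TPM 1.2 is opt-in like the other options, keeping the comment about the TPM2_ENABLE dependency.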
> diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
> index 50100f2c0371..418747b13487 100644
> --- a/OvmfPkg/OvmfTpmLibs.dsc.inc
> +++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
> @@ -2,8 +2,10 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>     Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
> +!endif
>     Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
>     Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
>     Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
> diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> index 67d5027abaea..1d66cdac778c 100644
> --- a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> +++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
> @@ -2,7 +2,9 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>     Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
> +!endif
>     Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
>   !endif
> diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> index 4e84e3dcaaeb..03caccd7c688 100644
> --- a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> +++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
> @@ -2,8 +2,10 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +!if $(TPM1_ENABLE) == TRUE
>     Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
> +!endif
>     Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>   !endif
> diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
> index 0e7f83c04bd7..0d55d6273702 100644
> --- a/OvmfPkg/OvmfTpmPcds.dsc.inc
> +++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
> @@ -2,6 +2,6 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>     gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
>   !endif
> diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> index 164bc9c7fca0..a0aa81aedf3a 100644
> --- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> +++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
> @@ -2,7 +2,7 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE && $(TPM2_CONFIG_ENABLE) == TRUE
>     gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
>     gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
>   !endif
> diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> index 4bd4066843ef..e9ab2fca7bc7 100644
> --- a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> +++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
> @@ -2,7 +2,9 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>         NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
> +!endif
>         NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
>   !endif
> diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
> index 9dcdaaf01c39..fa749726789a 100644
> --- a/OvmfPkg/OvmfTpmDxe.fdf.inc
> +++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
> @@ -2,11 +2,13 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
> +!if $(TPM1_ENABLE) == TRUE
>   INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
> +!endif
>   INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> -!if $(TPM_CONFIG_ENABLE) == TRUE
> +!if $(TPM2_CONFIG_ENABLE) == TRUE
>   INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
>   !endif
>   !endif
> diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
> index 6380d7660d40..a4f0f80715d4 100644
> --- a/OvmfPkg/OvmfTpmPei.fdf.inc
> +++ b/OvmfPkg/OvmfTpmPei.fdf.inc
> @@ -2,10 +2,14 @@
>   #    SPDX-License-Identifier: BSD-2-Clause-Patent
>   ##
>   
> -!if $(TPM_ENABLE) == TRUE
> +!if $(TPM2_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
> +!if $(TPM1_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPeiCompat12.inf
>   INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
> +!else
> +INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +!endif
>   INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
>   INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
>   !endif
> diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> index 7117b86b8177..4a3c08029a5b 100644
> --- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> +++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
> @@ -95,21 +95,21 @@ jobs:
>             OVMF_IA32X64_FULL_DEBUG:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "DEBUG"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_RELEASE:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "RELEASE"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_NOOPT:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "NOOPT"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
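Review bot: the Full CI builds only rename the TPM flags and do not pass BLD_*_TPM1_ENABLE=1, so their TPM 1.2 coverage rests solely on the TRUE default in OvmfTpmDefines.dsc.inc, whereas the ReadMe row changed in this same patch lists TPM1_ENABLE=1 explicitly; add the flag here so CI coverage does not silently change if the default is flipped later.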
> diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> index 2e07a3d8893a..0e6f54c57cce 100644
> --- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> +++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
> @@ -94,14 +94,14 @@ jobs:
>             OVMF_IA32X64_FULL_DEBUG:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "DEBUG"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
>             OVMF_IA32X64_FULL_RELEASE:
>               Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>               Build.Arch: "IA32,X64"
> -            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>               Build.Target: "RELEASE"
>               Run.Flags: $(run_flags)
>               Run: $(should_run)
> @@ -112,7 +112,7 @@ jobs:
>       #       OVMF_IA32X64_FULL_NOOPT:
>       #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
>       #         Build.Arch: "IA32,X64"
> -    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
> +    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1  BLD_*_TPM2_ENABLE=1 BLD_*_TPM2_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
>       #         Build.Target: "NOOPT"
>       #         Run.Flags: $(run_flags)
>       #         Run: $(should_run)
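Review bot: the replacement line in the commented-out NOOPT block has a double space before BLD_*_TPM2_ENABLE=1, unlike the other Build.Flags lines in this file; harmless, but worth tidying so the three entries stay copy-paste identical.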
> diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md
> index 2ce9007dbeaa..4b3ebe022dad 100644
> --- a/OvmfPkg/PlatformCI/ReadMe.md
> +++ b/OvmfPkg/PlatformCI/ReadMe.md
> @@ -14,7 +14,7 @@ supported and are described below.
>   | IA32                    | IA32               | OvmfPkgIa32.dsc     | None            |
>   | X64                     | X64                | OvmfPkgIa64.dsc     | None            |
>   | IA32 X64                | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | None            |
> -| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
> +| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 TPM2_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
>   
>   ## EDK2 Developer environment
>   


* Re: [PATCH 0/4] OvmfPkg: rework TPM configuration.
  2021-10-21 12:19 [PATCH 0/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
                   ` (3 preceding siblings ...)
  2021-10-21 12:20 ` [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option Gerd Hoffmann
@ 2021-10-21 16:13 ` Stefan Berger
  2021-10-22  7:01   ` Gerd Hoffmann
  4 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-21 16:13 UTC (permalink / raw)
  To: Gerd Hoffmann, devel
  Cc: James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh

A few more comments to this series:

- Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning 
where there should not be a TPM 2 menu entry? It's worth considering 
dropping this option because a user does need to have control over 
certain aspects of the TPM 2 configuration. Most of this control may be 
reachable via the physical presence interface (PPI) inside the VM where 
root can write codes into the /sys/devices/.../ppi/request file to 
achieve similar outcomes, but it's really low level and I wouldn't know 
how to do this if on Windows for example or maybe BSD or other OSes 
running inside the VM.

- Should it be possible to enable TPM 1.2 independent of TPM 2? For me 
it's fine as-is since TPM 2 is mostly used these days...

- I would drop patch 4 if it means that an active SHA1 bank doesn't get 
PCR extensions (haven't tested yet). swtpm_setup currently sets up a 
swtpm with active SHA1 and SHA256 PCR banks ( 
https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65 
). We can change this for swtpm v0.7.0 to only activate the SHA256 bank, 
if that's what is needed here. However, this doesn't prevent a user from 
activating the SHA1 PCR bank either via the PPI 'request' file or the UEFI TPM 
menu, and when it is active it must get PCR extensions.

- Since TPM 1.2 is still supported we need to add a TPM menu for it as 
well using this patch here. I would put this under the TPM1_ENABLE 
config option since having TPM 1.2 support without a menu is quite 
useless. I can send a patch for this once this series has gone through.

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc 
b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
index 6806eb245e..43acd2c755 100644
--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
@@ -22,6 +22,7 @@
      <LibraryClasses>
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
    }
+  SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf^M
  !endif
    SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
      <LibraryClasses>
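Review bot: the added line ends in ^M, so this patch carries a CRLF line ending into an LF file; it should be re-sent with the carriage return stripped. The diff --git header above is also wrapped across two lines by the mail client, so the patch as posted will not apply with git am. Placing the INF inside the !if $(TPM1_ENABLE) block matches the stated intent of tying the TPM 1.2 menu to that option.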
diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
index fa74972678..d22e069af0 100644
--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
@@ -5,6 +5,7 @@
  !if $(TPM2_ENABLE) == TRUE
  !if $(TPM1_ENABLE) == TRUE
  INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+INF  SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf^M
  !endif
  INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
  INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
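Review bot: the added INF line carries the same ^M carriage return as the dsc hunk; strip it before this goes in. Putting the INF inside the !if $(TPM1_ENABLE) block is consistent with the dsc change, so the two include files stay in sync.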

    Stefan


On 10/21/21 8:19 AM, Gerd Hoffmann wrote:
> Allows to enable/disable TPM 1.2 support in OVMF.
> Allows to enable SHA-1 support for TPM hashing.
>
> Gerd Hoffmann (4):
>    OvmfPkg: move tcg configuration to dsc and fdf include files
>    OvmfPkg: create Tcg2ConfigPeiCompat12.inf
>    OvmfPkg: rework TPM configuration
>    OvmfPkg: add TPM2_SHA1_ENABLE build option
>
>   OvmfPkg/OvmfTpmComponentsDxe.dsc.inc          | 32 +++++++
>   OvmfPkg/OvmfTpmComponentsPei.dsc.inc          | 28 ++++++
>   OvmfPkg/OvmfTpmDefines.dsc.inc                | 10 +++
>   OvmfPkg/OvmfTpmLibs.dsc.inc                   | 16 ++++
>   OvmfPkg/OvmfTpmLibsDxe.dsc.inc                | 10 +++
>   OvmfPkg/OvmfTpmLibsPeim.dsc.inc               | 11 +++
>   OvmfPkg/OvmfTpmPcds.dsc.inc                   |  7 ++
>   OvmfPkg/OvmfTpmPcdsHii.dsc.inc                |  8 ++
>   OvmfPkg/OvmfTpmSecurityStub.dsc.inc           | 10 +++
>   OvmfPkg/AmdSev/AmdSevX64.dsc                  | 85 +++---------------
>   OvmfPkg/OvmfPkgIa32.dsc                       | 88 +++----------------
>   OvmfPkg/OvmfPkgIa32X64.dsc                    | 85 +++---------------
>   OvmfPkg/OvmfPkgX64.dsc                        | 85 +++---------------
>   OvmfPkg/AmdSev/AmdSevX64.fdf                  | 17 +---
>   OvmfPkg/OvmfPkgIa32.fdf                       | 17 +---
>   OvmfPkg/OvmfPkgIa32X64.fdf                    | 17 +---
>   OvmfPkg/OvmfPkgX64.fdf                        | 17 +---
>   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf      |  9 --
>   ...onfigPei.inf => Tcg2ConfigPeiCompat12.inf} |  9 +-
>   OvmfPkg/OvmfTpmDxe.fdf.inc                    | 14 +++
>   OvmfPkg/OvmfTpmPei.fdf.inc                    | 15 ++++
>   .../.azurepipelines/Ubuntu-GCC5.yml           |  6 +-
>   .../.azurepipelines/Windows-VS2019.yml        |  6 +-
>   OvmfPkg/PlatformCI/ReadMe.md                  |  2 +-
>   24 files changed, 221 insertions(+), 383 deletions(-)
>   create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
>   create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
>   copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg2ConfigPeiCompat12.inf} (84%)
>   create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
>   create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc
>

^ permalink raw reply related	[flat|nested] 27+ messages in thread

* Re: [PATCH 3/4] OvmfPkg: rework TPM configuration
  2021-10-21 15:44   ` Stefan Berger
@ 2021-10-22  6:30     ` Gerd Hoffmann
  0 siblings, 0 replies; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-22  6:30 UTC (permalink / raw)
  To: Stefan Berger
  Cc: devel, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh

On Thu, Oct 21, 2021 at 11:44:54AM -0400, Stefan Berger wrote:
> 
> On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
> > Rename TPM_ENABLE to TPM2_ENABLE and TPM_CONFIG_ENABLE to
> > TPM2_CONFIG_ENABLE so they are in line with the ArmVirtPkg
> > config option names.
> > 
> > Add separate TPM1_ENABLE option for TPM 1.2 support.
> 
> 
> I tested this on Fedora and attached a TPM 1.2 to the VM after a build
> **without** TPM1_ENABLE. When I run this here inside the VM
> 
> cat /sys/devices/pnp0/00\:04/pcrs
> 
> I get measurements in PCRs 0-9 hinting that the TPM 1.2 support isn't
> entirely disabled but somehow it's still measuring into those
> firmware-related PCRs. It is due to this here:
> 
> +  # has no effect unless TPM2_ENABLE == TRUE
> +  DEFINE TPM1_ENABLE             = TRUE
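Review bot: with the default set to TRUE, a build that never mentions TPM1_ENABLE still carries TPM 1.2 support, which is exactly what the test above observed, while the comment line only says the knob depends on TPM2_ENABLE. If TPM 1.2 is meant to be opt-in, default it to FALSE; if the default is deliberately TRUE for backward compatibility, say so in the comment and in the commit message, since turning on a SHA-1-only TPM interface by default is a decision reviewers will want recorded next to the option itself.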
> 
> 
> If you set this to FALSE then it removes TPM 1.2 support if TPM1_ENABLE is
> not passed.

Yes, that is intentional.  By default (when you don't explicitly set
TPM1_ENABLE) behavior doesn't change and TPM 1.2 support continues to
be available like it is the case without this series applied.

When you think it is better to flip the default instead of being
conservative I happily change it in v2.

take care,
  Gerd


^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [edk2-devel] [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf
  2021-10-21 14:46   ` [edk2-devel] " Stefan Berger
@ 2021-10-22  6:31     ` Gerd Hoffmann
  2021-10-22 13:29       ` Stefan Berger
  0 siblings, 1 reply; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-22  6:31 UTC (permalink / raw)
  To: Stefan Berger
  Cc: devel, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh

  Hi,

> FYI: TPM 2 does not provide backwards compatibility to TPM 1.2. TPM 1.2 is
> its own implementation that is incompatible with TPM 2.
> 
> So the extension 'Compat12' is a bit odd in this case.

Suggestions for a better name?

take care,
  Gerd


^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-21 13:24   ` Stefan Berger
@ 2021-10-22  6:39     ` Gerd Hoffmann
  2021-10-22 10:50       ` Stefan Berger
  0 siblings, 1 reply; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-22  6:39 UTC (permalink / raw)
  To: Stefan Berger
  Cc: devel, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh

On Thu, Oct 21, 2021 at 09:24:55AM -0400, Stefan Berger wrote:
> 
> On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
> > Allows to compile OVMF without HashInstanceLibSha1,
> > i.e. no SHA1 hash support in TPM/TCG modules.
> 
> Does that then mean that the SHA1 bank in a TPM 2 stays untouched, meaning
> the PCRs there won't get extended even though the bank is there and active?

Not fully sure.  The tcg2 config menu looks like this:

[ ... ]
   TPM2 Active PCR Hash       SHA1, SHA256
   Algorithm
   TPM2 Hardware Supported    SHA1, SHA256, SHA384,
   Hash Algorithm             SHA512
   BIOS Supported Hash        SHA256, SHA384, SHA512
   Algorithm
[ ... ]
   TCG2 Protocol Configuration
   Supported Event Log Format TCG_2
   Hash Algorithm Bitmap      SHA256, SHA384, SHA512
   Number of PCR Banks        3
   Active PCR Banks           SHA256

     PCR Bank: SHA1           [ ]
     PCR Bank: SHA256         [X]
     PCR Bank: SHA384         [ ]
     PCR Bank: SHA512         [ ]
[ ... ]

Which looks correct to me (SHA1 bank present but not active).

take care,
  Gerd


^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 0/4] OvmfPkg: rework TPM configuration.
  2021-10-21 16:13 ` [PATCH 0/4] OvmfPkg: rework TPM configuration Stefan Berger
@ 2021-10-22  7:01   ` Gerd Hoffmann
  2021-10-22 10:46     ` [edk2-devel] " Stefan Berger
  0 siblings, 1 reply; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-22  7:01 UTC (permalink / raw)
  To: Stefan Berger
  Cc: devel, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh

On Thu, Oct 21, 2021 at 12:13:51PM -0400, Stefan Berger wrote:
> A few more comments to this series:
> 
> - Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where
> there should not be a TPM 2 menu entry? It's worth considering dropping this
> option because a user does need to have control over certain aspects of the
> TPM 2 configuration.

I happily drop the option if it doesn't make sense.  I've already
wondered why it is there but assumed there is some valid reason for
it and left it as-is.

> - Should it be possible to enable TPM 1.2 independent of TPM 2? For me it's
> fine as-is since TPM 2 is mostly used these days...

Exactly.  With the world moving to TPM 2 building OVMF with TPM 1.2 only
looks pointless to me.

> - I would drop patch 4 if it means that an active SHA1 bank doesn't get PCR
> extensions (haven't tested yet). swtpm_setup currently sets up a swtpm with
> active SHA1 and SHA256 PCR banks ( https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65
> ). We can change this for swtpm v0.7.0 to only activate the SHA256 bank, if
> that's what is needed here. However, this doesn't prevent a user to activate
> the SHA1 PCR bank either via PPI 'request' file or UEFI TPM menu and when it
> is active it must get PCR extensions.

With SHA1 being considered broken we want to avoid SHA1 being used.
Ideally by removing support for it altogether.  In case this is not possible
for backward compatibility reasons at least have it disabled by default.

So swtpm_setup not enabling the SHA1 bank by default is certainly a good
idea and a move into the right direction (independent from the patch #4
discussion).

Didn't do much testing yet to see whether removing SHA1 support
altogether trips up operating systems.

> - Since TPM 1.2 is still supported we need to add a TPM menu for it as well
> using this patch here. I would put this under the TPM1_ENABLE config option
> since having TPM 1.2 support without a menu is quite useless. I can send a
> patch for this once this series has gone through.

I can pick this up for v2 if you don't mind.

take care,
  Gerd


^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [edk2-devel] [PATCH 0/4] OvmfPkg: rework TPM configuration.
  2021-10-22  7:01   ` Gerd Hoffmann
@ 2021-10-22 10:46     ` Stefan Berger
  0 siblings, 0 replies; 27+ messages in thread
From: Stefan Berger @ 2021-10-22 10:46 UTC (permalink / raw)
  To: devel, kraxel
  Cc: James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh


On 10/22/21 3:01 AM, Gerd Hoffmann wrote:
> On Thu, Oct 21, 2021 at 12:13:51PM -0400, Stefan Berger wrote:
>> A few more comments to this series:
>>
>> - Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where
>> there should not be a TPM 2 menu entry? It's worth considering dropping this
>> option because a user does need to have control over certain aspects of the
>> TPM 2 configuration.
> I happily drop the option if it doesn't make sense.  I've already
> wondered why it is there but assumed there is some valid reason for
> it and left it as-is.

I think we should drop it.


>> - I would drop patch 4 if it means that an active SHA1 bank doesn't get PCR
>> extensions (haven't tested yet). swtpm_setup currently sets up a swtpm with
>> active SHA1 and SHA256 PCR banks ( https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65
>> ). We can change this for swtpm v0.7.0 to only activate the SHA256 bank, if
>> that's what is needed here. However, this doesn't prevent a user to activate
>> the SHA1 PCR bank either via PPI 'request' file or UEFI TPM menu and when it
>> is active it must get PCR extensions.
> With SHA1 being considered broken we want to avoid SHA1 being used.
> Ideally by removing support for it altogether.  In case this is not possible
> for backward compatibility reasons at least have it disabled by default.
>
> So swtpm_setup not enabling the SHA1 bank by default is certainly a good
> idea and a move into the right direction (independent from the patch #4
> discussion).

I will change this then for swtpm v0.7.0. Just in time... I wanted to 
make the release today but I'll delay that a bit then.


>
> Didn't do much testing yet to see whether removing SHA1 support
> altogether trips up operating systems.
>
>> - Since TPM 1.2 is still supported we need to add a TPM menu for it as well
>> using this patch here. I would put this under the TPM1_ENABLE config option
>> since having TPM 1.2 support without a menu is quite useless. I can send a
>> patch for this once this series has gone through.
> I can pick this up for v2 if you don't mind.

Yes, please!


>
> take care,
>    Gerd
>
>
>
> 
>
>

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22  6:39     ` Gerd Hoffmann
@ 2021-10-22 10:50       ` Stefan Berger
  2021-10-22 11:37         ` Gerd Hoffmann
  2021-10-22 11:49         ` James Bottomley
  0 siblings, 2 replies; 27+ messages in thread
From: Stefan Berger @ 2021-10-22 10:50 UTC (permalink / raw)
  To: Gerd Hoffmann
  Cc: devel, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh


On 10/22/21 2:39 AM, Gerd Hoffmann wrote:
> On Thu, Oct 21, 2021 at 09:24:55AM -0400, Stefan Berger wrote:
>> On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
>>> Allows to compile OVMF without HashInstanceLibSha1,
>>> i.e. no SHA1 hash support in TPM/TCG modules.
>> Does that then mean that the SHA1 bank in a TPM 2 stays untouched, meaning
>> the PCRs there won't get extended even though the bank is there and active?
> Not fully sure.  The tcg2 config menu looks like this:
>
> [ ... ]
>     TPM2 Active PCR Hash       SHA1, SHA256
>     Algorithm
>     TPM2 Hardware Supported    SHA1, SHA256, SHA384,
>     Hash Algorithm             SHA512
>     BIOS Supported Hash        SHA256, SHA384, SHA512
>     Algorithm
> [ ... ]
>     TCG2 Protocol Configuration
>     Supported Event Log Format TCG_2
>     Hash Algorithm Bitmap      SHA256, SHA384, SHA512
>     Number of PCR Banks        3
>     Active PCR Banks           SHA256
>
>       PCR Bank: SHA1           [ ]
>       PCR Bank: SHA256         [X]
>       PCR Bank: SHA384         [ ]
>       PCR Bank: SHA512         [ ]
> [ ... ]
>
> Which looks correct to me (SHA1 bank present but not active).

I see this also but when I get into Linux and run tpm2_pcrread I see the 
SHA1 bank active but not having received any PCR extensions from the 
firmware, which is not supposed to happen. So I think you should drop 
this patch and I'll change the set of active PCR banks on the 
swtpm_setup level.

    Stefan


>
> take care,
>    Gerd
>

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 10:50       ` Stefan Berger
@ 2021-10-22 11:37         ` Gerd Hoffmann
  2021-10-22 11:49         ` James Bottomley
  1 sibling, 0 replies; 27+ messages in thread
From: Gerd Hoffmann @ 2021-10-22 11:37 UTC (permalink / raw)
  To: Stefan Berger
  Cc: devel, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh

  Hi,

> >     TPM2 Active PCR Hash       SHA1, SHA256
> >     Algorithm

> >     Active PCR Banks           SHA256

> I see this also but when I get into Linux and run tpm2_pcrread I see the
> SHA1 bank active but not having received any PCR extensions from the
> firmware, which is not supposed to happen.

Because of the discrepancy above I guess.

> So I think you should drop this
> patch and I'll change the set of active PCR banks on the swtpm_setup level.

Yes.  I think the code base is not ready for this.

I can disable sha1 in the tpm2 config menu, with the effect that SHA1 is
removed from the "TPM2 Active PCR Hash Algorithm" list.  But that works
only in case ovmf is built with sha1 *enabled*.

OVMF with SHA1 support disabled, neither disabling the bank automatically
nor allowing me to do this manually, is clearly a non-starter.  This
needs fixing before we can consider disabling SHA1 support.

take care,
  Gerd


^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 10:50       ` Stefan Berger
  2021-10-22 11:37         ` Gerd Hoffmann
@ 2021-10-22 11:49         ` James Bottomley
  2021-10-22 11:57           ` Stefan Berger
  1 sibling, 1 reply; 27+ messages in thread
From: James Bottomley @ 2021-10-22 11:49 UTC (permalink / raw)
  To: Stefan Berger, Gerd Hoffmann
  Cc: devel, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
[...]
> I see this also but when I get into Linux and run tpm2_pcrread I see
> the SHA1 bank active but not having received any PCR extensions from
> the firmware, which is not supposed to happen.

That's not entirely correct: the TCG firmware profile just requires us
to log through at least one bank; it doesn't require that all active
banks be logged.  I've got several physical systems with three active
banks but only one or two measured through.

The knock-on problem the linux kernel is going to have is that we do
tend to expect the sha1 bank to be extended into if any others are, so
someone is going to have to update expectations ... we should have this
in hand already as sha1 is deprecated.

>  So I think you should drop this patch and I'll change the set of
> active PCR banks on the swtpm_setup level.

Even if the firmware deactivated the sha1 bank, the kernel expectation
problem is still going to exist.

James




^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 11:49         ` James Bottomley
@ 2021-10-22 11:57           ` Stefan Berger
  2021-10-22 12:40             ` James Bottomley
  0 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-22 11:57 UTC (permalink / raw)
  To: jejb, Gerd Hoffmann
  Cc: devel, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh


On 10/22/21 7:49 AM, James Bottomley wrote:
> On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
> [...]
>> I see this also but when I get into Linux and run tpm2_pcrread I see
>> the SHA1 bank active but not having received any PCR extensions from
>> the firmware, which is not supposed to happen.
> That's not entirely correct: the TCG firmware profile just requires us
> to log through at least one bank; it doesn't require that all active
> banks be logged.  I've got several physical systems with three active
> banks but only one or two measured through.
The problem with this is that you can then fake measured boot on that 
system using its unused SHA1 bank and extend into it whatever you want 
and create a fake log along with it and the quote is going to look alright.
>
> The knock-on problem the linux kernel is going to have is that we do
> tend to expect the sha1 bank to be extended into if any others are, so
> someone is going to have to update expectations ... we should have this
> in hand already as sha1 is deprecated.
>
>>   So I think you should drop this patch and I'll change the set of
>> active PCR banks on the swtpm_setup level.
> Even if the firmware deactivated the sha1 bank, the kernel expectation
> problem is still going to exist.

Is that older Linux kernels or which part still requires sha1? A pointer 
would be good. I would have to revert the change to not activate the 
SHA1 bank from swtpm_setup if that's going to create headaches. I 
thought some hardware TPM 2's today are only providing a SHA256 bank and 
so it shouldn't be a problem.


     Stefan


>
> James
>
>
>

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 11:57           ` Stefan Berger
@ 2021-10-22 12:40             ` James Bottomley
  2021-10-22 13:13               ` Stefan Berger
  0 siblings, 1 reply; 27+ messages in thread
From: James Bottomley @ 2021-10-22 12:40 UTC (permalink / raw)
  To: Stefan Berger, Gerd Hoffmann
  Cc: devel, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
> On 10/22/21 7:49 AM, James Bottomley wrote:
> > On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
> > [...]
> > > I see this also but when I get into Linux and run tpm2_pcrread I
> > > see the SHA1 bank active but not having received any PCR
> > > extensions from the firmware, which is not supposed to happen.
> > That's not entirely correct: the TCG firmware profile just requires
> > us to log through at least one bank; it doesn't require that all
> > active banks be logged.  I've got several physical systems with
> > three active banks but only one or two measured through.
>  
> The problem with this is that you can then fake measured boot on
> that system using its unused SHA1 bank and extend into it whatever
> you want and create a fake log along with it and the quote is going
> to look alright.

I don't think you can.  The measured boot PCRs in unused banks should
always be their default values and the measurement software should
check for this.  So on a system that only uses the sha256 bank, the
sha1 bank PCR0-7 should be all zeros ... if they aren't this should be
a measurement failure.

That means that if you try to replace the sha256 agile log with one
containing fake sha1 entries, the attestation still fails because the
sha256 bank doesn't have default entries.

> > The knock on problem the linux kernel is going to have is that we
> > do tend to expect the sha1 bank to be extended into if any others
> > are, so someone is going to have to update expectations ... we
> > should have this in hand already as sha1 is deprecated.
> > 
> > >   So I think you should drop this patch and I'll change the set
> > > of active PCR banks on the swtpm_setup level.
> >  
> > Even if the firmware deactivated the sha1 bank, the kernel
> > expectation problem is still going to exist.
> 
> Is that older Linux kernels or which part still requires sha1? A
> pointer would be good. I would have to revert the change to not
> activate the SHA1 bank from swtpm_setup if that's going to create
> headaches. I thought some hardware TPM 2's today are only providing a
> SHA256 bank and so it shouldn't be a problem.

The problem is IMA: its hash is a kernel config parameter which
defaults to sha1.  It then tries to calculate the boot aggregate over
the configured hash bank and doesn't check if it's unused.

What IMA should probably be doing is working out which bank the bios is
logging through and using that as the hash instead of having it as a
Kconfig parameter.

James



^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 12:40             ` James Bottomley
@ 2021-10-22 13:13               ` Stefan Berger
  2021-10-22 14:17                 ` James Bottomley
  0 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-22 13:13 UTC (permalink / raw)
  To: jejb, Gerd Hoffmann
  Cc: devel, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

On 10/22/21 8:40 AM, James Bottomley wrote:

> On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
>> On 10/22/21 7:49 AM, James Bottomley wrote:
>>> On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
>>> [...]
>>>> I see this also but when I get into Linux and run tpm2_pcrread I
>>>> see the SHA1 bank active but not having received any PCR
>>>> extensions from the firmware, which is not supposed to happen.
>>> That's not entirely correct: the TCG firmware profile just requires
>>> us to log through at least one bank; it doesn't require that all
>>> active banks be logged.  I've got several physical systems with
>>> three active banks but only one or two measured through.
>>   
>> The problem with this is that you can then fake measured boot on
>> that system using its unused SHA1 bank and extend into it whatever
>> you want and create a fake log along with it and the quote is going
>> to look alright.
> I don't think you can.  The measured boot PCRs in unused banks should
> always be their default values and the measurement software should
> check for this.  So on a system that only uses the sha256 bank, the
> sha1 bank PCR0-7 should be all zeros ... if they aren't this should be
> a measurement failure.
>
> That means that if you try to replace the sha256 agile log with one
> containing fake sha1 entries, the attestation still fails because the
> sha256 bank doesn't have default entries.

You can still pretend that your system only has an active SHA1 bank and 
serve the fake log. Which part would raise suspicion about that on the 
side that looks at that trusted boot log, SHA1 PCR 0-7 state, and quote 
then?


>>>>    So I think you should drop this patch and I'll change the set
>>>> of active PCR banks on the swtpm_setup level.
>>>   
>>> Even if the firmware deactivated the sha1 bank, the kernel
>>> expectation problem is still going to exist.
>> Is that older Linux kernels or which part still requires sha1? A
>> pointer would be good. I would have to revert the change to not
>> activate the SHA1 bank from swtpm_setup if that's going to create
>> headaches. I thought some hardware TPM 2's today are only providing a
>> SHA256 bank and so it shouldn't be a problem.
> The problem is IMA: its hash is a kernel config parameter which
> defaults to sha1.  It then tries to calculate the boot aggregate over
> the configured hash bank and doesn't check if it's unused.
>
> What IMA should probably be doing is working out which bank the bios is
> logging through and using that as the hash instead of having it as a
> Kconfig parameter.

I think IMA is doing the right thing and extending into SHA1 and SHA256 
PCRs if the banks are active and with the boot aggregate puts a lid on 
top of the PCRs 0-7(,8-9). IMA may help raise the suspicion about abuse 
of an unused PCR bank by the firmware but looking at the measured boot 
log etc. alone I think is not enough.

At least a test with a recent kernel seems to work out alright when only 
the SHA256 bank is active.

    Stefan



^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [edk2-devel] [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf
  2021-10-22  6:31     ` Gerd Hoffmann
@ 2021-10-22 13:29       ` Stefan Berger
  0 siblings, 0 replies; 27+ messages in thread
From: Stefan Berger @ 2021-10-22 13:29 UTC (permalink / raw)
  To: Gerd Hoffmann
  Cc: devel, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas,
	Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky,
	Brijesh Singh


On 10/22/21 2:31 AM, Gerd Hoffmann wrote:
>    Hi,
>
>> FYI: TPM 2 does not provide backwards compatibility to TPM 1.2. TPM 1.2 is
>> its own implementation that is incompatible with TPM 2.
>>
>> So the extension 'Compat12' is a bit odd in this case.
> Suggestions for a better name?


Tcg2ConfigPeiCompat12.inf -> Tcg12ConfigPei.inf ?

    Stefan

>
> take care,
>    Gerd
>

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 13:13               ` Stefan Berger
@ 2021-10-22 14:17                 ` James Bottomley
  2021-10-22 14:52                   ` [edk2-devel] " Stefan Berger
  0 siblings, 1 reply; 27+ messages in thread
From: James Bottomley @ 2021-10-22 14:17 UTC (permalink / raw)
  To: Stefan Berger, Gerd Hoffmann
  Cc: devel, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
> On 10/22/21 8:40 AM, James Bottomley wrote:
> 
> > On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
> > > On 10/22/21 7:49 AM, James Bottomley wrote:
> > > > On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
> > > > [...]
> > > > > I see this also but when I get into Linux and run
> > > > > tpm2_pcrread I see the SHA1 bank active but not having
> > > > > received any PCR extensions from the firmware, which is not
> > > > > supposed to happen.
> > > > 
> > > > That's not entirely correct: the TCG firmware profile just
> > > > requires us to log through at least one bank; it doesn't
> > > > require that all active banks be logged.  I've got several
> > > > physical systems with three active banks but only one or two
> > > > measured through.
> > >   
> > > The problem with this is that you can then fake measured boot on
> > > that system using its unused SHA1 bank and extend into it
> > > whatever you want and create a fake log along with it and the
> > > quote is going to look alright.
> > 
> > I don't think you can.  The measured boot PCRs in unused banks
> > should always be their default values and the measurement software
> > should check for this.  So on a system that only uses the sha256
> > bank, the sha1 bank PCR0-7 should be all zeros ... if they aren't
> > this should be a measurement failure.
> > 
> > That means that if you try to replace the sha256 agile log with one
> > containing fake sha1 entries, the attestation still fails because
> > the sha256 bank doesn't have default entries.
> 
> You can still pretend that your system only has an active SHA1 bank
> and serve the fake log.

Which "You" can fake a TPM quote?  The whole design of the TPM system
is supposed to be that what goes into the TPM can't be erased, only
updated and we can get definitive proof of the values using a quote. 
You can fake the log to be sha1 only but you can't make it match the
quote that includes the sha256 banks.

> at that trusted boot log, SHA1 PCR 0-7 state, and quote then?

You don't just quote the bank you think is being logged ... you should
quote all banks of the TPM; that way you can't be duped in this
fashion.

> > > > >    So I think you should drop this patch and I'll change the
> > > > > set of active PCR banks on the swtpm_setup level.
> > > >   
> > > > Even if the firmware deactivated the sha1 bank, the kernel
> > > > expectation problem is still going to exist.
> > >  
> > > Is that older Linux kernels or which part still requires sha1? A
> > > pointer would be good. I would have to revert the change to not
> > > activate the SHA1 bank from swtpm_setup if that's going to create
> > > headaches. I thought some hardware TPM 2's today are only
> > > providing a SHA256 bank and so it shouldn't be a problem.
> >  
> > The problem is IMA: its hash is a kernel config parameter which
> > defaults to sha1.  It then tries to calculate the boot aggregate
> > over the configured hash bank and doesn't check if it's unused.
> > 
> > What IMA should probably be doing is working out which bank the
> > bios is logging through and using that as the hash instead of
> > having it as a Kconfig parameter.
> 
> I think IMA is doing the right thing and extending into SHA1 and
> SHA256 PCRs if the banks are active and with the boot aggregate puts
> a lid on top of the PCRs 0-7(,8-9). IMA may help raise the suspicion
> about abuse of an unused PCR bank by the firmware but looking at the
> measured boot log etc. alone I think is not enough.

The problem is not where IMA extends, it's where it gets the boot
aggregate from.  If the IMA hash is sha1 and a sha1 bank exists, it
will use it alone for the boot aggregate.

> At least a test with a recent kernel seems to work out alright when
> only the SHA256 bank is active.

Well, yes, if IMA is configured as sha1 and no sha1 bank exists, it
will fall back to sha256, but that doesn't cover the boot aggregate
problem above.

James



^ permalink raw reply	[flat|nested] 27+ messages in thread
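The boot_aggregate pitfall James describes, worked through as an added example in Python (not code from edk2/OVMF or the Linux kernel): IMA hashes PCRs 0-7 (sha1) or 0-9 (other algorithms) of the bank selected by its Kconfig hash, and over a sha1 bank that is active but was never extended that aggregate is a constant which says nothing about what booted. The PCR state, the firmware events and the fallback `choose_aggregate_bank` are constructed for the demo; only the per-algorithm PCR range follows the kernel's ima_calc_boot_aggregate, everything else is an assumption.

```python
"""IMA boot_aggregate over an active but unused PCR bank (added example)."""
import hashlib

# Digest sizes of the TPM 2 banks discussed in this thread.
DIGEST_LEN = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}


def pcr_extend(alg, current, digest):
    """TPM2_PCR_Extend semantics for one bank: new = H(old || digest)."""
    return hashlib.new(alg, current + digest).digest()


def reset_bank(alg, num_pcrs=24):
    """Constructed post-TPM2_Startup(CLEAR) state: PCRs 0-16 and 23 are all
    zeros.  PCRs 17-22 start at all-ones on real hardware; the aggregate
    below never reads them, so they are zeroed here for simplicity."""
    return {i: bytes(DIGEST_LEN[alg]) for i in range(num_pcrs)}


def boot_aggregate(alg, pcrs):
    """Linux IMA boot_aggregate: H(PCR0 || ... || PCR7) for sha1 and
    H(PCR0 || ... || PCR9) for every other algorithm.  Nothing here checks
    whether the bank was ever extended, which is the problem discussed."""
    last = 7 if alg == "sha1" else 9
    h = hashlib.new(alg)
    for i in range(last + 1):
        h.update(pcrs[i])
    return h.digest()


def bank_is_unused(alg, pcrs):
    """A bank the firmware never logged through still has PCRs 0-7 at their
    default all-zero values."""
    return all(pcrs[i] == bytes(DIGEST_LEN[alg]) for i in range(8))


def choose_aggregate_bank(configured_alg, banks):
    """Assumed fix matching the suggestion above: use the configured hash only
    if that bank carries firmware measurements, otherwise fall back to a bank
    that does.  Raises if no active bank was measured through at all."""
    if configured_alg in banks and not bank_is_unused(configured_alg, banks[configured_alg]):
        return configured_alg
    for alg, pcrs in banks.items():
        if not bank_is_unused(alg, pcrs):
            return alg
    raise ValueError("no active PCR bank carries firmware measurements")


def constructed_banks():
    """Constructed state matching the observation above: sha1 and sha256 banks
    both active, firmware (built without SHA1) extended only the sha256 bank."""
    banks = {"sha1": reset_bank("sha1"), "sha256": reset_bank("sha256")}
    # Constructed firmware events as (pcr, measured blob); real events carry
    # digests of firmware volumes, boot loaders and variables.
    events = [(0, b"ovmf-pei-core"), (0, b"ovmf-dxe-core"),
              (4, b"shimx64.efi"), (7, b"SecureBoot=0")]
    for pcr, blob in events:
        digest = hashlib.sha256(blob).digest()
        banks["sha256"][pcr] = pcr_extend("sha256", banks["sha256"][pcr], digest)
    return banks


if __name__ == "__main__":
    banks = constructed_banks()
    # Kconfig default sha1: aggregate over a bank nothing was extended into.
    print("sha1 bank unused:", bank_is_unused("sha1", banks["sha1"]))
    print("naive sha1 boot_aggregate:", boot_aggregate("sha1", banks["sha1"]).hex())
    alg = choose_aggregate_bank("sha1", banks)
    print("bank measured through:", alg)
    print("boot_aggregate over it:", boot_aggregate(alg, banks[alg]).hex())
```

The naive sha1 aggregate equals the aggregate of a freshly reset bank, so any machine with an untouched sha1 bank produces the same value regardless of what it booted; a verifier comparing boot_aggregate against a golden value would accept it.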

* Re: [edk2-devel] [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 14:17                 ` James Bottomley
@ 2021-10-22 14:52                   ` Stefan Berger
  2021-10-22 15:01                     ` James Bottomley
  0 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-22 14:52 UTC (permalink / raw)
  To: devel, jejb, Gerd Hoffmann
  Cc: Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh


On 10/22/21 10:17 AM, James Bottomley wrote:
> On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
>> On 10/22/21 8:40 AM, James Bottomley wrote:
>>
>>> On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
>>>> On 10/22/21 7:49 AM, James Bottomley wrote:
>>>>> On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
>>>>> [...]
>>>>>> I see this also but when I get into Linux and run
>>>>>> tpm2_pcrread I see the SHA1 bank active but not having
>>>>>> received any PCR extensions from the firmware, which is not
>>>>>> supposed to happen.
>>>>> That's not entirely correct: the TCG firmware profile just
>>>>> requires us to log through at least one bank; it doesn't
>>>>> require that all active banks be logged.  I've got several
>>>>> physical systems with three active banks but only one or two
>>>>> measured through.
>>>>    
>>>> The problem with this is that you can then fake measured boot on
>>>> that system using its unused SHA1 bank and extend into it
>>>> whatever you want and create a fake log along with it and the
>>>> quote is going to look alright.
>>> I don't think you can.  The measured boot PCRs in unused banks
>>> should always be their default values and the measurement software
>>> should check for this.  So on a system that only uses the sha256
>>> bank, the sha1 bank PCR0-7 should be all zeros ... if they aren't
>>> this should be a measurement failure.
>>>
>>> That means that if you try to replace the sha256 agile log with one
>>> containing fake sha1 entries, the attestation still fails because
>>> the sha256 bank doesn't have default entries.
>> You can still pretend that your system only has an active SHA1 bank
>> and serve the fake log.
> Which "You" can fake a TPM quote?  The whole design of the TPM system
> is supposed to be that what goes into the TPM can't be erased, only
> updated and we can get definitive proof of the values using a quote.
What I meant is the admin runs TPM2_PCR_Extend on PCRs 0-7 of the unused 
sha1 bank and extends it with known good values and has a log that goes 
with it and presents these to a validator along with the quote on the 
sha1 bank.
> You can fake the log to be sha1 only but you can't make it match the
> quote that includes the sha256 banks.

Yes, that's right. The client must insist that the sha256 bank, and any
other possible bank, is quoted so that the system cannot just pretend
that it only has a XYZ [sha1] bank (unlikely for TPM 2) and that ABC banks
[sha256] don't exist there, even though the SHA256 matches the true
log. A quote by itself doesn't quote all the banks. You have to select
which banks to quote, and the client needs to have some control over that,
it seems, to see for sure what the true firmware did.

   Stefan

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [edk2-devel] [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 14:52                   ` [edk2-devel] " Stefan Berger
@ 2021-10-22 15:01                     ` James Bottomley
  2021-10-22 15:48                       ` Stefan Berger
  0 siblings, 1 reply; 27+ messages in thread
From: James Bottomley @ 2021-10-22 15:01 UTC (permalink / raw)
  To: Stefan Berger, devel, Gerd Hoffmann
  Cc: Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

On Fri, 2021-10-22 at 10:52 -0400, Stefan Berger wrote:
> On 10/22/21 10:17 AM, James Bottomley wrote:
> > On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
> > > On 10/22/21 8:40 AM, James Bottomley wrote:
> > > 
> > > > On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
> > > > > On 10/22/21 7:49 AM, James Bottomley wrote:
> > > > > > On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
> > > > > > [...]
> > > > > > > I see this also but when I get into Linux and run
> > > > > > > tpm2_pcrread I see the SHA1 bank active but not having
> > > > > > > received any PCR extensions from the firmware, which is
> > > > > > > not supposed to happen.
> > > > > >  
> > > > > > That's not entirely correct: the TCG firmware profile just
> > > > > > requires us to log through at least one bank; it doesn't
> > > > > > require that all active banks be logged.  I've got several
> > > > > > physical systems with three active banks but only one or
> > > > > > two measured through.
> > > > >    
> > > > > The problem with this is that you can then fake measured boot
> > > > > on that system using its unused SHA1 bank and extend into it
> > > > > whatever you want and create a fake log along with it and the
> > > > > quote is going to look alright.
> > > > 
> > > > I don't think you can.  The measured boot PCRs in unused banks
> > > > should always be their default values and the measurement
> > > > software should check for this.  So on a system that only uses
> > > > the sha256 bank, the sha1 bank PCR0-7 should be all zeros ...
> > > > if they aren't this should be a measurement failure.
> > > > 
> > > > That means that if you try to replace the sha256 agile log with
> > > > one containing fake sha1 entries, the attestation still fails
> > > > because the sha256 bank doesn't have default entries.
> > >  
> > > You can still pretend that your system only has an active SHA1
> > > bank and serve the fake log.
> >  
> > Which "You" can fake a TPM quote?  The whole design of the TPM
> > system is supposed to be that what goes into the TPM can't be
> > erased, only updated and we can get definitive proof of the values
> > using a quote.
>  
> What I meant is the admin runs TPM2_PCR_Extend on PCRs 0-7 of the
> unused sha1 bank and extends it with known good values and has a log
> that goes with it and presents these to a validator

Yes, I got all that.

>  along with the quote on the  sha1 bank.

The validator shouldn't accept that quote ... it should require a quote
covering all banks.  This is the point: you can't fake the quote and
the quote should cover all banks to assure you that unextended banks
really are.

> > You can fake the log to be sha1 only but you can't make it match
> > the quote that includes the sha256 banks.
> 
> Yes, that's right. The client must insist that the sha256 bank, and
> any other possible bank, is quoted so that the system cannot just
> pretend that it only has a XYZ [sha1] bank (unlikely for TPM 2),

Impossible per the TPM spec.

>  and that ABC banks [sha256] don't exist there, even though the SHA256
> matches the true log. A quote by itself doesn't quote all the banks.
> You have to select which banks to quote, and the client needs to have
> some control over that, it seems, to see for sure what the true
> firmware did.

Hey, I'm not going to disagree that the TPM system leaves many ways for
people to shoot themselves in the foot.  The only point I'm making is
that if you use it correctly (which I fully accept is somewhat complex)
you quote all banks and thus can't be tricked into accepting a fake log
through a bank unextended by firmware.

James



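The verifier-side check that Stefan's message (quote every bank, not just the one the log claims) and James's reply (unextended banks must still be at their default values) both describe, written out as an added, self-contained example. This is not code from the thread, from OVMF or from any TPM stack: the event log and the quote are simplified stand-ins (assumptions) for TCG_PCR_EVENT2 records and TPMS_QUOTE_INFO, the attestation-key signature check that a real verifier does first is omitted, the pcrDigest is modelled as a sha256 over the selected PCR values in bank/index order, and all PCR values and event data are constructed inline.

```python
import hashlib

PCR_COUNT = 8                                   # measured-boot PCRs 0-7 only
BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
ACTIVE = ("sha1", "sha256")                     # banks the constructed TPM has active
FULL = {b: list(range(PCR_COUNT)) for b in ACTIVE}

def initial_pcr(bank):
    # TPM 2.0 resets PCRs 0-16 to all zeros at TPM2_Startup (17-22 reset to ones, not modelled)
    return b"\x00" * BANKS[bank]().digest_size

def extend(bank, current, digest):
    # TPM2_PCR_Extend: new = H(old || digest) in the bank's own hash algorithm
    return BANKS[bank](current + digest).digest()

def make_event(pcr, data, banks):
    # Stand-in for a TCG_PCR_EVENT2 record: one digest per bank the firmware logged into
    return {"pcr": pcr, "digests": {b: BANKS[b](data).digest() for b in banks}}

def replay_log(log, bank):
    # Expected PCR values for one bank, replayed from the agile event log
    pcrs = [initial_pcr(bank)] * PCR_COUNT
    for ev in log:
        d = ev["digests"].get(bank)
        if d is not None:
            pcrs[ev["pcr"]] = extend(bank, pcrs[ev["pcr"]], d)
    return pcrs

def pcr_digest(selection, pcr_values):
    # Simplified mirror of pcrDigest in TPMS_QUOTE_INFO: hash of the selected PCR values
    # concatenated in selection order (assumes a sha256 signing scheme)
    h = hashlib.sha256()
    for bank in sorted(selection):
        for idx in sorted(selection[bank]):
            h.update(pcr_values[bank][idx])
    return h.digest()

def make_quote(selection, pcr_values):
    # The attestation-key signature is out of scope here; a real verifier checks it first
    return {"selection": selection, "pcr_digest": pcr_digest(selection, pcr_values)}

def verify(quote, pcr_values, active_banks, log):
    """pcr_values: what TPM2_PCR_Read returned for every active bank. Returns (ok, reason)."""
    # 1. The quote must cover PCRs 0-7 of *every* active bank; otherwise a bank the
    #    firmware never extended can be filled by hand and served with a matching fake log.
    for bank in active_banks:
        if set(quote["selection"].get(bank, ())) != set(range(PCR_COUNT)):
            return False, f"quote does not cover PCRs 0-{PCR_COUNT - 1} of active bank {bank}"
    # 2. The quoted digest must bind the PCR values we were handed.
    if quote["pcr_digest"] != pcr_digest(quote["selection"], pcr_values):
        return False, "pcr_digest does not match the PCR values"
    # 3. Banks the log measured into must replay exactly; every other active bank
    #    must still be at its reset value (the "default values" check).
    in_log = {b for ev in log for b in ev["digests"]}
    if not in_log & set(active_banks):
        return False, "log measures into no active bank"
    for bank in active_banks:
        actual = [pcr_values[bank][i] for i in range(PCR_COUNT)]
        if bank in in_log:
            if actual != replay_log(log, bank):
                return False, f"{bank} bank does not match the event log"
        elif actual != [initial_pcr(bank)] * PCR_COUNT:
            return False, f"{bank} bank was extended but is not in the log"
    return True, "ok"

# Constructed sample log: firmware measured through the sha256 bank only, as in the thread.
TRUE_LOG = [make_event(0, b"CRTM version", ["sha256"]),
            make_event(4, b"EV_EFI_BOOT_SERVICES_APPLICATION shim", ["sha256"]),
            make_event(7, b"SecureBoot enabled", ["sha256"])]

def firmware_boot(log):
    # Constructed firmware: PCR state after extending exactly what the log records
    return {b: replay_log(log, b) for b in ACTIVE}

def tampered_state():
    # Stefan's scenario: after boot the admin runs TPM2_PCR_Extend on the untouched sha1
    # bank with "known good" values and writes a sha1-only log that matches them.
    pcrs = firmware_boot(TRUE_LOG)
    fake_log = [make_event(0, b"known good CRTM", ["sha1"]),
                make_event(4, b"known good loader", ["sha1"])]
    for ev in fake_log:
        pcrs["sha1"][ev["pcr"]] = extend("sha1", pcrs["sha1"][ev["pcr"]], ev["digests"]["sha1"])
    return pcrs, fake_log

def scenario_honest():
    pcrs = firmware_boot(TRUE_LOG)
    return verify(make_quote(FULL, pcrs), pcrs, ACTIVE, TRUE_LOG)

def scenario_fake_log_sha1_quote():
    pcrs, fake_log = tampered_state()          # quote covers the sha1 bank only
    return verify(make_quote({"sha1": list(range(PCR_COUNT))}, pcrs), pcrs, ACTIVE, fake_log)

def scenario_fake_log_full_quote():
    pcrs, fake_log = tampered_state()          # quote covers both active banks
    return verify(make_quote(FULL, pcrs), pcrs, ACTIVE, fake_log)

if __name__ == "__main__":
    for s in (scenario_honest, scenario_fake_log_sha1_quote, scenario_fake_log_full_quote):
        print(f"{s.__name__:30s} {s()}")
```

Running the three scenarios shows the two sides of the argument: the sha1-only quote is rejected before any log replay because it leaves the active sha256 bank unquoted, and when the same tampered machine is forced to quote both banks the sha1 bank matches the fake log perfectly but the sha256 bank is non-zero with no log entries to explain it, so the attestation fails anyway. The honest boot passes only because its unlogged sha1 bank is still all zeros.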

* Re: [edk2-devel] [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 15:01                     ` James Bottomley
@ 2021-10-22 15:48                       ` Stefan Berger
  2021-10-22 16:50                         ` James Bottomley
  0 siblings, 1 reply; 27+ messages in thread
From: Stefan Berger @ 2021-10-22 15:48 UTC (permalink / raw)
  To: jejb, devel, Gerd Hoffmann
  Cc: Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh


On 10/22/21 11:01 AM, James Bottomley wrote:
> On Fri, 2021-10-22 at 10:52 -0400, Stefan Berger wrote:
>
>>   along with the quote on the  sha1 bank.
> The validator shouldn't accept that quote ... it should require a quote
> covering all banks.  This is the point: you can't fake the quote and
> the quote should cover all banks to assure you that unextended banks
> really are.

Unfortunately this seems to be flawed on the TPM2_Quote level...

    Stefan


* Re: [edk2-devel] [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
  2021-10-22 15:48                       ` Stefan Berger
@ 2021-10-22 16:50                         ` James Bottomley
  0 siblings, 0 replies; 27+ messages in thread
From: James Bottomley @ 2021-10-22 16:50 UTC (permalink / raw)
  To: Stefan Berger, devel, Gerd Hoffmann
  Cc: Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel,
	Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh

On Fri, 2021-10-22 at 11:48 -0400, Stefan Berger wrote:
> On 10/22/21 11:01 AM, James Bottomley wrote:
> > On Fri, 2021-10-22 at 10:52 -0400, Stefan Berger wrote:
> > 
> > >   along with the quote on the  sha1 bank.
> > The validator shouldn't accept that quote ... it should require a
> > quote covering all banks.  This is the point: you can't fake the
> > quote and the quote should cover all banks to assure you that
> > unextended banks really are.
> 
> Unfortunately this seems to be flawed on the TPM2_Quote level...

In what way?

James




end of thread

Thread overview: 27+ messages
2021-10-21 12:19 [PATCH 0/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
2021-10-21 12:20 ` [PATCH 1/4] OvmfPkg: move tcg configuration to dsc and fdf include files Gerd Hoffmann
2021-10-21 14:12   ` [edk2-devel] " Stefan Berger
2021-10-21 12:20 ` [PATCH 2/4] OvmfPkg: create Tcg2ConfigPeiCompat12.inf Gerd Hoffmann
2021-10-21 14:46   ` [edk2-devel] " Stefan Berger
2021-10-22  6:31     ` Gerd Hoffmann
2021-10-22 13:29       ` Stefan Berger
2021-10-21 12:20 ` [PATCH 3/4] OvmfPkg: rework TPM configuration Gerd Hoffmann
2021-10-21 15:44   ` Stefan Berger
2021-10-22  6:30     ` Gerd Hoffmann
2021-10-21 12:20 ` [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option Gerd Hoffmann
2021-10-21 13:24   ` Stefan Berger
2021-10-22  6:39     ` Gerd Hoffmann
2021-10-22 10:50       ` Stefan Berger
2021-10-22 11:37         ` Gerd Hoffmann
2021-10-22 11:49         ` James Bottomley
2021-10-22 11:57           ` Stefan Berger
2021-10-22 12:40             ` James Bottomley
2021-10-22 13:13               ` Stefan Berger
2021-10-22 14:17                 ` James Bottomley
2021-10-22 14:52                   ` [edk2-devel] " Stefan Berger
2021-10-22 15:01                     ` James Bottomley
2021-10-22 15:48                       ` Stefan Berger
2021-10-22 16:50                         ` James Bottomley
2021-10-21 16:13 ` [PATCH 0/4] OvmfPkg: rework TPM configuration Stefan Berger
2021-10-22  7:01   ` Gerd Hoffmann
2021-10-22 10:46     ` [edk2-devel] " Stefan Berger
