From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web08.11448.1631290512869422485 for ; Fri, 10 Sep 2021 09:15:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@ibm.com header.s=pp1 header.b=n8lrAab7; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 18AG3twG005955; Fri, 10 Sep 2021 12:15:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : in-reply-to : content-type : content-transfer-encoding : mime-version; s=pp1; bh=Z11xB2RilqT5+J9FX37+fHU+MHQPrsKC64cPiOu06tk=; b=n8lrAab7TB5wVFbvC5E0aFsKgVLMRr4h/7hbHLfhM6nvwd/1sg3uUiJstG6cQDmhCCti /X1pEXpGd7iPcLDovL6DGQdK2e+euF3gT5aHVcywZP73/HVWfhg/N4qq/K6DD969gSNG Q1Y7n2pStrPjPuQmK94oBCo8gcCm9hsNSdRIfx5XKOh/0KzcBHzmVgB2+IvZIiiM48D9 9jQYfEkUJudvoTOtArBvzqs5zP41Jh/kaWDfGeXzLG9xMUgiU5s8NUCSdUVYtguUWf1l bmpwCOPH648LfFlkj9nsngWMGmlQSGMKW2oY+7wiYO00TnD4Sai1HXmN595Z2YJa+5wP ew== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3b03w6hkhy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Sep 2021 12:15:12 -0400 Received: from m0098399.ppops.net (m0098399.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 18AG5FYD013042; Fri, 10 Sep 2021 12:15:11 -0400 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 3b03w6hkhg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Sep 2021 12:15:11 -0400 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 18AG8J5G019986; Fri, 10 Sep 2021 16:15:10 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma01dal.us.ibm.com with ESMTP id 3axcnsamam-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Sep 2021 16:15:09 +0000 Received: from b01ledav003.gho.pok.ibm.com (b01ledav003.gho.pok.ibm.com [9.57.199.108]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 18AGF8xO32899500 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 10 Sep 2021 16:15:08 GMT Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 208B0B2074; Fri, 10 Sep 2021 16:15:08 +0000 (GMT) Received: from b01ledav003.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 167ABB2068; Fri, 10 Sep 2021 16:15:08 +0000 (GMT) Received: from [9.47.158.152] (unknown [9.47.158.152]) by b01ledav003.gho.pok.ibm.com (Postfix) with ESMTP; Fri, 10 Sep 2021 16:15:08 +0000 (GMT) Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy To: "Yao, Jiewen" , "devel@edk2.groups.io" , "stefanb@linux.vnet.ibm.com" Cc: "mhaeuser@posteo.de" , "spbrogan@outlook.com" , "marcandre.lureau@redhat.com" , "kraxel@redhat.com" References: <20210909173538.2380673-1-stefanb@linux.vnet.ibm.com> <187817cf-5490-7563-077f-a4ff420a8c8f@linux.ibm.com> From: "Stefan Berger" Message-ID: <4b89dbef-f86b-31c6-aec6-8ae619e3dafe@linux.ibm.com> Date: Fri, 10 Sep 2021 12:15:07 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-GUID: dUi3fMn5BED61bWvsoxhiRL27jjXoUSF X-Proofpoint-ORIG-GUID: zHwxZzEL9LF7NOrqd6AZMA3es4KjWq6I X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.790 definitions=2021-09-10_06:2021-09-09,2021-09-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 impostorscore=0 malwarescore=0 priorityscore=1501 spamscore=0 phishscore=0 suspectscore=0 lowpriorityscore=0 bulkscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001 definitions=main-2109100093 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-001b2d01.pphosted.com id 18AG3twG005955 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 9/10/21 11:32 AM, Yao, Jiewen wrote: > According to the security policy, PP request must be processed before E= ndOfDxe. > > May I know when you trigger PP request? OVMF has 3 implementations invoking it in PlatformBootManagerAfterConsole= (): https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo= tManagerLib/BdsPlatform.c#L1517 https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo= tManagerLibBhyve/BdsPlatform.c#L1451 https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo= tManagerLibGrub/BdsPlatform.c#L1316 =C2=A0 Stefan > > Thank you > Yao Jiewen > >> -----Original Message----- >> From: Stefan Berger >> Sent: Friday, September 10, 2021 10:25 PM >> To: devel@edk2.groups.io; stefanb@linux.vnet.ibm.com >> Cc: mhaeuser@posteo.de; spbrogan@outlook.com; >> marcandre.lureau@redhat.com; kraxel@redhat.com; Yao, Jiewen >> >> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platfo= rm >> hierarchy >> >> >> On 9/9/21 1:35 PM, Stefan Berger wrote: >>> This series imports code from the edk2-platforms project related to >>> disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf >>> aspects of the following bugs: >>> >>> https://bugzilla.tianocore.org/show_bug.cgi?id=3D3510 >>> https://bugzilla.tianocore.org/show_bug.cgi?id=3D3499 >>> >>> I have patched the .dsc files and successfully test-built with most o= f >>> them. Some I could not build because they failed for other reasons >>> unrelated to this series. >>> >>> I tested the changes with QEMU on x86 following the build of >>> OvmfPkgX64.dsc. >>> >>> Neither one of the following commands should work anymore on first >>> try when run on Linux: >>> >>> With IBM tss2 tools: >>> tsshierarchychangeauth -hi p -pwdn newpass >>> >>> With Intel tss2 tools: >>> tpm2_changeauth -c platform newpass >> >> While disabling the platform hierarchy works, the unfortunate problem = is >> now that the signal to disable the TPM 2 platform hierarchy is receive= d >> before handling the physical presence interface (PPI) opcodes, which i= s >> bad because some of the opcodes will not go through. The question now = is >> what is wrong? Are the PPI opcodes handled too late or the signal is >> sent to early or is it the wrong signal? >> >> Event =3D EfiCreateProtocolNotifyEvent ( >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 &= gEfiDxeSmmReadyToLockProtocolGuid, >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 T= PL_CALLBACK, >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 S= mmReadyToLockEventCallBack, >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 N= ULL, >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 &= Registration >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 )= ; >> >> =C2=A0=C2=A0 Stefan >> >>> Regards, >>> Stefan >>> >>> v7: >>> - Ditched ARM support in this series >>> - Using Tcg2PlatformDxe and Tcg2PlaformPei from edk2-platforms now >>> and revised most of the patches >>> >>> v6: >>> - Removed unnecessary entries in .dsc files >>> - Added support for S3 resume failure case >>> - Assigned unique FILE_GUID to NULL implementation >>> >>> v5: >>> - Modified patch 1 copies the code from edk2-platforms >>> - Modified patch 2 fixes bugs in the code >>> - Modified patch 4 introduces required PCD >>> >>> v4: >>> - Fixed and simplified code imported from edk2-platforms >>> >>> v3: >>> - Referencing Null implementation on Bhyve and Xen platforms >>> - Add support in Arm >>> >>> >>> Stefan Berger (9): >>> SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from >>> edk2-platforms >>> SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyL= ib >>> SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms >>> SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable >>> SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy >>> OvmfPkg: Reference new Tcg2PlatformDxe in the build system for >>> compilation >>> SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms >>> SecurityPkg/Tcg: Make Tcg2PlatformPei buildable >>> OvmfPkg: Reference new Tcg2PlatformPei in the build system >>> >>> OvmfPkg/AmdSev/AmdSevX64.dsc | 8 + >>> OvmfPkg/AmdSev/AmdSevX64.fdf | 2 + >>> OvmfPkg/OvmfPkgIa32.dsc | 8 + >>> OvmfPkg/OvmfPkgIa32.fdf | 2 + >>> OvmfPkg/OvmfPkgIa32X64.dsc | 8 + >>> OvmfPkg/OvmfPkgIa32X64.fdf | 2 + >>> OvmfPkg/OvmfPkgX64.dsc | 8 + >>> OvmfPkg/OvmfPkgX64.fdf | 2 + >>> .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ >>> .../PeiDxeTpmPlatformHierarchyLib.c | 255 ++++++++++++++= ++++ >>> .../PeiDxeTpmPlatformHierarchyLib.inf | 44 +++ >>> SecurityPkg/SecurityPkg.dec | 6 + >>> .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 ++++++ >>> .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 43 +++ >>> .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++ >>> .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 51 ++++ >>> 16 files changed, 658 insertions(+) >>> create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarch= yLib.h >>> create mode 100644 >> SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHie= rar >> chyLib.c >>> create mode 100644 >> SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHie= rar >> chyLib.inf >>> create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe= .c >>> create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe= .inf >>> create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei= .c >>> create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei= .inf >>>