From: Laszlo Ersek
To: marcandre.lureau@redhat.com, edk2-devel@lists.01.org
Cc: pjones@redhat.com, jiewen.yao@intel.com, stefanb@linux.vnet.ibm.com, qemu-devel@nongnu.org, javierm@redhat.com
Subject: Re: [PATCH v3 7/7] OvmfPkg: plug DxeTpm2MeasureBootLib into SecurityStubDxe
Date: Fri, 9 Mar 2018 17:51:26 +0100
Message-ID: <4f6e9d19-0f11-4132-c9a2-7ad96597e35d@redhat.com>
In-Reply-To: <20180309130918.734-8-marcandre.lureau@redhat.com>
References: <20180309130918.734-1-marcandre.lureau@redhat.com> <20180309130918.734-8-marcandre.lureau@redhat.com>
List-Id: EDK II Development

On 03/09/18 14:09, marcandre.lureau@redhat.com wrote:
> From: Marc-André Lureau
>
> The library registers a security management handler, to measure images
> that are not measured in PEI phase. For example with the qemu PXE rom:
>
> Loading driver at 0x0003E6C2000 EntryPoint=0x0003E6C9076 8086100e.efi
>
> And the following binary_bios_measurements log entry seems to be
> added:
>
> PCR: 2 type: EV_EFI_BOOT_SERVICES_DRIVER size: 0x4e digest: 70a22475e9f18806d2ed9193b48d80d26779d9a4
>
> The following order of operations ensures that 3rd party UEFI modules,
> such as PCI option ROMs and other modules possibly loaded from outside
> of firmware volumes, are measured into the TPM:
>
> (1) Tcg2Dxe is included in DXEFV, therefore it produces the TCG2
>     protocol sometime in the DXE phase (assuming a TPM2 chip is present,
>     reported via PcdTpmInstanceGuid).
>
> (2) The DXE core finds that no more drivers are left to dispatch from
>     DXEFV, and we enter the BDS phase.
>
> (3) OVMF's PlatformBootManagerLib connects all PCI root bridges
>     non-recursively, producing PciIo instances and discovering PCI
>     oproms.
>
> (4) The dispatching of images that don't originate from FVs is deferred
>     at this point, by
>     "MdeModulePkg/Universal/SecurityStubDxe/Defer3rdPartyImageLoad.c".
>
> (5) OVMF's PlatformBootManagerLib signals EndOfDxe.
>
> (6) OVMF's PlatformBootManagerLib calls
>     EfiBootManagerDispatchDeferredImages() -- the images deferred in
>     step (4) are now dispatched.
>
> (7) Image dispatch invokes the Security / Security2 Arch protocols
>     (produced by SecurityStubDxe). In this patch, we hook
>     DxeTpm2MeasureBootLib into SecurityStubDxe, therefore image dispatch
>     will try to locate the TCG2 protocol, and measure the image into the
>     TPM2 chip with the protocol. Because of step (1), the TCG2 protocol
>     will always be found and used (assuming a TPM2 chip is present).
>
> Cc: Laszlo Ersek
> Cc: Stefan Berger
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Marc-André Lureau > --- > OvmfPkg/OvmfPkgIa32.dsc | 3 +++ > OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++ > OvmfPkg/OvmfPkgX64.dsc | 3 +++ > 3 files changed, 9 insertions(+) > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index f80fb50d4a38..92c8c560a067 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -644,6 +644,9 @@ [Components] > > !if $(SECURE_BOOT_ENABLE) == TRUE > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > +!endif > +!if $(TPM2_ENABLE) == TRUE > + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf > !endif > } > > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index bc48b5b63c7a..6ecaa795b288 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -653,6 +653,9 @@ [Components.X64] > > !if $(SECURE_BOOT_ENABLE) == TRUE > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > +!endif > +!if $(TPM2_ENABLE) == TRUE > + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf > !endif > } > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index e89de093d6a2..c98a3657c6f6 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -651,6 +651,9 @@ [Components] > > !if $(SECURE_BOOT_ENABLE) == TRUE > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > +!endif > +!if $(TPM2_ENABLE) == TRUE > + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf > !endif > } > > Reviewed-by: Laszlo Ersek
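Review bot: in the OvmfPkgIa32.dsc hunk, the commit message's ordering argument (steps 1 and 7) only covers a TPM2_ENABLE build where a TPM2 chip is actually present, yet the hunk links DxeTpm2MeasureBootLib whenever `!if $(TPM2_ENABLE) == TRUE` holds; the message should also state what the new security handler does for the deferred images when no TCG2 protocol can be located (dispatch proceeds unmeasured, or dispatch fails), since that is the behaviour a TPM2_ENABLE firmware will exhibit on a VM without a TPM2 device.

Review bot: the OvmfPkgIa32X64.dsc hunk lands under `[Components.X64]` only, while the other two DSCs patch `[Components]`; that is consistent with DXE being X64 in the Ia32X64 build, but confirm SecurityStubDxe is not also listed in an IA32 components section of this DSC, otherwise the same `!if $(TPM2_ENABLE) == TRUE` block would need to be mirrored there.

Review bot: a style point on the OvmfPkgX64.dsc hunk, which is byte-for-byte identical to the other two: closing the `SECURE_BOOT_ENABLE` block with `!endif` and opening a separate `!if $(TPM2_ENABLE) == TRUE` block, rather than nesting one inside the other, keeps the DxeImageVerificationLib and DxeTpm2MeasureBootLib NULL instances independently selectable, which is the right shape; since the three DSCs are kept in lockstep by hand (3 insertions each per the diffstat), a one-line remark in the commit message that all three are intentionally changed identically would help whoever later touches only one of them.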