From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web11.6595.1634899593146158491
 for <devel@edk2.groups.io>;
 Fri, 22 Oct 2021 03:46:33 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@ibm.com header.s=pp1 header.b=fTw/6YQe;
 spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: stefanb@linux.ibm.com)
Received: from pps.filterd (m0098394.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 19M8LZ8D031535;
	Fri, 22 Oct 2021 06:46:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc :
 references : from : message-id : date : in-reply-to : content-type :
 content-transfer-encoding : mime-version; s=pp1;
 bh=P4/yTGRe58XCXQMbT1yhAQtpQPm+bp1/6Voo7hSk+wc=;
 b=fTw/6YQeV+ctJr+ndbrnoh/FBLr9w/dZ3nWtP74IG/+Jc0soBU3Hlb/HrhfOJawziUOh
 z0tIlnX2gAOnfaw2gYFCEIaYo1lt1cNWxr5k5jtDEDqacYTCrTX1pX1O3pXjltnuxZTD
 6YAzsZNSW4FXFYMg5ZCwCc6vWkH/g1rdy/Oo1mNsENUh9jgQ4SN2GTArlG9t/9fuGaL4
 +ikV7RZuv6RLixBGopwywMdMtU9XJ9yDHgq1An7aL4vwj0WzvkD6srp9+xBW9ThxSjDr
 2kfMXvecua5q59efULIfdztd+GOMsB8ef3yg+Ururi+dpVizo4XQgWHxrxbd5kc+hrTk Sg== 
Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3bubku2tjv-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Fri, 22 Oct 2021 06:46:30 -0400
Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 19MAbxUi019689;
	Fri, 22 Oct 2021 06:46:29 -0400
Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com [169.63.121.186])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3bubku2tjh-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Fri, 22 Oct 2021 06:46:29 -0400
Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1])
	by ppma03wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 19MAiBQl021549;
	Fri, 22 Oct 2021 10:46:28 GMT
Received: from b03cxnp07028.gho.boulder.ibm.com (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15])
	by ppma03wdc.us.ibm.com with ESMTP id 3bt4stjeuq-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Fri, 22 Oct 2021 10:46:28 +0000
Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 19MAkR3W27853352
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Fri, 22 Oct 2021 10:46:27 GMT
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 77FA278068;
	Fri, 22 Oct 2021 10:46:27 +0000 (GMT)
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 6167878060;
	Fri, 22 Oct 2021 10:46:26 +0000 (GMT)
Received: from [9.47.158.152] (unknown [9.47.158.152])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Fri, 22 Oct 2021 10:46:26 +0000 (GMT)
Subject: Re: [edk2-devel] [PATCH 0/4] OvmfPkg: rework TPM configuration.
To: devel@edk2.groups.io, kraxel@redhat.com
Cc: James Bottomley <jejb@linux.ibm.com>, Min Xu <min.m.xu@intel.com>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Erdem Aktas <erdemaktas@google.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        =?UTF-8?Q?Marc-Andr=c3=a9_Lureau?= <marcandre.lureau@redhat.com>,
        Jiewen Yao <jiewen.yao@intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>
References: <20211021122003.2008499-1-kraxel@redhat.com>
 <7052ea1f-8bed-f556-8882-685718c91195@linux.ibm.com>
 <20211022070137.jn5nngecb6hbptvd@sirius.home.kraxel.org>
From: "Stefan Berger" <stefanb@linux.ibm.com>
Message-ID: <5b590f3f-9e02-806e-39e9-12821225820c@linux.ibm.com>
Date: Fri, 22 Oct 2021 06:46:25 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
In-Reply-To: <20211022070137.jn5nngecb6hbptvd@sirius.home.kraxel.org>
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: DJXTleu4OWnAiVCVZurbqYhA1ewuo1wE
X-Proofpoint-GUID: LZ8awKnxg-oRSku3XvSSxHDBbW-V6HTh
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475
 definitions=2021-10-22_03,2021-10-21_02,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 impostorscore=0
 mlxscore=0 phishscore=0 bulkscore=0 lowpriorityscore=0 malwarescore=0
 adultscore=0 clxscore=1015 priorityscore=1501 suspectscore=0
 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2109230001 definitions=main-2110220058
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit


On 10/22/21 3:01 AM, Gerd Hoffmann wrote:
> On Thu, Oct 21, 2021 at 12:13:51PM -0400, Stefan Berger wrote:
>> A few more comments to this series:
>>
>> - Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where
>> there should not be a TPM 2 menu entry? It's worth considering dropping this
>> option because a user does need to have control over certain aspects of the
>> TPM 2 configuration.
> I happily drop the option if it doesn't make sense.  I've already
> wondered why it is there but assumed there is some valid reason for
> it and left it as-is.

I think we should drop it.


>> - I would drop patch 4 if it means that an active SHA1 bank doesn't get PCR
>> extensions (haven't tested yet). swtpm_setup currently sets up a swtpm with
>> active SHA1 and SHA256 PCR banks ( https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65
>> ). We can change this for swtpm v0.7.0 to only activate the SHA256 bank, if
>> that's what is needed here. However, this doesn't prevent a user to activate
>> the SHA1 PCR bank either via PPI 'request' file or UEFI TPM menu and when it
>> is active it must get PCR extensions.
> With SHA1 being considered broken we want avoid SHA1 being used.
> Ideally by removing support it altogether.  In case this is not possible
> for backward compatibility reasons at least have it disabled by default.
>
> So swtpm_setup not enabling the SHA1 bank by default is certainly a good
> idea and a move into the right direction (independent from the patch #4
> discussion).

I will change this then for swtpm v0.7.0. Just in time... I wanted to 
make the release today but I'll delay that a bit then.


>
> Didn't do much testing yet to see whenever removing SHA1 support
> altogether trips up operating systems.
>
>> - Since TPM 1.2 is still supported we need to add a TPM menu for it as well
>> using this patch here. I would put this under the TPM1_ENABLE config option
>> since having TPM 1.2 support without a menu is quite useless. I can send a
>> patch for this once this series has gone through.
> I can pick this up for v2 if you don't mind.

Yes, please!


>
> take care,
>    Gerd
>
>
>
> 
>
>