Subject: Re: [PATCH 0/4] OvmfPkg: rework TPM configuration.
To: Gerd Hoffmann, devel@edk2.groups.io
Cc: James Bottomley, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh
References: <20211021122003.2008499-1-kraxel@redhat.com>
From: "Stefan Berger"
Message-ID: <7052ea1f-8bed-f556-8882-685718c91195@linux.ibm.com>
Date: Thu, 21 Oct 2021 12:13:51 -0400
In-Reply-To: <20211021122003.2008499-1-kraxel@redhat.com>

A few more comments to this series:

- Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where there should not be a TPM 2 menu entry? It's worth considering dropping this option because a user does need to have control over certain aspects of the TPM 2 configuration. Most of this control may be reachable via the physical presence interface (PPI) inside the VM where root can write codes into the /sys/devices/.../ppi/request file to achieve similar outcomes, but it's really low level and I wouldn't know how to do this if on Windows for example or maybe BSD or other OSes running inside the VM.
- Should it be possible to enable TPM 1.2 independent of TPM 2? For me it's fine as-is since TPM 2 is mostly used these days...
- I would drop patch 4 if it means that an active SHA1 bank doesn't get PCR extensions (haven't tested yet). swtpm_setup currently sets up a swtpm with active SHA1 and SHA256 PCR banks ( https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65 ). We can change this for swtpm v0.7.0 to only activate the SHA256 bank, if that's what is needed here. However, this doesn't prevent a user from activating the SHA1 PCR bank either via PPI 'request' file or UEFI TPM menu and when it is active it must get PCR extensions.
- Since TPM 1.2 is still supported we need to add a TPM menu for it as well using this patch here. I would put this under the TPM1_ENABLE config option since having TPM 1.2 support without a menu is quite useless. I can send a patch for this once this series has gone through.

diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc=20 b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc index 6806eb245e..43acd2c755 100644 --- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc @@ -22,6 +22,7 @@ =C2=A0=C2=A0=C2=A0=C2=A0 Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.= inf =C2=A0=C2=A0 } +=C2=A0 SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf^M =C2=A0!endif =C2=A0=C2=A0 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { =C2=A0=C2=A0=C2=A0=C2=A0 diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc index fa74972678..d22e069af0 100644 --- a/OvmfPkg/OvmfTpmDxe.fdf.inc +++ b/OvmfPkg/OvmfTpmDxe.fdf.inc 
@@ -5,6 +5,7 @@ =C2=A0!if $(TPM2_ENABLE) =3D=3D TRUE =C2=A0!if $(TPM1_ENABLE) =3D=3D TRUE =C2=A0INF=C2=A0 SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +INF=C2=A0 SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf^M =C2=A0!endif =C2=A0INF=C2=A0 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf =C2=A0INF=C2=A0 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf =C2=A0=C2=A0

   Stefan

On 10/21/21 8:19 AM, Gerd Hoffmann wrote:
> Allows to enable/disable TPM 1.2 support in OVMF.
> Allows to enable SHA-1 support for TPM hashing.
>
> Gerd Hoffmann (4):
>   OvmfPkg: move tcg configuration to dsc and fdf include files
>   OvmfPkg: create Tcg2ConfigPeiCompat12.inf
>   OvmfPkg: rework TPM configuration
>   OvmfPkg: add TPM2_SHA1_ENABLE build option
>
>  OvmfPkg/OvmfTpmComponentsDxe.dsc.inc           | 32 +++++++
>  OvmfPkg/OvmfTpmComponentsPei.dsc.inc           | 28 ++++++
>  OvmfPkg/OvmfTpmDefines.dsc.inc                 | 10 +++
>  OvmfPkg/OvmfTpmLibs.dsc.inc                    | 16 ++++
>  OvmfPkg/OvmfTpmLibsDxe.dsc.inc                 | 10 +++
>  OvmfPkg/OvmfTpmLibsPeim.dsc.inc                | 11 +++
>  OvmfPkg/OvmfTpmPcds.dsc.inc                    |  7 ++
>  OvmfPkg/OvmfTpmPcdsHii.dsc.inc                 |  8 ++
>  OvmfPkg/OvmfTpmSecurityStub.dsc.inc            | 10 +++
>  OvmfPkg/AmdSev/AmdSevX64.dsc                   | 85 +++--------------
>  OvmfPkg/OvmfPkgIa32.dsc                        | 88 +++----------------
>  OvmfPkg/OvmfPkgIa32X64.dsc                     | 85 +++--------------
>  OvmfPkg/OvmfPkgX64.dsc                         | 85 +++--------------
>  OvmfPkg/AmdSev/AmdSevX64.fdf                   | 17 +---
>  OvmfPkg/OvmfPkgIa32.fdf                        | 17 +---
>  OvmfPkg/OvmfPkgIa32X64.fdf                     | 17 +---
>  OvmfPkg/OvmfPkgX64.fdf                         | 17 +---
>  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf       |  9 --
>  ...onfigPei.inf => Tcg2ConfigPeiCompat12.inf}  |  9 +-
>  OvmfPkg/OvmfTpmDxe.fdf.inc                     | 14 +++
>  OvmfPkg/OvmfTpmPei.fdf.inc                     | 15 ++++
>  .../.azurepipelines/Ubuntu-GCC5.yml            |  6 +-
>  .../.azurepipelines/Windows-VS2019.yml         |  6 +-
>  OvmfPkg/PlatformCI/ReadMe.md                   |  2 +-
>  24 files changed, 221 insertions(+), 383 deletions(-)
>  create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
>  create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
>  copy OvmfPkg/Tcg/Tcg2Config/{Tcg2ConfigPei.inf => Tcg2ConfigPeiCompat12.inf} (84%)
>  create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
>  create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc
>
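
Review bot: In the OvmfPkg/OvmfTpmComponentsDxe.dsc.inc hunk, the new SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf entry is listed bare, while the component directly above it closes a per-module override block that maps Tpm12DeviceLib to Tpm12DeviceLibDTpm.inf. If TcgConfigDxe consumes Tpm12DeviceLib it needs the same override (or a platform-wide mapping) for the library class to resolve, so please confirm which applies and add the { ... } block if it is required. The added line also ends in a literal ^M while the context lines carry non-breaking spaces in place of their leading whitespace, so the patch as mailed is unlikely to apply cleanly; resending it with git send-email or as an attachment would avoid the mail-client mangling.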
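
Review bot: In the OvmfPkg/OvmfTpmDxe.fdf.inc hunk, the added INF line for TcgConfigDxe.inf sits inside the !if $(TPM1_ENABLE) block, which is itself nested inside the !if $(TPM2_ENABLE) block, so the TPM 1.2 menu is only packaged into the firmware volume when TPM 2 is enabled as well. That follows the existing nesting around TcgDxe.inf, but the dependency should be stated in the commit message, and the condition here has to stay identical to the one guarding the matching entry in OvmfTpmComponentsDxe.dsc.inc so that the module is never packaged by the FDF without also being built by the DSC.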