From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
"marcandre.lureau@redhat.com" <marcandre.lureau@redhat.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "javierm@redhat.com" <javierm@redhat.com>,
"pjones@redhat.com" <pjones@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [PATCH v2 8/8] ovmf: add DxeTpm2MeasureBootLib
Date: Fri, 9 Mar 2018 00:47:58 +0000 [thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503AAEF06A@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503AAEEFF3@shsmsx102.ccr.corp.intel.com>
Besides the comment below, I should have used the example in OvmfPkg.
Please refer to https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
The EfiBootManagerDispatchDeferredImages() API call is added just after gEfiDxeSmmReadyToLockProtocolGuid.
So I don’t see any problem in OVMF pkg.
Thank you
Yao Jiewen
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Yao,
> Jiewen
> Sent: Friday, March 9, 2018 8:39 AM
> To: Laszlo Ersek <lersek@redhat.com>; marcandre.lureau@redhat.com;
> edk2-devel@lists.01.org
> Cc: javierm@redhat.com; pjones@redhat.com; qemu-devel@nongnu.org
> Subject: Re: [edk2] [PATCH v2 8/8] ovmf: add DxeTpm2MeasureBootLib
>
> Very good question.
> Comment below:
>
> > -----Original Message-----
> > From: Laszlo Ersek [mailto:lersek@redhat.com]
> > Sent: Friday, March 9, 2018 3:54 AM
> > To: marcandre.lureau@redhat.com; edk2-devel@lists.01.org; Yao, Jiewen
> > <jiewen.yao@intel.com>
> > Cc: pjones@redhat.com; stefanb@linux.vnet.ibm.com;
> > qemu-devel@nongnu.org; javierm@redhat.com
> > Subject: Re: [PATCH v2 8/8] ovmf: add DxeTpm2MeasureBootLib
> >
> > (Jiewen, below I have a question for you as well; please help with that.)
> >
> > On 03/07/18 16:57, marcandre.lureau@redhat.com wrote:
> > > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> > >
> > > The library registers a security management handler, to measure images
> > > that are not measure in PEI phase.
> > >
> > > This seems to work for example with the qemu PXE rom:
> > >
> > > Loading driver at 0x0003E6C2000 EntryPoint=0x0003E6C9076 8086100e.efi
> > >
> > > And the following binary_bios_measurements log entry seems to be
> > > added:
> > >
> > > PCR: 2 type: EV_EFI_BOOT_SERVICES_DRIVER size: 0x4e digest:
> > 70a22475e9f18806d2ed9193b48d80d26779d9a4
> > >
> > > Cc: Laszlo Ersek <lersek@redhat.com>
> > > Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>
> > > Contributed-under: TianoCore Contribution Agreement 1.0
> > > Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> > > ---
> > > OvmfPkg/OvmfPkgX64.dsc | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> > > index 7753852144fb..9db1712e3623 100644
> > > --- a/OvmfPkg/OvmfPkgX64.dsc
> > > +++ b/OvmfPkg/OvmfPkgX64.dsc
> > > @@ -662,6 +662,9 @@ [Components]
> > > <LibraryClasses>
> > > !if $(SECURE_BOOT_ENABLE) == TRUE
> > >
> >
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> > > +!endif
> > > +!if $(TPM2_ENABLE) == TRUE
> > > +
> >
> NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.i
> > nf
> > > !endif
> > > }
> > >
> > >
> >
> > (1) Marc-André, please change the subject line to:
> >
> > OvmfPkg: plug DxeTpm2MeasureBootLib into SecurityStubDxe
> >
> >
> > (2) I have a question for Jiewen:
> >
> > DxeTpm2MeasureBootLib consumes the TCG2 protocol, but it does not depend
> > on it with a DEPEX. Instead, DxeTpm2MeasureBootHandler() tries to locate
> > the protocol on every invocation.
> [Jiewen] Yes.
>
> > This means that SecurityStubDxe may produce the Security and Security2
> > Architectural Protocols before measurements into the TPM2 device are
> > possible.
> [Jiewen] Yes.
>
> > Therefore, UEFI_DRIVER modules (which depend on all of the
> > Arch protocols) may be started before they can be measured into the TPM.
> >
> > Now, this is likely no problem for UEFI_DRIVER modules that are built
> > into the firmware volume(s), because those are measured by Tcg2Pei
> > anyway.
> [Jiewen] That is TRUE.
>
> However, it would be a problem for UEFI_DRIVER modules / apps
> > that come from external media (disk, network, PCI oprom, etc).
> [Jiewen] By design, the 3rd part module should not be invoked before EndOfDxe.
> All Arch Protocol Ready is not strong enough. :-)
> Please refer to
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/Sec
> urityStubDxe/Defer3rdPartyImageLoad.c
>
> If a non-FV image is loaded before EndOfDxe, it will be queued into
> mDeferred3rdPartyImage.
>
> We also added EfiBootManagerDispatchDeferredImages() API in
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Include/Librar
> y/UefiBootManagerLib.h and implemented in
> https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Library/UefiB
> ootManagerLib/BmMisc.c
> A platform must call EfiBootManagerDispatchDeferredImages(), if the platform
> supports PCI OROM.
>
> You can find the sample code in
> https://github.com/tianocore/edk2-platforms/blob/devel-MinPlatform/Platform
> /Intel/MinPlatformPkg/Bds/Library/DxePlatformBootManagerLib/BdsPlatform.c
>
>
>
> > However, such are loaded only in the BDS phase, and BDS is only entered
> > after all of the DXE drivers are dispatched from the firmware volumes.
> > In other words, the ordering between Tcg2Dxe and external UEFI_DRIVER /
> > UEFI_APPLICATION modules is ensured that Tcg2Dxe will be dispatched in
> > the DXE phase, while the latter will only be loaded in BDS.
> >
> > Is this intentional? Is my understanding correct?
>
> [Jiewen] Right. The only assumption is: Tcg2Dxe is included in the firmware
> volume and it is dispatched before EndOfDxe.
>
>
>
> >
> > (3) If that's the case, then Marc-André, please add the following to the
> > commit message:
> >
> > --------
> > Hooking DxeTpm2MeasureBootLib into SecurityStubDxe ensures that the
> > Security and Security2 Arch protocols will entail, by the time of
> > entering the BDS phase, the measuring of UEFI binaries into the TPM.
> > Thus, external UEFI_DRIVER and UEFI_APPLICATION modules (which are
> > loaded in the BDS phase, from disk, network, PCI oprom, etc) will be
> > measured.
> >
> > Drivers dispatched in the DXE phase before Tcg2Dxe will not be measured
> > individually; however such drivers come from the firmware volume(s), and
> > those are measured in the PEI phase by Tcg2Pei.
> > --------
> >
> > Thanks!
> > Laszlo
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
next prev parent reply other threads:[~2018-03-09 0:41 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-07 15:57 [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support marcandre.lureau
2018-03-07 15:57 ` [PATCH v2 1/8] SecurityPkg: also clear HashInterfaceHob.SupportedHashMask marcandre.lureau
2018-03-08 0:35 ` Zhang, Chao B
2018-03-08 0:48 ` Zeng, Star
2018-03-08 11:40 ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 2/8] SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex marcandre.lureau
2018-03-07 16:04 ` Yao, Jiewen
2018-03-08 0:36 ` Zhang, Chao B
2018-03-09 13:05 ` Marc-André Lureau
2018-03-09 15:05 ` Laszlo Ersek
2018-03-08 11:41 ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 3/8] MdeModulePkg: fix REGISITER -> REGISTER marcandre.lureau
2018-03-08 11:59 ` Laszlo Ersek
2018-03-08 12:08 ` Zeng, Star
2018-03-07 15:57 ` [PATCH v2 4/8] ovmf: simplify SecurityStubDxe.inf inclusion marcandre.lureau
2018-03-08 16:35 ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 5/8] ovmf: add OvmfPkg Tcg2ConfigPei module marcandre.lureau
2018-03-08 17:46 ` Laszlo Ersek
2018-03-08 18:10 ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 6/8] ovmf: link with Tcg2Pei module marcandre.lureau
2018-03-08 18:20 ` Laszlo Ersek
2018-03-08 18:33 ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 7/8] ovmf: link with Tcg2Dxe module marcandre.lureau
2018-03-08 19:14 ` Laszlo Ersek
2018-03-07 15:57 ` [PATCH v2 8/8] ovmf: add DxeTpm2MeasureBootLib marcandre.lureau
2018-03-08 19:54 ` Laszlo Ersek
2018-03-08 19:56 ` Laszlo Ersek
2018-03-09 0:39 ` Yao, Jiewen
2018-03-09 0:47 ` Yao, Jiewen [this message]
2018-03-09 10:26 ` Laszlo Ersek
2018-03-09 11:37 ` Yao, Jiewen
2018-03-08 12:31 ` [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support Shi, Steven
2018-03-08 13:59 ` Marc-André Lureau
2018-03-09 3:03 ` Shi, Steven
2018-03-09 13:54 ` Stefan Berger
2018-03-12 5:00 ` Shi, Steven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74D8A39837DF1E4DA445A8C0B3885C503AAEF06A@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox