From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web12.30856.1631544678372929840 for ; Mon, 13 Sep 2021 07:51:18 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@ibm.com header.s=pp1 header.b=qIl2ghe+; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.1.2/8.16.0.43) with SMTP id 18DCxOeA006142; Mon, 13 Sep 2021 10:51:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : in-reply-to : content-type : content-transfer-encoding : mime-version; s=pp1; bh=WkAWlCm6PqmJaBfNZpI3agPfUJj+7kZLvjA98TWFG+s=; b=qIl2ghe+0ar+4RAYdLDZjiQ90wPkOMKKuCz2sMEcnZVfPkR3lCrFFzwcI5+/ISWd997l NVI+7k8tH3JZCEHEDJgE2WWpSKRX7PUNFP7jRL6WtbNyeq9AB1D0LxZvPf946otkWB1S TrB/z6MkW5kD/eSwAMIHFtCfrj2TzJ5iTMS6tUyPtWwGQ6RACUc7jSiQSc+r1n1CSyum Qjph4aheLEBVIXfRywzlrwq+5N7k+lGS91b2SJuYt22sv0rJv3WDIESuKmlOnzFCsSpR M0ypd3lrVOqBTHC74qKuKU0u0rHeX42lRp/emmIF1lbWLxrEgC/rN1oNuwlgfmF2F1uS iw== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 3b23ha172d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Sep 2021 10:51:16 -0400 Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 18DCs0qg010076; Mon, 13 Sep 2021 10:51:16 -0400 Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0b-001b2d01.pphosted.com with ESMTP id 3b23ha1725-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Sep 2021 10:51:16 -0400 Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 18DElipS020687; Mon, 13 Sep 2021 14:51:15 GMT Received: from b03cxnp08027.gho.boulder.ibm.com (b03cxnp08027.gho.boulder.ibm.com [9.17.130.19]) by ppma03dal.us.ibm.com with ESMTP id 3b0m3a36ch-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Sep 2021 14:51:15 +0000 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 18DEpEPC19858170 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 13 Sep 2021 14:51:14 GMT Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6A1AAC6055; Mon, 13 Sep 2021 14:51:14 +0000 (GMT) Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 882AFC605A; Mon, 13 Sep 2021 14:51:13 +0000 (GMT) Received: from [9.47.158.152] (unknown [9.47.158.152]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP; Mon, 13 Sep 2021 14:51:13 +0000 (GMT) Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy To: "Yao, Jiewen" , "devel@edk2.groups.io" , "stefanb@linux.vnet.ibm.com" Cc: "mhaeuser@posteo.de" , "spbrogan@outlook.com" , "marcandre.lureau@redhat.com" , "kraxel@redhat.com" References: <20210909173538.2380673-1-stefanb@linux.vnet.ibm.com> <187817cf-5490-7563-077f-a4ff420a8c8f@linux.ibm.com> <4b89dbef-f86b-31c6-aec6-8ae619e3dafe@linux.ibm.com> From: "Stefan Berger" Message-ID: <764d3dbc-8ac9-a5af-f7e2-5b692c793d50@linux.ibm.com> Date: Mon, 13 Sep 2021 10:51:13 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 9ybnJoM2cUdmbpnswFQgOZ_UhfJ40Cw1 X-Proofpoint-GUID: 2rVMVCkXFxQ7A86KthZzGimeAWzm-lPZ X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.687,Hydra:6.0.235,FMLib:17.0.607.475 definitions=2020-10-13_15,2020-10-13_02,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 suspectscore=0 impostorscore=0 priorityscore=1501 adultscore=0 lowpriorityscore=0 mlxscore=0 spamscore=0 clxscore=1015 malwarescore=0 phishscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001 definitions=main-2109130048 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0b-001b2d01.pphosted.com id 18DCxOeA006142 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 9/10/21 10:46 PM, Yao, Jiewen wrote: > If you want, I would suggest to take 2 steps (2 separate patch sets). > > 1) To add the TCG2 platform auth handling the security pkg (just move t= he code from min-platform to securitypkg) > If nothing else is changed, it can be approved easily. > > 2) To enable QEMU support to make platform auth + TCG PP work together.= (based upon 1) > Need consider how to do it in a secure way. I am not clear what it's going to take to get this right. Is there are=20 platform example that does things similar to Ovmf but does it in the=20 right order? Several packages are using BdsEntry() from here:=20 https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/BdsD= xe/BdsEntry.c#L661 That's where the split of PlatformBootManagerBeforeConsole() and=20 ...AfterConsole() comes from. It looks like we would have to do TPM PPI=20 handling in the BeforeConsole function but cannot do it since there's no=20 console at this point but end-of-dxe is triggered there and that SMM=20 locking signal is also sent in that function. EndOfDxe:=20 https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo= tManagerLib/BdsPlatform.c#L380 Smm Lock:=20 https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo= tManagerLib/BdsPlatform.c#L394 If we now move the console initialization ('Connect consoles') to=20 'before' PlatformBootManagerBeforeConsole() is that then correct? Or=20 should the PPI module initialize the console when it needs it? =C2=A0=C2=A0 Stefan > > Thank you > Yao Jiewen > >> -----Original Message----- >> From: Yao, Jiewen >> Sent: Saturday, September 11, 2021 10:38 AM >> To: Stefan Berger ; devel@edk2.groups.io; >> stefanb@linux.vnet.ibm.com >> Cc: mhaeuser@posteo.de; spbrogan@outlook.com; >> marcandre.lureau@redhat.com; kraxel@redhat.com >> Subject: RE: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platfo= rm >> hierarchy >> >> Hi Stefan >> I notice you signal EndOfDxe at PlatformBootManagerBeforeConsole() >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >> tManagerLib/BdsPlatform.c#L380 >> I would say, if PP is done after EndOfDxe, then the order is NOT right. >> >> This topic has been debated for years. Finally, we reach the conclusio= n with the >> trusted console concept. >> >> The recommended way is to connect *trusted console only* and process P= P >> before EndOfDxe, to ensure no 3rd party code can touch the platform h= ierarchy. >> We did that at PlatformBootManagerBeforeConsole(). Here is console mea= ns all >> console, including the trusted console and untrusted console populated= by >> untrusted device. The full console list can still be connected after E= ndOfDxe. >> The platform can decide which console is trusted v.s. not-trusted. >> >> Thank you >> Yao Jiewen >> >> >>> -----Original Message----- >>> From: Stefan Berger >>> Sent: Saturday, September 11, 2021 12:15 AM >>> To: Yao, Jiewen ; devel@edk2.groups.io; >>> stefanb@linux.vnet.ibm.com >>> Cc: mhaeuser@posteo.de; spbrogan@outlook.com; >>> marcandre.lureau@redhat.com; kraxel@redhat.com >>> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platf= orm >>> hierarchy >>> >>> >>> On 9/10/21 11:32 AM, Yao, Jiewen wrote: >>>> According to the security policy, PP request must be processed befor= e >>> EndOfDxe. >>>> May I know when you trigger PP request? >>> OVMF has 3 implementations invoking it in >> PlatformBootManagerAfterConsole(): >>> >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >>> tManagerLib/BdsPlatform.c#L1517 >>> >>> >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >>> tManagerLibBhyve/BdsPlatform.c#L1451 >>> >>> >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >>> tManagerLibGrub/BdsPlatform.c#L1316 >>> >>> =C2=A0 Stefan >>> >>> >>>> Thank you >>>> Yao Jiewen >>>> >>>>> -----Original Message----- >>>>> From: Stefan Berger >>>>> Sent: Friday, September 10, 2021 10:25 PM >>>>> To: devel@edk2.groups.io; stefanb@linux.vnet.ibm.com >>>>> Cc: mhaeuser@posteo.de; spbrogan@outlook.com; >>>>> marcandre.lureau@redhat.com; kraxel@redhat.com; Yao, Jiewen >>>>> >>>>> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 pla= tform >>>>> hierarchy >>>>> >>>>> >>>>> On 9/9/21 1:35 PM, Stefan Berger wrote: >>>>>> This series imports code from the edk2-platforms project related t= o >>>>>> disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ov= mf >>>>>> aspects of the following bugs: >>>>>> >>>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3D3510 >>>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3D3499 >>>>>> >>>>>> I have patched the .dsc files and successfully test-built with mos= t of >>>>>> them. Some I could not build because they failed for other reasons >>>>>> unrelated to this series. >>>>>> >>>>>> I tested the changes with QEMU on x86 following the build of >>>>>> OvmfPkgX64.dsc. >>>>>> >>>>>> Neither one of the following commands should work anymore on first >>>>>> try when run on Linux: >>>>>> >>>>>> With IBM tss2 tools: >>>>>> tsshierarchychangeauth -hi p -pwdn newpass >>>>>> >>>>>> With Intel tss2 tools: >>>>>> tpm2_changeauth -c platform newpass >>>>> While disabling the platform hierarchy works, the unfortunate probl= em is >>>>> now that the signal to disable the TPM 2 platform hierarchy is rece= ived >>>>> before handling the physical presence interface (PPI) opcodes, whic= h is >>>>> bad because some of the opcodes will not go through. The question n= ow is >>>>> what is wrong? Are the PPI opcodes handled too late or the signal i= s >>>>> sent to early or is it the wrong signal? >>>>> >>>>> Event =3D EfiCreateProtocolNotifyEvent ( >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= &gEfiDxeSmmReadyToLockProtocolGuid, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= TPL_CALLBACK, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= SmmReadyToLockEventCallBack, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= NULL, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= &Registration >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= ); >>>>> >>>>> =C2=A0=C2=A0 Stefan >>>>> >>>>>> Regards, >>>>>> Stefan >>>>>> >>>>>> v7: >>>>>> - Ditched ARM support in this series >>>>>> - Using Tcg2PlatformDxe and Tcg2PlaformPei from edk2-platforms= now >>>>>> and revised most of the patches >>>>>> >>>>>> v6: >>>>>> - Removed unnecessary entries in .dsc files >>>>>> - Added support for S3 resume failure case >>>>>> - Assigned unique FILE_GUID to NULL implementation >>>>>> >>>>>> v5: >>>>>> - Modified patch 1 copies the code from edk2-platforms >>>>>> - Modified patch 2 fixes bugs in the code >>>>>> - Modified patch 4 introduces required PCD >>>>>> >>>>>> v4: >>>>>> - Fixed and simplified code imported from edk2-platforms >>>>>> >>>>>> v3: >>>>>> - Referencing Null implementation on Bhyve and Xen platforms >>>>>> - Add support in Arm >>>>>> >>>>>> >>>>>> Stefan Berger (9): >>>>>> SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from >>>>>> edk2-platforms >>>>>> SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierar= chyLib >>>>>> SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms >>>>>> SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable >>>>>> SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy >>>>>> OvmfPkg: Reference new Tcg2PlatformDxe in the build system fo= r >>>>>> compilation >>>>>> SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms >>>>>> SecurityPkg/Tcg: Make Tcg2PlatformPei buildable >>>>>> OvmfPkg: Reference new Tcg2PlatformPei in the build system >>>>>> >>>>>> OvmfPkg/AmdSev/AmdSevX64.dsc | 8 + >>>>>> OvmfPkg/AmdSev/AmdSevX64.fdf | 2 + >>>>>> OvmfPkg/OvmfPkgIa32.dsc | 8 + >>>>>> OvmfPkg/OvmfPkgIa32.fdf | 2 + >>>>>> OvmfPkg/OvmfPkgIa32X64.dsc | 8 + >>>>>> OvmfPkg/OvmfPkgIa32X64.fdf | 2 + >>>>>> OvmfPkg/OvmfPkgX64.dsc | 8 + >>>>>> OvmfPkg/OvmfPkgX64.fdf | 2 + >>>>>> .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ >>>>>> .../PeiDxeTpmPlatformHierarchyLib.c | 255 ++++++++++= ++++++++ >>>>>> .../PeiDxeTpmPlatformHierarchyLib.inf | 44 +++ >>>>>> SecurityPkg/SecurityPkg.dec | 6 + >>>>>> .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 ++++++ >>>>>> .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 43 +++ >>>>>> .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++ >>>>>> .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 51 ++++ >>>>>> 16 files changed, 658 insertions(+) >>>>>> create mode 100644 >>> SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h >>>>>> create mode 100644 >> SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHie= rar >>>>> chyLib.c >>>>>> create mode 100644 >> SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHie= rar >>>>> chyLib.inf >>>>>> create mode 100644 >>> SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c >>>>>> create mode 100644 >>> SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf >>>>>> create mode 100644 >> SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c >>>>>> create mode 100644 >>> SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf