From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.10934.1631407349265086868 for ; Sat, 11 Sep 2021 17:42:29 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@ibm.com header.s=pp1 header.b=KlIrpAxb; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.1.2/8.16.0.43) with SMTP id 18BL2HHu003393; Sat, 11 Sep 2021 20:42:28 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : in-reply-to : content-type : content-transfer-encoding : mime-version; s=pp1; bh=5Wv+FJWThclAMQ1M7Slfan9rB+3u5L4y3srYGJySDRo=; b=KlIrpAxb8d37PUIlj6FtSESbGpb8Db6JU7msosChauCfBOEiVeV5osS7+mjnOzKqIbW0 rfZ3mbP4W+DxfeOi2NzJd2FE+70kKaelHjqQ2XwjTiMKcb2t2V9u1qZ9zmqonjpYPqUt b0jAr/4D3+0JlHjFZG+nNmEiEkz06sDNeLR2z8toFt+ZTbwJXXOlciGikPSmV7GnUD2E FrYbhgRV87riNHUg0TEPeAtd9bseZEfSSBUK24ibdO7mFHBPI5WNfyUpAfYAuUlDbBJ4 ptM+ep1oeQt6v7Gd/LUiW6LwXwIHLf0WOthfk8yAjurpntwjmuR4gddqO85WmOQL/co9 7Q== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 3b0rq5j78r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 11 Sep 2021 20:42:27 -0400 Received: from m0098414.ppops.net (m0098414.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 18C0gR6B005967; Sat, 11 Sep 2021 20:42:27 -0400 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0b-001b2d01.pphosted.com with ESMTP id 3b0rq5j78j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 11 Sep 2021 20:42:27 -0400 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 18C0ag8A010207; Sun, 12 Sep 2021 00:42:26 GMT Received: from b01cxnp22036.gho.pok.ibm.com (b01cxnp22036.gho.pok.ibm.com [9.57.198.26]) by ppma04dal.us.ibm.com with ESMTP id 3b0m38vr8h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 12 Sep 2021 00:42:26 +0000 Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com [9.57.199.107]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 18C0gPWa11666344 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 12 Sep 2021 00:42:25 GMT Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BE2EF124055; Sun, 12 Sep 2021 00:42:25 +0000 (GMT) Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A1ECC124053; Sun, 12 Sep 2021 00:42:25 +0000 (GMT) Received: from [9.47.158.152] (unknown [9.47.158.152]) by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP; Sun, 12 Sep 2021 00:42:25 +0000 (GMT) Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy To: "Yao, Jiewen" , "devel@edk2.groups.io" , "stefanb@linux.vnet.ibm.com" Cc: "mhaeuser@posteo.de" , "spbrogan@outlook.com" , "marcandre.lureau@redhat.com" , "kraxel@redhat.com" References: <20210909173538.2380673-1-stefanb@linux.vnet.ibm.com> <187817cf-5490-7563-077f-a4ff420a8c8f@linux.ibm.com> <4b89dbef-f86b-31c6-aec6-8ae619e3dafe@linux.ibm.com> From: "Stefan Berger" Message-ID: <8040bc84-9bf3-a25f-d99c-fdf1c14ad1d6@linux.ibm.com> Date: Sat, 11 Sep 2021 20:42:25 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: tdn1c7S9DsvkusvQqfcgcaUntFJgQVf3 X-Proofpoint-GUID: LNmRVWsPiwIJBH2XbE0p7EzZFe4iAGxK X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.687,Hydra:6.0.235,FMLib:17.0.607.475 definitions=2020-10-13_15,2020-10-13_02,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 phishscore=0 lowpriorityscore=0 clxscore=1015 suspectscore=0 spamscore=0 mlxlogscore=999 bulkscore=0 impostorscore=0 mlxscore=0 malwarescore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001 definitions=main-2109110058 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0b-001b2d01.pphosted.com id 18BL2HHu003393 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 9/10/21 10:46 PM, Yao, Jiewen wrote: > If you want, I would suggest to take 2 steps (2 separate patch sets). > > 1) To add the TCG2 platform auth handling the security pkg (just move t= he code from min-platform to securitypkg) > If nothing else is changed, it can be approved easily. I suppose you are talking about this series here. Can you have a look at=20 it and tell me whether it fulfills this requirement? It's not just a=20 move from min-platform but does need some modifications. You may alos=20 want to skip the Ovmf-related patches that modify those builds where we=20 have that issue with the ordering. =C2=A0=C2=A0 Stefan > > 2) To enable QEMU support to make platform auth + TCG PP work together.= (based upon 1) > Need consider how to do it in a secure way. > Thank you > Yao Jiewen > >> -----Original Message----- >> From: Yao, Jiewen >> Sent: Saturday, September 11, 2021 10:38 AM >> To: Stefan Berger ; devel@edk2.groups.io; >> stefanb@linux.vnet.ibm.com >> Cc: mhaeuser@posteo.de; spbrogan@outlook.com; >> marcandre.lureau@redhat.com; kraxel@redhat.com >> Subject: RE: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platfo= rm >> hierarchy >> >> Hi Stefan >> I notice you signal EndOfDxe at PlatformBootManagerBeforeConsole() >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >> tManagerLib/BdsPlatform.c#L380 >> I would say, if PP is done after EndOfDxe, then the order is NOT right. >> >> This topic has been debated for years. Finally, we reach the conclusio= n with the >> trusted console concept. >> >> The recommended way is to connect *trusted console only* and process P= P >> before EndOfDxe, to ensure no 3rd party code can touch the platform h= ierarchy. >> We did that at PlatformBootManagerBeforeConsole(). Here is console mea= ns all >> console, including the trusted console and untrusted console populated= by >> untrusted device. The full console list can still be connected after E= ndOfDxe. >> The platform can decide which console is trusted v.s. not-trusted. >> >> Thank you >> Yao Jiewen >> >> >>> -----Original Message----- >>> From: Stefan Berger >>> Sent: Saturday, September 11, 2021 12:15 AM >>> To: Yao, Jiewen ; devel@edk2.groups.io; >>> stefanb@linux.vnet.ibm.com >>> Cc: mhaeuser@posteo.de; spbrogan@outlook.com; >>> marcandre.lureau@redhat.com; kraxel@redhat.com >>> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platf= orm >>> hierarchy >>> >>> >>> On 9/10/21 11:32 AM, Yao, Jiewen wrote: >>>> According to the security policy, PP request must be processed befor= e >>> EndOfDxe. >>>> May I know when you trigger PP request? >>> OVMF has 3 implementations invoking it in >> PlatformBootManagerAfterConsole(): >>> >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >>> tManagerLib/BdsPlatform.c#L1517 >>> >>> >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >>> tManagerLibBhyve/BdsPlatform.c#L1451 >>> >>> >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/Platform= Boo >>> tManagerLibGrub/BdsPlatform.c#L1316 >>> >>> =C2=A0 Stefan >>> >>> >>>> Thank you >>>> Yao Jiewen >>>> >>>>> -----Original Message----- >>>>> From: Stefan Berger >>>>> Sent: Friday, September 10, 2021 10:25 PM >>>>> To: devel@edk2.groups.io; stefanb@linux.vnet.ibm.com >>>>> Cc: mhaeuser@posteo.de; spbrogan@outlook.com; >>>>> marcandre.lureau@redhat.com; kraxel@redhat.com; Yao, Jiewen >>>>> >>>>> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 pla= tform >>>>> hierarchy >>>>> >>>>> >>>>> On 9/9/21 1:35 PM, Stefan Berger wrote: >>>>>> This series imports code from the edk2-platforms project related t= o >>>>>> disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ov= mf >>>>>> aspects of the following bugs: >>>>>> >>>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3D3510 >>>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3D3499 >>>>>> >>>>>> I have patched the .dsc files and successfully test-built with mos= t of >>>>>> them. Some I could not build because they failed for other reasons >>>>>> unrelated to this series. >>>>>> >>>>>> I tested the changes with QEMU on x86 following the build of >>>>>> OvmfPkgX64.dsc. >>>>>> >>>>>> Neither one of the following commands should work anymore on first >>>>>> try when run on Linux: >>>>>> >>>>>> With IBM tss2 tools: >>>>>> tsshierarchychangeauth -hi p -pwdn newpass >>>>>> >>>>>> With Intel tss2 tools: >>>>>> tpm2_changeauth -c platform newpass >>>>> While disabling the platform hierarchy works, the unfortunate probl= em is >>>>> now that the signal to disable the TPM 2 platform hierarchy is rece= ived >>>>> before handling the physical presence interface (PPI) opcodes, whic= h is >>>>> bad because some of the opcodes will not go through. The question n= ow is >>>>> what is wrong? Are the PPI opcodes handled too late or the signal i= s >>>>> sent to early or is it the wrong signal? >>>>> >>>>> Event =3D EfiCreateProtocolNotifyEvent ( >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= &gEfiDxeSmmReadyToLockProtocolGuid, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= TPL_CALLBACK, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= SmmReadyToLockEventCallBack, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= NULL, >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= &Registration >>>>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= ); >>>>> >>>>> =C2=A0=C2=A0 Stefan >>>>> >>>>>> Regards, >>>>>> Stefan >>>>>> >>>>>> v7: >>>>>> - Ditched ARM support in this series >>>>>> - Using Tcg2PlatformDxe and Tcg2PlaformPei from edk2-platforms= now >>>>>> and revised most of the patches >>>>>> >>>>>> v6: >>>>>> - Removed unnecessary entries in .dsc files >>>>>> - Added support for S3 resume failure case >>>>>> - Assigned unique FILE_GUID to NULL implementation >>>>>> >>>>>> v5: >>>>>> - Modified patch 1 copies the code from edk2-platforms >>>>>> - Modified patch 2 fixes bugs in the code >>>>>> - Modified patch 4 introduces required PCD >>>>>> >>>>>> v4: >>>>>> - Fixed and simplified code imported from edk2-platforms >>>>>> >>>>>> v3: >>>>>> - Referencing Null implementation on Bhyve and Xen platforms >>>>>> - Add support in Arm >>>>>> >>>>>> >>>>>> Stefan Berger (9): >>>>>> SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from >>>>>> edk2-platforms >>>>>> SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierar= chyLib >>>>>> SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms >>>>>> SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable >>>>>> SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy >>>>>> OvmfPkg: Reference new Tcg2PlatformDxe in the build system fo= r >>>>>> compilation >>>>>> SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms >>>>>> SecurityPkg/Tcg: Make Tcg2PlatformPei buildable >>>>>> OvmfPkg: Reference new Tcg2PlatformPei in the build system >>>>>> >>>>>> OvmfPkg/AmdSev/AmdSevX64.dsc | 8 + >>>>>> OvmfPkg/AmdSev/AmdSevX64.fdf | 2 + >>>>>> OvmfPkg/OvmfPkgIa32.dsc | 8 + >>>>>> OvmfPkg/OvmfPkgIa32.fdf | 2 + >>>>>> OvmfPkg/OvmfPkgIa32X64.dsc | 8 + >>>>>> OvmfPkg/OvmfPkgIa32X64.fdf | 2 + >>>>>> OvmfPkg/OvmfPkgX64.dsc | 8 + >>>>>> OvmfPkg/OvmfPkgX64.fdf | 2 + >>>>>> .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ >>>>>> .../PeiDxeTpmPlatformHierarchyLib.c | 255 ++++++++++= ++++++++ >>>>>> .../PeiDxeTpmPlatformHierarchyLib.inf | 44 +++ >>>>>> SecurityPkg/SecurityPkg.dec | 6 + >>>>>> .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 ++++++ >>>>>> .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 43 +++ >>>>>> .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++ >>>>>> .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 51 ++++ >>>>>> 16 files changed, 658 insertions(+) >>>>>> create mode 100644 >>> SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h >>>>>> create mode 100644 >> SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHie= rar >>>>> chyLib.c >>>>>> create mode 100644 >> SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHie= rar >>>>> chyLib.inf >>>>>> create mode 100644 >>> SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c >>>>>> create mode 100644 >>> SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf >>>>>> create mode 100644 >> SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c >>>>>> create mode 100644 >>> SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf