Enabling TPM support in ovmf & hang during qemu boot

Enabling TPM support in ovmf & hang during qemu boot

[Marc-André Lureau]

[-- Attachment #1: Type: text/plain, Size: 776 bytes --]

Hi,

I use the attached patch to build OVMF with TPM support.

Even without any TPM device configured (with the following qemu
command line) the VM hangs early:

qemu-system-x86_64 -enable-kvm -m 1024 -global
isa-debugcon.iobase=0x402 -debugcon file:ovmf.log -drive
if=pflash,format=raw,file=...src/edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd,readonly
-drive if=pflash,format=raw,file=...src/edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd

I don't have much clue how to debug OVMF, but adding DEBUG lines, I
could learn that during ReserveEmuVariableNvStore(), GetNextHob() runs
an infinite loop, looking for EFI_HOB_TYPE_UNUSED.

How is the HobList populated? Is it possible to add more of the UNUSED entries?

Any help welcome

-- 
Marc-André Lureau

[-- Attachment #2: tpm.patch --]
[-- Type: text/x-patch, Size: 6391 bytes --]

commit 9e13683ae1351054bf14a087bfb89a14009b38e5
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Date:   Fri Nov 10 14:49:02 2017 +0100

    Add TPM2

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 1ffcf37f8b..ba73c250c6 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -39,6 +39,7 @@
   DEFINE HTTP_BOOT_ENABLE        = FALSE
   DEFINE SMM_REQUIRE             = FALSE
   DEFINE TLS_ENABLE              = FALSE
+  DEFINE TPM2_ENABLE             = FALSE
 
   #
   # Flash size selection. Setting FD_SIZE_IN_KB on the command line directly to
@@ -203,6 +204,13 @@
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
+!if $(TPM2_ENABLE) == TRUE
+  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+  Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+!endif
+
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
 
@@ -266,6 +274,13 @@
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.inf
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+!ifdef $(TPM2_ENABLE)
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+  Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
+!endif
 
 [LibraryClasses.common.DXE_CORE]
   HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
@@ -346,6 +361,11 @@
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+!ifdef $(TPM2_ENABLE)
+  HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+!endif
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -456,7 +476,7 @@
   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
   #                             // significantly impact boot performance
   # DEBUG_ERROR     0x80000000  // Error
-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
 
 !ifdef $(SOURCE_DEBUG_ENABLE)
   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
@@ -549,6 +569,21 @@
 
   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
+!if $(TPM2_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0xb6, 0xe5, 0x01, 0x8b, 0x19, 0x4f, 0xe8, 0x46, 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xcc}
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3
+!endif
+
+[PcdsDynamicHii.common.DEFAULT]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform.
@@ -613,6 +648,39 @@
 
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
 
+!if $(TPM2_ENABLE) == TRUE
+  SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+  SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf {
+    <LibraryClasses>
+      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+  }
+
+  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterPei.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+  }
+
+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+  }
+
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+  }
+!endif
+
 !if $(SECURE_BOOT_ENABLE) == TRUE
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 32000a3b93..32e40af2e0 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -164,6 +164,10 @@ INF  UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
 INF  OvmfPkg/SmmAccess/SmmAccessPei.inf
 !endif
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+!if $(TPM2_ENABLE) == TRUE
+INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+!endif
 
 ################################################################################
 

Re: Enabling TPM support in ovmf & hang during qemu boot

[Laszlo Ersek]

On 11/12/17 20:09, Marc-André Lureau wrote:
> Hi,
> 
> I use the attached patch to build OVMF with TPM support.
> 
> Even without any TPM device configured (with the following qemu
> command line) the VM hangs early:
> 
> qemu-system-x86_64 -enable-kvm -m 1024 -global
> isa-debugcon.iobase=0x402 -debugcon file:ovmf.log -drive
> if=pflash,format=raw,file=...src/edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd,readonly
> -drive if=pflash,format=raw,file=...src/edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd
> 
> I don't have much clue how to debug OVMF, but adding DEBUG lines, I
> could learn that during ReserveEmuVariableNvStore(), GetNextHob() runs
> an infinite loop, looking for EFI_HOB_TYPE_UNUSED.
> 
> How is the HobList populated? Is it possible to add more of the UNUSED entries?
> 
> Any help welcome
> 

* Neither Tcg2ConfigPei nor Tcg2Pei depend, in their INF files' [depex]
section, on "permanent RAM has been discovered" (=
gEfiPeiMemoryDiscoveredPpiGuid). This means that they can be dispatched
before OvmfPkg/PlatformPei installs the permanent PEI RAM. Therefore, if
they call PeiServicesAllocatePages(), the allocation likely runs out of
the -- very small -- termporary PEI RAM that we have in OVMF.

The way to mitigate this is either to increase the temp PEI RAM (I
already have such a set on the list, but for different purposes -- and
this approach only works if the needed memory is really small), or to
make both of these PEIMs dependent on gEfiPeiMemoryDiscoveredPpiGuid. I
can't say -- Jiewen, would it be OK to make these PEIMs dependent on
gEfiPeiMemoryDiscoveredPpiGuid?


* Both PEIMs depend on PEI-phase read-only variable access
(gEfiPeiReadOnlyVariable2PpiGuid). However, OVMF does not include the
required drivers at the moment -- see
<https://bugzilla.tianocore.org/show_bug.cgi?id=386>. I had posted a
series for that back in ~March 2017, but Jordan disagreed with them. (I
think each of us remains unconvinced by the other's points, from the
original thread.)

Thanks
Laszlo

Re: Enabling TPM support in ovmf & hang during qemu boot

[Yao, Jiewen]

I can not add memorydiscovered dependency for tcgpei. We do have use case to unit Tpm before memory.

By design, tcgconfig peim is a platform module. Ovmf can create its own one and add dependency there.

As such, tcgpei depends on tcgconfigpei, and later can depend on memory.

thank you!
Yao, Jiewen


> 在 2017年11月13日，下午7:26，Laszlo Ersek <lersek@redhat.com> 写道：
> 
>> On 11/12/17 20:09, Marc-André Lureau wrote:
>> Hi,
>> 
>> I use the attached patch to build OVMF with TPM support.
>> 
>> Even without any TPM device configured (with the following qemu
>> command line) the VM hangs early:
>> 
>> qemu-system-x86_64 -enable-kvm -m 1024 -global
>> isa-debugcon.iobase=0x402 -debugcon file:ovmf.log -drive
>> if=pflash,format=raw,file=...src/edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd,readonly
>> -drive if=pflash,format=raw,file=...src/edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd
>> 
>> I don't have much clue how to debug OVMF, but adding DEBUG lines, I
>> could learn that during ReserveEmuVariableNvStore(), GetNextHob() runs
>> an infinite loop, looking for EFI_HOB_TYPE_UNUSED.
>> 
>> How is the HobList populated? Is it possible to add more of the UNUSED entries?
>> 
>> Any help welcome
>> 
> 
> * Neither Tcg2ConfigPei nor Tcg2Pei depend, in their INF files' [depex]
> section, on "permanent RAM has been discovered" (=
> gEfiPeiMemoryDiscoveredPpiGuid). This means that they can be dispatched
> before OvmfPkg/PlatformPei installs the permanent PEI RAM. Therefore, if
> they call PeiServicesAllocatePages(), the allocation likely runs out of
> the -- very small -- termporary PEI RAM that we have in OVMF.
> 
> The way to mitigate this is either to increase the temp PEI RAM (I
> already have such a set on the list, but for different purposes -- and
> this approach only works if the needed memory is really small), or to
> make both of these PEIMs dependent on gEfiPeiMemoryDiscoveredPpiGuid. I
> can't say -- Jiewen, would it be OK to make these PEIMs dependent on
> gEfiPeiMemoryDiscoveredPpiGuid?
> 
> 
> * Both PEIMs depend on PEI-phase read-only variable access
> (gEfiPeiReadOnlyVariable2PpiGuid). However, OVMF does not include the
> required drivers at the moment -- see
> <https://bugzilla.tianocore.org/show_bug.cgi?id=386>. I had posted a
> series for that back in ~March 2017, but Jordan disagreed with them. (I
> think each of us remains unconvinced by the other's points, from the
> original thread.)
> 
> Thanks
> Laszlo