Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

["Yao, Jiewen" <jiewen.yao@intel.com>]

Gerd
I have merged this patch set today.

I am fine to remove TPM1.2 in OVMF because of the known security limitation.

Thank you
Yao, Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Tuesday, January 16, 2024 8:01 PM
> To: devel@edk2.groups.io; dougflick@microsoft.com
> Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Yao, Jiewen
> <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> On Thu, Jan 11, 2024 at 10:16:00AM -0800, Doug Flick via groups.io wrote:
> > This patch series include the combined / merged security patches
> > (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118
> > (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib.
> > These patches have already been reviewed by SecurityPkg Maintainer
> > (Jiewen) on GHSA.
> 
> This patch series breaks ovmf build (duplicate symbols) in case both
> TPM2 and TPM1 support are enabled (-D TPM2_ENABLE=TRUE
> -DTPM1_ENABLE=TRUE).  Compiling with TPM2 only (-D TPM2_ENABLE=TRUE
> -DTPM1_ENABLE=FALSE) works fine.
> 
> I see two options to deal with the problem:
> 
>  (1) Rename the Sanitize* functions in the TPM2 version of the library
>      to carry a '2' somewhere in the function name, simliar to all other
>      TPM2 functions, to avoid the name clash.
>  (2) Remove TPM1 support from the edk2 code base.  The relevance of
>      TPM 1.2 support should be close to zero given that the TPM 2.0
>      specification was released almost a decade ago ...
> 
> take care,
>   Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113898): https://edk2.groups.io/g/devel/message/113898
Mute This Topic: https://groups.io/mt/103675434/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-