public inbox for devel@edk2.groups.io
From: "Sami Mujawar" <sami.mujawar@arm.com>
To: Stefan Berger <stefanb@linux.ibm.com>, devel@edk2.groups.io
Cc: marcandre.lureau@redhat.com, kraxel@redhat.com,
	jiewen.yao@intel.com, ardb+tianocore@kernel.org,
	leif@nuviainc.com, Stefan Berger <stefanb@linux.vnet.ibm.com>,
	nd <nd@arm.com>
Subject: Re: [RFC PATCH 3/3] ArmVirtPkg: Disable the TPM2 platform hierarchy
Date: Sat, 18 Sep 2021 09:51:34 +0100	[thread overview]
Message-ID: <a81af6a1-33fd-d0ae-b869-e9c37d501b87@arm.com> (raw)
In-Reply-To: <20210916211752.2714332-4-stefanb@linux.ibm.com>


Hi Stefan,

I have a minor suggestion marked inline as [SAMI].

With that updated,

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar


On 16/09/2021 10:17 PM, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>
> Disable the TPM2 platform hierarchy by directly calling
> ConfigureTpmPlatformHierarchy().
[SAMI] Please add the bugzilla reference. It will also be helpful to 
include the commit message from the cover letter here.

Also, your bugzilla description (pasted below) would be a really useful
reference:

    Per the TCG firmware specification "TCG PC Client Platform Firmware
    Profile Specification" the TPM 2 platform hierarchy needs to be disabled
    or a random password set and discarded before the firmware passes
    control to the next stage bootloader or kernel.

    Current specs are here:
    https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf

    Section 11 states:
    "Platform Firmware MUST protect access to the Platform Hierarchy and
    prevent access to the platform hierarchy by non-manufacturer-controlled
    components."

Please note - I have updated the specification link above to point to 
the latest TCG published spec.

> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c      | 6 ++++++
>   .../PlatformBootManagerLib/PlatformBootManagerLib.inf       | 1 +
>   2 files changed, 7 insertions(+)
>
> diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> index 69448ff65b..1848042f86 100644
> --- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> +++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> @@ -16,6 +16,7 @@
>   #include <Library/PcdLib.h>
>
>   #include <Library/PlatformBmPrintScLib.h>
>
>   #include <Library/QemuBootOrderLib.h>
>
> +#include <Library/TpmPlatformHierarchyLib.h>
>
>   #include <Library/UefiBootManagerLib.h>
>
>   #include <Protocol/DevicePath.h>
>
>   #include <Protocol/FirmwareVolume2.h>
>
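Review bot: The new include keeps the alphabetical order of the Library/ headers (it lands between QemuBootOrderLib.h and UefiBootManagerLib.h), which is the convention this file already follows, so nothing to change in this hunk; the header is provided by the library class rather than by this module, so it only resolves once the matching [LibraryClasses] entry in the .inf hunk of this same patch is in place.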
> @@ -696,6 +697,11 @@ PlatformBootManagerBeforeConsole (
>     //
>
>     EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);
>
>   
>
> +  //
>
> +  // Disable the TPM 2 platform hierarchy
>
> +  //
>
> +  ConfigureTpmPlatformHierarchy ();
>
> +
>
>     //
>
>     // Dispatch deferred images after EndOfDxe event.
>
>     //
>
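Review bot: The placement is the substance of this hunk and deserves to be stated in the comment: the call sits after EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid) and before "Dispatch deferred images after EndOfDxe event", i.e. before the first code that is not under platform control gets to run, which is exactly what the quoted PFP requirement asks for. Suggest wording the comment as "// Disable the TPM 2 platform hierarchy before deferred (third-party) images are dispatched" so a later refactor does not move the call below the dispatch. Also note the call is unconditional, so a build configuration without a TPM relies on the library class being mapped to an instance that is a no-op; worth saying so in the commit message.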
> diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> index 9f54224d3e..997eb1a442 100644
> --- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> +++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> @@ -48,6 +48,7 @@
>     QemuBootOrderLib
>
>     QemuLoadImageLib
>
>     ReportStatusCodeLib
>
> +  TpmPlatformHierarchyLib
>
>     UefiBootManagerLib
>
>     UefiBootServicesTableLib
>
>     UefiLib
>
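Review bot: Listing TpmPlatformHierarchyLib under [LibraryClasses] is necessary but not sufficient for the build to link: the [Packages] section of this .inf has to include the .dec that declares the class, and every DSC that builds this PlatformBootManagerLib has to map the class to an instance, otherwise the build stops with an unresolved library class. Neither is visible in this hunk, so please confirm (ideally in the commit message) which .dec declares the class and which instance the ArmVirt platforms use, including the no-op instance for configurations without a TPM.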


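As an added example (not code from this patch or from TpmPlatformHierarchyLib), the following marshals the TPM2_HierarchyControl command that implements the first of the two options the quoted PFP text permits, disabling the platform hierarchy until the next TPM reset; the constants are the TPM 2.0 Library Part 2/3 values and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TPM_ST_SESSIONS         0x8002u     /* tag: command has an auth area */
#define TPM_CC_HierarchyControl 0x00000121u
#define TPM_RH_PLATFORM         0x4000000Cu /* platform hierarchy handle */
#define TPM_RS_PW               0x40000009u /* password session handle */
#define HC_CMD_LEN              32u         /* size with empty platformAuth */

/* TPM wire format is big-endian; helpers return bytes written. */
static size_t put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)(v >> 8); b[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *b, uint32_t v) { put16(b, (uint16_t)(v >> 16)); put16(b + 2, (uint16_t)v); return 4; }

/* Marshal TPM2_HierarchyControl(authHandle=TPM_RH_PLATFORM, enable=TPM_RH_PLATFORM,
 * state). state 0 (TPM_NO) clears phEnable so the platform hierarchy stays
 * disabled until the next TPM reset; 1 re-enables it. Authorization is a
 * password session carrying the current platformAuth, which is still empty at
 * the point in boot where firmware does this. Returns bytes written, 0 on bad
 * arguments. (Example code; names are this snippet's own.) */
size_t tpm2_hierarchy_control_cmd(uint8_t *out, size_t cap, uint8_t state)
{
  size_t n = 0;
  if (out == NULL || cap < HC_CMD_LEN || state > 1) return 0;
  n += put16(out + n, TPM_ST_SESSIONS);
  n += put32(out + n, HC_CMD_LEN);              /* commandSize */
  n += put32(out + n, TPM_CC_HierarchyControl); /* commandCode */
  n += put32(out + n, TPM_RH_PLATFORM);         /* authHandle */
  n += put32(out + n, 9);                       /* authorizationSize: one empty pw session */
  n += put32(out + n, TPM_RS_PW);               /* sessionHandle */
  n += put16(out + n, 0);                       /* nonce.size */
  out[n++] = 0;                                 /* sessionAttributes */
  n += put16(out + n, 0);                       /* hmac.size: empty platformAuth */
  n += put32(out + n, TPM_RH_PLATFORM);         /* enable: hierarchy to change */
  out[n++] = state;                             /* TPMI_YES_NO state */
  return n;
}

/* Cross-check the disable command against the hand-computed Part 3 layout. */
int disable_cmd_has_spec_layout(void)
{
  static const uint8_t expect[HC_CMD_LEN] = {
    0x80,0x02, 0x00,0x00,0x00,0x20, 0x00,0x00,0x01,0x21, 0x40,0x00,0x00,0x0C,
    0x00,0x00,0x00,0x09, 0x40,0x00,0x00,0x09, 0x00,0x00, 0x00, 0x00,0x00,
    0x40,0x00,0x00,0x0C, 0x00 };
  uint8_t buf[HC_CMD_LEN];
  return tpm2_hierarchy_control_cmd(buf, sizeof buf, 0) == HC_CMD_LEN &&
         memcmp(buf, expect, HC_CMD_LEN) == 0;
}
```

Once this command has been accepted by the TPM, any later TPM2_HierarchyChangeAuth or other platform-authorized command from an option ROM or bootloader fails with a hierarchy-disabled error, which is the property the PFP requirement is after.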