Hi Stefan,

I have a minor suggestion marked inline as [SAMI].

With that updated,

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar


On 16/09/2021 10:17 PM, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>
> Disable the TPM2 platform hierarchy by directly calling
> ConfigureTpmPlatformHierarchy().
[SAMI] Please add the bugzilla reference. It will also be helpful to 
include the commit message from the cover letter here.

Also, your bugzilla description (pasted below) would be really useful 
reference:
     Per the TCG firmware specification "TCG PC Client Platform Firmware 
Profile Specification" the TPM 2 platform hierarchy needs to be disabled 
or a random password set and discarded before the firmware passes 
control to the next stage bootloader or kernel.
                  Current specs are here: 
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf 


             Section 11 states:
            "Platform Firmware MUST protect access to the Platform Hierarchy and prevent access to the platform hierarchy by non-manufacturer-controlled components."
   

Please note - I have updated the specification link above to point to 
the latest TCG published spec.

> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c      | 6 ++++++
>   .../PlatformBootManagerLib/PlatformBootManagerLib.inf       | 1 +
>   2 files changed, 7 insertions(+)
>
> diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> index 69448ff65b..1848042f86 100644
> --- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> +++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> @@ -16,6 +16,7 @@
>   #include <Library/PcdLib.h>
>
>   #include <Library/PlatformBmPrintScLib.h>
>
>   #include <Library/QemuBootOrderLib.h>
>
> +#include <Library/TpmPlatformHierarchyLib.h>
>
>   #include <Library/UefiBootManagerLib.h>
>
>   #include <Protocol/DevicePath.h>
>
>   #include <Protocol/FirmwareVolume2.h>
>
> @@ -696,6 +697,11 @@ PlatformBootManagerBeforeConsole (
>     //
>
>     EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);
>
>   
>
> +  //
>
> +  // Disable the TPM 2 platform hierarchy
>
> +  //
>
> +  ConfigureTpmPlatformHierarchy ();
>
> +
>
>     //
>
>     // Dispatch deferred images after EndOfDxe event.
>
>     //
>
> diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> index 9f54224d3e..997eb1a442 100644
> --- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> +++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> @@ -48,6 +48,7 @@
>     QemuBootOrderLib
>
>     QemuLoadImageLib
>
>     ReportStatusCodeLib
>
> +  TpmPlatformHierarchyLib
>
>     UefiBootManagerLib
>
>     UefiBootServicesTableLib
>
>     UefiLib
>