Hi Stefan,

I have a minor suggestion marked inline as [SAMI].

With that updated,

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar


On 16/09/2021 10:17 PM, Stefan Berger wrote:
From: Stefan Berger <stefanb@linux.vnet.ibm.com>

Disable the TPM2 platform hierarchy by directly calling
ConfigureTpmPlatformHierarchy().
[SAMI] Please add the bugzilla reference. It will also be helpful to include the commit message from the cover letter here.

Also, your bugzilla description (pasted below) would be really useful reference:
                 Per the TCG firmware specification "TCG PC Client Platform Firmware Profile Specification" the TPM 2 platform hierarchy needs to be disabled or a random password set and discarded before the firmware passes control to the next stage bootloader or kernel.
                 Current specs are here: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf 
            Section 11 states:
           "Platform Firmware MUST protect access to the Platform Hierarchy and prevent access to the platform hierarchy by non-manufacturer-controlled components."
Please note - I have updated the specification link above to point to the latest TCG published spec.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c      | 6 ++++++
 .../PlatformBootManagerLib/PlatformBootManagerLib.inf       | 1 +
 2 files changed, 7 insertions(+)

diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
index 69448ff65b..1848042f86 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
@@ -16,6 +16,7 @@
 #include <Library/PcdLib.h>

 #include <Library/PlatformBmPrintScLib.h>

 #include <Library/QemuBootOrderLib.h>

+#include <Library/TpmPlatformHierarchyLib.h>

 #include <Library/UefiBootManagerLib.h>

 #include <Protocol/DevicePath.h>

 #include <Protocol/FirmwareVolume2.h>

@@ -696,6 +697,11 @@ PlatformBootManagerBeforeConsole (
   //

   EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);

 

+  //

+  // Disable the TPM 2 platform hierarchy

+  //

+  ConfigureTpmPlatformHierarchy ();

+

   //

   // Dispatch deferred images after EndOfDxe event.

   //

diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 9f54224d3e..997eb1a442 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -48,6 +48,7 @@
   QemuBootOrderLib

   QemuLoadImageLib

   ReportStatusCodeLib

+  TpmPlatformHierarchyLib

   UefiBootManagerLib

   UefiBootServicesTableLib

   UefiLib