Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
From: "Stefan Berger"
To: "Yao, Jiewen", "devel@edk2.groups.io", "stefanb@linux.vnet.ibm.com"
Cc: "mhaeuser@posteo.de", "spbrogan@outlook.com", "marcandre.lureau@redhat.com", "kraxel@redhat.com"
Reply-To: devel@edk2.groups.io, stefanb@linux.ibm.com
References: <20210909173538.2380673-1-stefanb@linux.vnet.ibm.com> <187817cf-5490-7563-077f-a4ff420a8c8f@linux.ibm.com> <16A38214549AD34A.16479@groups.io>
In-Reply-To: <16A38214549AD34A.16479@groups.io>
Date: Fri, 10 Sep 2021 16:47:46 -0400

On 9/10/21 12:15 PM, Stefan Berger wrote:
>
> On 9/10/21 11:32 AM, Yao, Jiewen wrote:
>> According to the security policy, PP request must be processed before
>> EndOfDxe.
>>
>> May I know when you trigger PP request?
>
> OVMF has 3 implementations invoking it in
> PlatformBootManagerAfterConsole():
>
> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c#L1517
>
> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c#L1451
>
> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c#L1316
>

Before I post yet another series...:

The problem is that PPI may require interaction with the console, so it seems we have to handle it in PlatformBootManagerAfterConsole(). The disablement of the TPM 2 platform hierarchy may only occur after that, so we have to move this part here after TPM-PPI-Handling from BeforeConsole() into AfterConsole() because this is what triggers that new code from edk2-platforms to disable that TPM 2 platform hierarchy:

  Status = gBS->InstallProtocolInterface (&Handle,
                  &gEfiDxeSmmReadyToLockProtocolGuid, EFI_NATIVE_INTERFACE,
                  NULL);

And then we have this part here also in BeforeConsole() that has to be moved as well into AfterConsole().

  //
  // Dispatch deferred images after EndOfDxe event and ReadyToLock
  // installation.
  //
  EfiBootManagerDispatchDeferredImages ();

This then leads to something like this with the sequence (TPM-PPI-handling, gEfiDxeSmmReadyToLockProtocol, EfiBootManagerDispatchDeferredImages) needing to stay in that order. However, I am not sure whether one can just move these parts around like this.

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 71f63b2448..266d58dfbe 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c @@ -354,7 +354,6 @@ PlatformBootManagerBeforeConsole ( =C2=A0=C2=A0 VOID =C2=A0=C2=A0 ) =C2=A0{ -=C2=A0 EFI_HANDLE=C2=A0=C2=A0=C2=A0 Handle; =C2=A0=C2=A0 EFI_STATUS=C2=A0=C2=A0=C2=A0 Status; =C2=A0=C2=A0 UINT16=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 FrontPageT= imeout; =C2=A0=C2=A0 RETURN_STATUS PcdStatus; @@ -387,8 +386,10 @@ PlatformBootManagerBeforeConsole ( =C2=A0=C2=A0=C2=A0=C2=A0 SaveS3BootScript (); =C2=A0=C2=A0 } +#if 0 =C2=A0=C2=A0 // =C2=A0=C2=A0 // Prevent further changes to LockBoxes or SMRAM. +=C2=A0 // Any TPM 2 Physical Presence Interface opcode must be handled B= EFORE =C2=A0=C2=A0 // =C2=A0=C2=A0 Handle =3D NULL; =C2=A0=C2=A0 Status =3D gBS->InstallProtocolInterface (&Handle, @@ -401,6 +402,7 @@ PlatformBootManagerBeforeConsole ( =C2=A0=C2=A0 // installation. =C2=A0=C2=A0 // =C2=A0=C2=A0 EfiBootManagerDispatchDeferredImages (); +#endif =C2=A0=C2=A0 PlatformInitializeConsole ( =C2=A0=C2=A0=C2=A0=C2=A0 XenDetected() ? gXenPlatformConsole : gPlatform= Console); @@ -437,6 +439,7 @@ PlatformBootManagerBeforeConsole ( =C2=A0=C2=A0 // =C2=A0=C2=A0 VisitAllInstancesOfProtocol (&gEfiPciIoProtocolGuid,=20 ConnectVirtioPciRng, =C2=A0=C2=A0=C2=A0=C2=A0 NULL); + =C2=A0} @@ -1474,6 +1477,8 @@ PlatformBootManagerAfterConsole ( =C2=A0=C2=A0 VOID =C2=A0=C2=A0 ) =C2=A0{ +=C2=A0 EFI_STATUS=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 Status; +=C2=A0 EFI_HANDLE=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 Handle; =C2=A0=C2=A0 EFI_BOOT_MODE=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 BootMode; =C2=A0=C2=A0 DEBUG ((DEBUG_INFO, "PlatformBootManagerAfterConsole\n")); 
@@ -1511,11 +1516,29 @@ PlatformBootManagerAfterConsole ( =C2=A0=C2=A0 // =C2=A0=C2=A0 PciAcpiInitialization (); +#if 1 =C2=A0=C2=A0 // -=C2=A0 // Process TPM PPI request +=C2=A0 // Process TPM PPI request; this may require interaction via cons= ole =C2=A0=C2=A0 // =C2=A0=C2=A0 Tcg2PhysicalPresenceLibProcessRequest (NULL); +=C2=A0 // +=C2=A0 // Prevent further changes to LockBoxes or SMRAM. +=C2=A0 // Any TPM 2 Physical Presence Interface opcode must be handled B= EFORE +=C2=A0 // +=C2=A0 Handle =3D NULL; +=C2=A0 Status =3D gBS->InstallProtocolInterface (&Handle, +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 &gEfiDxeSmmReadyToLockProtocolGuid, EFI_NA= TIVE_INTERFACE, +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 NULL); +=C2=A0 ASSERT_EFI_ERROR (Status); + +=C2=A0 // +=C2=A0 // Dispatch deferred images after EndOfDxe event and ReadyToLock +=C2=A0 // installation. +=C2=A0 // +=C2=A0 EfiBootManagerDispatchDeferredImages (); +#endif + =C2=A0=C2=A0 // =C2=A0=C2=A0 // Process QEMU's -kernel command line option =C2=A0=C2=A0 // =C2=A0=C2=A0 Stefan
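Review bot: the `@@ -354,7 +354,6 @@` hunk drops `EFI_HANDLE Handle;` from PlatformBootManagerBeforeConsole but keeps `EFI_STATUS Status;`, while the only use of `Status` visible in these hunks (the `gBS->InstallProtocolInterface` call) is disabled in the next hunk; confirm `Status` still has a live use in BeforeConsole, otherwise the declaration should go with the code. Separately, the patch as pasted contains non-breaking spaces (the `=C2=A0` runs) and mail-client line wraps, so it will not apply with `git am`; please send the real version with `git send-email`.

Review bot: the `+#if 0` in the `@@ -387,8 +386,10 @@` hunk, closed by `+#endif` in `@@ -401,6 +402,7 @@`, is acceptable for an RFC, but the series version should delete the ReadyToLock install and `EfiBootManagerDispatchDeferredImages ();` from BeforeConsole outright: a preprocessed-out copy of the lock code is an invitation to re-enable it and lock before the PPI request has been handled. The added comment `+  // Any TPM 2 Physical Presence Interface opcode must be handled BEFORE` also ends mid-sentence (before what?) and is being added to code that the same hunk disables.

Review bot: the `@@ -437,6 +439,7 @@` hunk only adds a blank line before the closing `}`; whitespace-only change, drop it.

Review bot: in the `@@ -1511,11 +1516,29 @@` hunk the resulting order (`Tcg2PhysicalPresenceLibProcessRequest`, ReadyToLock install, `EfiBootManagerDispatchDeferredImages`) is the one the message argues for, but two things need to be spelled out. First, the hunks move the ReadyToLock install and the deferred-image dispatch, not the EndOfDxe signal; if EndOfDxe is still signalled in BeforeConsole, PPI processing still runs after EndOfDxe, which is exactly the ordering Jiewen's quoted reply says the security policy forbids, so the commit message must address that. Second, the SMRAM/LockBox lock now happens after `PlatformInitializeConsole ()` and `PciAcpiInitialization ()` instead of before console init, so everything connected during console setup runs while SMRAM and LockBoxes are still writable; state and justify that widened window explicitly. Replace the bare `+#if 1`/`+#endif` with a comment that records the dependency (PPI may need the console; installing gEfiDxeSmmReadyToLockProtocolGuid is what disables the TPM 2 platform hierarchy), and finish the copied `... must be handled BEFORE` sentence here as well.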
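As an added illustration of why the three steps have to keep that order (this is a constructed model, not code from the thread or from edk2): a PPI Clear request is a TPM2_Clear authorized with the platform hierarchy, and the ReadyToLock handler, like the edk2-platforms code the message refers to, disables that hierarchy. Every type and function name below is a hypothetical stand-in; only the edk2 routines named in the comments and the TPM 2.0 response-code values are real.

```c
/*
 * Constructed model of the BDS ordering constraint from the thread. This is
 * not edk2 code: every function and type here is hypothetical and stands in
 * for the edk2 routine named in its comment.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* TPM 2.0 response codes as defined by the TCG library specification. */
#define TPM_RC_SUCCESS   0x000u
#define TPM_RC_HIERARCHY 0x105u   /* hierarchy is disabled or not available */

typedef enum {
  STEP_PROCESS_PPI,               /* Tcg2PhysicalPresenceLibProcessRequest () */
  STEP_INSTALL_READY_TO_LOCK,     /* InstallProtocolInterface (gEfiDxeSmmReadyToLockProtocolGuid) */
  STEP_DISPATCH_DEFERRED_IMAGES   /* EfiBootManagerDispatchDeferredImages () */
} BdsStep;

typedef struct {
  bool platform_hierarchy_enabled; /* TPM 2 platform hierarchy (phEnable) */
  bool smram_locked;               /* SMRAM and LockBoxes closed to further changes */
  bool owner_cleared;              /* effect of a TPM2_Clear that actually ran */
} ModelState;

typedef struct {
  unsigned ppi_rc;                 /* response code the PPI Clear request received */
  bool dispatched_after_lock;      /* deferred images ran only once SMRAM was locked */
} RunResult;

/* Stand-in for a PPI Clear: TPM2_Clear authorized with TPM_RH_PLATFORM, which
 * the TPM rejects once the platform hierarchy has been disabled. */
static unsigned tpm2_clear_with_platform_auth(ModelState *s) {
  if (!s->platform_hierarchy_enabled) {
    return TPM_RC_HIERARCHY;
  }
  s->owner_cleared = true;
  return TPM_RC_SUCCESS;
}

/* Stand-in for the ReadyToLock callbacks: lock SMRAM/LockBoxes and, as the
 * edk2-platforms code described in the thread does, disable the platform hierarchy. */
static void on_ready_to_lock(ModelState *s) {
  s->smram_locked = true;
  s->platform_hierarchy_enabled = false;
}

/* Run the BDS steps in the given order and report what the PPI request
 * observed and whether deferred images were dispatched after the lock. */
RunResult run_bds(const BdsStep *steps, size_t count) {
  ModelState s = { .platform_hierarchy_enabled = true, .smram_locked = false, .owner_cleared = false };
  RunResult r = { .ppi_rc = TPM_RC_SUCCESS, .dispatched_after_lock = false };

  for (size_t i = 0; i < count; i++) {
    switch (steps[i]) {
    case STEP_PROCESS_PPI:
      r.ppi_rc = tpm2_clear_with_platform_auth(&s);
      break;
    case STEP_INSTALL_READY_TO_LOCK:
      on_ready_to_lock(&s);
      break;
    case STEP_DISPATCH_DEFERRED_IMAGES:
      /* Images deferred earlier in DXE may only be dispatched once the lock is in place. */
      r.dispatched_after_lock = s.smram_locked;
      break;
    }
  }
  return r;
}

/* The order the message proposes for PlatformBootManagerAfterConsole(). */
const BdsStep PROPOSED_ORDER[] = {
  STEP_PROCESS_PPI, STEP_INSTALL_READY_TO_LOCK, STEP_DISPATCH_DEFERRED_IMAGES
};
/* The order that results if the lock stays in BeforeConsole() and PPI in AfterConsole(). */
const BdsStep LOCK_FIRST_ORDER[] = {
  STEP_INSTALL_READY_TO_LOCK, STEP_DISPATCH_DEFERRED_IMAGES, STEP_PROCESS_PPI
};
/* A wrong order in which deferred images are dispatched before the lock. */
const BdsStep DISPATCH_BEFORE_LOCK_ORDER[] = {
  STEP_PROCESS_PPI, STEP_DISPATCH_DEFERRED_IMAGES, STEP_INSTALL_READY_TO_LOCK
};

int main(void) {
  RunResult ok  = run_bds(PROPOSED_ORDER, 3);
  RunResult bad = run_bds(LOCK_FIRST_ORDER, 3);
  printf("proposed order:   PPI rc=0x%03x, deferred images after lock=%s\n",
         ok.ppi_rc, ok.dispatched_after_lock ? "yes" : "no");
  printf("lock-first order: PPI rc=0x%03x (TPM_RC_HIERARCHY is 0x105)\n", bad.ppi_rc);
  return 0;
}
```

The model makes the two constraints in the message visible separately: the Clear request only succeeds when it runs before the ReadyToLock install, and the deferred-image dispatch only counts as safe when it runs after it, so reordering any pair of the three steps breaks one of the two.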