* [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
@ 2021-08-09 16:37 Stefan Berger
2021-08-09 16:37 ` [PATCH v2 1/4] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Stefan Berger @ 2021-08-09 16:37 UTC (permalink / raw)
To: devel, jiewen.yao; +Cc: marcandre.lureau, lersek, dick_wilkins, Stefan Berger
This series imports code from the edk2-platforms project related to
changing the password of the TPM2 platform hierarchy and uses it to
disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
aspects of the following bugs:
https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499
Regards,
Stefan
Stefan Berger (4):
OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
OvmfPkg: Reference new TPM classes in the build system for compilation
OvmfPkg: Disable the TPM2 platform hierarchy
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +
.../Include/Library/TpmPlatformHierarchyLib.h | 27 +++
.../PeiDxeTpmPlatformHierarchyLib.c | 210 ++++++++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf | 40 ++++
.../PeiDxeTpmPlatformHierarchyLib.c | 19 ++
.../PeiDxeTpmPlatformHierarchyLib.inf | 31 +++
.../PlatformBootManagerLib/BdsPlatform.c | 6 +
.../PlatformBootManagerLib.inf | 1 +
.../PlatformBootManagerLibBhyve/BdsPlatform.c | 6 +
.../PlatformBootManagerLibGrub/BdsPlatform.c | 6 +
OvmfPkg/OvmfPkgIa32.dsc | 3 +
OvmfPkg/OvmfPkgIa32X64.dsc | 3 +
OvmfPkg/OvmfPkgX64.dsc | 3 +
13 files changed, 358 insertions(+)
create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
--
2.31.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/4] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
2021-08-09 16:37 [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
@ 2021-08-09 16:37 ` Stefan Berger
2021-08-09 16:37 ` [PATCH v2 2/4] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Stefan Berger @ 2021-08-09 16:37 UTC (permalink / raw)
To: devel, jiewen.yao
Cc: marcandre.lureau, lersek, dick_wilkins, Stefan Berger,
Stefan Berger
Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Modify it so
that ConfigureTpmPlatformHierarchy() is the only public function provided
by this file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
.../Include/Library/TpmPlatformHierarchyLib.h | 27 +++
.../PeiDxeTpmPlatformHierarchyLib.c | 210 ++++++++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf | 40 ++++
3 files changed, 277 insertions(+)
create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 0000000000..a872fa09dc
--- /dev/null
+++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -0,0 +1,27 @@
+/** @file
+ TPM Platform Hierarchy configuration library.
+
+ This library provides functions for customizing the TPM's Platform Hierarchy
+ Authorization Value (platformAuth) and Platform Hierarchy Authorization
+ Policy (platformPolicy) can be defined through this function.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
+#define _TPM_PLATFORM_HIERARCHY_LIB_H_
+
+/**
+ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+ VOID
+ );
+
+#endif
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..ba2d99bb53
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
@@ -0,0 +1,210 @@
+/** @file
+ TPM Platform Hierarchy configuration library.
+
+ This library provides functions for customizing the TPM's Platform Hierarchy
+ Authorization Value (platformAuth) and Platform Hierarchy Authorization
+ Policy (platformPolicy) can be defined through this function.
+
+ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Specification Reference:
+ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
+**/
+
+#include <Uefi.h>
+
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/RngLib.h>
+#include <Library/Tpm2CommandLib.h>
+#include <Library/Tpm2DeviceLib.h>
+
+//
+// The authorization value may be no larger than the digest produced by the hash
+// algorithm used for context integrity.
+//
+#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
+
+UINT16 mAuthSize;
+
+/**
+ Generate high-quality entropy source through RDRAND.
+
+ @param[in] Length Size of the buffer, in bytes, to fill with.
+ @param[out] Entropy Pointer to the buffer to store the entropy data.
+
+ @retval EFI_SUCCESS Entropy generation succeeded.
+ @retval EFI_NOT_READY Failed to request random data.
+
+**/
+EFI_STATUS
+EFIAPI
+RdRandGenerateEntropy (
+ IN UINTN Length,
+ OUT UINT8 *Entropy
+ )
+{
+ EFI_STATUS Status;
+ UINTN BlockCount;
+ UINT64 Seed[2];
+ UINT8 *Ptr;
+
+ Status = EFI_NOT_READY;
+ BlockCount = Length / 64;
+ Ptr = (UINT8 *)Entropy;
+
+ //
+ // Generate high-quality seed for DRBG Entropy
+ //
+ while (BlockCount > 0) {
+ Status = GetRandomNumber128 (Seed);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ CopyMem (Ptr, Seed, 64);
+
+ BlockCount--;
+ Ptr = Ptr + 64;
+ }
+
+ //
+ // Populate the remained data as request.
+ //
+ Status = GetRandomNumber128 (Seed);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ CopyMem (Ptr, Seed, (Length % 64));
+
+ return Status;
+}
+
+/**
+ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
+ and limits an authValue to being no larger than the largest digest produced by a TPM.
+
+ @param[out] AuthSize Tpm2 Auth size
+
+ @retval EFI_SUCCESS Auth size returned.
+ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error.
+
+**/
+EFI_STATUS
+EFIAPI
+GetAuthSize (
+ OUT UINT16 *AuthSize
+ )
+{
+ EFI_STATUS Status;
+ TPML_PCR_SELECTION Pcrs;
+ UINTN Index;
+ UINT16 DigestSize;
+
+ Status = EFI_SUCCESS;
+
+ while (mAuthSize == 0) {
+
+ mAuthSize = SHA1_DIGEST_SIZE;
+ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
+ Status = Tpm2GetCapabilityPcrs (&Pcrs);
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
+ break;
+ }
+
+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
+
+ for (Index = 0; Index < Pcrs.count; Index++) {
+ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
+
+ switch (Pcrs.pcrSelections[Index].hash) {
+ case TPM_ALG_SHA1:
+ DigestSize = SHA1_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA256:
+ DigestSize = SHA256_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA384:
+ DigestSize = SHA384_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA512:
+ DigestSize = SHA512_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SM3_256:
+ DigestSize = SM3_256_DIGEST_SIZE;
+ break;
+ default:
+ DigestSize = SHA1_DIGEST_SIZE;
+ break;
+ }
+
+ if (DigestSize > mAuthSize) {
+ mAuthSize = DigestSize;
+ }
+ }
+ break;
+ }
+
+ *AuthSize = mAuthSize;
+ return Status;
+}
+
+/**
+ Set PlatformAuth to random value.
+**/
+VOID
+RandomizePlatformAuth (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UINT16 AuthSize;
+ UINT8 *Rand;
+ UINTN RandSize;
+ TPM2B_AUTH NewPlatformAuth;
+
+ //
+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+ //
+
+ GetAuthSize (&AuthSize);
+
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);
+ NewPlatformAuth.size = AuthSize;
+
+ //
+ // Allocate one buffer to store random data.
+ //
+ RandSize = MAX_NEW_AUTHORIZATION_SIZE;
+ Rand = AllocatePool (RandSize);
+
+ RdRandGenerateEntropy (RandSize, Rand);
+ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
+
+ FreePool (Rand);
+
+ //
+ // Send Tpm2HierarchyChangeAuth command with the new Auth value
+ //
+ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);
+ ZeroMem (Rand, RandSize);
+}
+
+/**
+ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
+ and Platform Hierarchy Authorization Policy (platformPolicy)
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+ )
+{
+ RandomizePlatformAuth ();
+}
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..a413e02302
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
@@ -0,0 +1,40 @@
+### @file
+#
+# TPM Platform Hierarchy configuration library.
+#
+# This library provides functions for customizing the TPM's Platform Hierarchy
+# Authorization Value (platformAuth) and Platform Hierarchy Authorization
+# Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = PeiDxeTpmPlatformHierarchyLib
+ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
+ MODULE_TYPE = PEIM
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ RngLib
+ Tpm2CommandLib
+ Tpm2DeviceLib
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[Sources]
+ PeiDxeTpmPlatformHierarchyLib.c
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 2/4] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
2021-08-09 16:37 [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-09 16:37 ` [PATCH v2 1/4] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
@ 2021-08-09 16:37 ` Stefan Berger
2021-08-09 16:37 ` [PATCH v2 3/4] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Stefan Berger @ 2021-08-09 16:37 UTC (permalink / raw)
To: devel, jiewen.yao
Cc: marcandre.lureau, lersek, dick_wilkins, Stefan Berger,
Stefan Berger
Add a NULL implementation of the library class TpmPlatformHierarchyLib
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
.../PeiDxeTpmPlatformHierarchyLib.c | 19 ++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf | 31 +++++++++++++++++++
2 files changed, 50 insertions(+)
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..a4d38a1465
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
@@ -0,0 +1,19 @@
+/** @file
+ Null TPM Platform Hierarchy configuration library.
+
+ This library provides stub functions for customizing the TPM's Platform Hierarchy.
+
+ Copyright (c) 2021, IBM Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+ )
+{
+ /* no nothing */
+}
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..f0c474d57c
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
@@ -0,0 +1,31 @@
+### @file
+#
+# TPM Platform Hierarchy configuration library.
+#
+# This library provides functions for customizing the TPM's Platform Hierarchy
+# Authorization Value (platformAuth) and Platform Hierarchy Authorization
+# Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = PeiDxeTpmPlatformHierarchyLibNull
+ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
+ MODULE_TYPE = PEIM
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
+
+[LibraryClasses]
+ BaseLib
+
+[Packages]
+ MdePkg/MdePkg.dec
+
+[Sources]
+ PeiDxeTpmPlatformHierarchyLib.c
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 3/4] OvmfPkg: Reference new TPM classes in the build system for compilation
2021-08-09 16:37 [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-09 16:37 ` [PATCH v2 1/4] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
2021-08-09 16:37 ` [PATCH v2 2/4] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
@ 2021-08-09 16:37 ` Stefan Berger
2021-08-09 16:37 ` [PATCH v2 4/4] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-09 17:54 ` [edk2-devel] [PATCH v2 0/4] Ovmf: " James Bottomley
4 siblings, 0 replies; 7+ messages in thread
From: Stefan Berger @ 2021-08-09 16:37 UTC (permalink / raw)
To: devel, jiewen.yao
Cc: marcandre.lureau, lersek, dick_wilkins, Stefan Berger,
Stefan Berger
Compile the added TPM related code now.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
.../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 3 +++
OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++
OvmfPkg/OvmfPkgX64.dsc | 3 +++
5 files changed, 13 insertions(+)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index e6cd10b759..db1deffcc8 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -209,9 +209,11 @@
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
!else
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
!endif
[LibraryClasses.common]
@@ -836,6 +838,7 @@
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
<LibraryClasses>
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index e470b9a6a3..e7d1917022 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -56,6 +56,7 @@
PlatformBmPrintScLib
Tcg2PhysicalPresenceLib
XenPlatformLib
+ TpmPlatformHierarchyLib
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index d1d92c97ba..7c2948c5e9 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -235,9 +235,11 @@
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
!else
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
!endif
[LibraryClasses.common]
@@ -711,6 +713,7 @@
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
<LibraryClasses>
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a467ab7090..88a014510f 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -239,9 +239,11 @@
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
!else
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
!endif
[LibraryClasses.common]
@@ -1034,6 +1036,7 @@
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
<LibraryClasses>
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index e56b83d95e..ca434a5faa 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -239,9 +239,11 @@
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
!else
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
!endif
[LibraryClasses.common]
@@ -723,6 +725,7 @@
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
<LibraryClasses>
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+ TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v2 4/4] OvmfPkg: Disable the TPM2 platform hierarchy
2021-08-09 16:37 [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
` (2 preceding siblings ...)
2021-08-09 16:37 ` [PATCH v2 3/4] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
@ 2021-08-09 16:37 ` Stefan Berger
2021-08-09 17:54 ` [edk2-devel] [PATCH v2 0/4] Ovmf: " James Bottomley
4 siblings, 0 replies; 7+ messages in thread
From: Stefan Berger @ 2021-08-09 16:37 UTC (permalink / raw)
To: devel, jiewen.yao
Cc: marcandre.lureau, lersek, dick_wilkins, Stefan Berger,
Stefan Berger
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 6 ++++++
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 6 ++++++
OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c | 6 ++++++
3 files changed, 18 insertions(+)
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index b0e9742937..5bf145ba25 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -11,6 +11,7 @@
#include <Protocol/FirmwareVolume2.h>
#include <Library/PlatformBmPrintScLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
#include <Library/XenPlatformLib.h>
@@ -1516,6 +1517,11 @@ PlatformBootManagerAfterConsole (
//
Tcg2PhysicalPresenceLibProcessRequest (NULL);
+ //
+ // Disable the TPM 2 platform hierarchy
+ //
+ ConfigureTpmPlatformHierarchy ();
+
//
// Process QEMU's -kernel command line option
//
diff --git a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
index eaade4adea..09418dc4ff 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
@@ -12,6 +12,7 @@
#include <Protocol/FirmwareVolume2.h>
#include <Library/PlatformBmPrintScLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
#include <Protocol/BlockIo.h>
@@ -1450,6 +1451,11 @@ PlatformBootManagerAfterConsole (
//
Tcg2PhysicalPresenceLibProcessRequest (NULL);
+ //
+ // Disable the TPM 2 platform hierarchy
+ //
+ ConfigureTpmPlatformHierarchy ();
+
//
// Perform some platform specific connect sequence
//
diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
index 7cceeea487..508e2b6403 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
@@ -12,6 +12,7 @@
#include <Protocol/FirmwareVolume2.h>
#include <Library/PlatformBmPrintScLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
//
@@ -1315,6 +1316,11 @@ PlatformBootManagerAfterConsole (
//
Tcg2PhysicalPresenceLibProcessRequest (NULL);
+ //
+ // Disable the TPM 2 platform hierachy
+ //
+ ConfigureTpmPlatformHierarchy ();
+
//
// Process QEMU's -kernel command line option
//
--
2.31.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
2021-08-09 16:37 [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
` (3 preceding siblings ...)
2021-08-09 16:37 ` [PATCH v2 4/4] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
@ 2021-08-09 17:54 ` James Bottomley
2021-08-09 18:28 ` Stefan Berger
4 siblings, 1 reply; 7+ messages in thread
From: James Bottomley @ 2021-08-09 17:54 UTC (permalink / raw)
To: devel, stefanb, jiewen.yao; +Cc: marcandre.lureau, lersek, dick_wilkins
On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
> This series imports code from the edk2-platforms project related to
> changing the password of the TPM2 platform hierarchy and uses it to
> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
> aspects of the following bugs:
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
This raises a couple of issues:
1. Since OVMF is for all x86 virtual platforms not just the PC ones,
should it be following the PC client spec for everything? I notice
you left out Xen and Bhyve ... should they never follow this?
2. Since OVMF is effectively both the platform and the firmware, what
attitude should we take to code in edk2-platforms? There are
arguments for pulling all the necessary components into OVMF, but it
could also be argued that the VMM should take care of all the edk2-
platforms pieces and OVMF should be strictly firmware.
Getting 2. sorted out is probably the more pressing policy issue for
us.
James
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
2021-08-09 17:54 ` [edk2-devel] [PATCH v2 0/4] Ovmf: " James Bottomley
@ 2021-08-09 18:28 ` Stefan Berger
0 siblings, 0 replies; 7+ messages in thread
From: Stefan Berger @ 2021-08-09 18:28 UTC (permalink / raw)
To: James Bottomley, devel, stefanb, jiewen.yao
Cc: marcandre.lureau, lersek, dick_wilkins
On 8/9/21 1:54 PM, James Bottomley wrote:
> On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
>> This series imports code from the edk2-platforms project related to
>> changing the password of the TPM2 platform hierarchy and uses it to
>> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
>> aspects of the following bugs:
>>
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> This raises a couple of issues:
>
> 1. Since OVMF is for all x86 virtual platforms not just the PC ones,
> should it be following the PC client spec for everything? I notice
> you left out Xen and Bhyve ... should they never follow this?
I am not sure how to build Bhyve but one part of the patch is already
there for it in this series:
If this is how you build Bhyve I am getting a build failure already
before these patches here are applied.
build -p OvmfPkg/Bhyve/BhyveX64.dsc -b DEBUG -a X64 -t GCC5 -D
TPM_ENABLE -D TPM_CONFIG_ENABLE -D SECURE_BOOT_ENABLE -D
NETWORK_TLS_ENABLE 2>&1 | tee build.log
Build environment: Linux-5.12.14-300.fc34.x86_64-x86_64-with-glibc2.33
Build start time: 14:21:41, Aug.09 2021
WORKSPACE = /home/stefanb/dev/edk2
EDK_TOOLS_PATH = /home/stefanb/dev/edk2/BaseTools
CONF_PATH = /home/stefanb/dev/edk2/Conf
PYTHON_COMMAND = /usr/bin/python3.9
Processing meta-data .
Architecture(s) = X64
Build target = DEBUG
Toolchain = GCC5
Active Platform = /home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc
build.py...
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc(198): error 000E:
File/directory not found in workspace
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf
> 2. Since OVMF is effectively both the platform and the firmware, what
> attitude should we take to code in edk2-platforms? There are
> arguments for pulling all the necessary components into OVMF, but it
> could also be argued that the VMM should take care of all the edk2-
> platforms pieces and OVMF should be strictly firmware.
That's what I had been wondering about in V1 as well. This import here
now followed the option 2 in that discussion and I cut out basically
only the function that disables the platform hierarchy rather than
setting a random password, which I kept since it didn't seem to require
further dependencies. to be imported from edk2-platforms.
>
> Getting 2. sorted out is probably the more pressing policy issue for
> us.
>
> James
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-08-09 18:28 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-09 16:37 [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-09 16:37 ` [PATCH v2 1/4] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
2021-08-09 16:37 ` [PATCH v2 2/4] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
2021-08-09 16:37 ` [PATCH v2 3/4] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
2021-08-09 16:37 ` [PATCH v2 4/4] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-09 17:54 ` [edk2-devel] [PATCH v2 0/4] Ovmf: " James Bottomley
2021-08-09 18:28 ` Stefan Berger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox