Subject: Re: [edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy
To: James Bottomley, devel@edk2.groups.io, stefanb@linux.vnet.ibm.com, jiewen.yao@intel.com
Cc: marcandre.lureau@redhat.com, lersek@redhat.com, dick_wilkins@phoenix.com
References: <20210809163718.874512-1-stefanb@linux.vnet.ibm.com> <854e9cbc40b1a03204ed0a58aa639c4bc4a75c63.camel@HansenPartnership.com>
From: "Stefan Berger"
Date: Mon, 9 Aug 2021 14:28:38 -0400
In-Reply-To: <854e9cbc40b1a03204ed0a58aa639c4bc4a75c63.camel@HansenPartnership.com>

On 8/9/21 1:54 PM, James Bottomley wrote:
> On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
>> This series imports code from the edk2-platforms project related to
>> changing the password of the TPM2 platform hierarchy and uses it to
>> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
>> aspects of the following bugs:
>>
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> This raises a couple of issues:
>
> 1. Since OVMF is for all x86 virtual platforms not just the PC ones,
> should it be following the PC client spec for everything? I notice
> you left out Xen and Bhyve ... should they never follow this?

I am not sure how to build Bhyve but one part of the patch is already
there for it in this series:

If this is how you build Bhyve I am getting a build failure already
before these patches here are applied.

build -p OvmfPkg/Bhyve/BhyveX64.dsc -b DEBUG -a X64 -t GCC5 -D TPM_ENABLE -D TPM_CONFIG_ENABLE -D SECURE_BOOT_ENABLE -D NETWORK_TLS_ENABLE 2>&1 | tee build.log
Build environment: Linux-5.12.14-300.fc34.x86_64-x86_64-with-glibc2.33
Build start time: 14:21:41, Aug.09 2021

WORKSPACE        = /home/stefanb/dev/edk2
EDK_TOOLS_PATH   = /home/stefanb/dev/edk2/BaseTools
CONF_PATH        = /home/stefanb/dev/edk2/Conf
PYTHON_COMMAND   = /usr/bin/python3.9

Processing meta-data .
Architecture(s)  = X64
Build target     = DEBUG
Toolchain        = GCC5

Active Platform          = /home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc
build.py...
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc(198): error 000E: File/directory not found in workspace
	/home/stefanb/dev/edk2/OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf

> 2. Since OVMF is effectively both the platform and the firmware, what
> attitude should we take to code in edk2-platforms? There are
> arguments for pulling all the necessary components into OVMF, but it
> could also be argued that the VMM should take care of all the edk2-
> platforms pieces and OVMF should be strictly firmware.

That's what I had been wondering about in V1 as well. This import here
now followed the option 2 in that discussion and I cut out basically
only the function that disables the platform hierarchy rather than
setting a random password, which I kept since it didn't seem to require
further dependencies to be imported from edk2-platforms.

> Getting 2. sorted out is probably the more pressing policy issue for
> us.
>
> James
>
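As an added illustration of what the "disable the platform hierarchy" step discussed in this thread does on the wire (example code written for this note, not code from the patch series, OVMF or edk2-platforms): it hand-marshals TPM2_HierarchyControl from TPM 2.0 spec constants instead of calling EDK2's Tpm2CommandLib, and parses the response header so the caller can check the return code.

```c
#include <stddef.h>
#include <stdint.h>

/* TPM 2.0 Library spec, Part 2 (Structures) constants used below. */
#define TPM_ST_SESSIONS         0x8002u
#define TPM_CC_HierarchyControl 0x00000121u
#define TPM_RH_PLATFORM         0x4000000Cu
#define TPM_RS_PW               0x40000009u
/* TPM command/response fields are big-endian. */
static size_t put_u8(uint8_t *p, uint8_t v)   { p[0] = v; return 1; }
static size_t put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }
static size_t put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return 4;
}
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/*
 * Marshal TPM2_HierarchyControl(authHandle = TPM_RH_PLATFORM, enable =
 * TPM_RH_PLATFORM, state = NO) with an empty password session: the command
 * that disables the platform hierarchy while platformAuth is still empty.
 * Returns the command length, or 0 if buf is too small.
 */
size_t build_disable_platform_hierarchy(uint8_t *buf, size_t cap) {
    const size_t total = 32; /* header 10 + authHandle 4 + authSize 4 + auth 9 + params 5 */
    size_t n = 0;
    if (cap < total) return 0;
    n += put_u16(buf + n, TPM_ST_SESSIONS);
    n += put_u32(buf + n, (uint32_t)total);        /* commandSize */
    n += put_u32(buf + n, TPM_CC_HierarchyControl);
    n += put_u32(buf + n, TPM_RH_PLATFORM);        /* authHandle */
    n += put_u32(buf + n, 9);                      /* authorizationSize */
    n += put_u32(buf + n, TPM_RS_PW);              /* sessionHandle: password auth */
    n += put_u16(buf + n, 0);                      /* nonce.size */
    n += put_u8 (buf + n, 0);                      /* sessionAttributes */
    n += put_u16(buf + n, 0);                      /* hmac.size: empty platformAuth */
    n += put_u32(buf + n, TPM_RH_PLATFORM);        /* enable: hierarchy to act on */
    n += put_u8 (buf + n, 0);                      /* state: NO = disable */
    return n;
}
/* Parse a response header: 0 and *rc set on a well-formed reply, -1 otherwise. */
int tpm_response_code(const uint8_t *rsp, size_t len, uint32_t *rc) {
    if (len < 10 || get_u32(rsp + 2) != len) return -1;
    *rc = get_u32(rsp + 6);
    return 0;
}
```

The disabled state is not persistent: phEnable is set again on the next TPM2_Startup, so firmware has to issue this command on every boot before handing off to the OS.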