Subject: Re: [edk2-devel] [PATCH v5 0/8] Ovmf: Disable the TPM2 platform hierarchy
From: Stefan Berger
To: devel@edk2.groups.io, jiewen.yao@intel.com, Stefan Berger
Cc: mhaeuser@posteo.de, spbrogan@outlook.com, marcandre.lureau@redhat.com, kraxel@redhat.com
Date: Mon, 6 Sep 2021 09:50:01 -0400
In-Reply-To: <20210901212153.1915585-1-stefanb@linux.vnet.ibm.com>

On 9/6/21 8:34 AM, Yao, Jiewen wrote:
> Hi Stefan
> Thank you very much for the work.
>
> I would like to double confirm with you on several things:
> 1) S3 resume - According to security guideline, we can randomize platform hierarchy if S3 start state fail.
>
> REF: https://github.com/tianocore/edk2-platforms/blob/master/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
>
> But I did not see your S3 solution there.

That may be an omission, also for ARM.

> 2) I am curious, why you don't use a DXE driver, but choose to link to BDS lib for the DXE case.

I don't know the difference. Is the code in edk2-platforms unsuitable?

> You also include a NULL lib there, which seems unnecessary, if you use a DXE/PEI module
>
> The downside of linking to BDS lib is that you have to change all BDS lib instance, which is a big burden.
> And you still have code to choose NULL lib v.s. real Lib based upon TPM enable flag.
>
> How about just include Tcg2PlatformPei/Tcg2PlatformDxe to SecurityPkg as well? Then we can remove the TcgPlatform from MinPlatform totally.
>
> 3) In some platform, you add TpmPlatformHierarchyLib to Tcg2Dxe. Would you please help me understand why?
>
> SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
>
>   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
>   TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>   NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf

I cannot compile several of the target platforms that I have made modifications to that I thought were correct but have done so 'blindly'. For example, I cannot compile for OvmfPkg/AmdSev/AmdSevX64.dsc, it fails for me for this reason:

# build -p OvmfPkg/AmdSev/AmdSevX64.dsc -b DEBUG -a X64 -t GCC5 -D TPM_ENABLE -D TPM_CONFIG_ENABLE -D SECURE_BOOT_ENABLE -D NETWORK_TLS_ENABLE
mkfs.fat 4.2 (2021-01-31)
grub2-mkimage: error: cannot open `/usr/lib/grub/x86_64-efi/moddep.lst': No such file or directory.

This here is an example of a platform I cannot build at all (before my modifications) but would need changes as well:

$ build -p OvmfPkg/OvmfPkgIa32X64.dsc -b DEBUG -a IA32 -t GCC5 -D TPM_ENABLE -D TPM_CONFIG_ENABLE -D SECURE_BOOT_ENABLE -D NETWORK_TLS_ENABLE
[...]
Active Platform          = /home/stefanb/dev/edk2/OvmfPkg/OvmfPkgIa32X64.dsc
.
build.py...
 : error F001: Module /home/stefanb/dev/edk2/MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf NOT found in DSC file; Is it really a binary module?

Should I drop the targets I cannot compile for or that seem broken just to begin with?

Does someone else want to take a pass on this series? I have to say that I work with too many unknowns here so that this is now the preferred path from my perspective.

Thanks.
   Stefan