If you want, I would suggest taking 2 steps (2 separate patch sets).

1) To add the TCG2 platform auth handling to the security pkg (just move the code from min-platform to SecurityPkg). If nothing else is changed, it can be approved easily.

2) To enable QEMU support to make platform auth + TCG PP work together (based upon 1). Need to consider how to do it in a secure way.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Saturday, September 11, 2021 10:38 AM
> To: Stefan Berger <stef...@linux.ibm.com>; devel@edk2.groups.io; stef...@linux.vnet.ibm.com
> Cc: mhaeu...@posteo.de; spbro...@outlook.com; marcandre.lur...@redhat.com; kra...@redhat.com
> Subject: RE: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
>
> Hi Stefan
> I notice you signal EndOfDxe at PlatformBootManagerBeforeConsole()
> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c#L380
> I would say, if PP is done after EndOfDxe, then the order is NOT right.
>
> This topic has been debated for years. Finally, we reached the conclusion with the trusted console concept.
>
> The recommended way is to connect *trusted console only* and process PP before EndOfDxe, to ensure no 3rd party code can touch the platform hierarchy.
> We did that at PlatformBootManagerBeforeConsole(). Here, console means all consoles, including the trusted console and the untrusted console populated by an untrusted device. The full console list can still be connected after EndOfDxe.
> The platform can decide which console is trusted vs. not trusted.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Stefan Berger <stef...@linux.ibm.com>
> > Sent: Saturday, September 11, 2021 12:15 AM
> > To: Yao, Jiewen <jiewen....@intel.com>; devel@edk2.groups.io; stef...@linux.vnet.ibm.com
> > Cc: mhaeu...@posteo.de; spbro...@outlook.com; marcandre.lur...@redhat.com; kra...@redhat.com
> > Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
> >
> >
> > On 9/10/21 11:32 AM, Yao, Jiewen wrote:
> > > According to the security policy, PP request must be processed before EndOfDxe.
> > >
> > > May I know when you trigger PP request?
> >
> > OVMF has 3 implementations invoking it in PlatformBootManagerAfterConsole():
> >
> > https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c#L1517
> > https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c#L1451
> > https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c#L1316
> >
> > Stefan
> >
> > >
> > > Thank you
> > > Yao Jiewen
> > >
> > >> -----Original Message-----
> > >> From: Stefan Berger <stef...@linux.ibm.com>
> > >> Sent: Friday, September 10, 2021 10:25 PM
> > >> To: devel@edk2.groups.io; stef...@linux.vnet.ibm.com
> > >> Cc: mhaeu...@posteo.de; spbro...@outlook.com; marcandre.lur...@redhat.com; kra...@redhat.com; Yao, Jiewen <jiewen....@intel.com>
> > >> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
> > >>
> > >>
> > >> On 9/9/21 1:35 PM, Stefan Berger wrote:
> > >>> This series imports code from the edk2-platforms project related to disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf aspects of the following bugs:
> > >>>
> > >>> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> > >>> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> > >>>
> > >>> I have patched the .dsc files and successfully test-built with most of them. Some I could not build because they failed for other reasons unrelated to this series.
> > >>>
> > >>> I tested the changes with QEMU on x86 following the build of OvmfPkgX64.dsc.
> > >>>
> > >>> Neither one of the following commands should work anymore on first try when run on Linux:
> > >>>
> > >>> With IBM tss2 tools:
> > >>> tsshierarchychangeauth -hi p -pwdn newpass
> > >>>
> > >>> With Intel tss2 tools:
> > >>> tpm2_changeauth -c platform newpass
> > >>
> > >> While disabling the platform hierarchy works, the unfortunate problem is now that the signal to disable the TPM 2 platform hierarchy is received before handling the physical presence interface (PPI) opcodes, which is bad because some of the opcodes will not go through. The question now is: what is wrong? Are the PPI opcodes handled too late, or is the signal sent too early, or is it the wrong signal?
> > >>
> > >> Event = EfiCreateProtocolNotifyEvent (
> > >>            &gEfiDxeSmmReadyToLockProtocolGuid,
> > >>            TPL_CALLBACK,
> > >>            SmmReadyToLockEventCallBack,
> > >>            NULL,
> > >>            &Registration
> > >>            );
> > >>
> > >> Stefan
> > >>
> > >>> Regards,
> > >>> Stefan
> > >>>
> > >>> v7:
> > >>> - Ditched ARM support in this series
> > >>> - Using Tcg2PlatformDxe and Tcg2PlatformPei from edk2-platforms now and revised most of the patches
> > >>>
> > >>> v6:
> > >>> - Removed unnecessary entries in .dsc files
> > >>> - Added support for S3 resume failure case
> > >>> - Assigned unique FILE_GUID to NULL implementation
> > >>>
> > >>> v5:
> > >>> - Modified patch 1 copies the code from edk2-platforms
> > >>> - Modified patch 2 fixes bugs in the code
> > >>> - Modified patch 4 introduces required PCD
> > >>>
> > >>> v4:
> > >>> - Fixed and simplified code imported from edk2-platforms
> > >>>
> > >>> v3:
> > >>> - Referencing Null implementation on Bhyve and Xen platforms
> > >>> - Add support in Arm
> > >>>
> > >>>
> > >>> Stefan Berger (9):
> > >>>   SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
> > >>>   SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
> > >>>   SecurityPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms
> > >>>   SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable
> > >>>   SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
> > >>>   OvmfPkg: Reference new Tcg2PlatformDxe in the build system for compilation
> > >>>   SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms
> > >>>   SecurityPkg/Tcg: Make Tcg2PlatformPei buildable
> > >>>   OvmfPkg: Reference new Tcg2PlatformPei in the build system
> > >>>
> > >>>  OvmfPkg/AmdSev/AmdSevX64.dsc                   |   8 +
> > >>>  OvmfPkg/AmdSev/AmdSevX64.fdf                   |   2 +
> > >>>  OvmfPkg/OvmfPkgIa32.dsc                        |   8 +
> > >>>  OvmfPkg/OvmfPkgIa32.fdf                        |   2 +
> > >>>  OvmfPkg/OvmfPkgIa32X64.dsc                     |   8 +
> > >>>  OvmfPkg/OvmfPkgIa32X64.fdf                     |   2 +
> > >>>  OvmfPkg/OvmfPkgX64.dsc                         |   8 +
> > >>>  OvmfPkg/OvmfPkgX64.fdf                         |   2 +
> > >>>  .../Include/Library/TpmPlatformHierarchyLib.h  |  27 ++
> > >>>  .../PeiDxeTpmPlatformHierarchyLib.c            | 255 ++++++++++++++++++
> > >>>  .../PeiDxeTpmPlatformHierarchyLib.inf          |  44 +++
> > >>>  SecurityPkg/SecurityPkg.dec                    |   6 +
> > >>>  .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c      |  85 ++++++
> > >>>  .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf    |  43 +++
> > >>>  .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c      | 107 ++++++++
> > >>>  .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf    |  51 ++++
> > >>>  16 files changed, 658 insertions(+)
> > >>>  create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
> > >>>  create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> > >>>  create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> > >>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
> > >>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> > >>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
> > >>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
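The ordering rule discussed in the thread (process PP with only trusted consoles connected, before EndOfDxe, and before the platform hierarchy is disabled on the lock), as an added, constructed C model that is not EDK2 or OVMF code: it checks a sequence of BDS-phase steps against that rule and reports the first violation. The step names, the result codes, `check_boot_order` and both sample sequences are assumptions for illustration, not OVMF's actual call order.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the BDS-phase steps the thread discusses; step names are illustrative, not EDK2 identifiers. */
typedef enum {
    STEP_CONNECT_TRUSTED_CONSOLE,    /* only platform-trusted console devices */
    STEP_PROCESS_PP,                 /* handle pending physical presence opcodes */
    STEP_SIGNAL_END_OF_DXE,          /* after this, 3rd-party drivers may run */
    STEP_DISABLE_PLATFORM_HIERARCHY, /* e.g. from the DxeSmmReadyToLock callback */
    STEP_CONNECT_ALL_CONSOLES        /* includes consoles on untrusted devices */
} BootStep;

typedef enum {
    ORDER_OK = 0,
    ERR_PP_AFTER_HIERARCHY_DISABLED, /* the case in the thread: opcodes cannot go through */
    ERR_PP_AFTER_END_OF_DXE,         /* 3rd-party code could touch the hierarchy */
    ERR_PP_AFTER_UNTRUSTED_CONSOLE,  /* PP confirmation via an untrusted console */
    ERR_PP_NEVER_PROCESSED
} OrderResult;

/* Walk the boot sequence once and report the first policy violation. */
OrderResult check_boot_order(const BootStep *steps, size_t n)
{
    bool end_of_dxe = false, untrusted = false, disabled = false, pp_done = false;
    for (size_t i = 0; i < n; i++) {
        switch (steps[i]) {
        case STEP_SIGNAL_END_OF_DXE:          end_of_dxe = true; break;
        case STEP_CONNECT_ALL_CONSOLES:       untrusted = true;  break;
        case STEP_DISABLE_PLATFORM_HIERARCHY: disabled = true;   break;
        case STEP_PROCESS_PP:
            if (disabled)   return ERR_PP_AFTER_HIERARCHY_DISABLED;
            if (end_of_dxe) return ERR_PP_AFTER_END_OF_DXE;
            if (untrusted)  return ERR_PP_AFTER_UNTRUSTED_CONSOLE;
            pp_done = true;
            break;
        default: break;
        }
    }
    return pp_done ? ORDER_OK : ERR_PP_NEVER_PROCESSED;
}

/* Two constructed sequences: EndOfDxe and the lock before PP in AfterConsole (the problem), and the recommended order. */
static const BootStep PP_IN_AFTER_CONSOLE[] = { STEP_SIGNAL_END_OF_DXE,
    STEP_DISABLE_PLATFORM_HIERARCHY, STEP_CONNECT_ALL_CONSOLES, STEP_PROCESS_PP };
static const BootStep RECOMMENDED[] = { STEP_CONNECT_TRUSTED_CONSOLE, STEP_PROCESS_PP,
    STEP_SIGNAL_END_OF_DXE, STEP_DISABLE_PLATFORM_HIERARCHY, STEP_CONNECT_ALL_CONSOLES };
OrderResult check_pp_in_after_console(void)
{ return check_boot_order(PP_IN_AFTER_CONSOLE, sizeof PP_IN_AFTER_CONSOLE / sizeof (BootStep)); }
OrderResult check_recommended_order(void)
{ return check_boot_order(RECOMMENDED, sizeof RECOMMENDED / sizeof (BootStep)); }
```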