-----Original Message-----
From: Yao, Jiewen
Sent: Saturday, September 11, 2021 10:38 AM
To: Stefan Berger <stef...@linux.ibm.com>; devel@edk2.groups.io;
stef...@linux.vnet.ibm.com
Cc: mhaeu...@posteo.de; spbro...@outlook.com;
marcandre.lur...@redhat.com; kra...@redhat.com
Subject: RE: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform
hierarchy
Hi Stefan
I notice you signal EndOfDxe at PlatformBootManagerBeforeConsole()
https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo
tManagerLib/BdsPlatform.c#L380
I would say, if PP is done after EndOfDxe, then the order is NOT right.
This topic has been debated for years. Finally, we reach the conclusion with the
trusted console concept.
The recommended way is to connect *trusted console only* and process PP
before EndOfDxe, to ensure no 3rd party code can touch the platform hierarchy.
We did that at PlatformBootManagerBeforeConsole(). Here is console means all
console, including the trusted console and untrusted console populated by
untrusted device. The full console list can still be connected after EndOfDxe.
The platform can decide which console is trusted v.s. not-trusted.
Thank you
Yao Jiewen
-----Original Message-----
From: Stefan Berger <stef...@linux.ibm.com>
Sent: Saturday, September 11, 2021 12:15 AM
To: Yao, Jiewen <jiewen....@intel.com>; devel@edk2.groups.io;
stef...@linux.vnet.ibm.com
Cc: mhaeu...@posteo.de; spbro...@outlook.com;
marcandre.lur...@redhat.com; kra...@redhat.com
Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform
hierarchy
On 9/10/21 11:32 AM, Yao, Jiewen wrote:
According to the security policy, PP request must be processed before
EndOfDxe.
May I know when you trigger PP request?
OVMF has 3 implementations invoking it in
PlatformBootManagerAfterConsole():
https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo
tManagerLib/BdsPlatform.c#L1517
https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo
tManagerLibBhyve/BdsPlatform.c#L1451
https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBoo
tManagerLibGrub/BdsPlatform.c#L1316
Stefan
Thank you
Yao Jiewen
-----Original Message-----
From: Stefan Berger <stef...@linux.ibm.com>
Sent: Friday, September 10, 2021 10:25 PM
To: devel@edk2.groups.io; stef...@linux.vnet.ibm.com
Cc: mhaeu...@posteo.de; spbro...@outlook.com;
marcandre.lur...@redhat.com; kra...@redhat.com; Yao, Jiewen
<jiewen....@intel.com>
Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform
hierarchy
On 9/9/21 1:35 PM, Stefan Berger wrote:
This series imports code from the edk2-platforms project related to
disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
aspects of the following bugs:
https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499
I have patched the .dsc files and successfully test-built with most of
them. Some I could not build because they failed for other reasons
unrelated to this series.
I tested the changes with QEMU on x86 following the build of
OvmfPkgX64.dsc.
Neither one of the following commands should work anymore on first
try when run on Linux:
With IBM tss2 tools:
tsshierarchychangeauth -hi p -pwdn newpass
With Intel tss2 tools:
tpm2_changeauth -c platform newpass
While disabling the platform hierarchy works, the unfortunate problem is
now that the signal to disable the TPM 2 platform hierarchy is received
before handling the physical presence interface (PPI) opcodes, which is
bad because some of the opcodes will not go through. The question now is
what is wrong? Are the PPI opcodes handled too late or the signal is
sent to early or is it the wrong signal?
Event = EfiCreateProtocolNotifyEvent (
&gEfiDxeSmmReadyToLockProtocolGuid,
TPL_CALLBACK,
SmmReadyToLockEventCallBack,
NULL,
&Registration
);
Stefan
Regards,
Stefan
v7:
- Ditched ARM support in this series
- Using Tcg2PlatformDxe and Tcg2PlaformPei from edk2-platforms now
and revised most of the patches
v6:
- Removed unnecessary entries in .dsc files
- Added support for S3 resume failure case
- Assigned unique FILE_GUID to NULL implementation
v5:
- Modified patch 1 copies the code from edk2-platforms
- Modified patch 2 fixes bugs in the code
- Modified patch 4 introduces required PCD
v4:
- Fixed and simplified code imported from edk2-platforms
v3:
- Referencing Null implementation on Bhyve and Xen platforms
- Add support in Arm
Stefan Berger (9):
SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms
SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable
SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
OvmfPkg: Reference new Tcg2PlatformDxe in the build system for
compilation
SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms
SecurityPkg/Tcg: Make Tcg2PlatformPei buildable
OvmfPkg: Reference new Tcg2PlatformPei in the build system
OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +
OvmfPkg/AmdSev/AmdSevX64.fdf | 2 +
OvmfPkg/OvmfPkgIa32.dsc | 8 +
OvmfPkg/OvmfPkgIa32.fdf | 2 +
OvmfPkg/OvmfPkgIa32X64.dsc | 8 +
OvmfPkg/OvmfPkgIa32X64.fdf | 2 +
OvmfPkg/OvmfPkgX64.dsc | 8 +
OvmfPkg/OvmfPkgX64.fdf | 2 +
.../Include/Library/TpmPlatformHierarchyLib.h | 27 ++
.../PeiDxeTpmPlatformHierarchyLib.c | 255 ++++++++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf | 44 +++
SecurityPkg/SecurityPkg.dec | 6 +
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 ++++++
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 43 +++
.../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++
.../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 51 ++++
16 files changed, 658 insertions(+)
create mode 100644
SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierar
chyLib.c
create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierar
chyLib.inf
create mode 100644
SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
create mode 100644
SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
create mode 100644
SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
create mode 100644
SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf