Thanks Jason.

I think we should NOT measure TPM2 table *after* ACPI table patch.
The measurement should happen *before* ACPI table patch.

Hi Chao
Do you agree on that?

Thank you
Yao Jiewen


From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of 
jason.spottsw...@hpe.com
Sent: Tuesday, June 25, 2019 11:58 PM
To: devel@edk2.groups.io
Subject: [edk2-devel] TPM ACPI HID creation

Tcg2Smm.c has a function "UpdateHID" to create the ACPI HID for the TPM.  This 
function uses the TPM vendor ID combined with the firmware version number to 
create the ACPI HID.  The use of the TPM firmware version is not specified in 
any spec from the TCG or otherwise that I have been able to find.  I believe 
this was a design choice specific to EDK2.  However, using the TPM firmware 
version does not match the intended use case from the TCG PC Client spec, where 
the HID should be comprised of the vendor ID and device ID.  See below.  One 
problem that arises from this design is that the ACPI tables will change when 
the TPM FW has been updated.  Since the ACPI tables are hashed into PCR[0], it 
consequently means that a TPM FW change will cause a change to PCR[0].  It is 
not intuitive nor spec'd that TPM FW be included in PCR[0] measurements.  In 
fact, PCR[0] is used only for system FW/UEFI code measurements.  If a user does 
not update UEFI, then there is no expectation of PCR[0] measurement changes.  I 
propose that EDK2 change the UpdateHID function to use the vendor ID and device 
ID read from register TPM_DID_VID_0 (locality 0 offset 0xF00) in the creation 
of the ACPI HID.

The following was taken from the TCG PC Client Platform Firmware spec:

According to the ACPI Specification (version 5, Errata A, Section 6.1.5 and 
6.1.3) a hardware ID or compatibility ID is either a PNP ID with format 
“AAA####” or ACPI ID with format “NNNN####”. The manufacturer ID returned by a 
TPM2_GetCapability command can be used to set the “AAA” or “NNNN” portion of the 
ID. The remaining four hexadecimal digits should be set to a value that allows 
software to differentiate different device classes built by the same 
manufacturer.
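The following is an added illustration, not code from this thread and not
EDK2's own Tcg2Smm.c: a simplified C model of the two ways of filling in the
trailing "####" of the TPM's ACPI HID that the post contrasts. The
version-based scheme takes the digits from TPM_PT_FIRMWARE_VERSION_1; the
proposed scheme takes them from the device ID half of TPM_DID_VID_0 (locality
0, offset 0xF00, DID in bits 31:16, VID in bits 15:0). The manufacturer
strings, firmware versions and DID/VID register values are constructed sample
inputs, and the example assumes the manufacturer ID has already been
converted into string byte order. The last function makes the post's point
concrete: if the HID bytes change across a firmware update, the TPM2 ACPI
table bytes change, and so does whatever PCR[0] value the table is hashed into.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "NNNN" + "####" + NUL */
#define HID_MAX 9

/* Constructed sample manufacturer IDs (not taken from any real device). */
static const uint8_t MFR_ACPI[4] = { 'I', 'N', 'T', 'C' }; /* 4-letter ACPI ID form */
static const uint8_t MFR_PNP[4]  = { 'I', 'F', 'X', ' ' }; /* 3-letter PNP ID, space padded */

/*
 * Copy the manufacturer prefix from a TPM_PT_MANUFACTURER value.
 * Assumption: mfr already holds the four ASCII bytes in string order
 * (real firmware byte-swaps the big-endian TPM2 response first).
 * A 4th byte of 0x20 or 0x00 means a 3-letter PNP ID "AAA####";
 * otherwise it is a 4-letter ACPI ID "NNNN####". Returns the prefix length.
 */
static size_t hid_prefix(const uint8_t mfr[4], char out[HID_MAX])
{
    memcpy(out, mfr, 4);
    if (out[3] == ' ' || out[3] == '\0') {
        out[3] = '\0';
        return 3;
    }
    out[4] = '\0';
    return 4;
}

/*
 * Model of the version-based scheme the post objects to: "####" is built
 * from TPM_PT_FIRMWARE_VERSION_1 (major in bits 31:16, minor in bits 15:0),
 * two decimal digits each. snprintf silently truncates if a field exceeds
 * 99, one more sign that this field was not designed to carry the HID.
 */
char *hid_from_firmware_version(const uint8_t mfr[4], uint32_t fw_version1, char out[HID_MAX])
{
    size_t n = hid_prefix(mfr, out);
    snprintf(out + n, HID_MAX - n, "%02u%02u",
             (unsigned)((fw_version1 >> 16) & 0xFFFF), (unsigned)(fw_version1 & 0xFFFF));
    return out;
}

/*
 * Proposed scheme: "####" is the 16-bit device ID from TPM_DID_VID_0
 * (locality 0, offset 0xF00; DID in bits 31:16, VID in bits 15:0).
 * The register identifies the silicon, so it survives a firmware update.
 */
char *hid_from_did_vid(const uint8_t mfr[4], uint32_t did_vid, char out[HID_MAX])
{
    size_t n = hid_prefix(mfr, out);
    snprintf(out + n, HID_MAX - n, "%04X", (unsigned)((did_vid >> 16) & 0xFFFF));
    return out;
}

/* Scalar-result helpers so the two schemes can be checked side by side. */
int version_hid_matches(const uint8_t mfr[4], uint32_t fw_version1, const char *expected)
{
    char buf[HID_MAX];
    return strcmp(hid_from_firmware_version(mfr, fw_version1, buf), expected) == 0;
}

int didvid_hid_matches(const uint8_t mfr[4], uint32_t did_vid, const char *expected)
{
    char buf[HID_MAX];
    return strcmp(hid_from_did_vid(mfr, did_vid, buf), expected) == 0;
}

/*
 * The consequence the post describes: the HID is a byte string inside the
 * TPM2 ACPI table, and that table is hashed into PCR[0]. Returns 1 when a
 * firmware update from fw_before to fw_after changes the version-based HID,
 * which means the measured table bytes (and hence PCR[0]) change as well.
 */
int version_hid_changes_on_fw_update(const uint8_t mfr[4], uint32_t fw_before, uint32_t fw_after)
{
    char a[HID_MAX], b[HID_MAX];
    hid_from_firmware_version(mfr, fw_before, a);
    hid_from_firmware_version(mfr, fw_after, b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    char buf[HID_MAX];
    /* Constructed: firmware 2.0 updated to 3.1, silicon DID 0x001B, VID 0x1234. */
    printf("version scheme, before update: %s\n", hid_from_firmware_version(MFR_ACPI, 0x00020000u, buf));
    printf("version scheme, after update:  %s\n", hid_from_firmware_version(MFR_ACPI, 0x00030001u, buf));
    printf("DID/VID scheme, either time:   %s\n", hid_from_did_vid(MFR_ACPI, 0x001B1234u, buf));
    printf("PNP form, DID/VID scheme:      %s\n", hid_from_did_vid(MFR_PNP, 0x00151234u, buf));
    return 0;
}
```

Running it prints INTC0200 before and INTC0301 after the simulated firmware
update for the version-based scheme, and INTC001B both times for the DID/VID
scheme; the PNP branch yields the 7-character IFX0015. The only ACPI table
bytes that differ between the two boots come from the version-based HID,
which is exactly the PCR[0] drift the post is describing.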

