On 02/25/20 11:44, Ard Biesheuvel wrote:
> Duplicate the TPM2_ENABLE and TPM2_CONFIG_ENABLE build time flags that
> already exist in OvmfPkg, and wire them up in the .DSC and .FDF so
> that setting those flags produces an ArmVirtQemu build that implements
> measured boot using a TPM provided by QEMU and described in the device
> tree.
>
> Note that the TPM2 driver stack relies on a PEI phase being implemented,
> so there is no point in enabling this for ArmVirtQemuKernel or ArmVirtXen.
>
> Also note that, despite ArmVirtQemuKernel being unaffected by this patch,
> ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc is being modified, for keeping the
> contexts of the referring !include directives simple.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> ---
>  ArmVirtPkg/ArmVirtQemu.dsc           | 75 ++++++++++++++++++++
>  ArmVirtPkg/ArmVirtQemu.fdf           |  6 ++
>  ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 10 +++
>  3 files changed, 91 insertions(+)
Under a similar, recent patch from Marc-André (which proposes enabling TPM-1.2 in OvmfPkg), I asked Marc-André to build up the work in small steps, practically mirroring the gradual TPM2.0 stuff from OvmfPkg:

* [edk2-devel] [PATCH v2 3/3] Ovmf: enable TPM 1.2 support
  http://mid.mail-archive.com/bbf8cf87-9c90-5507-82b3-ae8534555a54@redhat.com
  https://edk2.groups.io/g/devel/message/54473

I'd like to be consistent as a reviewer (and I indeed prefer that approach), so I'd like to ask you for the same.

Now if you and Marc-André agree that I'm being unreasonable, I guess I could be convinced... I don't want to annoy patch authors needlessly (I just find small gradual steps easier to understand, later).

(Extra apologies if my current request contradicts something I asked for in the v1 review -- please do point it out, if that's the case. I'd like to be responsive and consistent, but there's just too much to re-review, even incrementally. I can easily see myself making process mistakes here, due to fatigue.)

Thanks
Laszlo

> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc > index 7ae6702ac1f0..e8ea711e1a17 100644 > --- a/ArmVirtPkg/ArmVirtQemu.dsc > +++ b/ArmVirtPkg/ArmVirtQemu.dsc > @@ -29,6 +29,8 @@ [Defines] > # > DEFINE TTY_TERMINAL = FALSE > DEFINE SECURE_BOOT_ENABLE = FALSE > + DEFINE TPM2_ENABLE = FALSE > + DEFINE TPM2_CONFIG_ENABLE = FALSE > > # > # Network definition 
> @@ -74,12 +76,32 @@ [LibraryClasses.common] > PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf > > PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf > > +!if $(TPM2_ENABLE) == TRUE > + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf > + > Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf > + > Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf > + > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf > +!else > + > Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf > + > TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf > +!endif > + > [LibraryClasses.common.PEIM] > > ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf > + ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf > + > +!if $(TPM2_ENABLE) == TRUE > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf > +!endif > > [LibraryClasses.common.DXE_DRIVER] > > ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf > > +!if $(TPM2_ENABLE) == TRUE > + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf > +!endif > + > [LibraryClasses.common.UEFI_DRIVER] > UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf > > @@ -100,6 +122,8 @@ [PcdsFeatureFlag.common] > > gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE > > + gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) > + > [PcdsFixedAtBuild.common] > !if $(ARCH) == AARCH64 > gArmTokenSpaceGuid.PcdVFPEnabled|1 
> @@ -237,9 +261,20 @@ [PcdsDynamicDefault.common] > gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0 > gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE > > +!if $(TPM2_ENABLE) == TRUE > + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, > 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} > + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0 > + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0 > +!endif > + > [PcdsDynamicHii] > > gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS > > +!if $(TPM2_CONFIG_ENABLE) == TRUE > + > gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS > + > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS > +!endif > + > > ################################################################################ > # > # Components Section - list of all EDK II Modules needed by this Platform 
> @@ -261,6 +296,23 @@ [Components.common] > > MdeModulePkg/Universal/Variable/Pei/VariablePei.inf > > +!if $(TPM2_ENABLE) == TRUE > + MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf { > + <LibraryClasses> > + > ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf > + } > + OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf > + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { > + <LibraryClasses> > + > HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf > + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf > + > NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf > + > NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf > + > NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf > + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf > + } > +!endif > + > MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { > <LibraryClasses> > > NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf > @@ -295,6 +347,9 @@ [Components.common] > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { > <LibraryClasses> > > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > +!if $(TPM2_ENABLE) == TRUE > + > NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf > +!endif > } > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf 
> @@ -430,6 +485,26 @@ [Components.common] > MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf > MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf > > + # > + # TPM2 support > + # > +!if $(TPM2_ENABLE) == TRUE > + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { > + <LibraryClasses> > + > HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf > + > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf > + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf > + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf > + > NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf > + > NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf > + > NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf > + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf > + } > +!if $(TPM2_CONFIG_ENABLE) == TRUE > + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf > +!endif > +!endif > + > # > # ACPI Support > # > diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf > index 2c8936a1ae15..b5e2253295fe 100644 > --- a/ArmVirtPkg/ArmVirtQemu.fdf > +++ b/ArmVirtPkg/ArmVirtQemu.fdf > @@ -113,6 +113,12 @@ [FV.FVMAIN_COMPACT] > INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf > INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf > > +!if $(TPM2_ENABLE) == TRUE > + INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf > + INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf > + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf > +!endif > + > FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 { > SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED > = TRUE { > SECTION FV_IMAGE = FVMAIN > diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc > b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc > index 31f615a9d0f9..d481e4b2b8fb 100644 > --- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc > +++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc 
> @@ -182,3 +182,13 @@ [FV.FvMain] > # Ramdisk support > # > INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf > + > + # > + # TPM2 support > + # > +!if $(TPM2_ENABLE) == TRUE > + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf > +!if $(TPM2_CONFIG_ENABLE) == TRUE > + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf > +!endif > +!endif

View/Reply Online (#54821): https://edk2.groups.io/g/devel/message/54821
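Review bot: the DxeTpm2MeasureBootLib addition in the SecurityStubDxe hunk of ArmVirtQemu.dsc (@@ -295,6 +347,9 @@) looks like it lands inside the secure-boot-only instance of SecurityStubDxe: the trailing context lines, SecureBootConfigDxe.inf and EnrollDefaultKeys.inf, are the SECURE_BOOT_ENABLE component set, so this SecurityStubDxe.inf { ... } block is presumably under `!if $(SECURE_BOOT_ENABLE) == TRUE` (the !else branch is outside the hunk, please check). If the !else branch carries its own, bare SecurityStubDxe.inf, then a build with TPM2_ENABLE=TRUE and SECURE_BOOT_ENABLE=FALSE gets Tcg2Pei/Tcg2Dxe but no measure-boot hook in the security arch protocol, so boot loaders, option ROMs and the GPT are never measured into the PCRs and the event log is silently incomplete. Suggest a single SecurityStubDxe.inf instance outside the secure-boot conditional, with each NULL library guarded by its own flag: `!if $(SECURE_BOOT_ENABLE) == TRUE` around DxeImageVerificationLib and `!if $(TPM2_ENABLE) == TRUE` around DxeTpm2MeasureBootLib, and only SecureBootConfigDxe.inf / EnrollDefaultKeys.inf left under SECURE_BOOT_ENABLE.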
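Review bot: in the [PcdsDynamicDefault] / [PcdsDynamicHii] hunk of ArmVirtQemu.dsc (@@ -237,9 +261,20 @@), `gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0` means Tpm2DeviceLibDTpm in PEI has no TPM to probe unless something sets the PCD from the device tree before Tcg2ConfigPei runs (the commit message says the TPM is "described in the device tree", but the DT discovery and the ordering guarantee are not in this patch). PEIMs are dispatched by depex, not by FV order, so Tcg2ConfigPei needs a depex on a PPI (or a HOB-driven gate) published by the PEIM that discovers the TPM MMIO range; otherwise it can run first, see base address 0, and record "no TPM" in PcdTpmInstanceGuid for the rest of the boot. Please spell out in the commit message which earlier patch provides the discovery and how the ordering is enforced. Separately, the `!if $(TPM2_CONFIG_ENABLE) == TRUE` block in [PcdsDynamicHii] is not nested under TPM2_ENABLE, unlike the Components and FDF hunks, so TPM2_CONFIG_ENABLE=TRUE with TPM2_ENABLE=FALSE defines the TCG2_VERSION HII defaults with no Tcg2ConfigDxe to own them; nest it for consistency.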
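Review bot: the [PcdsFeatureFlag.common] hunk of ArmVirtQemu.dsc (@@ -100,6 +122,8 @@) sets `gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)`, but nothing in this patch declares that PCD and the diffstat touches only the .dsc/.fdf files, so the build fails unless ArmVirtPkg.dec already declares it as a feature flag in an earlier patch of the series. Name that dependency in the commit message (or squash the .dec change in), and state which consumer (PlatformPeiLib, presumably) reads the flag, since that is what ties TPM2_ENABLE to the DT-based detection.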
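Review bot: the PEI components hunk of ArmVirtQemu.dsc (@@ -261,6 +296,23 @@) overrides ResetSystemLib for ResetSystemPei with `ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf`, a library that is not part of this patch; confirm it is introduced earlier in the series and mention it in the commit message, because the reset path matters for correctness here: Tcg2Pei performs a cold reset after it re-allocates PCR banks, and in PEI that goes through PeiResetSystemLib to the Reset PPI that ResetSystemPei installs, which on this platform has to end up in PSCI. Also note that the [LibraryClasses.common.PEIM] hunk (@@ -74,12 +76,32 @@) resolves `ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf` outside the `!if $(TPM2_ENABLE) == TRUE` block while every other addition in that hunk is inside it; harmless, since an unreferenced class is not linked, but either move it inside or say in the commit message that it is intentionally unconditional.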
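Review bot: the ArmVirtQemuFvMain.fdf.inc hunk (@@ -182,3 +182,13 @@) is also !included by ArmVirtQemuKernel.fdf, whose .dsc (per the commit message, "unaffected by this patch") does not DEFINE TPM2_ENABLE, so `!if $(TPM2_ENABLE) == TRUE` is evaluated there with an undefined macro. Please confirm the build tools treat that as FALSE rather than erroring out, or add `DEFINE TPM2_ENABLE = FALSE` / `DEFINE TPM2_CONFIG_ENABLE = FALSE` to ArmVirtQemuKernel.dsc as well, so the .inc has the same contract for every platform that includes it and the "keeping the contexts of the referring !include directives simple" rationale actually holds.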