On 04/22/21 09:34, Laszlo Ersek wrote:

> The new InternalTpmDecryptAddressRange() function should be called
> from Tcg2ConfigPeimEntryPoint(), before the latter calls
> InternalTpm12Detect(). Regarding error checking... if
> InternalTpmDecryptAddressRange() fails, I think we can log an error
> message, and hang with CpuDeadLoop().

Sorry, another point:

(6) where we determine that no TPM is available:

    //
    // If no TPM2 was detected, we still need to install
    // TpmInitializationDonePpi. Namely, Tcg2Pei will exit early upon seeing
    // the default (all-bits-zero) contents of PcdTpmInstanceGuid, thus we have
    // to install the PPI in its place, in order to unblock any dependent
    // PEIMs.
    //
    Status = PeiServicesInstallPpi (&mTpmInitializationDonePpiList);

we should re-encrypt the address range, as if nothing had happened. For
this, we'll likely need a similarly polymorphic function called
InternalTpmEncryptAddressRange().

(

For some background on this particular branch of the code, please refer
to commit 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
2018-03-09):

    - Check the QEMU hardware for TPM2 availability only

    - If found, set the dynamic PCD "PcdTpmInstanceGuid" to
      &gEfiTpmDeviceInstanceTpm20DtpmGuid. This is what informs the rest
      of the firmware about the TPM type.

    - Install the gEfiTpmDeviceSelectedGuid PPI. This action permits the
      PEI_CORE to dispatch the Tcg2Pei module, which consumes the above
      PCD. In effect, the gEfiTpmDeviceSelectedGuid PPI serializes the
      setting and the consumption of the "TPM type" PCD.

    - If no TPM2 was found, install gPeiTpmInitializationDonePpiGuid.
      (Normally this is performed by Tcg2Pei, but Tcg2Pei doesn't do it
      if no TPM2 is available. So in that case our Tcg2ConfigPei must do
      it.)

)

Thanks
Laszlo