On 04/23/21 19:41, Tom Lendacky wrote: > On 4/23/21 8:04 AM, Laszlo Ersek wrote:
>> I've had a further idea on this. >> >> You could add an entirely new PEIM just for this. The entry point >> function of the PEIM would check for SEV, decrypt the TPM range if SEV >> were active, and then install gOvmfTpmMmioAccessiblePpiGuid >> (unconditionally). The exit status of the PEIM would always be >> EFI_ABORTED, because there would be no need to keep the PEIM resident. >> >> The new PEIM would have a DEPEX on gEfiPeiMemoryDiscoveredPpiGuid, to >> make sure that potential page table splitting for the potential MMIO >> range decryption could be satisfied from permanent PEI RAM. >> >> The new PEIM would be included in the DSC and FDF files of the usual >> three OVMF platforms, and in the Bhyve platform -- dependent on the >> TPM_ENABLE build flag. >> >> There are several advantages to such a separate PEIM: >> >> - For Bhyve, the update is minimal. Just include one line in each of the >> FDF and the DSC files. No need to customize an existent >> platform-specific PEIM, no code duplication between two PlatformPei modules. >> >> - The new PEIM would depend on the TPM_ENABLE build flag, so it would >> only be included in the firmware binaries if and only if Tcg2ConfigPei >> were. No useless PPI installation would occur in the absence of TPM_ENABLE. >> >> - No need to check PcdTpmBaseAddress for nullity in the new PEIM, before >> the decryption, as TPM_ENABLE guarantees (on IA32/X64) that the PCD >> already has the right value. >> >> - The new logic would be properly ordered between PlatformPei and >> Tcg2ConfigPei, namely due to the use of two such PPI GUIDs in DEPEXes >> that actually make sense. PlatformPei -> TPM MMIO decryptor PEIM ordered >> via "memory discovered" (needed for potential page table splitting), TPM >> MMIO decryptor PEIM -> Tcg2ConfigPei ordered via "TPM MMIO decrypted". >> >> You could place the new PEIM at: >> >> OvmfPkg/Tcg/TpmMmioSevDecryptPei >> >> If you haven't lost your patience with me yet, I'd really appreciate if >> you could investigate this! >> > > So far, this appears to be working nicely. I'm new at the whole PEIM > thing, so hopefully I haven't missed anything. I should be submitting the > patches soon for review. Thanks! > > One thing I found is that the Bhyve package makes reference to the > OvmfPkg/Bhyve/Tcg directory, but that directory does not exist. So I don't > think that TPM enablement has been tested. I didn't update the Bhyve > support for that reason. That's good to know; thanks for reporting this. I've turned it now into a BZ ticket (assigned to Rebecca): https://bugzilla.tianocore.org/show_bug.cgi?id=3354 Thanks! Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#74416): https://edk2.groups.io/g/devel/message/74416 Mute This Topic: https://groups.io/mt/82247968/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
