On 10/22/21 3:01 AM, Gerd Hoffmann wrote:
On Thu, Oct 21, 2021 at 12:13:51PM -0400, Stefan Berger wrote:
A few more comments to this series:

- Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where
there should not be a TPM 2 menu entry? It's worth considering dropping this
option because a user does need to have control over certain aspects of the
TPM 2 configuration.
I happily drop the option if it doesn't make sense.  I've already
wondered why it is there but assumed there is some valid reason for
it and left it as-is.

I think we should drop it.


- I would drop patch 4 if it means that an active SHA1 bank doesn't get PCR
extensions (haven't tested yet). swtpm_setup currently sets up a swtpm with
active SHA1 and SHA256 PCR banks
(https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65).
We can change this for swtpm v0.7.0 to only activate the SHA256 bank, if
that's what is needed here. However, this doesn't prevent a user from activating
the SHA1 PCR bank either via PPI 'request' file or UEFI TPM menu and when it
is active it must get PCR extensions.
With SHA1 being considered broken we want to avoid SHA1 being used.
Ideally by removing support for it altogether.  In case this is not possible
for backward compatibility reasons at least have it disabled by default.

So swtpm_setup not enabling the SHA1 bank by default is certainly a good
idea and a move in the right direction (independent from the patch #4
discussion).

I will change this then for swtpm v0.7.0. Just in time... I wanted to make the release today but I'll delay that a bit then.



Didn't do much testing yet to see whether removing SHA1 support
altogether trips up operating systems.

- Since TPM 1.2 is still supported we need to add a TPM menu for it as well
using this patch here. I would put this under the TPM1_ENABLE config option
since having TPM 1.2 support without a menu is quite useless. I can send a
patch for this once this series has gone through.
I can pick this up for v2 if you don't mind.

Yes, please!



take care,
   Gerd







