: Julien Grall
Cc: Peter Grehan
Cc: Qi Zhang
Cc: Ray Han Lim Ng
Cc: Stefan Berger
Cc: Wenxing Hou
Cc: Xiaoyu Lu
Signed-off-by: Michael D Kinney
Reviewed-by: Stefan Berger
On 2/15/20 6:33 AM, Marc-André Lureau wrote:
Hi Yao
On Thu, Feb 13, 2020 at 2:51 PM Yao, Jiewen wrote:
Hi Lureau
I don’t think we should expose the TPM Interface type via TpmCommandLib.
That is the TPM device implementation. The TPM device might use TIS/FIFO/CRB,
but there might be also othe
amp; CRB which are TPM 2.0), try to send a GetTicks TPM
1.2 command to probe the version. In case of failure, fallback on TPM
2.0 path.
Signed-off-by: Marc-André Lureau
Reviewed-by: Stefan Berger
---
OvmfPkg/OvmfPkgIa32.dsc | 2 +
OvmfPkg/OvmfPkgIa32X64.dsc
this expectation in "Maintainers.txt" in
machine-readable format.
Cc: Andrew Fish
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Leif Lindholm
Cc: Marc-André Lureau
Cc: Michael D Kinney
Cc: Philippe Mathieu-Daudé
Cc: Stefan Berger
Signed-off-by: Laszlo Ersek
Reviewed-by: Marc-André
On 9/19/22 05:17, Igor Mammedov wrote:
On Fri, 16 Sep 2022 15:45:38 -0400
"Jason Andryuk" wrote:
CCing Stefan as he is probably the best person to talk about qemu
impl. of TPM
Hi,
I've noticed an issue with the TPM2 EventLog. OVMF exposes the TPM
Event Log via EFI and ACPI, but they have
On 9/19/22 12:55, Jason Andryuk wrote:
Hi, Stefan,
On Mon, Sep 19, 2022 at 8:22 AM Stefan Berger wrote:
On 9/19/22 05:17, Igor Mammedov wrote:
On Fri, 16 Sep 2022 15:45:38 -0400
"Jason Andryuk" wrote:
CCing Stefan as he is probably the best person to talk about qemu
impl. o
On 7/10/20 1:43 AM, Laszlo Ersek wrote:
(+Marc-André, Stefan)
On 07/10/20 02:44, Gao, Zhichao wrote:
This bug is not observed by me. But I view the code. The condition is
incorrect and it would affect the TCG operation:
if (!mIsTcg2PPVerLowerThan_1_3) {
if (OperationRequest <
T
On 7/10/20 9:53 AM, Stefan Berger wrote:
On 7/10/20 1:43 AM, Laszlo Ersek wrote:
(+Marc-André, Stefan)
On 07/10/20 02:44, Gao, Zhichao wrote:
This bug is not observed by me. But I view the code. The condition
is incorrect and it would affect the TCG operation:
if
On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
Allows to compile OVMF without HashInstanceLibSha1,
i.e. no SHA1 hash support in TPM/TCG modules.
Does that then mean that the SHA1 bank in a TPM 2 stays untouched,
meaning the PCRs there won't get extended even though the bank is there
and active?
Hoffmann
Tested-by: Stefan Berger
[Tested with OvmfPkg/OvmfPkgX64.dsc]
picking the one or the
other inf file.
FYI: TPM 2 does not provide backwards compatibility to TPM 1.2. TPM 1.2
is its own implementation that is incompatible with TPM 2.
So the extension 'Compat12' is a bit odd in this case.
Tested-by: Stefan Berger
[Tested with OvmfPkg/Ovmf
On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
Rename TPM_ENABLE to TPM2_ENABLE and TPM_CONFIG_ENABLE to
TPM2_CONFIG_ENABLE so they are in line with the ArmVirtPkg
config option names.
Add separate TPM1_ENABLE option for TPM 1.2 support.
I tested this on Fedora and attached a TPM 1.2 to the VM a
A few more comments to this series:
- Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning
where there should not be a TPM 2 menu entry? It's worth considering
dropping this option because a user does need to have control over
certain aspects of the TPM 2 configuration. Most of th
On 10/22/21 3:01 AM, Gerd Hoffmann wrote:
On Thu, Oct 21, 2021 at 12:13:51PM -0400, Stefan Berger wrote:
A few more comments to this series:
- Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where
there should not be a TPM 2 menu entry? It's worth considering dropping
On 10/22/21 2:39 AM, Gerd Hoffmann wrote:
On Thu, Oct 21, 2021 at 09:24:55AM -0400, Stefan Berger wrote:
On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
Allows to compile OVMF without HashInstanceLibSha1,
i.e. no SHA1 hash support in TPM/TCG modules.
Does that then mean that the SHA1 bank in a
On 10/22/21 7:49 AM, James Bottomley wrote:
On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
[...]
I see this also but when I get into Linux and run tpm2_pcrread I see
the SHA1 bank active but not having received any PCR extensions from
the firmware, which is not supposed to happen
On 10/22/21 8:40 AM, James Bottomley wrote:
On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
On 10/22/21 7:49 AM, James Bottomley wrote:
On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
[...]
I see this also but when I get into Linux and run tpm2_pcrread I
see the SHA1 bank
On 10/22/21 2:31 AM, Gerd Hoffmann wrote:
Hi,
FYI: TPM 2 does not provide backwards compatibility to TPM 1.2. TPM 1.2 is
its own implementation that is incompatible with TPM 2.
So the extension 'Compat12' is a bit odd in this case.
Suggestions for a better name?
Tcg2ConfigPeiCompat12.
On 10/22/21 10:17 AM, James Bottomley wrote:
On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
On 10/22/21 8:40 AM, James Bottomley wrote:
On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
On 10/22/21 7:49 AM, James Bottomley wrote:
On Fri, 2021-10-22 at 06:50 -0400, Stefan
On 10/22/21 11:01 AM, James Bottomley wrote:
On Fri, 2021-10-22 at 10:52 -0400, Stefan Berger wrote:
along with the quote on the sha1 bank.
The validator shouldn't accept that quote ... it should require a quote
covering all banks. This is the point: you can't fake the quo
On 10/25/21 8:15 AM, Gerd Hoffmann wrote:
Drop TPM_CONFIG_ENABLE config option. Including TPM support in the
build without also including the TPM configuration menu is not useful.
Suggested-by: Stefan Berger
Signed-off-by: Gerd Hoffmann
2 more files would need this change:
./OvmfPkg
1.2 support
should be included or not by picking the one or the other inf file.
Switch x86 builds to Tcg12ConfigPei.inf, so they continue to
have TPM 1.2 support.
No functional change.
Signed-off-by: Gerd Hoffmann
Reviewed-by: Stefan Berger
Tested-by: Stefan Berger
---
Ovmf
: DEFINE TPM_ENABLE = FALSE
Tested-by: Stefan Berger
---
OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 4 +++-
OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 6 +-
OvmfPkg/OvmfTpmDefines.dsc.inc| 5 -
OvmfPkg
On 10/25/21 8:15 AM, Gerd Hoffmann wrote:
When building OVMF with TPM 1.2 support enabled
do also include the configuration menu.
Suggested-by: Stefan Berger
Signed-off-by: Gerd Hoffmann
The menu is there but it doesn't react to the selections, which I hadn't
tested before.
Hoffmann
Reviewed-by: Stefan Berger
---
OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 28 +
OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 22 +++
OvmfPkg/OvmfTpmDefines.dsc.inc | 6 ++
OvmfPkg/OvmfTpmLibs.dsc.inc | 14 +
OvmfPkg/OvmfTpmLibsDxe.dsc.inc | 8
keep them at a minimum.
For the PPI Flags I am using a EFI variable just like the original code does.
(SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c)
Regards,
Stefan
Gerd Hoffmann (1):
OvmfPkg: add TPM 1.2 config menu
Stefan Berger (3):
OvmfPkg: Check for TPM 2
TPM 1.2 and TPM 2 share QEMU's PPI memory/device and for the TPM 2 code
not to initialize over the TPM 1.2 initialization, leave the init function
early without touching that memory.
Cc: Gerd Hoffmann
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
.../DxeTcg2PhysicalPresence
Yao
Cc: Jian J Wang
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
.../DxeTcgPhysicalPresenceLib.c | 55 +++
SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c | 41 +-
2 files changed, 70 insertions(+), 26 deletions(-)
diff --git
a/SecurityPkg
From: Gerd Hoffmann
When building OVMF with TPM 1.2 support enabled
do also include the configuration menu.
Suggested-by: Stefan Berger
Signed-off-by: Gerd Hoffmann
---
OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 1 +
OvmfPkg/OvmfTpmDxe.fdf.inc | 1 +
2 files changed, 2 insertions
Enable the physical presence interface for TPM 1.2. It is required for
the TPM 1.2 menu to work.
Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
OvmfPkg/Include/Library/QemuPPI.h
On 10/26/21 13:38, Stefan Berger wrote:
Enable the physical presence interface for TPM 1.2. It is required for
the TPM 1.2 menu to work.
I am also extending the TPM 2 PPI QEMU code and I am trying to introduce
a variable there as well for holding physical presence flags.
When trying to
On 10/28/21 07:09, Gerd Hoffmann wrote:
Signed-off-by: Gerd Hoffmann
Reviewed-by: Stefan Berger
---
OvmfPkg/Microvm/MicrovmX64.dsc | 2 --
1 file changed, 2 deletions(-)
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index 617f92539518..c58c4c35d4cb 100644
Yao
Cc: Jian J Wang
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
.../DxeTcgPhysicalPresenceLib.c | 55 +++
SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c | 41 +-
2 files changed, 70 insertions(+), 26 deletions(-)
diff --git
a/SecurityPkg
From: Gerd Hoffmann
When building OVMF with TPM 1.2 support enabled do also include the
configuration menu.
Suggested-by: Stefan Berger
Signed-off-by: Gerd Hoffmann
---
OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 1 +
OvmfPkg/OvmfTpmDxe.fdf.inc | 1 +
2 files changed, 2 insertions
from DxeTcgPhysicalPresenceLib.inf
- Other nits
Gerd Hoffmann (1):
OvmfPkg: add TPM 1.2 config menu
Stefan Berger (3):
SecurityPkg: Store physical presence code by submitting to PreOS func
OvmfPkg: Copy TPM 1.2 DxeTcgPhysicalPresenceLib.c from SecurityPkg
OvmfPkg: Enable physical presence
execute.
Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
.../PlatformBootManagerLib/BdsPlatform.c | 2 +
.../PlatformBootManagerLib.inf| 1 +
.../DxeTcgPhysicalPresenceLib.c
Copy the TPM 1.2 physical presence interface support from SecurityPkg
DxeTcgPhysicalPresenceLib.c along with its .inf and .uni files into
OvmfPkg.
Fix EFI_F_INFO and EFI_D_ERROR to meet code standards.
Signed-off-by: Stefan Berger
---
.../DxeTcgPhysicalPresenceLib.c | 1455
On 11/5/21 08:17, Gerd Hoffmann wrote:
On Tue, Nov 02, 2021 at 11:49:09AM -0400, Stefan Berger wrote:
Enable the physical presence interface for TPM 1.2. It is required for the
TPM 1.2 menu to work.
The changes to DxeTcgPhysicalPresenceLib.c are due to the device we are using
in QEMU for
bleLockProtocolGuid, NULL,
(VOID **)&VariableLockProtocol);
if (!EFI_ERROR (Status)) {
Status = VariableLockProtocol->RequestToLock (
Thanks.
Stefan
Thank you
Yao Jiewen
-----Original Message-----
From: Gerd Hoffmann
Sent: Monday, November 8, 2021 7:58 PM
To: Stefan Berger
On 11/8/21 09:43, Stefan Berger wrote:
On 11/8/21 07:13, Yao, Jiewen wrote:
The PPFlag variable MUST to be locked to prevent malicious modification.
Otherwise, anyone can change the PP configuration without
confirmation from end user.
That change by an attacker could presumably only be
Stefan Berger (7):
OvmfPkg: Move processing of physical presence opcode before End-of-Dxe
OvmfPkg: Check for TPM 2 early to leave function early
SecurityPkg: Store physical presence code by submitting to PreOS func
SecurityPkg: Declare PhysicalPresenceFlags variable and its properties
For variable creation and locking to work later on we need to
move the processing of the TPM physical presence opcode to before
End-of-Dxe.
Signed-off-by: Stefan Berger
---
.../PlatformBootManagerLib/BdsPlatform.c | 20 +--
.../PlatformBootManagerLibBhyve/BdsPlatform.c | 18
Copy the TPM 1.2 physical presence interface support from SecurityPkg
DxeTcgPhysicalPresenceLib.c along with its .inf and .uni files into
OvmfPkg.
Fix EFI_F_INFO and EFI_D_ERROR to meet code standards.
Signed-off-by: Stefan Berger
---
.../DxeTcgPhysicalPresenceLib.c | 1455
execute.
Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
OvmfPkg/Bhyve/BhyveX64.dsc| 1 +
.../PlatformBootManagerLib/BdsPlatform.c | 1 +
.../PlatformBootManagerLib.inf
From: Gerd Hoffmann
When building OVMF with TPM 1.2 support enabled also include the
configuration menu.
Suggested-by: Stefan Berger
Signed-off-by: Gerd Hoffmann
Signed-off-by: Stefan Berger
---
OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 1 +
OvmfPkg/OvmfTpmDxe.fdf.inc | 1 +
2 files
Enable the processing of the TPM 1.2 physical presence opcodes.
This needs to be done before End-of-Dxe since otherwise the
creation of the variables doesn't work.
Signed-off-by: Stefan Berger
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 2 ++
OvmfPkg/Li
:
ls PhysicalPresenceFlags-*
Signed-off-by: Stefan Berger
---
.../Library/AuthVariableLib/AuthServiceInternal.h | 1 +
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 11 +++
.../Library/AuthVariableLib/AuthVariableLib.inf | 4
3 files changed, 16 insertions
TPM 1.2 and TPM 2 share QEMU's PPI memory/device and for the TPM 2 code
not to initialize over the TPM 1.2 initialization, leave the init function
early without touching that memory.
Cc: Gerd Hoffmann
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
.../DxeTcg2PhysicalPresence
Yao
Cc: Jian J Wang
Cc: Marc-André Lureau
Signed-off-by: Stefan Berger
---
.../DxeTcgPhysicalPresenceLib.c | 55 +++
SecurityPkg/Tcg/TcgConfigDxe/TcgConfigImpl.c | 41 +-
2 files changed, 70 insertions(+), 26 deletions(-)
diff --git
a/SecurityPkg
supported before processing TCG physical presence opcodes.
Signed-off-by: Stefan Berger
Tested-by: Shivanshu Goyal
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 7 +++
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 5 +
OvmfPkg/Library
supported before processing TCG physical presence opcodes.
Fixes: b8675deaa819631db2667df63f89799fe65fc906
Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=3771
Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Gerd Hoffmann
Signed-off-by: Stefan Berger
Tested-by: Shivanshu Goyal
v2 had lost the cc: list for some reason.
I opened this PR: https://github.com/tianocore/edk2/pull/2319
Stefan
On 12/16/21 21:41, Stefan Berger wrote:
For GPU passthrough support we have to initialize the console after
EfiBootManagerDispatchDeferredImages() has loaded ROMs, so call it after
Hello!
The TPM 2 code in EDK2 is missing an important call to
Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
password of that hierarchy and discard the password. See also specs
section 11:
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v2
-devel] Missing TPM 2 related call to
Tpm2HierarchyChangeAuth
Adding @Jeremiah <mailto:jere...@microsoft.com>…
Jeremiah, weren’t you or @Michael
<mailto:michael.kuba...@microsoft.com> shopping this change to
MinPlatform?
- Bret
*From: *Stefan Berger via groups.io
<mai
to:michael.kuba...@microsoft.com> shopping this change to
MinPlatform?
- Bret
*From: *Stefan Berger via groups.io
<mailto:stefanb=linux.ibm@groups.io>
*Sent: *Monday, July 26, 2021 7:48 AM
*To: *Yao, Jiewen <mailto:jiewen@intel.com>; devel@edk2.groups.io
<mailto:devel@
/MinPlatformPkg.dec
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.inf | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git
a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
b/SecurityPkg/Library
'you' wanted to fix
things up and repost it, please go ahead...
Stefan
Stefan Berger (7):
SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
SecurityPkg/TPM: Disable dependency on MinPlatformPkg
SecurityPkg/TPM: Disable PcdGetBool (PcdRandomizePl
/home/stefanb/dev/edk2/MdeModulePkg/MdeModulePkg.dec
/home/stefanb/dev/edk2/SecurityPkg/SecurityPkg.dec
/home/stefanb/dev/edk2/CryptoPkg/CryptoPkg.dec
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.inf | 4 ++--
1 file changed, 2
Use the newly added functions to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibGrub
Signed-off-by: Stefan Berger
---
.../Include/Library/TpmPlatformHierarchyLib.h | 27 ++
.../PeiDxeTpmPlatformHierarchyLib.c | 266 ++
.../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++
3 files changed, 338 insertions(+)
create mode 100644 SecurityPkg/Include
~~
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
b/SecurityPkg/Library/PeiDxeTpmPlatformHi
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 23 +++
.../PeiDxeTpmPlatformHierarchyLib.inf | 39 +++
2 files changed, 62 insertions(+)
create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull
Compile the added code now.
Signed-off-by: Stefan Berger
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
.../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
OvmfPkg/OvmfPkgIa32.dsc| 3 +++
OvmfPkg
t this in this case?
Please also merge 2, 3, 4 into 1. I don’t think we want a broken patch in 1,
then add fix in 2, 3, 4.
Thank you
Yao Jiewen
-----Original Message-----
From: Stefan Berger
Sent: Friday, August 6, 2021 11:33 PM
To: devel@edk2.groups.io; Yao, Jiewen
Cc: marcandre.lur...@
Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Modify it so
that ConfigureTpmPlatformHierarchy() is the only public function provided
by this file.
Signed-off-by: Stefan Berger
---
.../Include/Library/TpmPlatformHierarchyLib.h | 27 +++
.../PeiDxeTpmPlatformHierarchyLib.c
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibGrub
Add a NULL implementation of the library class TpmPlatformHierarchyLib
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 19
.../PeiDxeTpmPlatformHierarchyLib.inf | 31 +++
2 files changed, 50 insertions(+)
create mode 100644
Compile the added TPM related code now.
Signed-off-by: Stefan Berger
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
.../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
OvmfPkg/OvmfPkgIa32.dsc| 3 +++
OvmfPkg
://bugzilla.tianocore.org/show_bug.cgi?id=3499
Regards,
Stefan
Stefan Berger (4):
OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
OvmfPkg: Reference new TPM classes in the build system for compilation
On 8/9/21 1:54 PM, James Bottomley wrote:
On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
This series imports code from the edk2-platforms project related to
changing the password of the TPM2 platform hierarchy and uses it to
disable the TPM2 platform hierarchy in Ovmf. It addresses
Compile the added TPM related code now.
Signed-off-by: Stefan Berger
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
.../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
OvmfPkg
ArmVirtPkg
Stefan Berger (6):
OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
OvmfPkg: Reference new TPM classes in the build system for compilation
OvmfPkg: Disable the TPM2 platform hierarchy
Signed-off-by: Stefan Berger
---
ArmVirtPkg/ArmVirtCloudHv.dsc| 1 +
ArmVirtPkg/ArmVirtQemu.dsc | 3 +++
ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
ArmVirtPkg/ArmVirtXen.dsc| 1 +
4 files changed, 6 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg
Add a NULL implementation of the library class TpmPlatformHierarchyLib
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 19
.../PeiDxeTpmPlatformHierarchyLib.inf | 31 +++
2 files changed, 50 insertions(+)
create mode 100644
Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Modify it so
that ConfigureTpmPlatformHierarchy() is the only public function provided
by this file.
Signed-off-by: Stefan Berger
---
.../Include/Library/TpmPlatformHierarchyLib.h | 27 +++
.../PeiDxeTpmPlatformHierarchyLib.c
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c | 6 ++
.../PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
2 files changed, 7 insertions(+)
diff --git a
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibGrub
On 8/12/21 9:48 AM, Marc-André Lureau wrote:
Hi On Tue, Aug 10, 2021 at 9:22 PM Stefan Berger
wrote: Import
PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Modify it so that
ConfigureTpmPlatformHierarchy() is the only public function provided
Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Fix some bugs
from the original code and simplify parts of it.
Signed-off-by: Stefan Berger
---
.../Include/Library/TpmPlatformHierarchyLib.h | 27 +++
.../PeiDxeTpmPlatformHierarchyLib.c | 200
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 7 +++
OvmfPkg/Library/PlatformBootManagerLibGrub
Compile the added TPM related code now.
Signed-off-by: Stefan Berger
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
.../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
OvmfPkg
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c | 6 ++
.../PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
2 files changed, 7 insertions(+)
diff --git a
Add a NULL implementation of the library class TpmPlatformHierarchyLib
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 19
.../PeiDxeTpmPlatformHierarchyLib.inf | 31 +++
2 files changed, 50 insertions(+)
create mode 100644
:
tsshierarchychangeauth -hi p -pwdn newpass
With Intel tss2 tools:
tpm2_changeauth -c platform newpass
Regards,
Stefan
v4:
- Fixed and simplified code imported from edk2-platforms
v3:
- Referencing Null implementation on Bhyve and Xen platforms
- Add support in ArmVirtPkg
Stefan Berger (6
Signed-off-by: Stefan Berger
---
ArmVirtPkg/ArmVirtCloudHv.dsc| 1 +
ArmVirtPkg/ArmVirtQemu.dsc | 3 +++
ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
ArmVirtPkg/ArmVirtXen.dsc| 1 +
4 files changed, 6 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg
On 8/12/21 4:59 PM, Sean Brogan wrote:
This seems like a bad place for a general purpose lib that many other
platforms may take a dependency on.
In v1 this was SecurityPkg. OvmfPkg is a platform package and
therefore not a good place to define broad interfaces.
What caused this to move he
Yao,
do you have any comments on this series? Would SecurityPkg be a
better place for it?
Stefan
On 8/12/21 12:59 PM, Stefan Berger wrote:
This series imports code from the edk2-platforms project related to
changing the password of the TPM2 platform hierarchy and uses it to
disable
l references in your INFs for dependency
Thanks
Sean
On 8/12/2021 3:19 PM, Stefan Berger wrote:
On 8/12/21 4:59 PM, Sean Brogan wrote:
This seems like a bad place for a general purpose lib that many
other platforms may take a dependency on.
In v1 this was SecurityPkg. OvmfPkg is a platform
On 8/31/21 5:57 AM, Gerd Hoffmann wrote:
Microvm has no TPM support.
Signed-off-by: Gerd Hoffmann
Reviewed-by: Stefan Berger
---
OvmfPkg/Microvm/MicrovmX64.dsc | 76 +-
OvmfPkg/Microvm/MicrovmX64.fdf | 18
2 files changed, 1 insertion(+), 93
Bhyve and Xen platforms
- Add support in ArmVirtPkg
Stefan Berger (8):
SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
SecurityPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
Add a NULL implementation of the library class TpmPlatformHierarchyLib
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 19
.../PeiDxeTpmPlatformHierarchyLib.inf | 31 +++
2 files changed, 50 insertions(+)
create mode 100644
Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c.
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 23 +--
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git
a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib
Compile the added TPM related code now.
Signed-off-by: Stefan Berger
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
.../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
OvmfPkg
Introduce the new PCD
gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy.
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.inf | 3 +--
SecurityPkg/SecurityPkg.dec | 6 ++
2 files changed, 7 insertions(+), 2
Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms.
Signed-off-by: Stefan Berger
---
.../Include/Library/TpmPlatformHierarchyLib.h | 27 ++
.../PeiDxeTpmPlatformHierarchyLib.c | 266 ++
.../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++
3 files changed
Signed-off-by: Stefan Berger
---
ArmVirtPkg/ArmVirtCloudHv.dsc | 1 +
ArmVirtPkg/ArmVirtQemu.dsc | 3 +++
ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
ArmVirtPkg/ArmVirtXen.dsc
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 6 ++
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 7 +++
OvmfPkg/Library/PlatformBootManagerLibGrub
Bhyve and Xen platforms
- Add support in ArmVirtPkg
Stefan Berger (8):
SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
SecurityPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
Use the newly added function to disable the TPM2 platform hierarchy.
Signed-off-by: Stefan Berger
---
ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c | 6 ++
.../PlatformBootManagerLib/PlatformBootManagerLib.inf | 1 +
2 files changed, 7 insertions(+)
diff --git a
Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c.
Signed-off-by: Stefan Berger
---
.../PeiDxeTpmPlatformHierarchyLib.c | 23 +--
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git
a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib