Oh, yes, I mean this series. I did notice you *fix* something, which I think is acceptable.
So, right, it fulfills the requirement IMHO.

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Stefan Berger
> Sent: Sunday, September 12, 2021 8:42 AM
> To: Yao, Jiewen <jiewen....@intel.com>; devel@edk2.groups.io; stef...@linux.vnet.ibm.com
> Cc: mhaeu...@posteo.de; spbro...@outlook.com; marcandre.lur...@redhat.com; kra...@redhat.com
> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
>
>
> On 9/10/21 10:46 PM, Yao, Jiewen wrote:
> > If you want, I would suggest to take 2 steps (2 separate patch sets).
> >
> > 1) To add the TCG2 platform auth handling to the security pkg (just move the code from min-platform to securitypkg)
> > If nothing else is changed, it can be approved easily.
>
> I suppose you are talking about this series here. Can you have a look at it and tell me whether it fulfills this requirement? It's not just a move from min-platform but does need some modifications. You may also want to skip the Ovmf-related patches that modify those builds where we have that issue with the ordering.
>
> Stefan
>
> >
> > 2) To enable QEMU support to make platform auth + TCG PP work together. (based upon 1)
> > Need to consider how to do it in a secure way.
> >
> > Thank you
> > Yao Jiewen
> >
> >> -----Original Message-----
> >> From: Yao, Jiewen
> >> Sent: Saturday, September 11, 2021 10:38 AM
> >> To: Stefan Berger <stef...@linux.ibm.com>; devel@edk2.groups.io; stef...@linux.vnet.ibm.com
> >> Cc: mhaeu...@posteo.de; spbro...@outlook.com; marcandre.lur...@redhat.com; kra...@redhat.com
> >> Subject: RE: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
> >>
> >> Hi Stefan
> >> I notice you signal EndOfDxe at PlatformBootManagerBeforeConsole()
> >> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c#L380
> >> I would say, if PP is done after EndOfDxe, then the order is NOT right.
> >>
> >> This topic has been debated for years. Finally, we reached the conclusion with the trusted console concept.
> >>
> >> The recommended way is to connect *trusted console only* and process PP before EndOfDxe, to ensure no 3rd party code can touch the platform hierarchy. We did that at PlatformBootManagerBeforeConsole(). Here console means all consoles, including the trusted console and the untrusted console populated by an untrusted device. The full console list can still be connected after EndOfDxe. The platform can decide which console is trusted vs. not trusted.
> >>
> >> Thank you
> >> Yao Jiewen
> >>
> >>
> >>> -----Original Message-----
> >>> From: Stefan Berger <stef...@linux.ibm.com>
> >>> Sent: Saturday, September 11, 2021 12:15 AM
> >>> To: Yao, Jiewen <jiewen....@intel.com>; devel@edk2.groups.io; stef...@linux.vnet.ibm.com
> >>> Cc: mhaeu...@posteo.de; spbro...@outlook.com; marcandre.lur...@redhat.com; kra...@redhat.com
> >>> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
> >>>
> >>>
> >>> On 9/10/21 11:32 AM, Yao, Jiewen wrote:
> >>>> According to the security policy, PP request must be processed before EndOfDxe.
> >>>> May I know when you trigger PP request?
> >>>
> >>> OVMF has 3 implementations invoking it in PlatformBootManagerAfterConsole():
> >>>
> >>> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c#L1517
> >>>
> >>> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c#L1451
> >>>
> >>> https://github.com/tianocore/edk2/blob/master/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c#L1316
> >>>
> >>> Stefan
> >>>
> >>>
> >>>> Thank you
> >>>> Yao Jiewen
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Stefan Berger <stef...@linux.ibm.com>
> >>>>> Sent: Friday, September 10, 2021 10:25 PM
> >>>>> To: devel@edk2.groups.io; stef...@linux.vnet.ibm.com
> >>>>> Cc: mhaeu...@posteo.de; spbro...@outlook.com; marcandre.lur...@redhat.com; kra...@redhat.com; Yao, Jiewen <jiewen....@intel.com>
> >>>>> Subject: Re: [edk2-devel] [PATCH v7 0/9] Ovmf: Disable the TPM2 platform hierarchy
> >>>>>
> >>>>>
> >>>>> On 9/9/21 1:35 PM, Stefan Berger wrote:
> >>>>>> This series imports code from the edk2-platforms project related to disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf aspects of the following bugs:
> >>>>>>
> >>>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> >>>>>> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> >>>>>>
> >>>>>> I have patched the .dsc files and successfully test-built with most of them. Some I could not build because they failed for other reasons unrelated to this series.
> >>>>>>
> >>>>>> I tested the changes with QEMU on x86 following the build of OvmfPkgX64.dsc.
> >>>>>>
> >>>>>> Neither one of the following commands should work anymore on first try when run on Linux:
> >>>>>>
> >>>>>> With IBM tss2 tools:
> >>>>>> tsshierarchychangeauth -hi p -pwdn newpass
> >>>>>>
> >>>>>> With Intel tss2 tools:
> >>>>>> tpm2_changeauth -c platform newpass
> >>>>>
> >>>>> While disabling the platform hierarchy works, the unfortunate problem is now that the signal to disable the TPM 2 platform hierarchy is received before handling the physical presence interface (PPI) opcodes, which is bad because some of the opcodes will not go through. The question now is: what is wrong? Are the PPI opcodes handled too late, or is the signal sent too early, or is it the wrong signal?
> >>>>>
> >>>>>   Event = EfiCreateProtocolNotifyEvent (
> >>>>>             &gEfiDxeSmmReadyToLockProtocolGuid,
> >>>>>             TPL_CALLBACK,
> >>>>>             SmmReadyToLockEventCallBack,
> >>>>>             NULL,
> >>>>>             &Registration
> >>>>>             );
> >>>>>
> >>>>> Stefan
> >>>>>
> >>>>>> Regards,
> >>>>>> Stefan
> >>>>>>
> >>>>>> v7:
> >>>>>> - Ditched ARM support in this series
> >>>>>> - Using Tcg2PlatformDxe and Tcg2PlatformPei from edk2-platforms now
> >>>>>>   and revised most of the patches
> >>>>>>
> >>>>>> v6:
> >>>>>> - Removed unnecessary entries in .dsc files
> >>>>>> - Added support for S3 resume failure case
> >>>>>> - Assigned unique FILE_GUID to NULL implementation
> >>>>>>
> >>>>>> v5:
> >>>>>> - Modified patch 1 copies the code from edk2-platforms
> >>>>>> - Modified patch 2 fixes bugs in the code
> >>>>>> - Modified patch 4 introduces required PCD
> >>>>>>
> >>>>>> v4:
> >>>>>> - Fixed and simplified code imported from edk2-platforms
> >>>>>>
> >>>>>> v3:
> >>>>>> - Referencing Null implementation on Bhyve and Xen platforms
> >>>>>> - Add support in Arm
> >>>>>>
> >>>>>>
> >>>>>> Stefan Berger (9):
> >>>>>>   SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
> >>>>>>   SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
> >>>>>>   SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms
> >>>>>>   SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable
> >>>>>>   SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
> >>>>>>   OvmfPkg: Reference new Tcg2PlatformDxe in the build system for compilation
> >>>>>>   SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms
> >>>>>>   SecurityPkg/Tcg: Make Tcg2PlatformPei buildable
> >>>>>>   OvmfPkg: Reference new Tcg2PlatformPei in the build system
> >>>>>>
> >>>>>>  OvmfPkg/AmdSev/AmdSevX64.dsc                  |   8 +
> >>>>>>  OvmfPkg/AmdSev/AmdSevX64.fdf                  |   2 +
> >>>>>>  OvmfPkg/OvmfPkgIa32.dsc                       |   8 +
> >>>>>>  OvmfPkg/OvmfPkgIa32.fdf                       |   2 +
> >>>>>>  OvmfPkg/OvmfPkgIa32X64.dsc                    |   8 +
> >>>>>>  OvmfPkg/OvmfPkgIa32X64.fdf                    |   2 +
> >>>>>>  OvmfPkg/OvmfPkgX64.dsc                        |   8 +
> >>>>>>  OvmfPkg/OvmfPkgX64.fdf                        |   2 +
> >>>>>>  .../Include/Library/TpmPlatformHierarchyLib.h |  27 ++
> >>>>>>  .../PeiDxeTpmPlatformHierarchyLib.c           | 255 ++++++++++++++++++
> >>>>>>  .../PeiDxeTpmPlatformHierarchyLib.inf         |  44 +++
> >>>>>>  SecurityPkg/SecurityPkg.dec                   |   6 +
> >>>>>>  .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c     |  85 ++++++
> >>>>>>  .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf   |  43 +++
> >>>>>>  .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c     | 107 ++++++++
> >>>>>>  .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf   |  51 ++++
> >>>>>>  16 files changed, 658 insertions(+)
> >>>>>>  create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
> >>>>>>  create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> >>>>>>  create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> >>>>>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
> >>>>>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> >>>>>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
> >>>>>>  create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf

View/Reply Online (#80539): https://edk2.groups.io/g/devel/message/80539
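The cover letter above tests the series by checking that `tpm2_changeauth -c platform newpass` fails. That test cannot tell a *disabled* platform hierarchy (TPM2_HierarchyControl clearing phEnable) apart from one that is still enabled but carries an auth value the OS does not know (the series also adds a PcdRandomizePlatformHierarchy knob). The check below is an added example, not code from the thread, edk2 or tpm2-tools: it reads the phEnable bit out of `tpm2_getcap properties-variable` output, which tpm2-tools 4.x/5.x prints as a `TPM2_PT_STARTUP_CLEAR:` block with one `name: value` line per bit (assumed format). The function names are mine, and the sample output embedded for offline use is constructed, not captured from a real TPM.

```shell
#!/bin/sh
# Added example (not part of the edk2 series): verify from the OS that
# firmware really disabled the TPM2 platform hierarchy.
#
# TPM2_HierarchyControl(TPM_RH_PLATFORM, phEnable=CLEAR) clears the phEnable
# bit of TPM2_PT_STARTUP_CLEAR; that bit is what "platform hierarchy disabled"
# means at the TPM level. A failing tpm2_changeauth alone is ambiguous: it also
# fails when the hierarchy is enabled but its auth was randomized.

# Read the phEnable bit from `tpm2_getcap properties-variable` text on stdin.
# Prints 0 or 1 and exits 0; exits 2 if TPM2_PT_STARTUP_CLEAR.phEnable is absent.
ph_enable_from_getcap() {
    awk '
        /^TPM2_PT_STARTUP_CLEAR:/   { in_sc = 1; next }
        /^TPM2_PT_/                 { in_sc = 0 }
        in_sc && $1 == "phEnable:"  { print $2; found = 1; exit }
        END { if (!found) exit 2 }
    '
}

# Exit 0 if the platform hierarchy is disabled (phEnable == 0),
# 1 if it is still enabled, 2 if the property could not be parsed.
platform_hierarchy_disabled() {
    bit=$(ph_enable_from_getcap) || return 2
    [ "$bit" = "0" ]
}

# Constructed sample in the tpm2-tools output layout (assumed format), as a
# TPM would report it after firmware ran TPM2_HierarchyControl.
SAMPLE_DISABLED='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  disableClear:              0
  inLockout:                 0
  tpmGeneratedEPS:           1
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  0
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  orderly:                   0'

# Same TPM with the hierarchy left enabled (the pre-series OVMF behaviour).
SAMPLE_ENABLED=$(printf '%s\n' "$SAMPLE_DISABLED" | sed 's/phEnable: *0/phEnable:                  1/')

# Against a live TPM (needs /dev/tpm0, or swtpm/tpm2-abrmd via TCTI).
# Both halves must hold: phEnable cleared, and changeauth rejected.
check_live_tpm() {
    if tpm2_getcap properties-variable | platform_hierarchy_disabled; then
        echo "platform hierarchy: disabled (phEnable=0)"
    else
        echo "platform hierarchy: NOT disabled (phEnable=1 or unreadable)" >&2
        return 1
    fi
    if tpm2_changeauth -c platform newpass >/dev/null 2>&1; then
        echo "unexpected: platform hierarchy auth change succeeded" >&2
        return 1
    fi
    echo "tpm2_changeauth -c platform rejected, as expected"
}

# Offline self-check on the constructed samples.
printf '%s\n' "$SAMPLE_DISABLED" | platform_hierarchy_disabled && echo "sample 1: disabled"
printf '%s\n' "$SAMPLE_ENABLED"  | platform_hierarchy_disabled || echo "sample 2: still enabled"
```

Run `check_live_tpm` on the guest after booting the patched OVMF; because PP opcodes such as clear also need the platform hierarchy, a phEnable of 0 read by the OS while a pending PP request was never honoured is the ordering symptom the thread describes.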