On 11/8/21 07:13, Yao, Jiewen wrote:

The PPFlag variable MUST be locked to prevent malicious modification.
Otherwise, anyone can change the PP configuration without confirmation from the end
user.

That change by an attacker could presumably only be done via UEFI shell/command line? How do I display the variables? I tried with 'dmpstore PhysicalPresenceFlags' (TPM 1.2) or 'dumpstore Tcg2PhysicalPresenceFlags' but I don't see them. I don't see them with 'dmpstore -b', either, but I see them both on Linux in /sys/firmware/efi/efivars.

Under Linux I can remove the (Tcg2)PhysicalPresenceFlags after 'chattr -i' on the file and then an 'rm'. Is it a concern for this particular variable if root can do this?

Since this is old/outdated, what is the new API for it?

   // Locks PhysicalPresenceFlags via the deprecated EDKII_VARIABLE_LOCK_PROTOCOL
   Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
   if (!EFI_ERROR (Status)) {
     Status = VariableLockProtocol->RequestToLock (VariableLockProtocol, PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiPhysicalPresenceGuid);
   }

Thanks.


   Stefan


Thank you
Yao Jiewen


-----Original Message-----
From: Gerd Hoffmann <kra...@redhat.com>
Sent: Monday, November 8, 2021 7:58 PM
To: Stefan Berger <stef...@linux.ibm.com>
Cc: devel@edk2.groups.io; marcandre.lur...@redhat.com; Yao, Jiewen
<jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com>; Ard Biesheuvel
<ardb+tianoc...@kernel.org>; Justen, Jordan L <jordan.l.jus...@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 3/4] OvmfPkg: Enable physical presence
interface for TPM 1.2

On Sat, Nov 06, 2021 at 09:19:33PM -0400, Stefan Berger wrote:
On 11/5/21 08:17, Gerd Hoffmann wrote:
On Tue, Nov 02, 2021 at 11:49:09AM -0400, Stefan Berger wrote:
Enable the physical presence interface for TPM 1.2. It is required for the
TPM 1.2 menu to work.

The changes to DxeTcgPhysicalPresenceLib.c are due to the device we are using
in QEMU for presenting the supported PPI commands and results to the OS via
ACPI as well as to store the PPI opcode to execute.
Fails to build for microvm.

+
TcgPhysicalPresenceLib|OvmfPkg/Library/TcgPhysicalPresenceLibNull/DxeTcgPh
ysicalPresenceLib.inf
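Review bot: this TcgPhysicalPresenceLib resolution to the Null instance should sit next to the existing Tcg2PhysicalPresenceLibNull line in the same section, so the two Null stubs are kept together and it is obvious that physical presence handling is intentionally compiled out on this platform; the same resolution is also needed in OvmfXen.dsc, since any DSC that references the new library class without resolving it fails to build.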
I guess this line is needed just next to Tcg2PhysicalPresenceLibNull
line?
(same problem on OvmfXen.dsc)
Fixed in v3 for microvm and Xen and Bhyve also.

You happen to know about the variable lock issue? Why does the variable need
to be locked?
No clue, sorry.  That's a topic I have to learn about myself.  Noticed
the variable locking deprecation warning in the ovmf boot log too, but
haven't found the time yet to look into that.

take care,
   Gerd
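Stefan's question above about finding (Tcg2)PhysicalPresenceFlags under Linux, and whether it matters that root can 'chattr -i' and 'rm' the file, comes down to what efivarfs exposes and which attributes the variable carries. The script below is an added example, not code from this thread or from edk2: it decodes the efivarfs file layout (a 4-byte little-endian attribute word followed by the variable data), lists the UEFI attribute bits, and flags each variable that the OS could rewrite or delete unless firmware locked it before handing off. The sample entries, their GUIDs and their flag bytes are constructed placeholders, not the real EDK II vendor GUIDs or default values.

```python
"""Audit the TPM physical-presence UEFI variables as Linux exposes them.

Added example; it is not code from the edk2 thread or from edk2 itself.
Linux presents each UEFI variable as a file in /sys/firmware/efi/efivars,
named "<VariableName>-<VendorGuid>", whose content is a 4-byte little-endian
attribute word followed by the raw variable data. The sample entries below
are constructed, and their GUIDs are placeholders, not the real vendor GUIDs.
"""
import os
import struct
from typing import Dict, List, Tuple

# Attribute bits from the UEFI specification (SetVariable()).
ATTRIBUTE_BITS = [
    (0x01, "NON_VOLATILE"),
    (0x02, "BOOTSERVICE_ACCESS"),
    (0x04, "RUNTIME_ACCESS"),
    (0x08, "HARDWARE_ERROR_RECORD"),
    (0x10, "AUTHENTICATED_WRITE_ACCESS"),
    (0x20, "TIME_BASED_AUTHENTICATED_WRITE_ACCESS"),
    (0x40, "APPEND_WRITE"),
]
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_AUTHENTICATED = 0x10 | 0x20  # either authenticated-write form

GUID_LEN = 36  # "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"


def split_efivar_name(filename: str) -> Tuple[str, str]:
    """Split "Name-GUID" into (Name, GUID); the GUID is always the last 36 chars."""
    if len(filename) < GUID_LEN + 2 or filename[-GUID_LEN - 1] != "-":
        raise ValueError(f"not an efivarfs name: {filename!r}")
    return filename[: -GUID_LEN - 1], filename[-GUID_LEN:]


def parse_efivar(blob: bytes) -> Tuple[int, bytes]:
    """Return (attributes, data) from the content of an efivarfs file."""
    if len(blob) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attributes,) = struct.unpack_from("<I", blob, 0)
    return attributes, blob[4:]


def describe_attributes(attributes: int) -> List[str]:
    """Names of the attribute bits that are set, in bit order."""
    return [name for bit, name in ATTRIBUTE_BITS if attributes & bit]


def audit_efivars(entries: Dict[str, bytes]) -> Dict[str, dict]:
    """Report, per variable, what the OS sees and whether it could rewrite it.

    A variable with RUNTIME_ACCESS and no authenticated-write attribute can be
    changed or deleted by the OS through SetVariable() unless the firmware
    locked it before handing off to the OS; a locked variable makes
    SetVariable() fail with EFI_WRITE_PROTECTED, so an 'rm' on efivarfs fails.
    """
    report = {}
    for filename, blob in entries.items():
        name, guid = split_efivar_name(filename)
        attributes, data = parse_efivar(blob)
        runtime = bool(attributes & EFI_VARIABLE_RUNTIME_ACCESS)
        authenticated = bool(attributes & EFI_VARIABLE_AUTHENTICATED)
        report[name] = {
            "guid": guid,
            "attributes": describe_attributes(attributes),
            "size": len(data),
            "data_hex": data.hex(),
            # True means: writable from the OS unless the firmware locked it.
            "os_writable_unless_locked": runtime and not authenticated,
        }
    return report


def load_efivars(path: str = "/sys/firmware/efi/efivars", prefix: str = "") -> Dict[str, bytes]:
    """Read real efivarfs entries whose name starts with prefix (Linux + EFI only).

    efivarfs marks most files immutable (chattr +i) to guard against accidental
    deletion; 'chattr -i' only removes that guard, the actual delete is still a
    SetVariable() call that the firmware can refuse if the variable is locked.
    """
    entries = {}
    for filename in os.listdir(path):
        if filename.startswith(prefix):
            with open(os.path.join(path, filename), "rb") as fh:
                entries[filename] = fh.read()
    return entries


# Constructed sample entries: NV+BS+RT (0x07) physical-presence flags with
# placeholder GUIDs and a one-byte flag value, plus one time-based
# authenticated variable (0x27) for contrast.
SAMPLE_EFIVARS = {
    "PhysicalPresenceFlags-00000000-0000-0000-0000-000000000001":
        struct.pack("<I", 0x07) + b"\x01",
    "Tcg2PhysicalPresenceFlags-00000000-0000-0000-0000-000000000002":
        struct.pack("<I", 0x07) + b"\x00",
    "ExampleAuthVar-00000000-0000-0000-0000-000000000003":
        struct.pack("<I", 0x27) + b"\xaa\xbb",
}

if __name__ == "__main__":
    for name, info in audit_efivars(SAMPLE_EFIVARS).items():
        print(f"{name}: {info}")
```

On a real system, `audit_efivars(load_efivars(prefix="PhysicalPresenceFlags"))` or `prefix="Tcg2PhysicalPresenceFlags"` shows the live attributes; a result of `os_writable_unless_locked: True` is exactly the case Yao's point about locking addresses, since the attribute bits alone cannot tell you whether the firmware requested the lock.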