On 9/19/22 05:17, Igor Mammedov wrote:
> On Fri, 16 Sep 2022 15:45:38 -0400
> "Jason Andryuk" <jandr...@gmail.com> wrote:
>
> CCing Stefan as he is probably the best person to talk about qemu
> impl. of TPM
>
>> Hi,
>>
>> I've noticed an issue with the TPM2 EventLog.  OVMF exposes the TPM
>> Event Log via EFI and ACPI, but they have different addresses.  The
>> EFI one retrievable by GetEventLog() is populated.  The ACPI is empty.
>
> The ACPI one is for SeaBIOS.
>
>> Oh, there are actually two EFI Event Logs for the two formats:
>> EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2
>> EFI_TCG2_EVENT_LOG_FORMAT_TCG_2
>>
>> The debug log from the Fedora 36 OVMF shows:
>> Tcg2GetEventLog (EventLogLocation - 7EEB2000)
>> which matches the address retrieved with GetEventLog().
>> And hexdump-ing the TPM2 ACPI table shows 0x7fbe6000.
>>
>> On a different build, I added output for both EFI logs, and the addresses are:
>> 0x7ec3d000 - EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2
>> 0x7ec1b000 - EFI_TCG2_EVENT_LOG_FORMAT_TCG_2

I am also not familiar with the origin of the EDK2 code as to why it was done this way. Maybe typical builds for EDK2 don't include TPM 1.2 and TPM 2 and OVMF is an outlier here...

>> 0x7fbe6000 - ACPI
>>
>> The ACPI one is a little more user friendly as its address is
>> available through the table during runtime.  The EFI addresses can
>> only be grabbed before exiting boot services.
>>
>> I think the issue is that the ACPI tables are created from Qemu fw_cfg
>> data, which allocates memory for the log and places the address in
>> ACPI tables.  Meanwhile,
>
> That's because of SeaBIOS iirc.
>
>> SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c:SetupEventLog() allocates its own
>> event log memory.  SetupEventLog() saves the size and address in
>> PcdTpm2AcpiTableLaml & PcdTpm2AcpiTableLasa, but nothing puts those
>> values in the actual ACPI tables.
>>
>> It seems like SetupEventLog would be better structured to check
>> existing ACPI tables and look for a log in a TPM2 section.  If found,
>> use that, otherwise create a new log area.
>>
>> The other wrinkle is that the Tcg2 code is keeping two event logs in
>> the two formats.  It seems to me that for TPM2, it would be easier to
>
> Does it log everything twice?
>
>> just keep only the newer EFI_TCG2_EVENT_LOG_FORMAT_TCG_2.  If support
>> for both is needed, then the EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 one
>> should share the same region as the ACPI tab

Regards,
   Stefan

>> Regards,
>> Jason
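The thread turns on two ways of finding the same log: the TPM2 ACPI table's LAML/LASA fields, which stay readable at runtime, and EFI_TCG2_PROTOCOL.GetEventLog(), which is only usable before ExitBootServices, with the ACPI-addressed area empty on OVMF. The program below is an added example (not code from this thread, OVMF or QEMU) that reads LAML/LASA out of a TPM2 table, validates the table's length and checksum, and walks a log area in the TCG_PCR_EVENT2 format, returning 0 entries for an all-zero area like the one behind the ACPI address above and an entry count for a populated one. The table and log bytes are constructed inline (the LASA value reuses the 0x7fbe6000 address quoted in the thread; the OEM IDs are made up); field offsets follow the TCG ACPI spec's revision-4 TPM2 table and the TCG PC Client EFI Protocol spec, and a little-endian host is assumed.

```c
/* Added example (not code from this thread, OVMF or QEMU): read LAML/LASA from an ACPI
 * TPM2 table and walk the log area it names in TCG_PCR_EVENT2 format, telling a populated
 * log from the empty area the thread reports. Offsets follow the TCG ACPI spec (TPM2 table
 * rev. 4) and the TCG PC Client EFI Protocol spec; bytes are constructed, little-endian host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TPM2_TABLE_LEN 76u   /* 36-byte ACPI header + body ending in LAML, LASA */
#define EV_NO_ACTION   0x3u
#define EV_SEPARATOR   0x4u
#define TPM_ALG_SHA256 0xBu
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint8_t *wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); return p + 2; }
static uint8_t *wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); return p + 4; }

/* Check signature, length and checksum, then return the log area; -1 if malformed or no log area. */
int tpm2_table_log_area(const uint8_t *t, size_t len, uint64_t *lasa, uint32_t *laml)
{
    uint8_t sum = 0;
    if (len < TPM2_TABLE_LEN || memcmp(t, "TPM2", 4) || rd32(t + 4) > len) return -1;
    for (uint32_t i = 0; i < rd32(t + 4); i++) sum = (uint8_t)(sum + t[i]);
    if (sum) return -1;                                   /* ACPI tables checksum to zero */
    *laml = rd32(t + 64);                                 /* Log Area Minimum Length */
    *lasa = rd32(t + 68) | (uint64_t)rd32(t + 72) << 32;  /* Log Area Start Address */
    return (*laml && *lasa) ? 0 : -1;
}

/* Count the entries after the "Spec ID Event03" header of a TCG2 log. The header is a
 * TCG_PCR_EVENT (fixed 20-byte SHA-1 digest) whose body announces the digest size of each
 * algorithm later TCG_PCR_EVENT2 entries may carry. 0 = all-zero area (never written), -1 = malformed. */
int tcg2_count_events(const uint8_t *log, size_t len)
{
    uint16_t alg[8], dsz[8]; uint32_t nalg, evsz, i;
    size_t off, p; int count = 0;
    if (len < 32) return -1;
    if (rd32(log) == 0 && rd32(log + 4) == 0) return 0;   /* zeroed area */
    evsz = rd32(log + 28);                                 /* header EventSize */
    if (rd32(log + 4) != EV_NO_ACTION || evsz < 29 || (size_t)32 + evsz > len ||
        memcmp(log + 32, "Spec ID Event03", 16)) return -1;
    nalg = rd32(log + 56);                                 /* numberOfAlgorithms */
    if (nalg == 0 || nalg > 8 || evsz < 29 + nalg * 4) return -1;
    for (i = 0; i < nalg; i++) { alg[i] = rd16(log + 60 + i * 4); dsz[i] = rd16(log + 62 + i * 4); }
    for (off = 32 + evsz; off + 12 <= len; off = p, count++) {
        uint32_t ndig = rd32(log + off + 8), d;            /* TCG_PCR_EVENT2 digest count */
        if (ndig == 0 && rd32(log + off) == 0 && rd32(log + off + 4) == 0) break; /* zero tail */
        for (p = off + 12, d = 0; d < ndig; d++) {         /* {algId, digest} pairs */
            size_t sz = 0; if (p + 2 > len) return -1;
            for (i = 0; i < nalg; i++) if (alg[i] == rd16(log + p)) sz = dsz[i];
            if (sz == 0) return -1;                        /* algorithm not in header */
            p += 2 + sz;
        }
        if (p + 4 > len || p + 4 + rd32(log + p) > len) return -1;
        p += 4 + rd32(log + p);                            /* EventSize + Event data */
    }
    return count;
}

/* Constructed TPM2 table: client class, StartMethod 6 (TIS MMIO), LAML 64 KiB, LASA = address from the thread. */
size_t build_sample_tpm2_table(uint8_t *t, size_t cap)
{
    uint8_t sum = 0, *p; if (cap < TPM2_TABLE_LEN) return 0;
    memset(t, 0, TPM2_TABLE_LEN);
    memcpy(t, "TPM2", 4); wr32(t + 4, TPM2_TABLE_LEN); t[8] = 4;     /* signature, length, revision */
    memcpy(t + 10, "EXAMPLTPM2TBL ", 14);                            /* OEM ID, OEM table ID (made up) */
    p = wr16(t + 36, 0); p = wr16(p, 0); p = wr32(p, 0); p = wr32(p, 0); p = wr32(p, 6);
    p = wr32(p + 12, 0x10000); p = wr32(p, 0x7fbe6000); wr32(p, 0);  /* skip params; LAML; LASA */
    for (uint32_t i = 0; i < TPM2_TABLE_LEN; i++) sum = (uint8_t)(sum + t[i]);
    t[9] = (uint8_t)(0u - sum);
    return TPM2_TABLE_LEN;
}

/* Constructed log: Spec ID header announcing SHA-256 only, then EV_SEPARATOR entries for PCR 0 and PCR 7. */
size_t build_sample_log(uint8_t *log, size_t cap)
{
    uint8_t *p = log; if (cap < 173) return 0;
    memset(log, 0, cap);                                   /* tail stays zero, as in a real log */
    p = wr32(p, 0); p = wr32(p, EV_NO_ACTION); p += 20; p = wr32(p, 33);  /* PCR 0, zero SHA-1 */
    memcpy(p, "Spec ID Event03", 16); p = wr32(p + 16, 0);              /* signature, platformClass */
    *p++ = 0; *p++ = 2; *p++ = 0; *p++ = 2;                             /* minor, major, errata, uintnSize */
    p = wr32(p, 1); p = wr16(p, TPM_ALG_SHA256); p = wr16(p, 32); *p++ = 0;  /* one alg, no vendor info */
    for (uint32_t pcr = 0; pcr <= 7; pcr += 7) {
        p = wr32(p, pcr); p = wr32(p, EV_SEPARATOR); p = wr32(p, 1);
        p = wr16(p, TPM_ALG_SHA256); memset(p, 0xAB, 32); p += 32;
        p = wr32(p, 4); p = wr32(p, 0);                                 /* 4-byte separator payload */
    }
    return (size_t)(p - log);
}
static uint8_t g_table[TPM2_TABLE_LEN], g_log[256]; static uint64_t g_lasa; static uint32_t g_laml;

int main(void)
{
    build_sample_tpm2_table(g_table, sizeof g_table);
    tpm2_table_log_area(g_table, sizeof g_table, &g_lasa, &g_laml);
    printf("LASA 0x%llx: zeroed area -> %d events\n", (unsigned long long)g_lasa, tcg2_count_events(g_log, sizeof g_log));
    build_sample_log(g_log, sizeof g_log);                 /* g_log was all-zero, like the ACPI log in the thread */
    printf("populated area -> %d events\n", tcg2_count_events(g_log, sizeof g_log));
    return 0;
}
```

On a Linux guest the raw table is readable as root from /sys/firmware/acpi/tables/TPM2, so the same parser can confirm what LASA/LAML point at on a real OVMF boot; the zero-tail check matters because a log area is sized by LAML, not by its contents, and the algorithm lookup rejects any TCG_PCR_EVENT2 digest whose algorithm the Spec ID header did not announce rather than guessing its length.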
View/Reply Online (#93937): https://edk2.groups.io/g/devel/message/93937