On 02/13/18 13:57, Igor Mammedov wrote:
> On Mon, 12 Feb 2018 15:17:21 -0500
> Stefan Berger <stef...@linux.vnet.ibm.com> wrote:
>> On 02/12/2018 02:45 PM, Kevin O'Connor wrote:
>>> On Fri, Feb 09, 2018 at 03:19:31PM -0500, Stefan Berger wrote:  
>>>> I have played around with this patch and some modifications to EDK2. Though
>>>> for EDK2 the question is whether to try to circumvent their current
>>>> implementation that uses SMM or use SMM. With this patch so far I 
>>>> circumvent
>>>> it, which is maybe not a good idea.
>>>> The facts for EDK2's PPI:
>>>> - from within the OS a PPI code is submitted to ACPI and ACPI enters SMM 
>>>> via
>>>> an SMI and the PPI code is written into a UEFI variable. For this ACPI uses
>>>> the memory are at 0xFFFF 0000 to pass parameters from the OS (via ACPI) to
>>>> SMM. This is declared in ACPI with an OperationRegion() at that address.
>>>> Once the machine is rebooted, UEFI reads the variable and finds the PPI 
>>>> code
>>>> and reacts to it.  
>>> I'm a bit confused by this.  The top 1M of the first 4G of ram is
>>> generally mapped to the flash device on real machines.  Indeed, this
>>> is part of the mechanism used to boot an X86 machine - it starts
>>> execution from flash at 0xfffffff0.  This is true even on modern
>>> machines.
>>> So, it seems strange that UEFI is pushing a code through a memory
>>> device at 0xffff0000.  I can't see how that would be portable.  Are
>>> you sure the memory write to 0xffff0000 is not just a trigger to
>>> invoke the SMI?  
>> I base this on the code here:
>> https://github.com/tianocore/edk2/blob/master/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl#L81
>> OperationRegion (TNVS, SystemMemory, 0xFFFF0000, 0xF0)
> Is the goal to reuse EDK PPI impl. including ASL?

Right, that is one important question. Some code in edk2 is meant only
as example code (so actual firmware platforms are encouraged to copy &
customize the code, or use similar or dissimilar alternatives). Some
modules are meant for inclusion "as-is" in the platform description
files (~ makefiles). There are so many edk2 modules related to TPM
(several versions of the specs even) that it's hard to say what is meant
for what usage type. (By my earlier count, there are 19 modules.)

> If it's so, then perhaps we only need to write address into QEMU
> and let OVMF to discard PPI SSDT from QEMU.

That's something I would not like. When running on QEMU, it's OK for
some edk2 modules to install their own ACPI tables, but only if they are
"software" tables, such as the IBFT for iSCSI booting, BGRT (boot
graphics table) for the boot logo / splash screen, etc. For ACPI tables
that describe hardware (data tables) or carry out actions related to
hardware (DefinitionBlocks / AML), I much prefer QEMU to generate all
the stuff.

If there is a conflict between hardware-related tables that QEMU
generates and similar tables that pre-exist in edk2, I prefer working
with the edk2 maintainers to customize their subsystems, so that a
concrete firmware platform, such as OvmfPkg and ArmVirtPkg, can
conditionalize / exclude those preexistent ACPI tables, while benefiting
from the rest of the code. Then the ACPI linker/loader client used in
both OvmfPkg and ArmVirtPkg can remain dumb and process & expose
whatever tables QEMU generates.

We could control the AML payload for TPM and/or TPM PPI -- e.g. whether
it should raise an SMI -- via "-device tpm2,smi=on", for example. (Just
making up the syntax, but you know what I mean.)

We could go one step further, "-device tpm2,acpi=[on|off]". acpi=on
would make QEMU generate the TPM related tables (perhaps targeting only
SeaBIOS, if that makes sense), acpi=off would leave the related tables
to the firmware.

This is just speculation on my part; the point is I'd like to avoid any
more "intelligent filtering" regarding ACPI tables in OVMF. What we have
there is terrible enough already.


Reply via email to