[edk2] [PATCH v3 1/1] OvmfPkg/PlatformPei: clear CPU caches

From: Marc-André Lureau This is for conformance with the TCG "Platform Reset Attack Mitigation Specification". Because clearing the CPU caches at boot doesn't impact performance significantly, do it unconditionally, for simplicity's sake. Flush the cache on all logical processors, thanks to

[edk2] [PATCH v2 1/1] OvmfPkg/PlatformPei: clear CPU caches

From: Marc-André Lureau This is for conformance with the TCG "Platform Reset Attack Mitigation Specification". Because clearing the CPU caches at boot doesn't impact performance significantly, do it unconditionally, for simplicity's sake. Flush the cache on all logical processors, thanks to

[edk2] [PATCH v1 1/1] OvmfPkg/PlatformPei: clear CPU caches

From: Marc-André Lureau The TCG "Platform Reset Attack Mitigation Specification" requires to clear the processor caches when the MOR bit is set at boot time. According to Paolo Bonzini, clearing the CPU cache takes only a few hundred clock cycles, so it can be done unconditionally. Flush the

[edk2] [PATCH 1/1] SecurityPkg/Library/Tpm2DeviceLibDTpm: fix s/Constructor/CONSTRUCTOR

From: Marc-André Lureau The library constructor is not being called because of the typo, causing TPM2 detection/initialization to fail. This fixes OVMF TPM2 regression since commit f15cb995bb38. https://bugzilla.tianocore.org/show_bug.cgi?id=1075 Cc: Laszlo Ersek Cc: Zhang Chao B Cc: Long

[edk2] [PATCH v3 3/4] OvmfPkg: add Tcg2PhysicalPresenceLibQemu

From: Marc-André Lureau Cloned "SecurityPkg/Library/DxeTcg2PhysicalPresenceLib" and: - removed all the functions that are unreachable from Tcg2PhysicalPresenceLibProcessRequest() [called from platform BDS], or SubmitRequestToPreOSFunction() and

[edk2] [PATCH v3 4/4] OvmfPkg/PlatformBootManagerLib: process TPM PPI request

From: Marc-André Lureau Call Tcg2PhysicalPresenceLibProcessRequest() to process pending PPI requests from PlatformBootManagerAfterConsole(). Laszlo understanding of edk2 is that the PPI operation processing was meant to occur *entirely* before End-Of-Dxe, so that

[edk2] [PATCH v3 1/4] OvmfPkg: add Tcg2PhysicalPresenceLibNull when !TPM2_ENABLE

From: Marc-André Lureau This NULL library will let us call Tcg2PhysicalPresenceLibProcessRequest() unconditionally from BdsPlatform when building without TPM2_ENABLE. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Marc-André Lureau

[edk2] [PATCH v3 0/4] RFC: ovmf: Add support for TPM Physical Presence interface

From: Marc-André Lureau Hi, The following series adds basic TPM PPI 1.3 support for OVMF-on-QEMU with TPM2 (I haven't looked at TPM1, for lack of interest). PPI test runs successfully with Windows 10 WHLK, despite the limited number of supported funcions

[edk2] [PATCH v3 2/4] OvmfPkg/IndustryStandard: add QemuTpm.h header

From: Marc-André Lureau Add some common macros and type definitions corresponding to the QEMU TPM interface. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Marc-André Lureau Acked-by: Laszlo Ersek

[edk2] [PATCH v2 1/4] OvmfPkg: add Tcg2PhysicalPresenceLibNull when !TPM2_ENABLE

From: Marc-André Lureau This NULL library will let us call Tcg2PhysicalPresenceLibProcessRequest() unconditionally from BdsPlatform when building without TPM2_ENABLE. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Marc-André Lureau

[edk2] [PATCH v2 3/4] OvmfPkg: add Tcg2PhysicalPresenceLibQemu

From: Marc-André Lureau Cloned "SecurityPkg/Library/DxeTcg2PhysicalPresenceLib" and: - removed all the functions that are unreachable from Tcg2PhysicalPresenceLibProcessRequest() - replaced everything that's related to the TCG2_PHYSICAL_PRESENCE*_VARIABLE

[edk2] [PATCH v2 4/4] OvmfPkg/PlatformBootManagerLib: process TPM PPI request

From: Marc-André Lureau Call Tcg2PhysicalPresenceLibProcessRequest() to process pending PPI requests from PlatformBootManagerAfterConsole(). Laszlo understanding of edk2 is that the PPI operation processing was meant to occur *entirely* before End-Of-Dxe, so that

[edk2] [PATCH v2 2/4] OvmfPkg/IndustryStandard: add QemuTpm.h header

From: Marc-André Lureau Add some common macros and type definitions corresponding to the QEMU TPM interface. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Marc-André Lureau ---

[edk2] [PATCH 4/4] ovmf: process TPM PPI request in AfterConsole()

From: Marc-André Lureau Call Tcg2PhysicalPresenceLibProcessRequest() to process pending PPI requests from PlatformBootManagerAfterConsole(). Laszlo understanding of edk2 is that the PPI operation processing was meant to occur *entirely* before End-Of-Dxe, so that

[edk2] [PATCH 0/4] RFC: ovmf: Add support for TPM Physical Presence interface

From: Marc-André Lureau Hi, The following series adds basic TPM PPI 1.3 support for OVMF-on-QEMU with TPM2 (I haven't tested TPM1, for lack of interest). PPI test runs successfully with Windows 10 WHLK, despite the limited number of supported funcions

[edk2] [PATCH 3/4] ovmf: replace SecurityPkg with OvfmPkg Tcg2PhysicalPresenceLibQemu

From: Marc-André Lureau Cloned "SecurityPkg/Library/DxeTcg2PhysicalPresenceLib" and: - removed all the functions that are unreachable from Tcg2PhysicalPresenceLibProcessRequest() - replaced everything that's related to the TCG2_PHYSICAL_PRESENCE*_VARIABLE

[edk2] [PATCH 2/4] ovmf: add QemuTpm.h header

From: Marc-André Lureau Add some common macros and type definitions corresponding to the QEMU TPM interface. Signed-off-by: Marc-André Lureau --- OvmfPkg/Include/IndustryStandard/QemuTpm.h | 67 ++ 1 file changed,

[edk2] [PATCH 1/4] ovmf: add and link with Tcg2PhysicalPresenceLibNull when !TPM2_ENABLE

From: Marc-André Lureau This NULL library will let us call Tcg2PhysicalPresenceLibProcessRequest() unconditionally from BdsPlatform when building without TPM2_ENABLE. Signed-off-by: Marc-André Lureau ---

[edk2] [PATCH v3 7/7] OvmfPkg: plug DxeTpm2MeasureBootLib into SecurityStubDxe

From: Marc-André Lureau The library registers a security management handler, to measure images that are not measure in PEI phase. For example with the qemu PXE rom: Loading driver at 0x0003E6C2000 EntryPoint=0x0003E6C9076 8086100e.efi And the following

[edk2] [PATCH v3 5/7] OvmfPkg: include Tcg2Pei module

From: Marc-André Lureau This module will initialize TPM device, measure reported FVs and BIOS version. We keep both SHA-1 and SHA-256 for the TCG 1.2 log format compatibility, but the SHA-256 measurements and TCG 2 log format are now recommended. Cc: Laszlo Ersek

[edk2] [PATCH v3 4/7] OvmfPkg: add customized Tcg2ConfigPei clone

From: Marc-André Lureau The Tcg2ConfigPei module informs the firmware globally about the TPM device type, by setting the PcdTpmInstanceGuid PCD to the appropriate GUID value. The original module under SecurityPkg can perform device detection, or read a cached value

[edk2] [PATCH v3 6/7] OvmfPkg: include Tcg2Dxe module

From: Marc-André Lureau This module measures and log the boot environment. It also produces the Tcg2 protocol, which allows for example to read the log from OS. The linux kernel doesn't yet read the EFI_TCG2_EVENT_LOG_FORMAT_TCG_2, which is required for crypto-agile

[edk2] [PATCH v3 0/7] ovmf: preliminary TPM2 support

From: Marc-André Lureau Hi, The following series adds basic TPM2 support for OVMF-on-QEMU (I haven't tested TPM1, for lack of interest). It links with the modules to initializes the device in PEI phase, and do measurements (both PEI and DXE). The Tcg2Dxe module

[edk2] [PATCH v3 1/7] SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex

From: Marc-André Lureau The module doesn't use read-only variable. Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Marc-André Lureau Reviewed-by: Laszlo Ersek

[edk2] [PATCH v3 2/7] MdeModulePkg/Core/Pei: fix REGISITER -> REGISTER typo

From: Marc-André Lureau No functional changes. Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Marc-André Lureau Reviewed-by: Laszlo Ersek Reviewed-by: Star

[edk2] [PATCH v3 3/7] OvmfPkg: simplify SecurityStubDxe.inf inclusion

From: Marc-André Lureau SecurityStubDxe.inf should be included unconditionally. Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Marc-André Lureau Reviewed-by: Laszlo Ersek

[edk2] [PATCH v2 7/8] ovmf: link with Tcg2Dxe module

From: Marc-André Lureau This module measures and log the boot environment. It also produces the Tcg2 protocol, which allows for example to read the log from OS. The linux kernel doesn't yet read the EFI_TCG2_EVENT_LOG_FORMAT_TCG_2, which is required for crypto-agile

[edk2] [PATCH v2 6/8] ovmf: link with Tcg2Pei module

From: Marc-André Lureau This module will initialize TPM device, measure reported FVs and BIOS version. We keep both SHA-1 and SHA-256 for the TCG 1.2 log format compatibility, but the SHA-256 measurements and TCG 2 log format are now recommended. Cc: Laszlo Ersek

[edk2] [PATCH v2 8/8] ovmf: add DxeTpm2MeasureBootLib

From: Marc-André Lureau The library registers a security management handler, to measure images that are not measure in PEI phase. This seems to work for example with the qemu PXE rom: Loading driver at 0x0003E6C2000 EntryPoint=0x0003E6C9076 8086100e.efi And the

[edk2] [PATCH v2 5/8] ovmf: add OvmfPkg Tcg2ConfigPei module

From: Marc-André Lureau The Tcg2ConfigPei module informs the firmware globally about the TPM device type, by setting the PcdTpmInstanceGuid PCD to the appropriate GUID value. The original module under SecurityPkg can perform device detection, or read a cached value

[edk2] [PATCH v2 0/8] RFC: ovmf: preliminary TPM2 support

From: Marc-André Lureau Hi, The following series adds basic TPM2 support for OVMF-on-QEMU (I haven't tested TPM1, for lack of interest). It links with the modules to initializes the device in PEI phase, and do measurements (both PEI and DXE). The Tcg2Dxe module

[edk2] [PATCH v2 3/8] MdeModulePkg: fix REGISITER -> REGISTER

From: Marc-André Lureau Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Marc-André Lureau --- MdeModulePkg/Core/Pei/Dispatcher/Dispatcher.c | 18 +-

[edk2] [PATCH v2 1/1] SecurityPkg: fix ZeroMem HashInterfaceHob

From: Marc-André Lureau The ZeroMem() call goes beyond the HashInterfaceHob structure, causing HOB list corruption. The intent was to clear all but the Identifier, that is starting from HashInterfaceCount. Quoting Laszlo Ersek: Therefore I think the *first*

[edk2] [PATCH 1/1] RFC: SecurityPkg: only clear HashInterface informations

From: Marc-André Lureau The ZeroMem() call goes beyond the HashInterfaceHob structure, causing HOB list corruption. Instead, just clear the HashInterface fields, as I suppose was originally intended. Cc: Jiewen Yao Cc: Chao Zhang

[edk2] [PATCH 6/7] ovmf: link with Tcg2ConfigDxe module

From: Marc-André Lureau The module allows to tweak and interact with the TPM. Note that many actions are broken due to implementation of qemu TPM (providing it's own ACPI table), and the lack of PPI implementation. CC: Laszlo Ersek CC: Stefan

[edk2] [PATCH 5/7] ovmf: link with Tcg2Dxe module

From: Marc-André Lureau This module measures and log the boot environment. It also produces the Tcg2 protocol, which allows for example to read the log from OS: [0.00] efi: EFI v2.70 by EDK II [0.00] efi: SMBIOS=0x3fa1f000 ACPI=0x3fbb6000 ACPI

[edk2] [PATCH 2/7] ovmf: link with Tcg2ConfigPei module

From: Marc-André Lureau This module initializes TPM device type based on variable and detection. The module requires VariablePei, which is built with MEM_VARSTORE_EMU_ENABLE=FALSE. CC: Laszlo Ersek CC: Stefan Berger

[edk2] [PATCH 0/7] RFC: ovmf: preliminary TPM2 support

From: Marc-André Lureau Hi, The following series adds basic TPM2 support for OVMF-on-QEMU (I haven't tested TPM1, for lack of interest). It links with the modules to initializes the device in PEI phase, and do measurements (both PEI and DXE). The Tcg2Dxe module

[edk2] [PATCH 3/7] HACK: HobLib: workaround infinite loop

From: Marc-André Lureau Without this hack, GetNextHob() loops infinitely with the next patch. I don't understand the reason. The loop is triggered by the GetFirstGuidHob () call. CC: Laszlo Ersek CC: Stefan Berger

[edk2] [PATCH 1/7] SecurityPkg/Tcg2Pei: drop Tcg2PhysicalPresenceLib dependency

From: Marc-André Lureau Apparently, unnecessary. Avoids extra build dependency and churn. CC: Laszlo Ersek CC: Stefan Berger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Marc-André Lureau