Re: [edk2] [PATCH 6/7] ovmf: link with Tcg2ConfigDxe module
On 03/01/18 17:59, Stefan Berger wrote: > On 02/26/2018 04:58 AM, Laszlo Ersek wrote: >> On 02/23/18 14:23, marcandre.lur...@redhat.com wrote: >>> From: Marc-André Lureau>>> >>> The module allows to tweak and interact with the TPM. Note that many >>> actions are broken due to implementation of qemu TPM (providing it's >>> own ACPI table), and the lack of PPI implementation. >>> >>> CC: Laszlo Ersek >>> CC: Stefan Berger >>> Contributed-under: TianoCore Contribution Agreement 1.0 >>> Signed-off-by: Marc-André Lureau >>> --- >>> OvmfPkg/OvmfPkgX64.dsc | 2 ++ >>> OvmfPkg/OvmfPkgX64.fdf | 1 + >>> 2 files changed, 3 insertions(+) >>> >>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc >>> index 9bd0709f98..2281bd5ff8 100644 >>> --- a/OvmfPkg/OvmfPkgX64.dsc >>> +++ b/OvmfPkg/OvmfPkgX64.dsc >>> @@ -669,6 +669,8 @@ >>> >>> NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf >>> >>> NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf >>> } >>> + >>> + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf >>> !endif >>> !if $(SECURE_BOOT_ENABLE) == TRUE >>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf >>> index b8dd7ecae4..985404850f 100644 >>> --- a/OvmfPkg/OvmfPkgX64.fdf >>> +++ b/OvmfPkg/OvmfPkgX64.fdf >>> @@ -399,6 +399,7 @@ INF >>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf >>> !if $(TPM2_ENABLE) == TRUE >>> INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf >>> +INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf >>> !endif >>> >>> >>> >>> >> Please drop this patch. >> >> In my earlier investigation I wrote, Tcg2ConfigDxe "[p]rovides a Setup >> TUI interface to configure the TPM. IIUC, it can also save the >> configured TPM type for subsequent boots (see Tcg2ConfigPei.inf above)". >> >> The INF file itself says "This module is only for reference only, each >> platform should have its own setup page." >> >> And Jiewen wrote earlier, "Tcg2ConfigPei/Dxe are platform sample driver. >> A platform may have its own version based upon platform requirement. For >> example, if a platform supports fTPM, it may use another Tcg2Config >> driver." >> >> Given that OVMF lacks PEI-phase variable access, and that I consequently >> suggested cloning, and seriously trimming, Tcg2ConfigPei, it makes no >> sense to include an HII dialog that sets a variable for PEI phase >> consumption. Also, as you say, many of the exposed operations are broken >> due to lack of PPI support. So let's just postpone the inclusion of this >> driver, for now. > > Just FYI: The PPI support for the OS requires ACPI OK > and, as it is > currently implemented, SMF where UEFI variables are manipulated. (I assume s/SMF/SMM/) You are correct to write "as it is currently implemented". My point in my previous email(s) was that QEMU should generate the ACPI payload needed by the OS, for queueing PPI opcodes (i.e. OVMF should install QEMU's AML, *not* the sample AML code in SecurityPkg). In turn the AML from QEMU should queue the PPI opcodes in the custom register block of the TPM device (which is anyway the only NVRAM-emulation possibility under SeaBIOS). Given that the PPI opcodes will henceforth not be stored in a UEFI variable under OVMF either, the SMM requirement in the AML falls away completely. Retrieving the PPI opcodes for processing from the custom MMIO register block of the TPM device, after reboot, as opposed to reading them out of a UEFI variable, will take custom code in OVMF. We'll get there. > Some > menu items in the TPM 2 menu (also TPM 1.2) also require these UEFI > variables of the PPI interface so that UEFI can react on the menu > choices upon re. (I assume s/re/reboot/) In "SecurityPkg/Tcg/Tcg2Config/Tcg2Config.vfr" (which is the "Visual Form Representation" of the dialog we're talking about), I see three variable references. The structures for those are defined in "SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigNvData.h": - TCG2_CONFIGURATION_INFO - TCG2_CONFIGURATION - TCG2_VERSION I think the last two are irrelevant under OVMF / QEMU (fixed version 2 TPM, and ACPI comes from QEMU -- consistent with my other comments for the PEI phase modules). TCG2_CONFIGURATION_INFO looks more complex, so perhaps we'll have to scavenge its handling for OVMF. However, it seems that TCG2_CONFIGURATION_INFO is not needed in the PEI phase. ... Understand this right: I'd be bursting from joy if OVMF had PEI-phase r/o variable access. I got that feature working for QEMU. But all my attempts to upstream the work failed (apparently because I'm not willing to develop a parallel "fake" for Xen -- on Xen, NVRAM/pflash doesn't even exist, so even if the PEI variable service existed on Xen, it would have zero chance to return valid data.) Laszlo
Re: [edk2] [PATCH 6/7] ovmf: link with Tcg2ConfigDxe module
On 02/26/2018 04:58 AM, Laszlo Ersek wrote: On 02/23/18 14:23, marcandre.lur...@redhat.com wrote: From: Marc-André LureauThe module allows to tweak and interact with the TPM. Note that many actions are broken due to implementation of qemu TPM (providing it's own ACPI table), and the lack of PPI implementation. CC: Laszlo Ersek CC: Stefan Berger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Marc-André Lureau --- OvmfPkg/OvmfPkgX64.dsc | 2 ++ OvmfPkg/OvmfPkgX64.fdf | 1 + 2 files changed, 3 insertions(+) diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 9bd0709f98..2281bd5ff8 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -669,6 +669,8 @@ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf } + + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf !endif !if $(SECURE_BOOT_ENABLE) == TRUE diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index b8dd7ecae4..985404850f 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -399,6 +399,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !if $(TPM2_ENABLE) == TRUE INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf !endif Please drop this patch. In my earlier investigation I wrote, Tcg2ConfigDxe "[p]rovides a Setup TUI interface to configure the TPM. IIUC, it can also save the configured TPM type for subsequent boots (see Tcg2ConfigPei.inf above)". The INF file itself says "This module is only for reference only, each platform should have its own setup page." And Jiewen wrote earlier, "Tcg2ConfigPei/Dxe are platform sample driver. A platform may have its own version based upon platform requirement. For example, if a platform supports fTPM, it may use another Tcg2Config driver." Given that OVMF lacks PEI-phase variable access, and that I consequently suggested cloning, and seriously trimming, Tcg2ConfigPei, it makes no sense to include an HII dialog that sets a variable for PEI phase consumption. Also, as you say, many of the exposed operations are broken due to lack of PPI support. So let's just postpone the inclusion of this driver, for now. Just FYI: The PPI support for the OS requires ACPI and, as it is currently implemented, SMF where UEFI variables are manipulated. Some menu items in the TPM 2 menu (also TPM 1.2) also require these UEFI variables of the PPI interface so that UEFI can react on the menu choices upon re. Stefan ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 6/7] ovmf: link with Tcg2ConfigDxe module
On 02/23/18 14:23, marcandre.lur...@redhat.com wrote: > From: Marc-André Lureau> > The module allows to tweak and interact with the TPM. Note that many > actions are broken due to implementation of qemu TPM (providing it's > own ACPI table), and the lack of PPI implementation. > > CC: Laszlo Ersek > CC: Stefan Berger > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Marc-André Lureau > --- > OvmfPkg/OvmfPkgX64.dsc | 2 ++ > OvmfPkg/OvmfPkgX64.fdf | 1 + > 2 files changed, 3 insertions(+) > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 9bd0709f98..2281bd5ff8 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -669,6 +669,8 @@ >NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf > > NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf >} > + > + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf > !endif > > !if $(SECURE_BOOT_ENABLE) == TRUE > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf > index b8dd7ecae4..985404850f 100644 > --- a/OvmfPkg/OvmfPkgX64.fdf > +++ b/OvmfPkg/OvmfPkgX64.fdf > @@ -399,6 +399,7 @@ INF > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > > !if $(TPM2_ENABLE) == TRUE > INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf > +INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf > !endif > > > > Please drop this patch. In my earlier investigation I wrote, Tcg2ConfigDxe "[p]rovides a Setup TUI interface to configure the TPM. IIUC, it can also save the configured TPM type for subsequent boots (see Tcg2ConfigPei.inf above)". The INF file itself says "This module is only for reference only, each platform should have its own setup page." And Jiewen wrote earlier, "Tcg2ConfigPei/Dxe are platform sample driver. A platform may have its own version based upon platform requirement. For example, if a platform supports fTPM, it may use another Tcg2Config driver." Given that OVMF lacks PEI-phase variable access, and that I consequently suggested cloning, and seriously trimming, Tcg2ConfigPei, it makes no sense to include an HII dialog that sets a variable for PEI phase consumption. Also, as you say, many of the exposed operations are broken due to lack of PPI support. So let's just postpone the inclusion of this driver, for now. Thanks Laszlo ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 6/7] ovmf: link with Tcg2ConfigDxe module
From: Marc-André LureauThe module allows to tweak and interact with the TPM. Note that many actions are broken due to implementation of qemu TPM (providing it's own ACPI table), and the lack of PPI implementation. CC: Laszlo Ersek CC: Stefan Berger Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Marc-André Lureau --- OvmfPkg/OvmfPkgX64.dsc | 2 ++ OvmfPkg/OvmfPkgX64.fdf | 1 + 2 files changed, 3 insertions(+) diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 9bd0709f98..2281bd5ff8 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -669,6 +669,8 @@ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf } + + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf !endif !if $(SECURE_BOOT_ENABLE) == TRUE diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index b8dd7ecae4..985404850f 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -399,6 +399,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !if $(TPM2_ENABLE) == TRUE INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf !endif -- 2.16.1.73.g5832b7e9f2 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel