[PATCH v8 00/10] Ovmf: Disable the TPM2 platform hierarchy


Stefan Berger <stefanb@...>
 

This series imports code from the edk2-platforms project related to
disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
aspects of the following bugs:

https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499

I have patched the .dsc files and successfully test-built with most of
them. Some I could not build because they failed for other reasons
unrelated to this series.

I tested the changes with QEMU on x86 following the build of
OvmfPkgX64.dsc.

Neither one of the following commands should work anymore on first
try when run on Linux:

With IBM tss2 tools:
tsshierarchychangeauth -hi p -pwdn newpass

With Intel tss2 tools:
tpm2_changeauth -c platform newpass

Regards,
Stefan

v8:
- Fixed style issue in imported code; added patch 10

v7:
- Ditched ARM support in this series
- Using Tcg2PlatformDxe and Tcg2PlaformPei from edk2-platforms now
and revised most of the patches

v6:
- Removed unnecessary entries in .dsc files
- Added support for S3 resume failure case
- Assigned unique FILE_GUID to NULL implementation

v5:
- Modified patch 1 copies the code from edk2-platforms
- Modified patch 2 fixes bugs in the code
- Modified patch 4 introduces required PCD

v4:
- Fixed and simplified code imported from edk2-platforms

v3:
- Referencing Null implementation on Bhyve and Xen platforms
- Add support in Arm



Stefan Berger (10):
SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms
SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix style issues
SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
OvmfPkg: Reference new Tcg2PlatformDxe in the build system for
compilation
SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms
SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix style issues
OvmfPkg: Reference new Tcg2PlatformPei in the build system
SecurityPkg: Add references to header and inf files to SecurityPkg

OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +
OvmfPkg/AmdSev/AmdSevX64.fdf | 2 +
OvmfPkg/OvmfPkgIa32.dsc | 8 +
OvmfPkg/OvmfPkgIa32.fdf | 2 +
OvmfPkg/OvmfPkgIa32X64.dsc | 8 +
OvmfPkg/OvmfPkgIa32X64.fdf | 2 +
OvmfPkg/OvmfPkgX64.dsc | 8 +
OvmfPkg/OvmfPkgX64.fdf | 2 +
.../Include/Library/TpmPlatformHierarchyLib.h | 27 ++
.../PeiDxeTpmPlatformHierarchyLib.c | 255 ++++++++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf | 43 +++
SecurityPkg/SecurityPkg.dec | 10 +
SecurityPkg/SecurityPkg.dsc | 12 +
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 ++++++
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 43 +++
.../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 108 ++++++++
.../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 52 ++++
17 files changed, 675 insertions(+)
create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf

--
2.31.1


Yao, Jiewen
 

PR - https://github.com/tianocore/edk2/pull/1968
Git Hash: 3b69fcf5f849021aa3bc810f8100ea71c03019e5..610d8073f29f30aa2f9dd58fe9d59e0dc979d085

Thank you
Yao Jiewen

-----Original Message-----
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Sent: Monday, September 13, 2021 10:21 PM
To: devel@edk2.groups.io
Cc: mhaeuser@posteo.de; spbrogan@outlook.com;
marcandre.lureau@redhat.com; kraxel@redhat.com; Yao, Jiewen
<jiewen.yao@intel.com>; Stefan Berger <stefanb@linux.vnet.ibm.com>
Subject: [PATCH v8 00/10] Ovmf: Disable the TPM2 platform hierarchy

This series imports code from the edk2-platforms project related to
disabling the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
aspects of the following bugs:

https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499

I have patched the .dsc files and successfully test-built with most of
them. Some I could not build because they failed for other reasons
unrelated to this series.

I tested the changes with QEMU on x86 following the build of
OvmfPkgX64.dsc.

Neither one of the following commands should work anymore on first
try when run on Linux:

With IBM tss2 tools:
tsshierarchychangeauth -hi p -pwdn newpass

With Intel tss2 tools:
tpm2_changeauth -c platform newpass

Regards,
Stefan

v8:
- Fixed style issue in imported code; added patch 10

v7:
- Ditched ARM support in this series
- Using Tcg2PlatformDxe and Tcg2PlaformPei from edk2-platforms now
and revised most of the patches

v6:
- Removed unnecessary entries in .dsc files
- Added support for S3 resume failure case
- Assigned unique FILE_GUID to NULL implementation

v5:
- Modified patch 1 copies the code from edk2-platforms
- Modified patch 2 fixes bugs in the code
- Modified patch 4 introduces required PCD

v4:
- Fixed and simplified code imported from edk2-platforms

v3:
- Referencing Null implementation on Bhyve and Xen platforms
- Add support in Arm



Stefan Berger (10):
SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
edk2-platforms
SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platforms
SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix style issues
SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
OvmfPkg: Reference new Tcg2PlatformDxe in the build system for
compilation
SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platforms
SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix style issues
OvmfPkg: Reference new Tcg2PlatformPei in the build system
SecurityPkg: Add references to header and inf files to SecurityPkg

OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +
OvmfPkg/AmdSev/AmdSevX64.fdf | 2 +
OvmfPkg/OvmfPkgIa32.dsc | 8 +
OvmfPkg/OvmfPkgIa32.fdf | 2 +
OvmfPkg/OvmfPkgIa32X64.dsc | 8 +
OvmfPkg/OvmfPkgIa32X64.fdf | 2 +
OvmfPkg/OvmfPkgX64.dsc | 8 +
OvmfPkg/OvmfPkgX64.fdf | 2 +
.../Include/Library/TpmPlatformHierarchyLib.h | 27 ++
.../PeiDxeTpmPlatformHierarchyLib.c | 255 ++++++++++++++++++
.../PeiDxeTpmPlatformHierarchyLib.inf | 43 +++
SecurityPkg/SecurityPkg.dec | 10 +
SecurityPkg/SecurityPkg.dsc | 12 +
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 ++++++
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 43 +++
.../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 108 ++++++++
.../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 52 ++++
17 files changed, 675 insertions(+)
create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierar
chyLib.c
create mode 100644
SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierar
chyLib.inf
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf

--
2.31.1