[edk2-devel] [PATCH 0/4] OvmfPkg: rework TPM configuration.

Stefan Berger stefanb at linux.ibm.com
Fri Oct 22 10:46:25 UTC 2021


On 10/22/21 3:01 AM, Gerd Hoffmann wrote:
> On Thu, Oct 21, 2021 at 12:13:51PM -0400, Stefan Berger wrote:
>> A few more comments to this series:
>>
>> - Is there a use case where TPM2_ENABLE_CONFIG is disabled, meaning where
>> there should not be a TPM 2 menu entry? It's worth considering dropping this
>> option because a user does need to have control over certain aspects of the
>> TPM 2 configuration.
> I happily drop the option if it doesn't make sense.  I've already
> wondered why it is there but assumed there is some valid reason for
> it and left it as-is.

I think we should drop it.


>> - I would drop patch 4 if it means that an active SHA1 bank doesn't get PCR
>> extensions (haven't tested yet). swtpm_setup currently sets up a swtpm with
>> active SHA1 and SHA256 PCR banks ( https://github.com/stefanberger/swtpm/blob/master/src/swtpm_setup/swtpm_setup.c#L65
>> ). We can change this for swtpm v0.7.0 to only activate the SHA256 bank, if
>> that's what is needed here. However, this doesn't prevent a user from activating
>> the SHA1 PCR bank either via the PPI 'request' file or the UEFI TPM menu, and when it
>> is active it must get PCR extensions.
> With SHA1 being considered broken we want to avoid SHA1 being used.
> Ideally by removing support for it altogether.  In case this is not possible
> for backward compatibility reasons at least have it disabled by default.
>
> So swtpm_setup not enabling the SHA1 bank by default is certainly a good
> idea and a move into the right direction (independent from the patch #4
> discussion).

I will change this then for swtpm v0.7.0. Just in time... I wanted to 
make the release today but I'll delay that a bit then.


>
> Didn't do much testing yet to see whether removing SHA1 support
> altogether trips up operating systems.
>
>> - Since TPM 1.2 is still supported we need to add a TPM menu for it as well
>> using this patch here. I would put this under the TPM1_ENABLE config option
>> since having TPM 1.2 support without a menu is quite useless. I can send a
>> patch for this once this series has gone through.
> I can pick this up for v2 if you don't mind.

Yes, please!


>
> take care,
>    Gerd

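The rule discussed above, that every PCR bank the TPM has active must receive extensions, can be checked mechanically by replaying a measurement log. The block below is an added example written for this page; it is not OVMF or swtpm code. It models TPM2_PCR_Extend per bank over a constructed list of (PCR index, per-bank digest) events, flags any event that carries no digest for an active bank, and reports PCRs that a log touched in one bank but left at their reset value in another. The event data, the active bank set and the PCR indices are constructed for illustration; a real check would take its events from the TCG2 event log and compare the replayed values against a PCR readout.

```python
import hashlib

# Added example, not OVMF/swtpm code. Models the "active bank must get
# extended" rule: a measurement that reaches only the SHA256 bank while the
# SHA1 bank is active leaves SHA1 PCRs at their reset value, so a verifier
# replaying the log against that bank will not match.

BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
NUM_PCRS = 24


def measure(data: bytes, banks) -> dict:
    """Digest one event's data into each given bank, like a firmware
    HashLogExtendEvent call that honours every active bank."""
    return {alg: BANKS[alg](data).digest() for alg in banks}


def extend(pcr: bytes, digest: bytes, alg: str) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest)."""
    return BANKS[alg](pcr + digest).digest()


def replay(events, active_banks):
    """Replay (pcr_index, {alg: digest}) events into per-bank PCR values.
    Returns the replayed PCRs and a list of (event_no, pcr_index, alg) for
    every event that carried no digest for an active bank."""
    pcrs = {alg: [bytes(BANKS[alg]().digest_size)] * NUM_PCRS
            for alg in active_banks}
    missing = []
    for n, (idx, digests) in enumerate(events):
        for alg in active_banks:
            if alg not in digests:
                missing.append((n, idx, alg))
                continue
            pcrs[alg][idx] = extend(pcrs[alg][idx], digests[alg], alg)
    return pcrs, missing


def untouched_pcrs(pcrs, events):
    """(alg, pcr_index) pairs that the log touched in some bank but that are
    still at their reset value in this bank after replay."""
    touched = sorted({idx for idx, _ in events})
    out = []
    for alg, values in pcrs.items():
        zero = bytes(BANKS[alg]().digest_size)
        out.extend((alg, i) for i in touched if values[i] == zero)
    return out


def check(events, active_banks):
    pcrs, missing = replay(events, active_banks)
    return {"missing": missing,
            "untouched": untouched_pcrs(pcrs, events),
            "pcrs": pcrs}


# Constructed sample boot: three measurements, event data made up here.
BOOT_EVENTS = [
    (0, b"EV_S_CRTM_VERSION: constructed"),
    (0, b"EV_EFI_PLATFORM_FIRMWARE_BLOB: constructed"),
    (7, b"EV_EFI_VARIABLE_DRIVER_CONFIG: SecureBoot"),
]
# Firmware that extends both active banks.
GOOD_LOG = [(i, measure(d, ("sha1", "sha256"))) for i, d in BOOT_EVENTS]
# Firmware that hashes into SHA256 only while SHA1 is still active.
SHA256_ONLY_LOG = [(i, measure(d, ("sha256",))) for i, d in BOOT_EVENTS]

if __name__ == "__main__":
    for name, log in (("both banks", GOOD_LOG),
                      ("sha256 only", SHA256_ONLY_LOG)):
        r = check(log, ("sha1", "sha256"))
        print(name, "missing:", r["missing"], "untouched:", r["untouched"])
```

With the SHA1 bank deactivated (`check(SHA256_ONLY_LOG, ("sha256",))`) the same SHA256-only log passes cleanly, which is the configuration swtpm_setup moves to when it stops activating SHA1 by default.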

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#82514): https://edk2.groups.io/g/devel/message/82514
Mute This Topic: https://groups.io/mt/86487983/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-