[edk2-devel] [PATCH v5 0/8] Ovmf: Disable the TPM2 platform hierarchy
Yao, Jiewen
jiewen.yao at intel.com
Wed Sep 8 14:37:46 UTC 2021
Hi Stefan
According to our security policy, the PPI must be sent before EndOfDxe.
Then registering PlatformAuth clear at EndOfDxe is safe. I still don’t get your point on why we have do in PlatformBds.
At least, I do want to make sure all X86 implementation are align to one solution.
Also, for PEI, I don’t think we shall modify the Tcg2Pei in this patch set.
The platform auth clear is platform action. I think we need a standalone PEIM, to allow platform do its own stuff.
All in all, I try to understand, why not just copy the solution in MinPlatformPkg?
A standalone TcgPlatformPei/Dxe?
Thank you
Yao Jiewen
> -----Original Message-----
> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Stefan
> Berger
> Sent: Wednesday, September 8, 2021 8:54 PM
> To: devel at edk2.groups.io; Yao, Jiewen <jiewen.yao at intel.com>; Stefan Berger
> <stefanb at linux.vnet.ibm.com>
> Cc: mhaeuser at posteo.de; spbrogan at outlook.com;
> marcandre.lureau at redhat.com; kraxel at redhat.com
> Subject: Re: [edk2-devel] [PATCH v5 0/8] Ovmf: Disable the TPM2 platform
> hierarchy
>
>
> On 9/6/21 8:34 AM, Yao, Jiewen wrote:
> >
> > 2) I am curious, why you don't use a DXE driver, but choose to like to BDS lib
> for the DXE case.
> > You also include a NULL lib there, which seems unnecessary, if you use a
> DXE/PEI module.
> >
> > The downside of linking to BDS lib is that you have to change all BDS lib
> instance, which is a big burden.
> > And you still have code to choose NULL lib v.s. real Lib based upon TPM enable
> flag.
>
> We have to call ConfigureTpmPlatformHierarchy () some time *after* the
> handling of physical presence interface (PPI) platform opcodes since the
> TPM 2 commands they produce may require access to the TPM 2's platform
> hierarchy, so we cannot disable that hierarchy before handling PPI. For
> x86 machines I found the call to handling the PPI opcodes in different
> files and placed that call right after it. On ARM it's a bit different.
> Here it's the fact that I placed that call into the same function
> PlatformBootManagerAfterConsole as it is on x86. This seemed a safe place.
>
> Stefan
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#80367): https://edk2.groups.io/g/devel/message/80367
Mute This Topic: https://groups.io/mt/85316773/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list