[edk2-devel] TPM2 EventLog EFI vs. ACPI

Andrew Fish via groups.io afish=apple.com at groups.io
Sat Sep 17 02:28:11 UTC 2022


Is it possible to query the address from fw_cfg?

Thanks,

Andrew Fish

> On Sep 16, 2022, at 12:45 PM, Jason Andryuk <jandryuk at gmail.com> wrote:
> 
> Hi,
> 
> I've noticed an issue with the TPM2 EventLog.  OVMF exposes the TPM
> Event Log via EFI and ACPI, but they have different addresses.  The
> EFI one retrievable by GetEventLog() is populated.  The ACPI is empty.
> Oh, there are actually two EFI Event Logs for the two formats:
> EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2
> EFI_TCG2_EVENT_LOG_FORMAT_TCG_2
> 
> The debug log from the Fedora 36 OVMF shows:
> Tcg2GetEventLog (EventLogLocation - 7EEB2000)
> which matches the address retrieved with GetEventLog().
> And hexdump-ing the TPM2 ACPI table shows 0x7fbe6000.
> 
> On a different build, I added output for both EFI logs, and the addresses are:
> 0x7ec3d000 - EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2
> 0x7ec1b000 - EFI_TCG2_EVENT_LOG_FORMAT_TCG_2
> 0x7fbe6000 - ACPI
> 
> The ACPI one is a little more user friendly as its address is
> available through the table during runtime.  The EFI addresses can
> only be grabbed before exiting boot services.
> 
> I think the issue is that the ACPI tables are created from Qemu fw_cfg
> data, which allocates memory for the log and places the address in
> ACPI tables.  Meanwhile,
> SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c:SetupEventLog() allocates its own
> event log memory.  SetupEventLog() saves the size and address in
> PcdTpm2AcpiTableLaml & PcdTpm2AcpiTableLasa, but nothing puts those
> values in the actual ACPI tables.
> 
> It seems like SetupEventLog would be better structured to check
> existing ACPI tables and look for a log in a TPM2 section.  If found,
> use that, otherwise create a new log area.
> 
> The other wrinkle is that the Tcg2 code is keeping two event logs in
> the two formats.  It seems to me that for TPM2, it would be easier to
> just keep only the newer EFI_TCG2_EVENT_LOG_FORMAT_TCG_2.  If support
> for both is needed, then the EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 one
> should share the same region as the ACPI table.
> 
> Regards,
> Jason
> 
> 
> 
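
The check described in the quoted message (read LAML/LASA out of the TPM2 ACPI table and compare the address with the one GetEventLog() returned), as an added example that is not part of the original thread or of EDK2/QEMU code. The field offsets assume the 36-byte ACPI header followed by a 12-byte platform-specific parameters area; the sample table, its LAML value, start method and OEM strings are constructed, and only the two addresses come from the message.

```python
import struct

HEADER_FMT = "<4sIBB6s8sI4sI"  # standard 36-byte ACPI table header
FIXED_FMT = "<HHQI"  # platform class, reserved, control area address, start method
LAML_OFFSET = 64  # assumption: 12 bytes of platform-specific parameters precede LAML

def parse_tpm2_table(blob):
    """Return the log-area fields of a raw TPM2 ACPI table."""
    if len(blob) < 52:
        raise ValueError("too short for a TPM2 table")
    sig, length, revision = struct.unpack_from("<4sIB", blob, 0)
    if sig != b"TPM2":
        raise ValueError("not a TPM2 table")
    if not 52 <= length <= len(blob):
        raise ValueError("length field does not fit the data")
    table = blob[:length]
    if sum(table) & 0xFF:
        raise ValueError("bad ACPI checksum")
    _cls, _rsvd, control_area, start_method = struct.unpack_from(FIXED_FMT, table, 36)
    laml = lasa = None
    if length >= LAML_OFFSET + 12:  # LAML/LASA are optional trailing fields
        laml, lasa = struct.unpack_from("<IQ", table, LAML_OFFSET)
    return {"revision": revision, "start_method": start_method,
            "control_area": control_area, "laml": laml, "lasa": lasa}

def acpi_log_matches_efi(info, efi_log_address):
    """True only if the table advertises a log area at the EFI log address."""
    return info["lasa"] is not None and info["lasa"] == efi_log_address

def build_sample_table(laml, lasa):
    """Constructed TPM2 table for offline use (all header strings are made up)."""
    body = struct.pack(FIXED_FMT + "12sIQ", 0, 0, 0, 7, bytes(12), laml, lasa)
    header = struct.pack(HEADER_FMT, b"TPM2", 36 + len(body), 4, 0,
                         b"SAMPLE", b"SAMPLETB", 1, b"TEST", 1)
    raw = bytearray(header + body)
    raw[9] = -sum(raw) & 0xFF  # checksum byte makes the table sum to zero mod 256
    return bytes(raw)

if __name__ == "__main__":
    # 0x7fbe6000 (ACPI) and 0x7ec1b000 (EFI TCG_2 log) are the addresses in the message.
    info = parse_tpm2_table(build_sample_table(0x10000, 0x7FBE6000))
    print("ACPI LASA: %#x, LAML: %#x" % (info["lasa"], info["laml"]))
    print("same region as EFI log:", acpi_log_matches_efi(info, 0x7EC1B000))
```

On a Linux guest the raw table can usually be read from /sys/firmware/acpi/tables/TPM2 and passed to `parse_tpm2_table()` in place of the constructed sample.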


