[edk2-devel] [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV

Laszlo Ersek lersek at redhat.com
Thu Apr 22 08:39:43 UTC 2021


On 04/22/21 09:34, Laszlo Ersek wrote:

> The new InternalTpmDecryptAddressRange() function should be called
> from Tcg2ConfigPeimEntryPoint(), before the latter calls
> InternalTpm12Detect(). Regarding error checking... if
> InternalTpmDecryptAddressRange() fails, I think we can log an error
> message, and hang with CpuDeadLoop().

Sorry, another point:

(6) where we determine that no TPM is available:

      //
      // If no TPM2 was detected, we still need to install
      // TpmInitializationDonePpi. Namely, Tcg2Pei will exit early upon seeing
      // the default (all-bits-zero) contents of PcdTpmInstanceGuid, thus we have
      // to install the PPI in its place, in order to unblock any dependent
      // PEIMs.
      //
      Status = PeiServicesInstallPpi (&mTpmInitializationDonePpiList);

we should re-encrypt the address range, as if nothing had happened.

For this, we'll likely need a similarly polymorphic function called
InternalTpmEncryptAddressRange().

(

For some background on this particular branch of the code, please refer
to commit 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
2018-03-09):

    - Check the QEMU hardware for TPM2 availability only

    - If found, set the dynamic PCD "PcdTpmInstanceGuid" to
      &gEfiTpmDeviceInstanceTpm20DtpmGuid. This is what informs the rest of
      the firmware about the TPM type.

    - Install the gEfiTpmDeviceSelectedGuid PPI. This action permits the
      PEI_CORE to dispatch the Tcg2Pei module, which consumes the above PCD.
      In effect, the gEfiTpmDeviceSelectedGuid PPI serializes the setting
      and the consumption of the "TPM type" PCD.

    - If no TPM2 was found, install gPeiTpmInitializationDonePpiGuid.
      (Normally this is performed by Tcg2Pei, but Tcg2Pei doesn't do it if
      no TPM2 is available. So in that case our Tcg2ConfigPei must do it.)

)

Thanks
Laszlo
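To make the ordering discussed above concrete (decrypt the TPM range before calling InternalTpm12Detect(), and re-encrypt it on the no-TPM branch before installing TpmInitializationDonePpi), the following is an added, host-runnable C model of the flow. It is not OvmfPkg code and not part of this thread's patches: the helper names InternalTpmDecryptAddressRange(), InternalTpmEncryptAddressRange(), InternalTpm12Detect() and Tcg2ConfigPeimEntryPoint() are taken from the discussion, while the page table (a C-bit array), the MMIO read, the register values, the status codes and the result enum are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed host-side model of the Tcg2ConfigPei flow from the review
 * thread. Nothing here is OvmfPkg code: the C-bit is an array rather than a
 * page-table entry, and MMIO is a function rather than a device.
 */
#define TPM_MMIO_BASE    0xFED40000ULL   /* standard TIS MMIO base */
#define PAGE_SIZE        0x1000ULL
#define TPM_MMIO_PAGES   5               /* five localities, one 4 KiB page each */
#define TIS_ACCESS_OFF   0x0             /* TPM_ACCESS register of locality 0 */

#define STATUS_SUCCESS   0

typedef enum {
  RESULT_TPM_SELECTED,      /* PcdTpmInstanceGuid set, gEfiTpmDeviceSelectedGuid installed */
  RESULT_NO_TPM_INIT_DONE,  /* gPeiTpmInitializationDonePpiGuid installed instead */
  RESULT_FATAL              /* stands in for the error message + CpuDeadLoop() */
} Tcg2Result;

static bool gSevActive;                /* SEV guest or plain guest (constructed) */
static bool gTpmPresent;               /* whether the emulated TPM exists (constructed) */
static bool gCBit[TPM_MMIO_PAGES];     /* C-bit of each TPM page in the guest page table */

/*
 * Simulated MMIO read. While a page still carries the C-bit, the access is
 * treated as private guest memory rather than MMIO and never reaches the
 * emulated device (in practice it faults or yields garbage); the model
 * returns scrambled bits to stand in for that.
 */
static uint8_t ToyMmioRead8(uint64_t Addr) {
  uint64_t Page  = (Addr - TPM_MMIO_BASE) / PAGE_SIZE;
  uint8_t  Plain = gTpmPresent ? 0x81 : 0xFF;   /* constructed: tpmRegValidSts|tpmEstablishment, or floating bus */
  if (gSevActive && gCBit[Page]) {
    return (uint8_t)(Plain ^ 0x3C);             /* constructed stand-in for ciphertext */
  }
  return Plain;
}

/* Polymorphic helpers as proposed in the thread: the SEV variant edits the
 * page table, the non-SEV variant is a no-op that reports success. */
static int InternalTpmDecryptAddressRange(void) {
  if (gSevActive) {
    for (int i = 0; i < TPM_MMIO_PAGES; i++) gCBit[i] = false;
  }
  return STATUS_SUCCESS;
}

static int InternalTpmEncryptAddressRange(void) {
  if (gSevActive) {
    for (int i = 0; i < TPM_MMIO_PAGES; i++) gCBit[i] = true;
  }
  return STATUS_SUCCESS;
}

/* Constructed detection check: tpmRegValidSts (bit 7) set and the bits a
 * TIS device keeps clear at reset actually reading as zero. */
static bool InternalTpm12Detect(void) {
  uint8_t Access = ToyMmioRead8(TPM_MMIO_BASE + TIS_ACCESS_OFF);
  return (Access & 0x80) != 0 && (Access & 0x7E) == 0;
}

/* Entry-point ordering per the review: decrypt first, detect second, and on
 * the no-TPM branch restore the range before installing the "done" PPI. */
static Tcg2Result Tcg2ConfigPeimEntryPoint(void) {
  if (InternalTpmDecryptAddressRange() != STATUS_SUCCESS) {
    return RESULT_FATAL;                 /* real code: log an error, CpuDeadLoop() */
  }
  if (InternalTpm12Detect()) {
    /* Tcg2Pei keeps talking to the device, so the range stays unencrypted. */
    return RESULT_TPM_SELECTED;
  }
  /* No TPM: re-encrypt as if nothing had happened, then unblock dependents. */
  if (InternalTpmEncryptAddressRange() != STATUS_SUCCESS) {
    return RESULT_FATAL;
  }
  return RESULT_NO_TPM_INIT_DONE;
}

/* Reset the model to how a guest starts (SEV: everything encrypted) and run. */
static Tcg2Result RunScenario(bool SevActive, bool TpmPresent) {
  gSevActive  = SevActive;
  gTpmPresent = TpmPresent;
  for (int i = 0; i < TPM_MMIO_PAGES; i++) gCBit[i] = SevActive;
  return Tcg2ConfigPeimEntryPoint();
}

/* True when every TPM page currently has the C-bit set. */
static bool TpmRangeEncrypted(void) {
  for (int i = 0; i < TPM_MMIO_PAGES; i++) if (!gCBit[i]) return false;
  return true;
}

/* The failure the series addresses: probing the TPM while its pages are still encrypted. */
static bool DetectWithoutDecrypting(bool TpmPresent) {
  gSevActive  = true;
  gTpmPresent = TpmPresent;
  for (int i = 0; i < TPM_MMIO_PAGES; i++) gCBit[i] = true;
  return InternalTpm12Detect();
}

int main(void) {
  printf("SEV, TPM present, probed while encrypted: detected=%d\n", DetectWithoutDecrypting(true));
  printf("SEV, TPM present: result=%d\n", RunScenario(true, true));
  Tcg2Result NoTpm = RunScenario(true, false);
  printf("SEV, no TPM: result=%d, range encrypted again=%d\n", NoTpm, TpmRangeEncrypted());
  return 0;
}
```

The model makes the two review points checkable: probing before the decrypt step fails even with a TPM present, and after the no-TPM branch every page of the range carries the C-bit again, so the PEIM leaves no unencrypted mapping behind when it hands off via TpmInitializationDonePpi.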



View/Reply Online (#74351): https://edk2.groups.io/g/devel/message/74351