[edk2-devel] [PATCH v2 0/4] Ovmf: Disable the TPM2 platform hierarchy

Stefan Berger stefanb at linux.ibm.com
Mon Aug 9 18:28:38 UTC 2021


On 8/9/21 1:54 PM, James Bottomley wrote:
> On Mon, 2021-08-09 at 12:37 -0400, Stefan Berger wrote:
>> This series imports code from the edk2-platforms project related to
>> changing the password of the TPM2 platform hierarchy and uses it to
>> disable the TPM2 platform hierarchy in Ovmf. It addresses the Ovmf
>> aspects of the following bugs:
>>
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> This raises a couple of issues:
>
>     1. Since OVMF is for all x86 virtual platforms not just the PC ones,
>        should it be following the PC client spec for everything?  I notice
>        you left out Xen and Bhyve ... should they never follow this?

I am not sure how to build Bhyve but one part of the patch is already 
there for it in this series:


If this is how you build Bhyve, I am getting a build failure already 
before these patches here are applied.

build -p OvmfPkg/Bhyve/BhyveX64.dsc -b DEBUG -a X64 -t GCC5 -D 
TPM_ENABLE -D TPM_CONFIG_ENABLE -D SECURE_BOOT_ENABLE -D 
NETWORK_TLS_ENABLE 2>&1 | tee build.log
Build environment: Linux-5.12.14-300.fc34.x86_64-x86_64-with-glibc2.33
Build start time: 14:21:41, Aug.09 2021

WORKSPACE        = /home/stefanb/dev/edk2
EDK_TOOLS_PATH   = /home/stefanb/dev/edk2/BaseTools
CONF_PATH        = /home/stefanb/dev/edk2/Conf
PYTHON_COMMAND   = /usr/bin/python3.9


Processing meta-data .
Architecture(s)  = X64
Build target     = DEBUG
Toolchain        = GCC5

Active Platform          = /home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc


build.py...
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/BhyveX64.dsc(198): error 000E: 
File/directory not found in workspace
/home/stefanb/dev/edk2/OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf


>     2. Since OVMF is effectively both the platform and the firmware, what
>        attitude should we take to code in edk2-platforms?  There are
>        arguments for pulling all the necessary components into OVMF, but it
>        could also be argued that the VMM should take care of all the edk2-
>        platforms pieces and OVMF should be strictly firmware.

That's what I had been wondering about in V1 as well. This import here 
now followed option 2 in that discussion, and I cut out basically 
only the function that disables the platform hierarchy rather than 
setting a random password, which I kept since it didn't seem to require 
further dependencies to be imported from edk2-platforms.


>
> Getting 2. sorted out is probably the more pressing policy issue for
> us.
>
> James
>
>

