OvmfPkg: rework TPM configuration

Rename TPM_ENABLE to TPM2_ENABLE so naming is in line with the
ArmVirtPkg config option name.

Add separate TPM1_ENABLE option for TPM 1.2 support.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>

OvmfPkg/OvmfTpmComponentsDxe.dsc.inc

@@ -2,7 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
     <LibraryClasses>
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
@@ -15,10 +15,12 @@
       NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
   }
   SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(TPM1_ENABLE) == TRUE
   SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
     <LibraryClasses>
       Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
   }
+!endif
   SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
     <LibraryClasses>
       TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf

OvmfPkg/OvmfTpmComponentsPei.dsc.inc

@@ -2,10 +2,14 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
   OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
   SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf

OvmfPkg/OvmfTpmDefines.dsc.inc

@@ -2,4 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-  DEFINE TPM_ENABLE              = FALSE
+  DEFINE TPM2_ENABLE             = FALSE
+
+  # has no effect unless TPM2_ENABLE == TRUE
+  DEFINE TPM1_ENABLE             = TRUE

OvmfPkg/OvmfTpmDxe.fdf.inc

@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
 INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!endif
 INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
 INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf

OvmfPkg/OvmfTpmLibs.dsc.inc

@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
   Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+!endif
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf

OvmfPkg/OvmfTpmLibsDxe.dsc.inc

@@ -2,7 +2,9 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+!endif
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
 !endif

OvmfPkg/OvmfTpmLibsPeim.dsc.inc

@@ -2,8 +2,10 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+!if $(TPM1_ENABLE) == TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+!endif
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
 !endif

OvmfPkg/OvmfTpmPcds.dsc.inc

@@ -2,6 +2,6 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
 !endif

OvmfPkg/OvmfTpmPcdsHii.dsc.inc

@@ -2,7 +2,7 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
 !endif

OvmfPkg/OvmfTpmPei.fdf.inc

@@ -2,10 +2,14 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
 INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
 INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
 INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
 !endif

OvmfPkg/OvmfTpmSecurityStub.dsc.inc

@@ -2,7 +2,9 @@
 #    SPDX-License-Identifier: BSD-2-Clause-Patent
 ##
 
-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+!endif
       NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
 !endif

OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml

@@ -95,21 +95,21 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_NOOPT:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "NOOPT"
             Run.Flags: $(run_flags)
             Run: $(should_run)

OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml

@@ -94,14 +94,14 @@ jobs:
           OVMF_IA32X64_FULL_DEBUG:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "DEBUG"
             Run.Flags: $(run_flags)
             Run: $(should_run)
           OVMF_IA32X64_FULL_RELEASE:
             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
             Build.Arch: "IA32,X64"
-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
             Build.Target: "RELEASE"
             Run.Flags: $(run_flags)
             Run: $(should_run)
@@ -112,7 +112,7 @@ jobs:
     #       OVMF_IA32X64_FULL_NOOPT:
     #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
     #         Build.Arch: "IA32,X64"
-    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1  BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
     #         Build.Target: "NOOPT"
     #         Run.Flags: $(run_flags)
     #         Run: $(should_run)

OvmfPkg/PlatformCI/ReadMe.md

@@ -14,7 +14,7 @@ supported and are described below.
 | IA32                    | IA32               | OvmfPkgIa32.dsc     | None            |
 | X64                     | X64                | OvmfPkgIa64.dsc     | None            |
 | IA32 X64                | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | None            |
-| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
 
 ## EDK2 Developer environment