OvmfPkg: add customized Tcg2ConfigPei clone

The Tcg2ConfigPei module informs the firmware globally about the TPM
device type, by setting the PcdTpmInstanceGuid PCD to the appropriate
GUID value. The original module under SecurityPkg can perform device
detection, or read a cached value from a non-volatile UEFI variable.

OvmfPkg's clone of the module only performs the TPM2 hardware detection.

This is what the module does:

- Check the QEMU hardware for TPM2 availability only

- If found, set the dynamic PCD "PcdTpmInstanceGuid" to
  &gEfiTpmDeviceInstanceTpm20DtpmGuid. This is what informs the rest of
  the firmware about the TPM type.

- Install the gEfiTpmDeviceSelectedGuid PPI. This action permits the
  PEI_CORE to dispatch the Tcg2Pei module, which consumes the above PCD.
  In effect, the gEfiTpmDeviceSelectedGuid PPI serializes the setting
  and the consumption of the "TPM type" PCD.

- If no TPM2 was found, install gPeiTpmInitializationDonePpiGuid.
  (Normally this is performed by Tcg2Pei, but Tcg2Pei doesn't do it if
  no TPM2 is available. So in that case our Tcg2ConfigPei must do it.)

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Stefan Berger <stefanb@linux.vnet.ibm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Marc-André Lureau 2018-02-22 14:20:58 +01:00 committed by Laszlo Ersek
parent 5487d002fa
commit 6cf1880fb5
8 changed files with 200 additions and 0 deletions


@ -39,6 +39,7 @@
DEFINE HTTP_BOOT_ENABLE = FALSE DEFINE HTTP_BOOT_ENABLE = FALSE
DEFINE SMM_REQUIRE = FALSE DEFINE SMM_REQUIRE = FALSE
DEFINE TLS_ENABLE = FALSE DEFINE TLS_ENABLE = FALSE
DEFINE TPM2_ENABLE = FALSE
# #
# Flash size selection. Setting FD_SIZE_IN_KB on the command line directly to # Flash size selection. Setting FD_SIZE_IN_KB on the command line directly to
@ -203,6 +204,10 @@
OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
!if $(TPM2_ENABLE) == TRUE
Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
!endif
[LibraryClasses.common] [LibraryClasses.common]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@ -267,6 +272,10 @@
PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
!if $(TPM2_ENABLE) == TRUE
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
!endif
[LibraryClasses.common.DXE_CORE] [LibraryClasses.common.DXE_CORE]
HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
@ -547,6 +556,10 @@
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
!if $(TPM2_ENABLE) == TRUE
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
!endif
################################################################################ ################################################################################
# #
# Components Section - list of all EDK II Modules needed by this Platform. # Components Section - list of all EDK II Modules needed by this Platform.
@ -593,6 +606,10 @@
!endif !endif
UefiCpuPkg/CpuMpPei/CpuMpPei.inf UefiCpuPkg/CpuMpPei/CpuMpPei.inf
!if $(TPM2_ENABLE) == TRUE
OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
!endif
# #
# DXE Phase modules # DXE Phase modules
# #


@ -165,6 +165,10 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf
!endif !endif
INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf
!if $(TPM2_ENABLE) == TRUE
INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
!endif
################################################################################ ################################################################################
[FV.DXEFV] [FV.DXEFV]


@ -39,6 +39,7 @@
DEFINE HTTP_BOOT_ENABLE = FALSE DEFINE HTTP_BOOT_ENABLE = FALSE
DEFINE SMM_REQUIRE = FALSE DEFINE SMM_REQUIRE = FALSE
DEFINE TLS_ENABLE = FALSE DEFINE TLS_ENABLE = FALSE
DEFINE TPM2_ENABLE = FALSE
# #
# Flash size selection. Setting FD_SIZE_IN_KB on the command line directly to # Flash size selection. Setting FD_SIZE_IN_KB on the command line directly to
@ -208,6 +209,10 @@
OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
!if $(TPM2_ENABLE) == TRUE
Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
!endif
[LibraryClasses.common] [LibraryClasses.common]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@ -272,6 +277,10 @@
PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
!if $(TPM2_ENABLE) == TRUE
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
!endif
[LibraryClasses.common.DXE_CORE] [LibraryClasses.common.DXE_CORE]
HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
@ -555,6 +564,10 @@
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
!if $(TPM2_ENABLE) == TRUE
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
!endif
################################################################################ ################################################################################
# #
# Components Section - list of all EDK II Modules needed by this Platform. # Components Section - list of all EDK II Modules needed by this Platform.
@ -601,6 +614,10 @@
!endif !endif
UefiCpuPkg/CpuMpPei/CpuMpPei.inf UefiCpuPkg/CpuMpPei/CpuMpPei.inf
!if $(TPM2_ENABLE) == TRUE
OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
!endif
[Components.X64] [Components.X64]
# #
# DXE Phase modules # DXE Phase modules


@ -165,6 +165,10 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf
!endif !endif
INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf
!if $(TPM2_ENABLE) == TRUE
INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
!endif
################################################################################ ################################################################################
[FV.DXEFV] [FV.DXEFV]


@ -39,6 +39,7 @@
DEFINE HTTP_BOOT_ENABLE = FALSE DEFINE HTTP_BOOT_ENABLE = FALSE
DEFINE SMM_REQUIRE = FALSE DEFINE SMM_REQUIRE = FALSE
DEFINE TLS_ENABLE = FALSE DEFINE TLS_ENABLE = FALSE
DEFINE TPM2_ENABLE = FALSE
# #
# Flash size selection. Setting FD_SIZE_IN_KB on the command line directly to # Flash size selection. Setting FD_SIZE_IN_KB on the command line directly to
@ -208,6 +209,10 @@
OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
!if $(TPM2_ENABLE) == TRUE
Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
!endif
[LibraryClasses.common] [LibraryClasses.common]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@ -272,6 +277,10 @@
PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
!if $(TPM2_ENABLE) == TRUE
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
!endif
[LibraryClasses.common.DXE_CORE] [LibraryClasses.common.DXE_CORE]
HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf DxeCoreEntryPoint|MdePkg/Library/DxeCoreEntryPoint/DxeCoreEntryPoint.inf
@ -554,6 +563,10 @@
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
!if $(TPM2_ENABLE) == TRUE
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
!endif
################################################################################ ################################################################################
# #
# Components Section - list of all EDK II Modules needed by this Platform. # Components Section - list of all EDK II Modules needed by this Platform.
@ -600,6 +613,10 @@
!endif !endif
UefiCpuPkg/CpuMpPei/CpuMpPei.inf UefiCpuPkg/CpuMpPei/CpuMpPei.inf
!if $(TPM2_ENABLE) == TRUE
OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
!endif
# #
# DXE Phase modules # DXE Phase modules
# #


@ -165,6 +165,10 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf
!endif !endif
INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf
!if $(TPM2_ENABLE) == TRUE
INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
!endif
################################################################################ ################################################################################
[FV.DXEFV] [FV.DXEFV]


@ -0,0 +1,53 @@
## @file
# Set TPM device type
#
# In SecurityPkg, this module initializes the TPM device type based on
# a UEFI variable and/or hardware detection. In OvmfPkg, the module
# only performs TPM2 hardware detection.
#
# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
# Copyright (C) 2018, Red Hat, Inc.
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = Tcg2ConfigPei
FILE_GUID = BF7F2B0C-9F2F-4889-AB5C-12460022BE87
MODULE_TYPE = PEIM
VERSION_STRING = 1.0
ENTRY_POINT = Tcg2ConfigPeimEntryPoint
[Sources]
Tcg2ConfigPeim.c
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
PeimEntryPoint
DebugLib
PeiServicesLib
Tpm2DeviceLib
[Guids]
gEfiTpmDeviceSelectedGuid ## PRODUCES ## GUID # Used as a PPI GUID
gEfiTpmDeviceInstanceTpm20DtpmGuid ## SOMETIMES_CONSUMES
[Ppis]
gPeiTpmInitializationDonePpiGuid ## SOMETIMES_PRODUCES
[Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## PRODUCES
[Depex]
TRUE
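Review bot: `PcdLib` is missing from `[LibraryClasses]`, although the module's source calls `PcdSetPtrS()` and the INF declares `PcdTpmInstanceGuid` under `[Pcd]`. The build presumably succeeds because the platform DSC resolves PcdLib for PEIMs and the generated headers pull in its declarations, but the dependency should be stated where it is used; add a `PcdLib` line next to `PeiServicesLib`. It is also worth confirming that `MdeModulePkg/MdeModulePkg.dec` is needed, since nothing visible in this module appears to reference it.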


@ -0,0 +1,84 @@
/** @file
The module entry point for Tcg2 configuration module.
Copyright (c) 2018, Red Hat, Inc.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <PiPei.h>
#include <Guid/TpmInstance.h>
#include <Library/DebugLib.h>
#include <Library/PeiServicesLib.h>
#include <Library/Tpm2DeviceLib.h>
#include <Ppi/TpmInitialized.h>
STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpmSelectedPpi = {
(EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST),
&gEfiTpmDeviceSelectedGuid,
NULL
};
STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpmInitializationDonePpiList = {
EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
&gPeiTpmInitializationDonePpiGuid,
NULL
};
/**
The entry point for Tcg2 configuration driver.
@param FileHandle Handle of the file being invoked.
@param PeiServices Describes the list of possible PEI Services.
**/
EFI_STATUS
EFIAPI
Tcg2ConfigPeimEntryPoint (
IN EFI_PEI_FILE_HANDLE FileHandle,
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
UINTN Size;
EFI_STATUS Status;
DEBUG ((DEBUG_INFO, "%a\n", __FUNCTION__));
Status = Tpm2RequestUseTpm ();
if (!EFI_ERROR (Status)) {
DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __FUNCTION__));
Size = sizeof(gEfiTpmDeviceInstanceTpm20DtpmGuid);
Status = PcdSetPtrS (
PcdTpmInstanceGuid,
&Size,
&gEfiTpmDeviceInstanceTpm20DtpmGuid
);
ASSERT_EFI_ERROR (Status);
} else {
DEBUG ((DEBUG_INFO, "%a: no TPM2 detected\n", __FUNCTION__));
// If no TPM2 was detected, we still need to install
// TpmInitializationDonePpi. Namely, Tcg2Pei will exit early upon
// seeing the default (all-bits-zero) contents of
// PcdTpmInstanceGuid, thus we have to install the PPI in its place,
// in order to unblock any dependent PEIMs.
Status = PeiServicesInstallPpi (&mTpmInitializationDonePpiList);
ASSERT_EFI_ERROR (Status);
}
//
// Selection done
//
Status = PeiServicesInstallPpi (&mTpmSelectedPpi);
ASSERT_EFI_ERROR (Status);
return Status;
}
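Review bot: The failure paths in Tcg2ConfigPeimEntryPoint are guarded only by ASSERT_EFI_ERROR, which does nothing in builds where assertions are disabled. If PcdSetPtrS() fails in such a build, its status is overwritten by the later PeiServicesInstallPpi() call and PcdTpmInstanceGuid keeps its all-zero default; per the comment in the else branch, Tcg2Pei then exits early, so gPeiTpmInitializationDonePpiGuid is never installed and a present TPM is silently left unused for measurements. Handle the error explicitly: log it at DEBUG_ERROR and take the same TpmInitializationDone path as the no-TPM case, or stop the boot if continuing unmeasured is not acceptable for the platform. The function comment should also gain `@retval` lines, since the value returned is the status of the last PPI installation.

```c
  Status = Tpm2RequestUseTpm ();
  if (!EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "%a: TPM2 detected\n", __FUNCTION__));
    // … unchanged: Size assignment and PcdSetPtrS() call …
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "%a: PcdSetPtrS(): %r\n", __FUNCTION__, Status));
    }
  } else {
    DEBUG ((DEBUG_INFO, "%a: no TPM2 detected\n", __FUNCTION__));
  }

  if (EFI_ERROR (Status)) {
    // … unchanged: comment explaining why the PPI is installed here …
    Status = PeiServicesInstallPpi (&mTpmInitializationDonePpiList);
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "%a: InstallPpi(): %r\n", __FUNCTION__, Status));
      return Status;
    }
  }
  // … unchanged: installation of mTpmSelectedPpi …
```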