OvmfPkg: Handle TPM 2 physical presence opcodes much earlier

Handle the TPM 2 physical presence interface (PPI) opcodes in PlatformBootManagerBeforeConsole() before the TPM 2 platform hierarchy is disabled. Since the handling of the PPI opcodes may require inter- action with the user, initialize the keyboard before handling PPI codes. Cc: Rebecca Cran <rebecca@bsdio.com> Cc: Peter Grehan <grehan@freebsd.org> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Min Xu <min.m.xu@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
2021-09-15 09:25:04 +08:00 · 2021-09-15 09:25:04 +08:00 · b8675deaa8
parent 499c4608b1
commit b8675deaa8
3 changed files with 31 additions and 22 deletions
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@ -387,8 +387,19 @@ PlatformBootManagerBeforeConsole (
    SaveS3BootScript ();
  }

+  // We need to connect all trusted consoles for TCG PP. Here we treat all
+  // consoles in OVMF to be trusted consoles.
+  PlatformInitializeConsole (
+    XenDetected() ? gXenPlatformConsole : gPlatformConsole);
+
+  //
+  // Process TPM PPI request; this may require keyboard input
+  //
+  Tcg2PhysicalPresenceLibProcessRequest (NULL);
+
  //
  // Prevent further changes to LockBoxes or SMRAM.
+  // Any TPM 2 Physical Presence Interface opcode must be handled before.
  //
  Handle = NULL;
  Status = gBS->InstallProtocolInterface (&Handle,
@ -402,9 +413,6 @@ PlatformBootManagerBeforeConsole (
  //
  EfiBootManagerDispatchDeferredImages ();

-  PlatformInitializeConsole (
-    XenDetected() ? gXenPlatformConsole : gPlatformConsole);
-
  FrontPageTimeout = GetFrontPageTimeoutFromQemu ();
  PcdStatus = PcdSet16S (PcdPlatformBootTimeOut, FrontPageTimeout);
  ASSERT_RETURN_ERROR (PcdStatus);
@ -1511,11 +1519,6 @@ PlatformBootManagerAfterConsole (
  //
  PciAcpiInitialization ();

-  //
-  // Process TPM PPI request
-  //
-  Tcg2PhysicalPresenceLibProcessRequest (NULL);
-
  //
  // Process QEMU's -kernel command line option
  //
--- a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
@ -375,8 +375,18 @@ PlatformBootManagerBeforeConsole (
  //
  EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);

+  // We need to connect all trusted consoles for TCG PP. Here we treat all
+  // consoles in OVMF to be trusted consoles.
+  PlatformInitializeConsole (gPlatformConsole);
+
+  //
+  // Process TPM PPI request
+  //
+  Tcg2PhysicalPresenceLibProcessRequest (NULL);
+
  //
  // Prevent further changes to LockBoxes or SMRAM.
+  // Any TPM 2 Physical Presence Interface opcode must be handled before.
  //
  Handle = NULL;
  Status = gBS->InstallProtocolInterface (&Handle,
@ -390,8 +400,6 @@ PlatformBootManagerBeforeConsole (
  //
  EfiBootManagerDispatchDeferredImages ();

-  PlatformInitializeConsole (gPlatformConsole);
-
  PlatformRegisterOptionsAndKeys ();

  //
@ -1445,11 +1453,6 @@ PlatformBootManagerAfterConsole (
  //
  PciAcpiInitialization ();

-  //
-  // Process TPM PPI request
-  //
-  Tcg2PhysicalPresenceLibProcessRequest (NULL);
-
  //
  // Perform some platform specific connect sequence
  //
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
@ -338,8 +338,18 @@ PlatformBootManagerBeforeConsole (
  //
  EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);

+  // We need to connect all trusted consoles for TCG PP. Here we treat all
+  // consoles in OVMF to be trusted consoles.
+  PlatformInitializeConsole (gPlatformConsole);
+
+  //
+  // Process TPM PPI request
+  //
+  Tcg2PhysicalPresenceLibProcessRequest (NULL);
+
  //
  // Prevent further changes to LockBoxes or SMRAM.
+  // Any TPM 2 Physical Presence Interface opcode must be handled before.
  //
  Handle = NULL;
  Status = gBS->InstallProtocolInterface (&Handle,
@ -353,8 +363,6 @@ PlatformBootManagerBeforeConsole (
  //
  EfiBootManagerDispatchDeferredImages ();

-  PlatformInitializeConsole (gPlatformConsole);
-
  Status = gRT->SetVariable (
                  EFI_TIME_OUT_VARIABLE_NAME,
                  &gEfiGlobalVariableGuid,
@ -1310,11 +1318,6 @@ PlatformBootManagerAfterConsole (
  //
  PciAcpiInitialization ();

-  //
-  // Process TPM PPI request
-  //
-  Tcg2PhysicalPresenceLibProcessRequest (NULL);
-
  //
  // Process QEMU's -kernel command line option
  //