[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 7/7] ovmf: add DxeTpm2MeasureBootLib
From: |
Laszlo Ersek |
Subject: |
Re: [Qemu-devel] [PATCH 7/7] ovmf: add DxeTpm2MeasureBootLib |
Date: |
Mon, 26 Feb 2018 11:29:15 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 |
On 02/23/18 14:23, address@hidden wrote:
> From: Marc-André Lureau <address@hidden>
>
> The library registers a security management handler, to measure images
> that are not measure in PEI phase.
>
> This seems to work for example with the qemu PXE rom:
>
> Loading driver at 0x0003E6C2000 EntryPoint=0x0003E6C9076 8086100e.efi
>
> And the following binary_bios_measurements log entry seems to be
> added:
>
> PCR: 2 type: EV_EFI_BOOT_SERVICES_DRIVER size: 0x4e digest:
> 70a22475e9f18806d2ed9193b48d80d26779d9a4
>
> CC: Laszlo Ersek <address@hidden>
> CC: Stefan Berger <address@hidden>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Marc-André Lureau <address@hidden>
> ---
> OvmfPkg/OvmfPkgX64.dsc | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 2281bd5ff8..92ed9f3b0c 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -677,7 +677,10 @@
> MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> <LibraryClasses>
>
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> - }
> +!if $(TPM2_ENABLE) == TRUE
> +
> NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
> +!endif
> + }
> !else
> MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> !endif
>
This looks OK to me.
First, can you please clean up the SecurityStubDxe stanza as follows (as
a separate patch):
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 96fc7b82e708..f4288b625cba 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -634,14 +634,12 @@ [Components]
>
> MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
>
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
> <LibraryClasses>
> +!if $(SECURE_BOOT_ENABLE) == TRUE
>
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
> - }
> -!else
> - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
> !endif
> + }
>
> MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
> PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf
The idea is that "SecurityStubDxe.inf" should be included
unconditionally; only its plug-in libs should be conditional on various
build flags. While the current (pre-patch) code does that -- in effect
-- for SECURE_BOOT_ENABLE already, your patch (as-is) can only add
TPM2_ENABLE *within* SECURE_BOOT_ENABLE.
I don't think that's for the best -- first we should make
DxeImageVerificationLib the *only* bit that's conditional on
SECURE_BOOT_ENABLE, and then we can add DxeTpm2MeasureBootLib
independently. (If neither build option is specified, we'll have a
<LibraryClasses> list that's empty, but that's perfectly fine.)
Thanks!
Laszlo
- Re: [Qemu-devel] [PATCH 3/7] HACK: HobLib: workaround infinite loop, (continued)
- [Qemu-devel] [PATCH 1/7] SecurityPkg/Tcg2Pei: drop Tcg2PhysicalPresenceLib dependency, marcandre . lureau, 2018/02/23
- [Qemu-devel] [PATCH 5/7] ovmf: link with Tcg2Dxe module, marcandre . lureau, 2018/02/23
- [Qemu-devel] [PATCH 6/7] ovmf: link with Tcg2ConfigDxe module, marcandre . lureau, 2018/02/23
- [Qemu-devel] [PATCH 7/7] ovmf: add DxeTpm2MeasureBootLib, marcandre . lureau, 2018/02/23
- Re: [Qemu-devel] [PATCH 7/7] ovmf: add DxeTpm2MeasureBootLib,
Laszlo Ersek <=
- Re: [Qemu-devel] [edk2] [PATCH 0/7] RFC: ovmf: preliminary TPM2 support, Laszlo Ersek, 2018/02/23