[4/7] ovmf: link with Tcg2Pei module

From: Marc-André Lureau <marcandre.lureau@redhat.com>

This module will initialize TPM device, measure reported FVs and BIOS
version.

CC: Laszlo Ersek <lersek@redhat.com>
CC: Stefan Berger <stefanb@linux.vnet.ibm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 OvmfPkg/OvmfPkgX64.dsc | 7 +++++++
 OvmfPkg/OvmfPkgX64.fdf | 1 +
 2 files changed, 8 insertions(+)

On 02/23/18 14:23, marcandre.lureau@redhat.com wrote:
> From: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
> This module will initialize TPM device, measure reported FVs and BIOS
> version.
> 
> CC: Laszlo Ersek <lersek@redhat.com>
> CC: Stefan Berger <stefanb@linux.vnet.ibm.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
>  OvmfPkg/OvmfPkgX64.dsc | 7 +++++++
>  OvmfPkg/OvmfPkgX64.fdf | 1 +
>  2 files changed, 8 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index b5cbe8430f..34a7c2778e 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -279,6 +279,8 @@
>    PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>    QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>  !if $(TPM2_ENABLE)
> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +  HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
>    Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
>    Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>  !endif
> @@ -647,6 +649,11 @@
>  
>  !if $(TPM2_ENABLE) == TRUE
>    SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
> +    <LibraryClasses>
> +      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
> +      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
> +  }
>  !endif
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index dc35d0a1f7..9558142a42 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -170,6 +170,7 @@ INF  MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
>  !endif
>  !if $(TPM2_ENABLE) == TRUE
>  INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> +INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
>  !endif
>  
>  ################################################################################
> 

Would it be possible to drop SHA1 (include SHA256 only) by setting
PcdTpm2HashMask to value 2? Or SHA1 required for some other reason? (If
so please mention it in the commit message.)

Thanks
Laszlo

Hi

On Mon, Feb 26, 2018 at 10:38 AM, Laszlo Ersek <lersek@redhat.com> wrote:
> On 02/23/18 14:23, marcandre.lureau@redhat.com wrote:
>> From: Marc-André Lureau <marcandre.lureau@redhat.com>
>>
>> This module will initialize TPM device, measure reported FVs and BIOS
>> version.
>>
>> CC: Laszlo Ersek <lersek@redhat.com>
>> CC: Stefan Berger <stefanb@linux.vnet.ibm.com>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>> ---
>>  OvmfPkg/OvmfPkgX64.dsc | 7 +++++++
>>  OvmfPkg/OvmfPkgX64.fdf | 1 +
>>  2 files changed, 8 insertions(+)
>>
>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>> index b5cbe8430f..34a7c2778e 100644
>> --- a/OvmfPkg/OvmfPkgX64.dsc
>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>> @@ -279,6 +279,8 @@
>>    PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>>    QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>>  !if $(TPM2_ENABLE)
>> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
>> +  HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
>>    Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
>>    Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>>  !endif
>> @@ -647,6 +649,11 @@
>>
>>  !if $(TPM2_ENABLE) == TRUE
>>    SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
>> +  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
>> +    <LibraryClasses>
>> +      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
>> +      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
>> +  }
>>  !endif
>>
>>  !if $(SECURE_BOOT_ENABLE) == TRUE
>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
>> index dc35d0a1f7..9558142a42 100644
>> --- a/OvmfPkg/OvmfPkgX64.fdf
>> +++ b/OvmfPkg/OvmfPkgX64.fdf
>> @@ -170,6 +170,7 @@ INF  MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
>>  !endif
>>  !if $(TPM2_ENABLE) == TRUE
>>  INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
>> +INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
>>  !endif
>>
>>  ################################################################################
>>
>
> Would it be possible to drop SHA1 (include SHA256 only) by setting
> PcdTpm2HashMask to value 2? Or SHA1 required for some other reason? (If
> so please mention it in the commit message.)
>

afaik, it's not strictly required, and apparently the support is being
dropped. I'll remove it.

btw, now I understand your comment about read-only variable not being
used by PEI module. I'll add a preliminary patch dropping it from
depex ;)

thanks

On 03/01/18 16:08, Marc-André Lureau wrote:
> Hi
> 
> On Mon, Feb 26, 2018 at 10:38 AM, Laszlo Ersek <lersek@redhat.com> wrote:
>> On 02/23/18 14:23, marcandre.lureau@redhat.com wrote:
>>> From: Marc-André Lureau <marcandre.lureau@redhat.com>
>>>
>>> This module will initialize TPM device, measure reported FVs and BIOS
>>> version.
>>>
>>> CC: Laszlo Ersek <lersek@redhat.com>
>>> CC: Stefan Berger <stefanb@linux.vnet.ibm.com>
>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>>> ---
>>>  OvmfPkg/OvmfPkgX64.dsc | 7 +++++++
>>>  OvmfPkg/OvmfPkgX64.fdf | 1 +
>>>  2 files changed, 8 insertions(+)
>>>
>>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>>> index b5cbe8430f..34a7c2778e 100644
>>> --- a/OvmfPkg/OvmfPkgX64.dsc
>>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>>> @@ -279,6 +279,8 @@
>>>    PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
>>>    QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
>>>  !if $(TPM2_ENABLE)
>>> +  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
>>> +  HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
>>>    Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
>>>    Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
>>>  !endif
>>> @@ -647,6 +649,11 @@
>>>
>>>  !if $(TPM2_ENABLE) == TRUE
>>>    SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
>>> +  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
>>> +    <LibraryClasses>
>>> +      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
>>> +      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
>>> +  }
>>>  !endif
>>>
>>>  !if $(SECURE_BOOT_ENABLE) == TRUE
>>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
>>> index dc35d0a1f7..9558142a42 100644
>>> --- a/OvmfPkg/OvmfPkgX64.fdf
>>> +++ b/OvmfPkg/OvmfPkgX64.fdf
>>> @@ -170,6 +170,7 @@ INF  MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
>>>  !endif
>>>  !if $(TPM2_ENABLE) == TRUE
>>>  INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
>>> +INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
>>>  !endif
>>>
>>>  ################################################################################
>>>
>>
>> Would it be possible to drop SHA1 (include SHA256 only) by setting
>> PcdTpm2HashMask to value 2? Or SHA1 required for some other reason? (If
>> so please mention it in the commit message.)
>>
> 
> afaik, it's not strictly required, and apparently the support is being
> dropped. I'll remove it.
> 
> btw, now I understand your comment about read-only variable not being
> used by PEI module. I'll add a preliminary patch dropping it from
> depex ;)

OK, thanks :)

Laszlo