OvmfPkg: Handle TPM 2 physical presence opcodes much earlier

Handle the TPM 2 physical presence interface (PPI) opcodes in
PlatformBootManagerBeforeConsole() before the TPM 2 platform hierarchy
is disabled. Since the handling of the PPI opcodes may require inter-
action with the user, initialize the keyboard before handling PPI codes.

Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Peter Grehan <grehan@freebsd.org>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 71f63b244828c7784fd5398181802f30fc79fb13..4448722e1971991dffb3ec5b1531454e2d5bae47 100644 (file)
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -387,8 +387,19 @@ PlatformBootManagerBeforeConsole (
     SaveS3BootScript ();\r
   }\r
 \r
+  // We need to connect all trusted consoles for TCG PP. Here we treat all\r
+  // consoles in OVMF to be trusted consoles.\r
+  PlatformInitializeConsole (\r
+    XenDetected() ? gXenPlatformConsole : gPlatformConsole);\r
+\r
+  //\r
+  // Process TPM PPI request; this may require keyboard input\r
+  //\r
+  Tcg2PhysicalPresenceLibProcessRequest (NULL);\r
+\r
   //\r
   // Prevent further changes to LockBoxes or SMRAM.\r
+  // Any TPM 2 Physical Presence Interface opcode must be handled before.\r
   //\r
   Handle = NULL;\r
   Status = gBS->InstallProtocolInterface (&Handle,\r
@@ -402,9 +413,6 @@ PlatformBootManagerBeforeConsole (
   //\r
   EfiBootManagerDispatchDeferredImages ();\r
 \r
-  PlatformInitializeConsole (\r
-    XenDetected() ? gXenPlatformConsole : gPlatformConsole);\r
-\r
   FrontPageTimeout = GetFrontPageTimeoutFromQemu ();\r
   PcdStatus = PcdSet16S (PcdPlatformBootTimeOut, FrontPageTimeout);\r
   ASSERT_RETURN_ERROR (PcdStatus);\r
@@ -1511,11 +1519,6 @@ PlatformBootManagerAfterConsole (
   //\r
   PciAcpiInitialization ();\r
 \r
-  //\r
-  // Process TPM PPI request\r
-  //\r
-  Tcg2PhysicalPresenceLibProcessRequest (NULL);\r
-\r
   //\r
   // Process QEMU's -kernel command line option\r
   //\r

diff --git a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
index eaade4adeae2e0d15a7a0a1f4c7f653dbf2575ff..513d2f00a7471de6035b286757487aaa01e0adb9 100644 (file)
--- a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
@@ -375,8 +375,18 @@ PlatformBootManagerBeforeConsole (
   //\r
   EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);\r
 \r
+  // We need to connect all trusted consoles for TCG PP. Here we treat all\r
+  // consoles in OVMF to be trusted consoles.\r
+  PlatformInitializeConsole (gPlatformConsole);\r
+\r
+  //\r
+  // Process TPM PPI request\r
+  //\r
+  Tcg2PhysicalPresenceLibProcessRequest (NULL);\r
+\r
   //\r
   // Prevent further changes to LockBoxes or SMRAM.\r
+  // Any TPM 2 Physical Presence Interface opcode must be handled before.\r
   //\r
   Handle = NULL;\r
   Status = gBS->InstallProtocolInterface (&Handle,\r
@@ -390,8 +400,6 @@ PlatformBootManagerBeforeConsole (
   //\r
   EfiBootManagerDispatchDeferredImages ();\r
 \r
-  PlatformInitializeConsole (gPlatformConsole);\r
-\r
   PlatformRegisterOptionsAndKeys ();\r
 \r
   //\r
@@ -1445,11 +1453,6 @@ PlatformBootManagerAfterConsole (
   //\r
   PciAcpiInitialization ();\r
 \r
-  //\r
-  // Process TPM PPI request\r
-  //\r
-  Tcg2PhysicalPresenceLibProcessRequest (NULL);\r
-\r
   //\r
   // Perform some platform specific connect sequence\r
   //\r

diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
index 7cceeea4879c9f3d17a892f61ca673a5b60155af..1c5405f620e762fff7efe112ba52d5ad4d293bb8 100644 (file)
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
@@ -338,8 +338,18 @@ PlatformBootManagerBeforeConsole (
   //\r
   EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);\r
 \r
+  // We need to connect all trusted consoles for TCG PP. Here we treat all\r
+  // consoles in OVMF to be trusted consoles.\r
+  PlatformInitializeConsole (gPlatformConsole);\r
+\r
+  //\r
+  // Process TPM PPI request\r
+  //\r
+  Tcg2PhysicalPresenceLibProcessRequest (NULL);\r
+\r
   //\r
   // Prevent further changes to LockBoxes or SMRAM.\r
+  // Any TPM 2 Physical Presence Interface opcode must be handled before.\r
   //\r
   Handle = NULL;\r
   Status = gBS->InstallProtocolInterface (&Handle,\r
@@ -353,8 +363,6 @@ PlatformBootManagerBeforeConsole (
   //\r
   EfiBootManagerDispatchDeferredImages ();\r
 \r
-  PlatformInitializeConsole (gPlatformConsole);\r
-\r
   Status = gRT->SetVariable (\r
                   EFI_TIME_OUT_VARIABLE_NAME,\r
                   &gEfiGlobalVariableGuid,\r
@@ -1310,11 +1318,6 @@ PlatformBootManagerAfterConsole (
   //\r
   PciAcpiInitialization ();\r
 \r
-  //\r
-  // Process TPM PPI request\r
-  //\r
-  Tcg2PhysicalPresenceLibProcessRequest (NULL);\r
-\r
   //\r
   // Process QEMU's -kernel command line option\r
   //\r