* Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2

- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497] - edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497] - edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch [bz#1935497] - edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch [bz#1935497] - edk2-OvmfPkg-rework-TPM-configuration.patch [bz#1935497] - edk2-spec-adapt-specfile-to-build-option-changes-disable-.patch [bz#1935497] - Resolves: bz#1935497 (edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default)
2022-02-08 07:15:48 -05:00 · 2022-02-08 07:15:48 -05:00 · 088600e053
commit 088600e053
parent 4dd210a593
6 changed files with 1651 additions and 3 deletions
--- a/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
+++ b/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
@ -0,0 +1,158 @@
+From 0ecb863aaca8d71a35763645ced278589666ada2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 15 Dec 2021 12:39:19 +0100
+Subject: [PATCH 4/6] OvmfPkg: create Tcg12ConfigPei.inf
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support
+RH-Commit: [4/6] 92926b9a05aaff38aab9a2aeee211be736863ab9 (kraxel/centos-edk2)
+RH-Bugzilla: 1935497
+RH-Acked-by: Oliver Steffen <None>
+
+Split Tcg2ConfigPei.inf into two variants: Tcg12ConfigPei.inf with
+TPM 1.2 support included and Tcg2ConfigPei.inf supporting TPM 2.0 only.
+This allows x86 builds to choose whenever TPM 1.2 support should be
+included or not by picking the one or the other inf file.
+
+Switch x86 builds to Tcg12ConfigPei.inf, so they continue to
+have TPM 1.2 support.
+
+No functional change.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Tested-by: Stefan Berger <stefanb@linux.ibm.com>
+(cherry picked from commit b81938877276e808b6535e612b320eee559c4c2f)
+---
+ OvmfPkg/OvmfTpmComponentsPei.dsc.inc      |  2 +-
+ OvmfPkg/OvmfTpmPei.fdf.inc                |  2 +-
+ OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf | 56 +++++++++++++++++++++++
+ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf  | 11 +----
+ 4 files changed, 59 insertions(+), 12 deletions(-)
+ create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+
+diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+index 99fa7c13b3..87d491da50 100644
+--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+@@ -4,7 +4,7 @@
+ 
+ !if $(TPM_ENABLE) == TRUE
+   OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+   SecurityPkg/Tcg/TcgPei/TcgPei.inf
+   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+     <LibraryClasses>
+diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
+index 9aefd73d21..709a608cc3 100644
+--- a/OvmfPkg/OvmfTpmPei.fdf.inc
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
+@@ -4,7 +4,7 @@
+ 
+ !if $(TPM_ENABLE) == TRUE
+ INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+ INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+ INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+ INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+new file mode 100644
+index 0000000000..e8e0b88e60
+--- /dev/null
+++ b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+@@ -0,0 +1,56 @@
+## @file
+# Set TPM device type - supports TPM 1.2 and 2.0
+#
+# In SecurityPkg, this module initializes the TPM device type based on a UEFI
+# variable and/or hardware detection. In OvmfPkg, the module only performs TPM
+# hardware detection.
+#
+# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (C) 2018, Red Hat, Inc.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = Tcg2ConfigPei
+  FILE_GUID                      = 8AD3148F-945F-46B4-8ACD-71469EA73945
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = Tcg2ConfigPeimEntryPoint
+
+[Sources]
+  Tcg2ConfigPeim.c
+  Tpm12Support.h
+  Tpm12Support.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  OvmfPkg/OvmfPkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  PeimEntryPoint
+  DebugLib
+  PeiServicesLib
+  Tpm2DeviceLib
+  BaseLib
+  Tpm12DeviceLib
+
+[Guids]
+  gEfiTpmDeviceSelectedGuid           ## PRODUCES ## GUID # Used as a PPI GUID
+  gEfiTpmDeviceInstanceTpm20DtpmGuid  ## SOMETIMES_CONSUMES
+  gEfiTpmDeviceInstanceTpm12Guid      ## SOMETIMES_CONSUMES
+
+[Ppis]
+  gPeiTpmInitializationDonePpiGuid    ## SOMETIMES_PRODUCES
+
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid                 ## PRODUCES
+
+[Depex.IA32, Depex.X64]
+  gOvmfTpmMmioAccessiblePpiGuid
+
+[Depex.ARM, Depex.AARCH64]
+  gOvmfTpmDiscoveredPpiGuid
+diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+index 39d1deeed1..51078c9813 100644
+--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+@@ -1,5 +1,5 @@
+ ## @file
+-# Set TPM device type
+# Set TPM device type - supports TPM 2.0 only
+ #
+ # In SecurityPkg, this module initializes the TPM device type based on a UEFI
+ # variable and/or hardware detection. In OvmfPkg, the module only performs TPM
+@@ -22,11 +22,6 @@
+ [Sources]
+   Tcg2ConfigPeim.c
+   Tpm12Support.h
+-
+-[Sources.IA32, Sources.X64]
+-  Tpm12Support.c
+-
+-[Sources.ARM, Sources.AARCH64]
+   Tpm12SupportNull.c
+ 
+ [Packages]
+@@ -41,10 +36,6 @@
+   PeiServicesLib
+   Tpm2DeviceLib
+ 
+-[LibraryClasses.IA32, LibraryClasses.X64]
+-  BaseLib
+-  Tpm12DeviceLib
+-
+ [Guids]
+   gEfiTpmDeviceSelectedGuid           ## PRODUCES ## GUID # Used as a PPI GUID
+   gEfiTpmDeviceInstanceTpm20DtpmGuid  ## SOMETIMES_CONSUMES
+-- 
+2.27.0
+
--- a/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch
+++ b/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch
@ -0,0 +1,151 @@
+From 505473655db4b91e4a0ac732069968f9eddabc51 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 15 Dec 2021 12:39:18 +0100
+Subject: [PATCH 3/6] OvmfPkg: drop TPM_CONFIG_ENABLE
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support
+RH-Commit: [3/6] be335526f74358d4af21fbd35cc7008b227ebb23 (kraxel/centos-edk2)
+RH-Bugzilla: 1935497
+RH-Acked-by: Oliver Steffen <None>
+
+Drop TPM_CONFIG_ENABLE config option.  Including TPM support in the
+build without also including the TPM configuration menu is not useful.
+
+Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Stefan Berger <stefanb@linux.ibm.com>
+(cherry picked from commit 5711ff4d0b56ff4c58dc7a780e706bc58aed2253)
+---
+ OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 2 --
+ OvmfPkg/OvmfTpmDefines.dsc.inc                        | 1 -
+ OvmfPkg/OvmfTpmDxe.fdf.inc                            | 2 --
+ OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
+ OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
+ OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
+ OvmfPkg/PlatformCI/ReadMe.md                          | 2 +-
+ 7 files changed, 8 insertions(+), 13 deletions(-)
+
+diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+index d5c2586118..e025d85a58 100644
+--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+@@ -14,9 +14,7 @@
+       NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+       NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+   }
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+   SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+   SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+     <LibraryClasses>
+       Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
+index 51da7508b3..5df4a331fb 100644
+--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
+@@ -3,4 +3,3 @@
+ ##
+ 
+   DEFINE TPM_ENABLE              = FALSE
+-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
+index 9dcdaaf01c..32eef24638 100644
+--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
+@@ -6,7 +6,5 @@
+ INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+ INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+ INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+ INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+ !endif
+-!endif
+diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+index 164bc9c7fc..2e02a5b4cb 100644
+--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+@@ -2,7 +2,7 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+!if $(TPM_ENABLE) == TRUE
+   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+ !endif
+diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+index 7117b86b81..1774423580 100644
+--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+@@ -95,21 +95,21 @@ jobs:
+           OVMF_IA32X64_FULL_DEBUG:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "DEBUG"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+           OVMF_IA32X64_FULL_RELEASE:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "RELEASE"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+           OVMF_IA32X64_FULL_NOOPT:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "NOOPT"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+index 2e07a3d889..09f9851312 100644
+--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+@@ -94,14 +94,14 @@ jobs:
+           OVMF_IA32X64_FULL_DEBUG:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "DEBUG"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+           OVMF_IA32X64_FULL_RELEASE:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "RELEASE"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+@@ -112,7 +112,7 @@ jobs:
+     #       OVMF_IA32X64_FULL_NOOPT:
+     #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+     #         Build.Arch: "IA32,X64"
+-    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+     #         Build.Target: "NOOPT"
+     #         Run.Flags: $(run_flags)
+     #         Run: $(should_run)
+diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md
+index 2ce9007dbe..44aa7c4a9d 100644
+--- a/OvmfPkg/PlatformCI/ReadMe.md
+++ b/OvmfPkg/PlatformCI/ReadMe.md
+@@ -14,7 +14,7 @@ supported and are described below.
+ | IA32                    | IA32               | OvmfPkgIa32.dsc     | None            |
+ | X64                     | X64                | OvmfPkgIa64.dsc     | None            |
+ | IA32 X64                | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | None            |
+-| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+ 
+ ## EDK2 Developer environment
+ 
+-- 
+2.27.0
+
--- a/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch
+++ b/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch
@ -0,0 +1,993 @@
+From 02544e617ce4dfffff15dab47463484ccdc9a51f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 15 Dec 2021 12:39:17 +0100
+Subject: [PATCH 2/6] OvmfPkg: move tcg configuration to dsc and fdf include
+ files
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support
+RH-Commit: [2/6] d811b2cf266baa0fa3f958af0b80bb208f3fe27c (kraxel/centos-edk2)
+RH-Bugzilla: 1935497
+RH-Acked-by: Oliver Steffen <None>
+
+With this in place the tpm configuration is not duplicated for each of
+our four ovmf config variants (ia32, ia32x64, x64, amdsev) and it is
+easier to keep them all in sync when updating the tpm configuration.
+
+No functional change.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+(cherry picked from commit b47575801e1903e8b316d01840572ce2681cf2c6)
+
+[ kraxel: solve conflict in OvmfPkg/AmdSev/AmdSevX64.dsc ]
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc         | 85 ++++-----------------------
+ OvmfPkg/AmdSev/AmdSevX64.fdf         | 17 +-----
+ OvmfPkg/OvmfPkgIa32.dsc              | 88 ++++------------------------
+ OvmfPkg/OvmfPkgIa32.fdf              | 17 +-----
+ OvmfPkg/OvmfPkgIa32X64.dsc           | 85 ++++-----------------------
+ OvmfPkg/OvmfPkgIa32X64.fdf           | 17 +-----
+ OvmfPkg/OvmfPkgX64.dsc               | 85 ++++-----------------------
+ OvmfPkg/OvmfPkgX64.fdf               | 17 +-----
+ OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 28 +++++++++
+ OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 22 +++++++
+ OvmfPkg/OvmfTpmDefines.dsc.inc       |  6 ++
+ OvmfPkg/OvmfTpmDxe.fdf.inc           | 12 ++++
+ OvmfPkg/OvmfTpmLibs.dsc.inc          | 14 +++++
+ OvmfPkg/OvmfTpmLibsDxe.dsc.inc       |  8 +++
+ OvmfPkg/OvmfTpmLibsPeim.dsc.inc      |  9 +++
+ OvmfPkg/OvmfTpmPcds.dsc.inc          |  7 +++
+ OvmfPkg/OvmfTpmPcdsHii.dsc.inc       |  8 +++
+ OvmfPkg/OvmfTpmPei.fdf.inc           | 11 ++++
+ OvmfPkg/OvmfTpmSecurityStub.dsc.inc  |  8 +++
+ 19 files changed, 185 insertions(+), 359 deletions(-)
+ create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmDefines.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc
+ create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+ create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc
+ create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 88b65b9f59..8610602ddb 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -32,8 +32,8 @@
+   # -D FLAG=VALUE
+   #
+   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
+-  DEFINE TPM_ENABLE              = FALSE
+-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
+ 
+   #
+   # Shell can be useful for debugging but should not be enabled for production
+@@ -203,16 +203,7 @@
+   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+-!else
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
+ 
+ [LibraryClasses.common]
+   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+@@ -286,11 +277,7 @@
+   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+ 
+@@ -371,10 +358,8 @@
+   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+   QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+ 
+ [LibraryClasses.common.UEFI_APPLICATION]
+   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+@@ -576,15 +561,10 @@
+ 
+   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
+ 
+ [PcdsDynamicHii]
+-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+ 
+ ################################################################################
+ #
+@@ -625,24 +605,7 @@
+   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+   OvmfPkg/AmdSev/SecretPei/SecretPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+-    <LibraryClasses>
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+ 
+   #
+   # DXE Phase modules
+@@ -664,10 +627,7 @@
+ 
+   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+     <LibraryClasses>
+-!if $(TPM_ENABLE) == TRUE
+-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+   }
+ 
+   OvmfPkg/8259InterruptControllerDxe/8259.inf
+@@ -830,27 +790,4 @@
+   #
+   # TPM support
+   #
+-!if $(TPM_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+-    <LibraryClasses>
+-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+-    <LibraryClasses>
+-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 325570c5a3..3f2329dab4 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -156,13 +156,7 @@ INF  UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
+ INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+ INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
+ 
+ ################################################################################
+ 
+@@ -311,14 +305,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index fa42d919be..904176ccfc 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -32,10 +32,10 @@
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
+   DEFINE SMM_REQUIRE             = FALSE
+   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
+-  DEFINE TPM_ENABLE              = FALSE
+-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+   DEFINE LOAD_X64_ON_IA32_ENABLE = FALSE
+ 
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
+
+   #
+   # Network definition
+   #
+@@ -229,16 +229,7 @@
+   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+-!else
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
+ 
+ [LibraryClasses.common]
+   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+@@ -309,11 +300,7 @@
+   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+ 
+@@ -401,10 +388,8 @@
+   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+ 
+ [LibraryClasses.common.UEFI_APPLICATION]
+   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+@@ -643,19 +628,14 @@
+ 
+   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
+ 
+   # IPv4 and IPv6 PXE Boot support.
+   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
+   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
+ 
+ [PcdsDynamicHii]
+-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+ 
+ ################################################################################
+ #
+@@ -705,24 +685,7 @@
+ !endif
+   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+-    <LibraryClasses>
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+ 
+   #
+   # DXE Phase modules
+@@ -747,10 +710,7 @@
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+ !endif
+-!if $(TPM_ENABLE) == TRUE
+-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+   }
+ 
+   OvmfPkg/8259InterruptControllerDxe/8259.inf
+@@ -1004,31 +964,5 @@
+   #
+   # TPM support
+   #
+-!if $(TPM_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+-    <LibraryClasses>
+-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+-    <LibraryClasses>
+-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+ 
+-!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
+-  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
+-!endif
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 51433836d6..8ba9ffc83e 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -161,13 +161,7 @@ INF  OvmfPkg/SmmAccess/SmmAccessPei.inf
+ !endif
+ INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
+ 
+ ################################################################################
+ 
+@@ -353,14 +347,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
+ 
+ !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
+ INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index ef962565f8..aebd8980e4 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -32,8 +32,8 @@
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
+   DEFINE SMM_REQUIRE             = FALSE
+   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
+-  DEFINE TPM_ENABLE              = FALSE
+-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
+ 
+   #
+   # Network definition
+@@ -233,16 +233,7 @@
+   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+-!else
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
+ 
+ [LibraryClasses.common]
+   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+@@ -313,11 +304,7 @@
+   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+ 
+@@ -405,10 +392,8 @@
+   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+ 
+ [LibraryClasses.common.UEFI_APPLICATION]
+   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+@@ -655,9 +640,7 @@
+ 
+   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
+ 
+ [PcdsDynamicDefault.X64]
+   # IPv4 and IPv6 PXE Boot support.
+@@ -665,10 +648,7 @@
+   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
+ 
+ [PcdsDynamicHii]
+-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+ 
+ ################################################################################
+ #
+@@ -718,24 +698,7 @@
+ !endif
+   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+-    <LibraryClasses>
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+ 
+ [Components.X64]
+   #
+@@ -761,10 +724,7 @@
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+ !endif
+-!if $(TPM_ENABLE) == TRUE
+-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+-!endif
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+   }
+ 
+   OvmfPkg/8259InterruptControllerDxe/8259.inf
+@@ -1019,27 +979,4 @@
+   #
+   # TPM support
+   #
+-!if $(TPM_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+-    <LibraryClasses>
+-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+-    <LibraryClasses>
+-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index a50f80e1e9..65d2600016 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -164,13 +164,7 @@ INF  OvmfPkg/SmmAccess/SmmAccessPei.inf
+ !endif
+ INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
+ 
+ ################################################################################
+ 
+@@ -363,14 +357,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index ba9f9833b0..e85ac3d682 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -32,8 +32,8 @@
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
+   DEFINE SMM_REQUIRE             = FALSE
+   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
+-  DEFINE TPM_ENABLE              = FALSE
+-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+
+!include OvmfPkg/OvmfTpmDefines.dsc.inc
+ 
+   #
+   # Network definition
+@@ -233,16 +233,7 @@
+   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+-  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+-  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+-!else
+-  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibs.dsc.inc
+ 
+ [LibraryClasses.common]
+   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+@@ -315,11 +306,7 @@
+   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
+   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+-!endif
+!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+ 
+   MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+ 
+@@ -407,10 +394,8 @@
+   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!if $(TPM_ENABLE) == TRUE
+-  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+-!endif
+
+!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+ 
+ [LibraryClasses.common.UEFI_APPLICATION]
+   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+@@ -655,19 +640,14 @@
+ 
+   gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+-!endif
+!include OvmfPkg/OvmfTpmPcds.dsc.inc
+ 
+   # IPv4 and IPv6 PXE Boot support.
+   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
+   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
+ 
+ [PcdsDynamicHii]
+-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+-!endif
+!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+ 
+ ################################################################################
+ #
+@@ -717,24 +697,7 @@
+ !endif
+   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+-    <LibraryClasses>
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+ 
+   #
+   # DXE Phase modules
+@@ -758,10 +721,7 @@
+     <LibraryClasses>
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+-!endif
+-!if $(TPM_ENABLE) == TRUE
+-      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+-      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+ !endif
+   }
+ 
+@@ -1017,27 +977,4 @@
+   #
+   # TPM support
+   #
+-!if $(TPM_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+-    <LibraryClasses>
+-      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+-      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+-      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+-      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+-  }
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+-    <LibraryClasses>
+-      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+-  }
+-  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+-    <LibraryClasses>
+-      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+-  }
+-!endif
+!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index dd1c6eded9..e5cbae2073 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -180,13 +180,7 @@ INF  OvmfPkg/SmmAccess/SmmAccessPei.inf
+ !endif
+ INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+ 
+-!if $(TPM_ENABLE) == TRUE
+-INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+-!endif
+!include OvmfPkg/OvmfTpmPei.fdf.inc
+ 
+ ################################################################################
+ 
+@@ -379,14 +373,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+-INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+-INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-!endif
+!include OvmfPkg/OvmfTpmDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+new file mode 100644
+index 0000000000..d5c2586118
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+@@ -0,0 +1,28 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+    <LibraryClasses>
+      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+  }
+!if $(TPM_CONFIG_ENABLE) == TRUE
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
+  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+    <LibraryClasses>
+      Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  }
+  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+!endif
+diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+new file mode 100644
+index 0000000000..99fa7c13b3
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+@@ -0,0 +1,22 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+    <LibraryClasses>
+      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+  }
+  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+    <LibraryClasses>
+      TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  }
+!endif
+diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
+new file mode 100644
+index 0000000000..51da7508b3
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
+@@ -0,0 +1,6 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+  DEFINE TPM_ENABLE              = FALSE
+  DEFINE TPM_CONFIG_ENABLE       = FALSE
+diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
+new file mode 100644
+index 0000000000..9dcdaaf01c
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
+@@ -0,0 +1,12 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+!if $(TPM_CONFIG_ENABLE) == TRUE
+INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!endif
+!endif
+diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
+new file mode 100644
+index 0000000000..50100f2c03
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
+@@ -0,0 +1,14 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+  Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+!else
+  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
+diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+new file mode 100644
+index 0000000000..67d5027aba
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+!endif
+diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+new file mode 100644
+index 0000000000..4e84e3dcaa
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+@@ -0,0 +1,9 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+!endif
+diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
+new file mode 100644
+index 0000000000..0e7f83c04b
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
+@@ -0,0 +1,7 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+!endif
+diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+new file mode 100644
+index 0000000000..164bc9c7fc
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+!endif
+diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
+new file mode 100644
+index 0000000000..9aefd73d21
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
+@@ -0,0 +1,11 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+!endif
+diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+new file mode 100644
+index 0000000000..4bd4066843
+--- /dev/null
+++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+@@ -0,0 +1,8 @@
+##
+#    SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+!if $(TPM_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+!endif
+-- 
+2.27.0
+
--- a/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch
+++ b/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch
@ -0,0 +1,33 @@
+From 9948bb7e9e693b4add121964ec724d4db09df352 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 15 Dec 2021 12:39:16 +0100
+Subject: [PATCH 1/6] OvmfPkg: remove unused TPM options from MicrovmX64.dsc
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support
+RH-Commit: [1/6] cce6ba5501b413c0eb87ac452a53818e68dfa630 (kraxel/centos-edk2)
+RH-Bugzilla: 1935497
+RH-Acked-by: Oliver Steffen <None>
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 3a72ec71cd83f0f5ad2f1d3c78527f4b247da75f)
+---
+ OvmfPkg/Microvm/MicrovmX64.dsc | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index 617f925395..c58c4c35d4 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -32,8 +32,6 @@
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
+   DEFINE SMM_REQUIRE             = FALSE
+   DEFINE SOURCE_DEBUG_ENABLE     = FALSE
+-  DEFINE TPM_ENABLE              = FALSE
+-  DEFINE TPM_CONFIG_ENABLE       = FALSE
+ 
+   #
+   # Network definition
+-- 
+2.27.0
+
--- a/edk2-OvmfPkg-rework-TPM-configuration.patch
+++ b/edk2-OvmfPkg-rework-TPM-configuration.patch
@ -0,0 +1,293 @@
+From 5787adaccb16e4af7df661d6c7eb3197c7f14218 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 15 Dec 2021 12:39:20 +0100
+Subject: [PATCH 5/6] OvmfPkg: rework TPM configuration
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support
+RH-Commit: [5/6] 81ed86c6993e8cca4fabf5f471e198134b907562 (kraxel/centos-edk2)
+RH-Bugzilla: 1935497
+RH-Acked-by: Oliver Steffen <None>
+
+Rename TPM_ENABLE to TPM2_ENABLE so naming is in line with the
+ArmVirtPkg config option name.
+
+Add separate TPM1_ENABLE option for TPM 1.2 support.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Stefan Berger <stefanb@linux.ibm.com>
+(cherry picked from commit 4de8d61bcec02a13ceed84f92b0cf3ea58adf9c5)
+---
+ OvmfPkg/OvmfTpmComponentsDxe.dsc.inc                  | 4 +++-
+ OvmfPkg/OvmfTpmComponentsPei.dsc.inc                  | 6 +++++-
+ OvmfPkg/OvmfTpmDefines.dsc.inc                        | 5 ++++-
+ OvmfPkg/OvmfTpmDxe.fdf.inc                            | 4 +++-
+ OvmfPkg/OvmfTpmLibs.dsc.inc                           | 4 +++-
+ OvmfPkg/OvmfTpmLibsDxe.dsc.inc                        | 4 +++-
+ OvmfPkg/OvmfTpmLibsPeim.dsc.inc                       | 4 +++-
+ OvmfPkg/OvmfTpmPcds.dsc.inc                           | 2 +-
+ OvmfPkg/OvmfTpmPcdsHii.dsc.inc                        | 2 +-
+ OvmfPkg/OvmfTpmPei.fdf.inc                            | 6 +++++-
+ OvmfPkg/OvmfTpmSecurityStub.dsc.inc                   | 4 +++-
+ OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml    | 6 +++---
+ OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
+ OvmfPkg/PlatformCI/ReadMe.md                          | 2 +-
+ 14 files changed, 41 insertions(+), 18 deletions(-)
+
+diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+index e025d85a58..75ae09571e 100644
+--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+@@ -2,7 +2,7 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+     <LibraryClasses>
+       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+@@ -15,10 +15,12 @@
+       NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+   }
+   SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+!if $(TPM1_ENABLE) == TRUE
+   SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+     <LibraryClasses>
+       Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+   }
+!endif
+   SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+     <LibraryClasses>
+       TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+index 87d491da50..fa486eed82 100644
+--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+@@ -2,10 +2,14 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+   OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
+   OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+   SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
+   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+     <LibraryClasses>
+       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
+index 5df4a331fb..a65564d8d9 100644
+--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
+++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
+@@ -2,4 +2,7 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-  DEFINE TPM_ENABLE              = FALSE
+  DEFINE TPM2_ENABLE             = FALSE
+
+  # has no effect unless TPM2_ENABLE == TRUE
+  DEFINE TPM1_ENABLE             = TRUE
+diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
+index 32eef24638..7fc2bf8590 100644
+--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
+++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
+@@ -2,8 +2,10 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
+ INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+!endif
+ INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+ INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+ INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
+index 50100f2c03..418747b134 100644
+--- a/OvmfPkg/OvmfTpmLibs.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
+@@ -2,8 +2,10 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
+   Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+!endif
+   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+index 67d5027aba..1d66cdac77 100644
+--- a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+@@ -2,7 +2,9 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
+   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+!endif
+   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ !endif
+diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+index 4e84e3dcaa..03caccd7c6 100644
+--- a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+@@ -2,8 +2,10 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+!if $(TPM1_ENABLE) == TRUE
+   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+!endif
+   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+ !endif
+diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
+index 0e7f83c04b..0d55d62737 100644
+--- a/OvmfPkg/OvmfTpmPcds.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
+@@ -2,6 +2,6 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+ !endif
+diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+index 2e02a5b4cb..e842253235 100644
+--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+@@ -2,7 +2,7 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+ !endif
+diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
+index 709a608cc3..9f8b9bdd5b 100644
+--- a/OvmfPkg/OvmfTpmPei.fdf.inc
+++ b/OvmfPkg/OvmfTpmPei.fdf.inc
+@@ -2,10 +2,14 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+ INF  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+!if $(TPM1_ENABLE) == TRUE
+ INF  OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+ INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
+!else
+INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+!endif
+ INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+ INF  SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+ !endif
+diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+index 4bd4066843..e9ab2fca7b 100644
+--- a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+@@ -2,7 +2,9 @@
+ #    SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+ 
+-!if $(TPM_ENABLE) == TRUE
+!if $(TPM2_ENABLE) == TRUE
+!if $(TPM1_ENABLE) == TRUE
+       NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+!endif
+       NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+ !endif
+diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+index 1774423580..8df31298f5 100644
+--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+@@ -95,21 +95,21 @@ jobs:
+           OVMF_IA32X64_FULL_DEBUG:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "DEBUG"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+           OVMF_IA32X64_FULL_RELEASE:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "RELEASE"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+           OVMF_IA32X64_FULL_NOOPT:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "NOOPT"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+index 09f9851312..68b5d951e9 100644
+--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+@@ -94,14 +94,14 @@ jobs:
+           OVMF_IA32X64_FULL_DEBUG:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "DEBUG"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+           OVMF_IA32X64_FULL_RELEASE:
+             Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+             Build.Arch: "IA32,X64"
+-            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+            Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+             Build.Target: "RELEASE"
+             Run.Flags: $(run_flags)
+             Run: $(should_run)
+@@ -112,7 +112,7 @@ jobs:
+     #       OVMF_IA32X64_FULL_NOOPT:
+     #         Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+     #         Build.Arch: "IA32,X64"
+-    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+    #         Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1  BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+     #         Build.Target: "NOOPT"
+     #         Run.Flags: $(run_flags)
+     #         Run: $(should_run)
+diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md
+index 44aa7c4a9d..1216dee126 100644
+--- a/OvmfPkg/PlatformCI/ReadMe.md
+++ b/OvmfPkg/PlatformCI/ReadMe.md
+@@ -14,7 +14,7 @@ supported and are described below.
+ | IA32                    | IA32               | OvmfPkgIa32.dsc     | None            |
+ | X64                     | X64                | OvmfPkgIa64.dsc     | None            |
+ | IA32 X64                | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | None            |
+-| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+| IA32 X64 Full           | PEI-IA32 DXE-X64   | OvmfPkgIa32X64.dsc  | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+ 
+ ## EDK2 Developer environment
+ 
+-- 
+2.27.0
+
--- a/edk2.spec
+++ b/edk2.spec
@ -24,7 +24,7 @@ ExclusiveArch: x86_64 aarch64

 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    1%{?dist}
+Release:    2%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
 URL:        http://www.tianocore.org
@ -83,6 +83,16 @@ Patch0043: 0043-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
 Patch0044: 0044-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
 Patch0045: 0045-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
 Patch0046: 0046-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
+# For bz#1935497 - edk2  implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch47: edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch
+# For bz#1935497 - edk2  implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch48: edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch
+# For bz#1935497 - edk2  implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch49: edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch
+# For bz#1935497 - edk2  implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
+# For bz#1935497 - edk2  implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch


 # python3-devel and libuuid-devel are required for building tools.
@ -226,8 +236,8 @@ fi
 CC_FLAGS="$CC_FLAGS --cmd-len=65536 -t %{TOOLCHAIN} -b DEBUG --hash"
 CC_FLAGS="$CC_FLAGS -D NETWORK_IP6_ENABLE"
 CC_FLAGS="$CC_FLAGS -D NETWORK_HTTP_BOOT_ENABLE -D NETWORK_TLS_ENABLE"
-CC_FLAGS="$CC_FLAGS -D TPM_ENABLE"  # x86
-CC_FLAGS="$CC_FLAGS -D TPM2_ENABLE" # arm
+CC_FLAGS="$CC_FLAGS -D TPM2_ENABLE=TRUE"
+CC_FLAGS="$CC_FLAGS -D TPM1_ENABLE=FALSE"

 OVMF_FLAGS="${CC_FLAGS}"
 OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_4MB"
@ -521,6 +531,16 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')


 %changelog
+* Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2
+- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497]
+- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497]
+- edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch [bz#1935497]
+- edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch [bz#1935497]
+- edk2-OvmfPkg-rework-TPM-configuration.patch [bz#1935497]
+- edk2-spec-adapt-specfile-to-build-option-changes-disable-.patch [bz#1935497]
+- Resolves: bz#1935497
+  (edk2  implements and/or uses the deprecated MD5 and SHA-1 algorithms by default)
+
 * Tue Feb 01 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-1
 - Rebase to latest upstream release [bz#2018388]
 - Resolves: bz#2018388