diff --git a/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch b/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
new file mode 100644
index 0000000..44dc3e4
--- /dev/null
+++ b/edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
@@ -0,0 +1,158 @@ +From 0ecb863aaca8d71a35763645ced278589666ada2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:19 +0100 +Subject: [PATCH 4/6] OvmfPkg: create Tcg12ConfigPei.inf + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [4/6] 92926b9a05aaff38aab9a2aeee211be736863ab9 (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +Split Tcg2ConfigPei.inf into two variants: Tcg12ConfigPei.inf with +TPM 1.2 support included and Tcg2ConfigPei.inf supporting TPM 2.0 only. +This allows x86 builds to choose whenever TPM 1.2 support should be +included or not by picking the one or the other inf file. + +Switch x86 builds to Tcg12ConfigPei.inf, so they continue to +have TPM 1.2 support. + +No functional change. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Stefan Berger +Tested-by: Stefan Berger +(cherry picked from commit b81938877276e808b6535e612b320eee559c4c2f) +--- + OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 2 +- + OvmfPkg/OvmfTpmPei.fdf.inc | 2 +- + OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf | 56 +++++++++++++++++++++++ + OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 11 +---- + 4 files changed, 59 insertions(+), 12 deletions(-) + create mode 100644 OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + +diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +index 99fa7c13b3..87d491da50 100644 +--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc ++++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc +@@ -4,7 +4,7 @@ + + !if $(TPM_ENABLE) == TRUE + OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++ OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + SecurityPkg/Tcg/TcgPei/TcgPei.inf + SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { + +diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc +index 9aefd73d21..709a608cc3 100644 +--- a/OvmfPkg/OvmfTpmPei.fdf.inc ++++ b/OvmfPkg/OvmfTpmPei.fdf.inc +@@ -4,7 +4,7 @@ + + !if 
$(TPM_ENABLE) == TRUE + INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++INF OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf + INF SecurityPkg/Tcg/TcgPei/TcgPei.inf + INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf + INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf +new file mode 100644 +index 0000000000..e8e0b88e60 +--- /dev/null ++++ b/OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf +@@ -0,0 +1,56 @@ ++## @file ++# Set TPM device type - supports TPM 1.2 and 2.0 ++# ++# In SecurityPkg, this module initializes the TPM device type based on a UEFI ++# variable and/or hardware detection. In OvmfPkg, the module only performs TPM ++# hardware detection. ++# ++# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
++# Copyright (C) 2018, Red Hat, Inc. ++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++[Defines] ++ INF_VERSION = 0x00010005 ++ BASE_NAME = Tcg2ConfigPei ++ FILE_GUID = 8AD3148F-945F-46B4-8ACD-71469EA73945 ++ MODULE_TYPE = PEIM ++ VERSION_STRING = 1.0 ++ ENTRY_POINT = Tcg2ConfigPeimEntryPoint ++ ++[Sources] ++ Tcg2ConfigPeim.c ++ Tpm12Support.h ++ Tpm12Support.c ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ OvmfPkg/OvmfPkg.dec ++ SecurityPkg/SecurityPkg.dec ++ ++[LibraryClasses] ++ PeimEntryPoint ++ DebugLib ++ PeiServicesLib ++ Tpm2DeviceLib ++ BaseLib ++ Tpm12DeviceLib ++ ++[Guids] ++ gEfiTpmDeviceSelectedGuid ## PRODUCES ## GUID # Used as a PPI GUID ++ gEfiTpmDeviceInstanceTpm20DtpmGuid ## SOMETIMES_CONSUMES ++ gEfiTpmDeviceInstanceTpm12Guid ## SOMETIMES_CONSUMES ++ ++[Ppis] ++ gPeiTpmInitializationDonePpiGuid ## SOMETIMES_PRODUCES ++ ++[Pcd] ++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## PRODUCES ++ ++[Depex.IA32, Depex.X64] ++ gOvmfTpmMmioAccessiblePpiGuid ++ ++[Depex.ARM, Depex.AARCH64] ++ gOvmfTpmDiscoveredPpiGuid +diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +index 39d1deeed1..51078c9813 100644 +--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf ++++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +@@ -1,5 +1,5 @@ + ## @file +-# Set TPM device type ++# Set TPM device type - supports TPM 2.0 only + # + # In SecurityPkg, this module initializes the TPM device type based on a UEFI + # variable and/or hardware detection. 
In OvmfPkg, the module only performs TPM +@@ -22,11 +22,6 @@ + [Sources] + Tcg2ConfigPeim.c + Tpm12Support.h +- +-[Sources.IA32, Sources.X64] +- Tpm12Support.c +- +-[Sources.ARM, Sources.AARCH64] + Tpm12SupportNull.c + + [Packages] +@@ -41,10 +36,6 @@ + PeiServicesLib + Tpm2DeviceLib + +-[LibraryClasses.IA32, LibraryClasses.X64] +- BaseLib +- Tpm12DeviceLib +- + [Guids] + gEfiTpmDeviceSelectedGuid ## PRODUCES ## GUID # Used as a PPI GUID + gEfiTpmDeviceInstanceTpm20DtpmGuid ## SOMETIMES_CONSUMES +-- +2.27.0 + diff --git a/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch b/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch new file mode 100644 index 0000000..d77387a --- /dev/null +++ b/edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch 
@@ -0,0 +1,151 @@ +From 505473655db4b91e4a0ac732069968f9eddabc51 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:18 +0100 +Subject: [PATCH 3/6] OvmfPkg: drop TPM_CONFIG_ENABLE + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [3/6] be335526f74358d4af21fbd35cc7008b227ebb23 (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +Drop TPM_CONFIG_ENABLE config option. Including TPM support in the +build without also including the TPM configuration menu is not useful. + +Suggested-by: Stefan Berger +Signed-off-by: Gerd Hoffmann +Tested-by: Stefan Berger +(cherry picked from commit 5711ff4d0b56ff4c58dc7a780e706bc58aed2253) +--- + OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 2 -- + OvmfPkg/OvmfTpmDefines.dsc.inc | 1 - + OvmfPkg/OvmfTpmDxe.fdf.inc | 2 -- + OvmfPkg/OvmfTpmPcdsHii.dsc.inc | 2 +- + OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml | 6 +++--- + OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++--- + OvmfPkg/PlatformCI/ReadMe.md | 2 +- + 7 files changed, 8 insertions(+), 13 deletions(-) + +diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +index d5c2586118..e025d85a58 100644 +--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc ++++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +@@ -14,9 +14,7 @@ + NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } +-!if $(TPM_CONFIG_ENABLE) == TRUE + SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif + SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { + + Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc +index 51da7508b3..5df4a331fb 100644 +--- a/OvmfPkg/OvmfTpmDefines.dsc.inc ++++ b/OvmfPkg/OvmfTpmDefines.dsc.inc +@@ -3,4 +3,3 @@ + ## + + DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE 
+diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc +index 9dcdaaf01c..32eef24638 100644 +--- a/OvmfPkg/OvmfTpmDxe.fdf.inc ++++ b/OvmfPkg/OvmfTpmDxe.fdf.inc +@@ -6,7 +6,5 @@ + INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf + INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +-!if $(TPM_CONFIG_ENABLE) == TRUE + INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf + !endif +-!endif +diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +index 164bc9c7fc..2e02a5b4cb 100644 +--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc ++++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: BSD-2-Clause-Patent + ## + +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE ++!if $(TPM_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS + !endif +diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml +index 7117b86b81..1774423580 100644 +--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml ++++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml +@@ -95,21 +95,21 @@ jobs: + OVMF_IA32X64_FULL_DEBUG: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "DEBUG" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_RELEASE: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: 
"BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "RELEASE" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_NOOPT: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "NOOPT" + Run.Flags: $(run_flags) + Run: $(should_run) +diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml +index 2e07a3d889..09f9851312 100644 +--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml ++++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml +@@ -94,14 +94,14 @@ jobs: + OVMF_IA32X64_FULL_DEBUG: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "DEBUG" + Run.Flags: $(run_flags) + Run: $(should_run) + OVMF_IA32X64_FULL_RELEASE: + Build.File: "$(package)/PlatformCI/PlatformBuild.py" + Build.Arch: "IA32,X64" +- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 
BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + Build.Target: "RELEASE" + Run.Flags: $(run_flags) + Run: $(should_run) +@@ -112,7 +112,7 @@ jobs: + # OVMF_IA32X64_FULL_NOOPT: + # Build.File: "$(package)/PlatformCI/PlatformBuild.py" + # Build.Arch: "IA32,X64" +- # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_TPM_CONFIG_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" ++ # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1" + # Build.Target: "NOOPT" + # Run.Flags: $(run_flags) + # Run: $(should_run) +diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md +index 2ce9007dbe..44aa7c4a9d 100644 +--- a/OvmfPkg/PlatformCI/ReadMe.md ++++ b/OvmfPkg/PlatformCI/ReadMe.md +@@ -14,7 +14,7 @@ supported and are described below. + | IA32 | IA32 | OvmfPkgIa32.dsc | None | + | X64 | X64 | OvmfPkgIa64.dsc | None | + | IA32 X64 | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | None | +-| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 TPM_CONFIG_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 | ++| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 | + + ## EDK2 Developer environment + +-- +2.27.0 + diff --git a/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch b/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch new file mode 100644 index 0000000..cc6af03 --- /dev/null 
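Review bot: Dropping `DEFINE TPM_CONFIG_ENABLE = FALSE` from OvmfTpmDefines.dsc.inc leaves no trace of the switch for downstream build scripts that still pass `-D TPM_CONFIG_ENABLE=…`; the EDK2 build presumably accepts an unused macro without complaint, so such invocations keep working but the operator may not realise the Tcg2 setup menu is now built unconditionally whenever TPM_ENABLE is TRUE. A comment next to the remaining define would make this explicit, e.g. `# TPM_ENABLE also builds the Tcg2 configuration menu (Tcg2ConfigDxe); the separate TPM_CONFIG_ENABLE switch has been removed.` The `!if`/`!endif` nesting in the OvmfTpmDxe.fdf.inc hunk balances after the change (the outer `!if $(TPM_ENABLE)` keeps the single remaining `!endif`), and the PlatformCI/ReadMe.md table was updated consistently with the two pipeline files. The `OvmfPkgIa64.dsc` in the unchanged X64 row of that table looks like a pre-existing typo but is outside this change.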
+++ b/edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch 
@@ -0,0 +1,993 @@ +From 02544e617ce4dfffff15dab47463484ccdc9a51f Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Dec 2021 12:39:17 +0100 +Subject: [PATCH 2/6] OvmfPkg: move tcg configuration to dsc and fdf include + files + +RH-Author: Gerd Hoffmann +RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support +RH-Commit: [2/6] d811b2cf266baa0fa3f958af0b80bb208f3fe27c (kraxel/centos-edk2) +RH-Bugzilla: 1935497 +RH-Acked-by: Oliver Steffen + +With this in place the tpm configuration is not duplicated for each of +our four ovmf config variants (ia32, ia32x64, x64, amdsev) and it is +easier to keep them all in sync when updating the tpm configuration. + +No functional change. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Stefan Berger +(cherry picked from commit b47575801e1903e8b316d01840572ce2681cf2c6) + +[ kraxel: solve conflict in OvmfPkg/AmdSev/AmdSevX64.dsc ] +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 85 ++++----------------------- + OvmfPkg/AmdSev/AmdSevX64.fdf | 17 +----- + OvmfPkg/OvmfPkgIa32.dsc | 88 ++++------------------------ + OvmfPkg/OvmfPkgIa32.fdf | 17 +----- + OvmfPkg/OvmfPkgIa32X64.dsc | 85 ++++----------------------- + OvmfPkg/OvmfPkgIa32X64.fdf | 17 +----- + OvmfPkg/OvmfPkgX64.dsc | 85 ++++----------------------- + OvmfPkg/OvmfPkgX64.fdf | 17 +----- + OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 28 +++++++++ + OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 22 +++++++ + OvmfPkg/OvmfTpmDefines.dsc.inc | 6 ++ + OvmfPkg/OvmfTpmDxe.fdf.inc | 12 ++++ + OvmfPkg/OvmfTpmLibs.dsc.inc | 14 +++++ + OvmfPkg/OvmfTpmLibsDxe.dsc.inc | 8 +++ + OvmfPkg/OvmfTpmLibsPeim.dsc.inc | 9 +++ + OvmfPkg/OvmfTpmPcds.dsc.inc | 7 +++ + OvmfPkg/OvmfTpmPcdsHii.dsc.inc | 8 +++ + OvmfPkg/OvmfTpmPei.fdf.inc | 11 ++++ + OvmfPkg/OvmfTpmSecurityStub.dsc.inc | 8 +++ + 19 files changed, 185 insertions(+), 359 deletions(-) + create mode 100644 OvmfPkg/OvmfTpmComponentsDxe.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmComponentsPei.dsc.inc + create mode 100644 
OvmfPkg/OvmfTpmDefines.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmDxe.fdf.inc + create mode 100644 OvmfPkg/OvmfTpmLibs.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmLibsDxe.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmLibsPeim.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmPcds.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmPcdsHii.dsc.inc + create mode 100644 OvmfPkg/OvmfTpmPei.fdf.inc + create mode 100644 OvmfPkg/OvmfTpmSecurityStub.dsc.inc + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 88b65b9f59..8610602ddb 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -32,8 +32,8 @@ + # -D FLAG=VALUE + # + DEFINE SOURCE_DEBUG_ENABLE = FALSE +- DEFINE TPM_ENABLE = FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE ++ ++!include OvmfPkg/OvmfTpmDefines.dsc.inc + + # + # Shell can be useful for debugging but should not be enabled for production +@@ -203,16 +203,7 @@ + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + +-!if $(TPM_ENABLE) == TRUE +- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf +- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf +- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +-!else +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +-!endif ++!include OvmfPkg/OvmfTpmLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +@@ -286,11 +277,7 @@ + PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf + 
QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + +-!if $(TPM_ENABLE) == TRUE +- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf +-!endif ++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + +@@ -371,10 +358,8 @@ + MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf + QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf +-!if $(TPM_ENABLE) == TRUE +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +-!endif ++ ++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc + + [LibraryClasses.common.UEFI_APPLICATION] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf +@@ -576,15 +561,10 @@ + + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + +-!if $(TPM_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} +-!endif ++!include OvmfPkg/OvmfTpmPcds.dsc.inc + + [PcdsDynamicHii] +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS +- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +-!endif ++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc + + ################################################################################ + # +@@ -625,24 +605,7 @@ + UefiCpuPkg/CpuMpPei/CpuMpPei.inf + OvmfPkg/AmdSev/SecretPei/SecretPei.inf + +-!if $(TPM_ENABLE) == TRUE +- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- 
OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +- SecurityPkg/Tcg/TcgPei/TcgPei.inf +- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { +- +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc + + # + # DXE Phase modules +@@ -664,10 +627,7 @@ + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + +-!if $(TPM_ENABLE) == TRUE +- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf +- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf +-!endif ++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc + } + + OvmfPkg/8259InterruptControllerDxe/8259.inf +@@ -830,27 +790,4 @@ + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { +- +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +-!if $(TPM_CONFIG_ENABLE) == TRUE +- 
SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { +- +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 325570c5a3..3f2329dab4 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -156,13 +156,7 @@ INF UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf + INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf + INF OvmfPkg/AmdSev/SecretPei/SecretPei.inf + +-!if $(TPM_ENABLE) == TRUE +-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf +-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +-!endif ++!include OvmfPkg/OvmfTpmPei.fdf.inc + + ################################################################################ + +@@ -311,14 +305,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf +-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +-!if $(TPM_CONFIG_ENABLE) == TRUE +-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +-!endif ++!include OvmfPkg/OvmfTpmDxe.fdf.inc + + ################################################################################ + +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index fa42d919be..904176ccfc 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -32,10 +32,10 @@ + DEFINE SECURE_BOOT_ENABLE = FALSE + DEFINE SMM_REQUIRE = FALSE + DEFINE SOURCE_DEBUG_ENABLE = FALSE +- DEFINE TPM_ENABLE = 
FALSE +- DEFINE TPM_CONFIG_ENABLE = FALSE + DEFINE LOAD_X64_ON_IA32_ENABLE = FALSE + ++!include OvmfPkg/OvmfTpmDefines.dsc.inc ++ + # + # Network definition + # +@@ -229,16 +229,7 @@ + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf + +-!if $(TPM_ENABLE) == TRUE +- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf +- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf +- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +-!else +- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf +- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +-!endif ++!include OvmfPkg/OvmfTpmLibs.dsc.inc + + [LibraryClasses.common] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +@@ -309,11 +300,7 @@ + PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf + QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf + +-!if $(TPM_ENABLE) == TRUE +- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf +-!endif ++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc + + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + +@@ -401,10 +388,8 @@ + MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf + QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf +-!if $(TPM_ENABLE) == TRUE +- 
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf +-!endif ++ ++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc + + [LibraryClasses.common.UEFI_APPLICATION] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf +@@ -643,19 +628,14 @@ + + gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + +-!if $(TPM_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} +-!endif ++!include OvmfPkg/OvmfTpmPcds.dsc.inc + + # IPv4 and IPv6 PXE Boot support. + gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 + gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + + [PcdsDynamicHii] +-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE +- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS +- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS +-!endif ++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc + + ################################################################################ + # +@@ -705,24 +685,7 @@ + !endif + UefiCpuPkg/CpuMpPei/CpuMpPei.inf + +-!if $(TPM_ENABLE) == TRUE +- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf +- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf +- SecurityPkg/Tcg/TcgPei/TcgPei.inf +- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf { +- +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +- 
SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc + + # + # DXE Phase modules +@@ -747,10 +710,7 @@ + !if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + !endif +-!if $(TPM_ENABLE) == TRUE +- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf +- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf +-!endif ++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc + } + + OvmfPkg/8259InterruptControllerDxe/8259.inf +@@ -1004,31 +964,5 @@ + # + # TPM support + # +-!if $(TPM_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { +- +- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf +- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf +- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf +- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf +- } +-!if $(TPM_CONFIG_ENABLE) == TRUE +- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +-!endif +- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf { +- +- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf +- } +- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { +- +- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +- } +-!endif ++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc + +-!if $(LOAD_X64_ON_IA32_ENABLE) == TRUE +- OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf +-!endif +diff --git 
a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 51433836d6..8ba9ffc83e 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -161,13 +161,7 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf
+ !endif
+ INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+
+-!if $(TPM_ENABLE) == TRUE
+-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+-!endif
++!include OvmfPkg/OvmfTpmPei.fdf.inc
+
+ ################################################################################
+
+@@ -353,14 +347,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-!endif
++!include OvmfPkg/OvmfTpmDxe.fdf.inc
+
+ !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
+ INF OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index ef962565f8..aebd8980e4 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -32,8 +32,8 @@
+ DEFINE SECURE_BOOT_ENABLE = FALSE
+ DEFINE SMM_REQUIRE = FALSE
+ DEFINE SOURCE_DEBUG_ENABLE = FALSE
+- DEFINE TPM_ENABLE = FALSE
+- DEFINE TPM_CONFIG_ENABLE = FALSE
++
++!include OvmfPkg/OvmfTpmDefines.dsc.inc
+
+ #
+ # Network definition
+@@ -233,16 +233,7 @@
+ SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+ OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
+
+-!if $(TPM_ENABLE) == TRUE
+- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+-!else
+- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+-!endif
++!include OvmfPkg/OvmfTpmLibs.dsc.inc
+
+ [LibraryClasses.common]
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+@@ -313,11 +304,7 @@
+ PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
+ QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+
+-!if $(TPM_ENABLE) == TRUE
+- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+-!endif
++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+
+ MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+
+@@ -405,10 +392,8 @@
+ MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+ QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+ QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!if $(TPM_ENABLE) == TRUE
+- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+-!endif
++
++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+
+ [LibraryClasses.common.UEFI_APPLICATION]
+ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+@@ -655,9 +640,7 @@
+
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+
+-!if $(TPM_ENABLE) == TRUE
+- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+-!endif
++!include OvmfPkg/OvmfTpmPcds.dsc.inc
+
+ [PcdsDynamicDefault.X64]
+ # IPv4 and IPv6 PXE Boot support.
+@@ -665,10 +648,7 @@
+ gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
+
+ [PcdsDynamicHii]
+-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+-!endif
++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+
+ ################################################################################
+ #
+@@ -718,24 +698,7 @@
+ !endif
+ UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+
+-!if $(TPM_ENABLE) == TRUE
+- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+- SecurityPkg/Tcg/TcgPei/TcgPei.inf
+- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+-
+- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+- }
+- SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+-
+- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+- }
+-!endif
++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+
+ [Components.X64]
+ #
+@@ -761,10 +724,7 @@
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+ !endif
+-!if $(TPM_ENABLE) == TRUE
+- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+-!endif
++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+ }
+
+ OvmfPkg/8259InterruptControllerDxe/8259.inf
+@@ -1019,27 +979,4 @@
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+-
+- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+- }
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+-
+- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+- }
+- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+-
+- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+- }
+-!endif
++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index a50f80e1e9..65d2600016 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -164,13 +164,7 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf
+ !endif
+ INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+
+-!if $(TPM_ENABLE) == TRUE
+-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+-!endif
++!include OvmfPkg/OvmfTpmPei.fdf.inc
+
+ ################################################################################
+
+@@ -363,14 +357,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-!endif
++!include OvmfPkg/OvmfTpmDxe.fdf.inc
+
+ ################################################################################
+
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index ba9f9833b0..e85ac3d682 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -32,8 +32,8 @@
+ DEFINE SECURE_BOOT_ENABLE = FALSE
+ DEFINE SMM_REQUIRE = FALSE
+ DEFINE SOURCE_DEBUG_ENABLE = FALSE
+- DEFINE TPM_ENABLE = FALSE
+- DEFINE TPM_CONFIG_ENABLE = FALSE
++
++!include OvmfPkg/OvmfTpmDefines.dsc.inc
+
+ #
+ # Network definition
+@@ -233,16 +233,7 @@
+ SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+ OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
+
+-!if $(TPM_ENABLE) == TRUE
+- Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
+- Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+- Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+- TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+-!else
+- Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
+- TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+-!endif
++!include OvmfPkg/OvmfTpmLibs.dsc.inc
+
+ [LibraryClasses.common]
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+@@ -315,11 +306,7 @@
+ PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
+ QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
+
+-!if $(TPM_ENABLE) == TRUE
+- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+-!endif
++!include OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+
+ MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+
+@@ -407,10 +394,8 @@
+ MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
+ QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
+ QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+-!if $(TPM_ENABLE) == TRUE
+- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
+- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+-!endif
++
++!include OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+
+ [LibraryClasses.common.UEFI_APPLICATION]
+ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
+@@ -655,19 +640,14 @@
+
+ gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
+
+-!if $(TPM_ENABLE) == TRUE
+- gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+-!endif
++!include OvmfPkg/OvmfTpmPcds.dsc.inc
+
+ # IPv4 and IPv6 PXE Boot support.
+ gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
+ gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
+
+ [PcdsDynamicHii]
+-!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
+- gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+-!endif
++!include OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+
+ ################################################################################
+ #
+@@ -717,24 +697,7 @@
+ !endif
+ UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+
+-!if $(TPM_ENABLE) == TRUE
+- OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+- OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+- SecurityPkg/Tcg/TcgPei/TcgPei.inf
+- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+-
+- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+- }
+- SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
+-
+- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+- }
+-!endif
++!include OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+
+ #
+ # DXE Phase modules
+@@ -758,10 +721,7 @@
+
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+-!endif
+-!if $(TPM_ENABLE) == TRUE
+- NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
+- NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
++!include OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+ !endif
+ }
+
+@@ -1017,27 +977,4 @@
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+- SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+-
+- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+- HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+- NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+- }
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+- SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+-
+- Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+- }
+- SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+-
+- TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+- }
+-!endif
++!include OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index dd1c6eded9..e5cbae2073 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -180,13 +180,7 @@ INF OvmfPkg/SmmAccess/SmmAccessPei.inf
+ !endif
+ INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+
+-!if $(TPM_ENABLE) == TRUE
+-INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
+-INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+-INF SecurityPkg/Tcg/TcgPei/TcgPei.inf
+-INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+-INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+-!endif
++!include OvmfPkg/OvmfTpmPei.fdf.inc
+
+ ################################################################################
+
+@@ -379,14 +373,7 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
+-!if $(TPM_ENABLE) == TRUE
+-INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+-INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+-INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+-!if $(TPM_CONFIG_ENABLE) == TRUE
+-INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+-!endif
+-!endif
++!include OvmfPkg/OvmfTpmDxe.fdf.inc
+
+ ################################################################################
+
+diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+new file mode 100644
+index 0000000000..d5c2586118
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+@@ -0,0 +1,28 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
++
++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
++ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
++ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
++ }
++!if $(TPM_CONFIG_ENABLE) == TRUE
++ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
++!endif
++ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
++
++ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
++ }
++ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
++
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++!endif
+diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+new file mode 100644
+index 0000000000..99fa7c13b3
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+@@ -0,0 +1,22 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++ OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
++ SecurityPkg/Tcg/TcgPei/TcgPei.inf
++ SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
++
++ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
++ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
++ }
++ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
++
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++!endif
+diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
+new file mode 100644
+index 0000000000..51da7508b3
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
+@@ -0,0 +1,6 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++ DEFINE TPM_ENABLE = FALSE
++ DEFINE TPM_CONFIG_ENABLE = FALSE
+diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
+new file mode 100644
+index 0000000000..9dcdaaf01c
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
+@@ -0,0 +1,12 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
++INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
++INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
++!if $(TPM_CONFIG_ENABLE) == TRUE
++INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
++!endif
++!endif
+diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
+new file mode 100644
+index 0000000000..50100f2c03
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
+@@ -0,0 +1,14 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
++ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
++ Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
++ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
++ TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
++!else
++ Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
++ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
++!endif
+diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+new file mode 100644
+index 0000000000..67d5027aba
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+@@ -0,0 +1,8 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
++!endif
+diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+new file mode 100644
+index 0000000000..4e84e3dcaa
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+@@ -0,0 +1,9 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
++ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
++ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
++!endif
+diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
+new file mode 100644
+index 0000000000..0e7f83c04b
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
+@@ -0,0 +1,7 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
++!endif
+diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+new file mode 100644
+index 0000000000..164bc9c7fc
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+@@ -0,0 +1,8 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
++ gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
++ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
++!endif
+diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
+new file mode 100644
+index 0000000000..9aefd73d21
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmPei.fdf.inc
+@@ -0,0 +1,11 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
++INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
++INF SecurityPkg/Tcg/TcgPei/TcgPei.inf
++INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
++INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
++!endif
+diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+new file mode 100644
+index 0000000000..4bd4066843
+--- /dev/null
++++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+@@ -0,0 +1,8 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++!if $(TPM_ENABLE) == TRUE
++ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
++ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
++!endif
+--
+2.27.0
+
diff --git a/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch b/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch
new file mode 100644
index 0000000..6920cec
--- /dev/null
+++ b/edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch
@@ -0,0 +1,33 @@
+From 9948bb7e9e693b4add121964ec724d4db09df352 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Wed, 15 Dec 2021 12:39:16 +0100
+Subject: [PATCH 1/6] OvmfPkg: remove unused TPM options from MicrovmX64.dsc
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support
+RH-Commit: [1/6] cce6ba5501b413c0eb87ac452a53818e68dfa630 (kraxel/centos-edk2)
+RH-Bugzilla: 1935497
+RH-Acked-by: Oliver Steffen
+
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 3a72ec71cd83f0f5ad2f1d3c78527f4b247da75f)
+---
+ OvmfPkg/Microvm/MicrovmX64.dsc | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index 617f925395..c58c4c35d4 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
++++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -32,8 +32,6 @@
+ DEFINE SECURE_BOOT_ENABLE = FALSE
+ DEFINE SMM_REQUIRE = FALSE
+ DEFINE SOURCE_DEBUG_ENABLE = FALSE
+- DEFINE TPM_ENABLE = FALSE
+- DEFINE TPM_CONFIG_ENABLE = FALSE
+
+ #
+ # Network definition
+--
+2.27.0
+
diff --git a/edk2-OvmfPkg-rework-TPM-configuration.patch b/edk2-OvmfPkg-rework-TPM-configuration.patch
new file mode 100644
index 0000000..6843741
--- /dev/null
+++ b/edk2-OvmfPkg-rework-TPM-configuration.patch
@@ -0,0 +1,293 @@
+From 5787adaccb16e4af7df661d6c7eb3197c7f14218 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Wed, 15 Dec 2021 12:39:20 +0100
+Subject: [PATCH 5/6] OvmfPkg: rework TPM configuration
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 9: backport tpm build updates, disable tpm 1.2 support
+RH-Commit: [5/6] 81ed86c6993e8cca4fabf5f471e198134b907562 (kraxel/centos-edk2)
+RH-Bugzilla: 1935497
+RH-Acked-by: Oliver Steffen
+
+Rename TPM_ENABLE to TPM2_ENABLE so naming is in line with the
+ArmVirtPkg config option name.
+
+Add separate TPM1_ENABLE option for TPM 1.2 support.
+
+Signed-off-by: Gerd Hoffmann
+Tested-by: Stefan Berger
+(cherry picked from commit 4de8d61bcec02a13ceed84f92b0cf3ea58adf9c5)
+---
+ OvmfPkg/OvmfTpmComponentsDxe.dsc.inc | 4 +++-
+ OvmfPkg/OvmfTpmComponentsPei.dsc.inc | 6 +++++-
+ OvmfPkg/OvmfTpmDefines.dsc.inc | 5 ++++-
+ OvmfPkg/OvmfTpmDxe.fdf.inc | 4 +++-
+ OvmfPkg/OvmfTpmLibs.dsc.inc | 4 +++-
+ OvmfPkg/OvmfTpmLibsDxe.dsc.inc | 4 +++-
+ OvmfPkg/OvmfTpmLibsPeim.dsc.inc | 4 +++-
+ OvmfPkg/OvmfTpmPcds.dsc.inc | 2 +-
+ OvmfPkg/OvmfTpmPcdsHii.dsc.inc | 2 +-
+ OvmfPkg/OvmfTpmPei.fdf.inc | 6 +++++-
+ OvmfPkg/OvmfTpmSecurityStub.dsc.inc | 4 +++-
+ OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml | 6 +++---
+ OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml | 6 +++---
+ OvmfPkg/PlatformCI/ReadMe.md | 2 +-
+ 14 files changed, 41 insertions(+), 18 deletions(-)
+
+diff --git a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+index e025d85a58..75ae09571e 100644
+--- a/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
++++ b/OvmfPkg/OvmfTpmComponentsDxe.dsc.inc
+@@ -2,7 +2,7 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+@@ -15,10 +15,12 @@
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
++!if $(TPM1_ENABLE) == TRUE
+ SecurityPkg/Tcg/TcgDxe/TcgDxe.inf {
+
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
+ }
++!endif
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
+
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+diff --git a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+index 87d491da50..fa486eed82 100644
+--- a/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
++++ b/OvmfPkg/OvmfTpmComponentsPei.dsc.inc
+@@ -2,10 +2,14 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
+ OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
++!if $(TPM1_ENABLE) == TRUE
+ OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+ SecurityPkg/Tcg/TcgPei/TcgPei.inf
++!else
++ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
++!endif
+ SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
+
+ HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+diff --git a/OvmfPkg/OvmfTpmDefines.dsc.inc b/OvmfPkg/OvmfTpmDefines.dsc.inc
+index 5df4a331fb..a65564d8d9 100644
+--- a/OvmfPkg/OvmfTpmDefines.dsc.inc
++++ b/OvmfPkg/OvmfTpmDefines.dsc.inc
+@@ -2,4 +2,7 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+- DEFINE TPM_ENABLE = FALSE
++ DEFINE TPM2_ENABLE = FALSE
++
++ # has no effect unless TPM2_ENABLE == TRUE
++ DEFINE TPM1_ENABLE = TRUE
+diff --git a/OvmfPkg/OvmfTpmDxe.fdf.inc b/OvmfPkg/OvmfTpmDxe.fdf.inc
+index 32eef24638..7fc2bf8590 100644
+--- a/OvmfPkg/OvmfTpmDxe.fdf.inc
++++ b/OvmfPkg/OvmfTpmDxe.fdf.inc
+@@ -2,8 +2,10 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
++!if $(TPM1_ENABLE) == TRUE
+ INF SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
++!endif
+ INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+ INF SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+ INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+diff --git a/OvmfPkg/OvmfTpmLibs.dsc.inc b/OvmfPkg/OvmfTpmLibs.dsc.inc
+index 50100f2c03..418747b134 100644
+--- a/OvmfPkg/OvmfTpmLibs.dsc.inc
++++ b/OvmfPkg/OvmfTpmLibs.dsc.inc
+@@ -2,8 +2,10 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
++!if $(TPM1_ENABLE) == TRUE
+ Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
++!endif
+ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+ Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
+ Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
+diff --git a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+index 67d5027aba..1d66cdac77 100644
+--- a/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
++++ b/OvmfPkg/OvmfTpmLibsDxe.dsc.inc
+@@ -2,7 +2,9 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
++!if $(TPM1_ENABLE) == TRUE
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
++!endif
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ !endif
+diff --git a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+index 4e84e3dcaa..03caccd7c6 100644
+--- a/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
++++ b/OvmfPkg/OvmfTpmLibsPeim.dsc.inc
+@@ -2,8 +2,10 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
++!if $(TPM1_ENABLE) == TRUE
+ Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
++!endif
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+ !endif
+diff --git a/OvmfPkg/OvmfTpmPcds.dsc.inc b/OvmfPkg/OvmfTpmPcds.dsc.inc
+index 0e7f83c04b..0d55d62737 100644
+--- a/OvmfPkg/OvmfTpmPcds.dsc.inc
++++ b/OvmfPkg/OvmfTpmPcds.dsc.inc
+@@ -2,6 +2,6 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
+ !endif
+diff --git a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+index 2e02a5b4cb..e842253235 100644
+--- a/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
++++ b/OvmfPkg/OvmfTpmPcdsHii.dsc.inc
+@@ -2,7 +2,7 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
+ gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
+ !endif
+diff --git a/OvmfPkg/OvmfTpmPei.fdf.inc b/OvmfPkg/OvmfTpmPei.fdf.inc
+index 709a608cc3..9f8b9bdd5b 100644
+--- a/OvmfPkg/OvmfTpmPei.fdf.inc
++++ b/OvmfPkg/OvmfTpmPei.fdf.inc
+@@ -2,10 +2,14 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
+ INF OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf
++!if $(TPM1_ENABLE) == TRUE
+ INF OvmfPkg/Tcg/Tcg2Config/Tcg12ConfigPei.inf
+ INF SecurityPkg/Tcg/TcgPei/TcgPei.inf
++!else
++INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
++!endif
+ INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+ INF SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+ !endif
+diff --git a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+index 4bd4066843..e9ab2fca7b 100644
+--- a/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
++++ b/OvmfPkg/OvmfTpmSecurityStub.dsc.inc
+@@ -2,7 +2,9 @@
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ ##
+
+-!if $(TPM_ENABLE) == TRUE
++!if $(TPM2_ENABLE) == TRUE
++!if $(TPM1_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
++!endif
+ NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+ !endif
+diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+index 1774423580..8df31298f5 100644
+--- a/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
++++ b/OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml
+@@ -95,21 +95,21 @@ jobs:
+ OVMF_IA32X64_FULL_DEBUG:
+ Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+ Build.Arch: "IA32,X64"
+- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+ Build.Target: "DEBUG"
+ Run.Flags: $(run_flags)
+ Run: $(should_run)
+ OVMF_IA32X64_FULL_RELEASE:
+ Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+ Build.Arch: "IA32,X64"
+- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+ Build.Target: "RELEASE"
+ Run.Flags: $(run_flags)
+ Run: $(should_run)
+ OVMF_IA32X64_FULL_NOOPT:
+ Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+ Build.Arch: "IA32,X64"
+- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+ Build.Target: "NOOPT"
+ Run.Flags: $(run_flags)
+ Run: $(should_run)
+diff --git a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+index 09f9851312..68b5d951e9 100644
+--- a/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
++++ b/OvmfPkg/PlatformCI/.azurepipelines/Windows-VS2019.yml
+@@ -94,14 +94,14 @@ jobs:
+ OVMF_IA32X64_FULL_DEBUG:
+ Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+ Build.Arch: "IA32,X64"
+- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+ Build.Target: "DEBUG"
+ Run.Flags: $(run_flags)
+ Run: $(should_run)
+ OVMF_IA32X64_FULL_RELEASE:
+ Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+ Build.Arch: "IA32,X64"
+- Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
++ Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+ Build.Target: "RELEASE"
+ Run.Flags: $(run_flags)
+ Run: $(should_run)
+@@ -112,7 +112,7 @@ jobs:
+ # OVMF_IA32X64_FULL_NOOPT:
+ # Build.File: "$(package)/PlatformCI/PlatformBuild.py"
+ # Build.Arch: "IA32,X64"
+- # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
++ # Build.Flags: "BLD_*_SECURE_BOOT_ENABLE=1 BLD_*_SMM_REQUIRE=1 BLD_*_TPM2_ENABLE=1 BLD_*_NETWORK_TLS_ENABLE=1 BLD_*_NETWORK_IP6_ENABLE=1 BLD_*_NETWORK_HTTP_BOOT_ENABLE=1"
+ # Build.Target: "NOOPT"
+ # Run.Flags: $(run_flags)
+ # Run: $(should_run)
+diff --git a/OvmfPkg/PlatformCI/ReadMe.md b/OvmfPkg/PlatformCI/ReadMe.md
+index 44aa7c4a9d..1216dee126 100644
+--- a/OvmfPkg/PlatformCI/ReadMe.md
++++ b/OvmfPkg/PlatformCI/ReadMe.md
+@@ -14,7 +14,7 @@ supported and are described below.
+ | IA32 | IA32 | OvmfPkgIa32.dsc | None |
+ | X64 | X64 | OvmfPkgIa64.dsc | None |
+ | IA32 X64 | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | None |
+-| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
++| IA32 X64 Full | PEI-IA32 DXE-X64 | OvmfPkgIa32X64.dsc | SECURE_BOOT_ENABLE=1 SMM_REQUIRE=1 TPM1_ENABLE=1 TPM2_ENABLE=1 NETWORK_TLS_ENABLE=1 NETWORK_IP6_ENABLE=1 NETWORK_HTTP_BOOT_ENABLE=1 |
+
+ ## EDK2 Developer environment
+
+--
+2.27.0
+
diff --git a/edk2.spec b/edk2.spec
index 8fff630..5836d90 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -24,7 +24,7 @@ ExclusiveArch: x86_64 aarch64
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: http://www.tianocore.org
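Review bot: `DEFINE TPM1_ENABLE = TRUE` in the OvmfTpmDefines.dsc.inc hunk makes the TPM 1.2 stack (TcgPei/TcgDxe, the Tpm12*Lib instances and DxeTpmMeasureBootLib guarded by the new `!if $(TPM1_ENABLE) == TRUE` blocks) opt-out rather than opt-in for every platform that sets TPM2_ENABLE, and the only comment on it, `# has no effect unless TPM2_ENABLE == TRUE`, does not say what the option actually pulls in. Given that the RH-Bugzilla this backport serves is about deprecated MD5/SHA-1 being used by default and TPM 1.2 measurements are SHA-1 only, I would widen the comment to `# TPM 1.2 support (SHA-1 measurements only); has no effect unless TPM2_ENABLE == TRUE` so a platform maintainer sees why they might want FALSE. The PlatformCI ReadMe.md row now lists `TPM1_ENABLE=1 TPM2_ENABLE=1` while both Azure YAML jobs only set `BLD_*_TPM2_ENABLE=1`; the two agree only because of that TRUE default, so either add `BLD_*_TPM1_ENABLE=1` to the YAML flags or drop `TPM1_ENABLE=1` from the table.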
@@ -83,6 +83,16 @@ Patch0043: 0043-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch
 Patch0044: 0044-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch
 Patch0045: 0045-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch
 Patch0046: 0046-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch
+# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch47: edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch
+# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch48: edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch
+# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch49: edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch
+# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
+# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
+Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch
 # python3-devel and libuuid-devel are required for building tools.
@@ -226,8 +236,8 @@ fi
 CC_FLAGS="$CC_FLAGS --cmd-len=65536 -t %{TOOLCHAIN} -b DEBUG --hash"
 CC_FLAGS="$CC_FLAGS -D NETWORK_IP6_ENABLE"
 CC_FLAGS="$CC_FLAGS -D NETWORK_HTTP_BOOT_ENABLE -D NETWORK_TLS_ENABLE"
-CC_FLAGS="$CC_FLAGS -D TPM_ENABLE" # x86
-CC_FLAGS="$CC_FLAGS -D TPM2_ENABLE" # arm
+CC_FLAGS="$CC_FLAGS -D TPM2_ENABLE=TRUE"
+CC_FLAGS="$CC_FLAGS -D TPM1_ENABLE=FALSE"
 OVMF_FLAGS="${CC_FLAGS}"
 OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_4MB"
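Review bot: The five new tags are spelled `Patch47:` … `Patch51:` while every surrounding entry in the same list is zero-padded (`Patch0044:`, `Patch0045:`, `Patch0046:`), so the list no longer reads as one numbered sequence; rpm treats the two spellings as the same tag number, so this is style only, but `Patch0047:` through `Patch0051:` would keep the block uniform. The same one-line `# For bz#1935497 - …` comment is repeated verbatim before each of the five tags; one comment above the group (e.g. `# bz#1935497 - TPM build rework, TPM 1.2 support disabled (Patch0047-Patch0051)`) says the same thing once. Whether `%prep` applies these by explicit `%patchNN` lines or by `%autosetup` is outside this hunk, so I cannot confirm nothing else depends on the exact spelling.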
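Review bot: The new `-D TPM1_ENABLE=FALSE` line in the second hunk carries no comment, whereas the two lines it replaces at least recorded which target each define was for; a later reader cannot tell that dropping TPM 1.2 is deliberate and tied to bz#1935497 rather than an oversight to be "fixed". Suggest `CC_FLAGS="$CC_FLAGS -D TPM1_ENABLE=FALSE"   # TPM 1.2 deliberately off, see bz#1935497 (deprecated MD5/SHA-1)`. Passing an explicit FALSE rather than simply omitting the define is the right call, since it does not depend on whatever default the dsc files choose. Both defines now go into CC_FLAGS, which the removed `# x86` / `# arm` comments suggest previously fed different targets; presumably the aarch64 flags are also derived from CC_FLAGS (not visible here), so a short note that the pair is intended for every build would also help. The enclosing `%build` section starts and ends outside the hunk.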
@@ -521,6 +531,16 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
 %changelog
+* Tue Feb 08 2022 Miroslav Rezanina - 20220126gitbb1bba3d77-2
+- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497]
+- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497]
+- edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch [bz#1935497]
+- edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch [bz#1935497]
+- edk2-OvmfPkg-rework-TPM-configuration.patch [bz#1935497]
+- edk2-spec-adapt-specfile-to-build-option-changes-disable-.patch [bz#1935497]
+- Resolves: bz#1935497
+ (edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default)
+
 * Tue Feb 01 2022 Miroslav Rezanina - 20220126gitbb1bba3d77-1
 - Rebase to latest upstream release [bz#2018388]
 - Resolves: bz#2018388
