tpm: Don't disable TPM platform hierarchy #2136
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR removes TPM platform hierarchy control code from OpenHCL, as UEFI is now responsible for locking the TPM platform hierarchy before the End-Of-Dxe event.
- Removes the
hierarchy_controlmethod and related TPM command structures - Eliminates the platform hierarchy clearing logic during TPM initialization
- Removes associated test coverage for hierarchy control functionality
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| vm/devices/tpm/src/tpm_helper.rs | Removes hierarchy_control helper method and its corresponding test |
| vm/devices/tpm/src/tpm20proto.rs | Removes HierarchyControlCmd and HierarchyControlReply protocol structures |
| vm/devices/tpm/src/lib.rs | Removes platform hierarchy clearing call from TPM initialization |
|
NOTE: We should onboard a TPM test for OpenHCL Linux guests to validate that the TPM platform hierarchy is still locked after boot. The simplest way to do this is to have petri run this command on the guest: If successful, we should expect an error saying `Error: unable to run tpm2_createprimary) with an error code proving that it was due to the PH being disabled. @smalis-msft @tjones60, would the above proposal require us to install something in our Linux guests? |
|
Looks good to me! I'll leave it to the OpenVMM experts to decide if we should remove the code in tpm20proto and tpm_helper, or just make Clippy not complain about it being unused. |
maheeraeron
changed the title
maheeraeron
dismissed stale reviews from stunes-ms and smalis-msft
via
4c12e81
3 participants
UEFI is already now responsible for locking the TPM platform hierarchy, which will occur before the End-Of-Dxe event (i.e., the PH will be locked before we reach boot devices).
Thus, we can remove this code in OpenHCL that does this.