Closed MykeHalk closed 2 months ago
It was already done when releasing the heads variant. It is not available for UEFI just because there was no release for the UEFI variant.
> It is not available for UEFI just because there was no release for the UEFI variant.
@miczyg1 Could you explain what you mean by this? Are we not able to integrate this into EDK2 for MSI Z790-P boards?
> Could you explain what you mean by this?
dTPM support was added after v0.9.1 was released. So if you would like to use dTPM, you would have to build the binary yourself from the dasharo-4.21 branch of the coreboot repository.
Awesome, thank you. Looks like it's working great, just what I needed.
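A small check for confirming, after flashing a build with dTPM enabled, that the OS actually sees the discrete TPM. This is an added example, not code from the Dasharo project or from anyone in this thread; it reads the Linux sysfs TPM class directory and assumes the `tpm_version_major` attribute that recent kernels expose. The sysfs root is a parameter so the function can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the Dasharo thread or project): report whether the
# running kernel exposes a TPM device. Useful after testing a dTPM build with
# the HAP bit set. Argument 1 overrides the sysfs root (default /sys) so the
# check can run against a constructed tree.
tpm_status() {
    root="${1:-/sys}"
    dev="$root/class/tpm/tpm0"
    if [ ! -d "$dev" ]; then
        # No TPM character device registered: firmware did not enable/advertise it
        echo "absent"
        return 0
    fi
    # tpm_version_major reports 1 (TPM 1.2) or 2 (TPM 2.0) on recent kernels
    if [ -r "$dev/tpm_version_major" ]; then
        echo "present tpm$(cat "$dev/tpm_version_major")"
    else
        echo "present unknown-version"
    fi
    return 0
}

# Stand-alone use: print the status of the live system
tpm_status "${SYSFS_ROOT:-/sys}"
```

`present tpm2` is the expected result for a dTPM exposed to the OS; `absent` after a build that was supposed to enable dTPM points at the firmware configuration rather than the OS.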
@miczyg1 I had a question, I noticed some new tags (v0.9.2-rc1, v0.9.2.-rc0). Will this be added to v0.9.2?
I built v0.9.2-rc1 and it didn't have dTPM when HAP was disabled.
> @miczyg1 I had a question, I noticed some new tags (v0.9.2-rc1, v0.9.2.-rc0). Will this be added to v0.9.2?
> I built v0.9.2-rc1 and it didn't have dTPM when HAP was disabled.
I'm not sure what the scope is. @SergiiDmytruk?
I don't think it's out of scope, but it looks like I need to update the configuration a bit to enable it (I thought it was automatic). This is a very early preparation for upcoming releases (tags will move, testing hasn't started yet), so thanks for pointing this out right away @MykeHalk. I've updated https://github.com/Dasharo/coreboot/pull/565 with changes that should enable dTPM, if you're eager to test it.
Awesome, thank you.
The problem you're addressing (if any)
The dTPM is also disabled when the HAP bit is enabled.
Describe the solution you'd like
I noticed that this is a feature in the heads firmware; would it be possible to integrate it into the UEFI firmware as well? When HAP is enabled, check the header for dTPM. Not sure if there are some conflicts I am unaware of that allow heads to have this feature and not the EDK payload.
Where is the value to a user, and who might that user be?
Not sure, but the first thing that comes to mind is that some games are starting to require Secure Boot and TPM to be enabled to play them.
Some people might want to have ME disabled so they can sleep at night knowing that it's one less attack surface they don't have to worry about, but still have a discrete TPM for instances that require it. Heads also does not implement Secure Boot, afaik.
I feel like this would benefit an average user who is slightly security focused but does not want to compromise the functionality of his system.
Describe alternatives you've considered
Using heads itself, but it does not support Secure Boot, so it's trading one thing for another.
Additional context
No response