ArmvirtPkg/ArmVirtQemu: enable TPM2 based measured boot and enable the TPM2 configuration module

Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>

0003-OvmfPkg-Tcg2ConfigPei-introduce-a-signalling-PPI-to-.patch

@@ -0,0 +1,61 @@
+From bf5008f94fd887f7f9c1daf1a09f47c0733d38ed Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:06 +0100
+Subject: [PATCH 03/13] OvmfPkg/Tcg2ConfigPei: introduce a signalling PPI to
+ depex on
+
+On ARM systems, the TPM does not live at a fixed address, and so we
+need the platform to discover it first. So introduce a PPI that signals
+that the TPM address has been discovered and recorded in the appropriate
+PCD, and make Tcg2ConfigPei depex on it when built for ARM or AARCH64.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ OvmfPkg/OvmfPkg.dec                      | 5 +++++
+ OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 6 +++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
+index 4c5b651..7c27f01 100644
+--- a/OvmfPkg/OvmfPkg.dec
++++ b/OvmfPkg/OvmfPkg.dec
+@@ -87,6 +87,11 @@
+   gEfiLegacyBiosGuid                  = {0x2E3044AC, 0x879F, 0x490F, {0x97, 0x60, 0xBB, 0xDF, 0xAF, 0x69, 0x5F, 0x50}}
+   gEfiLegacyDevOrderVariableGuid      = {0xa56074db, 0x65fe, 0x45f7, {0xbd, 0x21, 0x2d, 0x2b, 0xdd, 0x8e, 0x96, 0x52}}
+ 
++[Ppis]
++  # PPI whose presence in the PPI database signals that the TPM base address
++  # has been discovered and recorded
++  gOvmfTpmDiscoveredPpiGuid           = {0xb9a61ad0, 0x2802, 0x41f3, {0xb5, 0x13, 0x96, 0x51, 0xce, 0x6b, 0xd5, 0x75}}
++
+ [Protocols]
+   gVirtioDeviceProtocolGuid           = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
+   gXenBusProtocolGuid                 = {0x3d3ca290, 0xb9a5, 0x11e3, {0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}}
+diff --git a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+index e34cd62..6673ce0 100644
+--- a/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
++++ b/OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+@@ -25,6 +25,7 @@
+ [Packages]
+   MdePkg/MdePkg.dec
+   MdeModulePkg/MdeModulePkg.dec
++  OvmfPkg/OvmfPkg.dec
+   SecurityPkg/SecurityPkg.dec
+ 
+ [LibraryClasses]
+@@ -43,5 +44,8 @@
+ [Pcd]
+   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid                 ## PRODUCES
+ 
+-[Depex]
++[Depex.IA32, Depex.X64]
+   TRUE
++
++[Depex.ARM, Depex.AARCH64]
++  gOvmfTpmDiscoveredPpiGuid
+-- 
+2.18.2
+

0004-ArmVirtPkg-PlatformPeiLib-make-PcdLib-dependency-exp.patch

@@ -0,0 +1,37 @@
+From 4b9b1a6908eae0440b0d230d3ac39c6ff2a3f15f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:07 +0100
+Subject: [PATCH 04/13] ArmVirtPkg/PlatformPeiLib: make PcdLib dependency
+ explicit in .INF
+
+We currently include PcdLib.h in PlatformPeiLib, without declaring
+this dependency in its .INF description. Since all the PCDs we use
+resolve to fixed type in practice, this does not really matter at
+the moment, but since we will be adding dynamic PCD references in
+a subsequent patch, let's make the PcdLib dependency explicit, so
+that its dispatch is guaranteed to be ordered correctly with respect
+to the provider of the dynamic PCD PPI.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+index 46db117..1ef04d1 100644
+--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
++++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+@@ -29,6 +29,7 @@
+   DebugLib
+   HobLib
+   FdtLib
++  PcdLib
+ 
+ [FixedPcd]
+   gArmTokenSpaceGuid.PcdFvSize
+-- 
+2.18.2
+

0005-ArmVirtPkg-PlatformPeiLib-discover-the-TPM-base-addr.patch

@@ -0,0 +1,318 @@
+From f1bb8ca123be4d0194a9f65b93a9c65c85861b50 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:08 +0100
+Subject: [PATCH 05/13] ArmVirtPkg/PlatformPeiLib: discover the TPM base
+ address from the DT
+
+Introduce a boolean PCD that tells us whether TPM support is enabled
+in the build, and if it is, record the TPM base address in the existing
+routine that traverses the device tree in the platform PEIM.
+
+If a TPM is found, install the gOvmfTpmDiscoveredPpiGuid signalling PPI
+that will unlock the dispatch of OvmfPkg's Tcg2ConfigPei. If TPM2
+support is enabled in the build but no TPM2 device is found, install the
+gPeiTpmInitializationDonePpiGuid PPI, which is normally installed by
+Tcg2ConfigPei if no TPM2 is found, but in our case Tcg2ConfigPei will
+never run so let's do it here instead.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirtPkg.dec                     |   6 ++
+ ArmVirtPkg/ArmVirtQemu.dsc                    |   5 +
+ ArmVirtPkg/ArmVirtQemuKernel.dsc              |   6 ++
+ ArmVirtPkg/ArmVirtXen.dsc                     |   6 ++
+ .../Library/PlatformPeiLib/PlatformPeiLib.c   | 101 ++++++++++++++++--
+ .../Library/PlatformPeiLib/PlatformPeiLib.inf |  19 +++-
+ 6 files changed, 129 insertions(+), 14 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
+index a019cc2..0619efc 100644
+--- a/ArmVirtPkg/ArmVirtPkg.dec
++++ b/ArmVirtPkg/ArmVirtPkg.dec
+@@ -36,6 +36,12 @@
+ [Protocols]
+   gFdtClientProtocolGuid = { 0xE11FACA0, 0x4710, 0x4C8E, { 0xA7, 0xA2, 0x01, 0xBA, 0xA2, 0x59, 0x1B, 0x4C } }
+ 
++[PcdsFeatureFlag]
++  #
++  # Feature Flag PCD that defines whether TPM2 support is enabled
++  #
++  gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|FALSE|BOOLEAN|0x00000004
++
+ [PcdsFixedAtBuild, PcdsPatchableInModule]
+   #
+   # This is the physical address where the device tree is expected to be stored
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 7ae6702..984df5c 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -237,6 +237,11 @@
+   gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0
+   gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE
+ 
++  #
++  # TPM2 support
++  #
++  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
++
+ [PcdsDynamicHii]
+   gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
+ 
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 3b0f049..8243876 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -172,6 +172,12 @@
+   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|3
+ 
+ [PcdsPatchableInModule.common]
++  # we need to provide a resolution for this PCD that supports PcdSet64()
++  # being called from ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c,
++  # even though that call will be compiled out on this platform as it does
++  # not (and cannot) support the TPM2 driver stack
++  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
++
+   #
+   # This will be overridden in the code
+   #
+diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
+index 1b42a9a..8a6ace2 100644
+--- a/ArmVirtPkg/ArmVirtXen.dsc
++++ b/ArmVirtPkg/ArmVirtXen.dsc
+@@ -95,6 +95,12 @@
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable|TRUE
+ 
+ [PcdsPatchableInModule.common]
++  # we need to provide a resolution for this PCD that supports PcdSet64()
++  # being called from ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c,
++  # even though that call will be compiled out on this platform as it does
++  # not (and cannot) support the TPM2 driver stack
++  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
++
+   #
+   # This will be overridden in the code
+   #
+diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
+index 0a14695..eabd800 100644
+--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
++++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
+@@ -1,7 +1,7 @@
+ /** @file
+ *
+ *  Copyright (c) 2011-2014, ARM Limited. All rights reserved.
+-*  Copyright (c) 2014, Linaro Limited. All rights reserved.
++*  Copyright (c) 2014-2020, Linaro Limited. All rights reserved.
+ *
+ *  SPDX-License-Identifier: BSD-2-Clause-Patent
+ *
+@@ -13,11 +13,24 @@
+ #include <Library/DebugLib.h>
+ #include <Library/HobLib.h>
+ #include <Library/PcdLib.h>
++#include <Library/PeiServicesLib.h>
+ #include <libfdt.h>
+ 
+ #include <Guid/EarlyPL011BaseAddress.h>
+ #include <Guid/FdtHob.h>
+ 
++STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpm2DiscoveredPpi = {
++  EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
++  &gOvmfTpmDiscoveredPpiGuid,
++  NULL
++};
++
++STATIC CONST EFI_PEI_PPI_DESCRIPTOR mTpm2InitializationDonePpi = {
++  EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
++  &gPeiTpmInitializationDonePpiGuid,
++  NULL
++};
++
+ EFI_STATUS
+ EFIAPI
+ PlatformPeim (
+@@ -31,14 +44,18 @@ PlatformPeim (
+   UINT64             *FdtHobData;
+   UINT64             *UartHobData;
+   INT32              Node, Prev;
++  INT32              Parent, Depth;
+   CONST CHAR8        *Compatible;
+   CONST CHAR8        *CompItem;
+   CONST CHAR8        *NodeStatus;
+   INT32              Len;
++  INT32              RangesLen;
+   INT32              StatusLen;
+   CONST UINT64       *RegProp;
++  CONST UINT32       *RangesProp;
+   UINT64             UartBase;
+-
++  UINT64             TpmBase;
++  EFI_STATUS         Status;
+ 
+   Base = (VOID*)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress);
+   ASSERT (Base != NULL);
+@@ -58,18 +75,18 @@ PlatformPeim (
+   ASSERT (UartHobData != NULL);
+   *UartHobData = 0;
+ 
+-  //
+-  // Look for a UART node
+-  //
+-  for (Prev = 0;; Prev = Node) {
+-    Node = fdt_next_node (Base, Prev, NULL);
++  TpmBase = 0;
++
++  for (Prev = Depth = 0;; Prev = Node) {
++    Node = fdt_next_node (Base, Prev, &Depth);
+     if (Node < 0) {
+       break;
+     }
+ 
+-    //
+-    // Check for UART node
+-    //
++    if (Depth == 1) {
++      Parent = Node;
++    }
++
+     Compatible = fdt_getprop (Base, Node, "compatible", &Len);
+ 
+     //
+@@ -93,10 +110,74 @@ PlatformPeim (
+ 
+         *UartHobData = UartBase;
+         break;
++      } else if (FeaturePcdGet (PcdTpm2SupportEnabled) &&
++                 AsciiStrCmp (CompItem, "tcg,tpm-tis-mmio") == 0) {
++
++        RegProp = fdt_getprop (Base, Node, "reg", &Len);
++        ASSERT (Len == 8 || Len == 16);
++        if (Len == 8) {
++          TpmBase = fdt32_to_cpu (RegProp[0]);
++        } else if (Len == 16) {
++          TpmBase = fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RegProp));
++        }
++
++        if (Depth > 1) {
++          //
++          // QEMU/mach-virt may put the TPM on the platform bus, in which case
++          // we have to take its 'ranges' property into account to translate the
++          // MMIO address. This consists of a <child base, parent base, size>
++          // tuple, where the child base and the size use the same number of
++          // cells as the 'reg' property above, and the parent base uses 2 cells
++          //
++          RangesProp = fdt_getprop (Base, Parent, "ranges", &RangesLen);
++          ASSERT (RangesProp != NULL);
++
++          //
++          // a plain 'ranges' attribute without a value implies a 1:1 mapping
++          //
++          if (RangesLen != 0) {
++            //
++            // assume a single translated range with 2 cells for the parent base
++            //
++            if (RangesLen != Len + 2 * sizeof (UINT32)) {
++              DEBUG ((DEBUG_WARN,
++                "%a: 'ranges' property has unexpected size %d\n",
++                __FUNCTION__, RangesLen));
++              break;
++            }
++
++            if (Len == 8) {
++              TpmBase -= fdt32_to_cpu (RangesProp[0]);
++            } else {
++              TpmBase -= fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RangesProp));
++            }
++
++            //
++            // advance RangesProp to the parent bus address
++            //
++            RangesProp = (UINT32 *)((UINT8 *)RangesProp + Len / 2);
++            TpmBase += fdt64_to_cpu (ReadUnaligned64 ((UINT64 *)RangesProp));
++          }
++        }
++        break;
+       }
+     }
+   }
+ 
++  if (FeaturePcdGet (PcdTpm2SupportEnabled)) {
++    if (TpmBase != 0) {
++      DEBUG ((DEBUG_INFO, "%a: TPM @ 0x%lx\n", __FUNCTION__, TpmBase));
++
++      Status = (EFI_STATUS)PcdSet64S (PcdTpmBaseAddress, TpmBase);
++      ASSERT_EFI_ERROR (Status);
++
++      Status = PeiServicesInstallPpi (&mTpm2DiscoveredPpi);
++    } else {
++      Status = PeiServicesInstallPpi (&mTpm2InitializationDonePpi);
++    }
++    ASSERT_EFI_ERROR (Status);
++  }
++
+   BuildFvHob (PcdGet64 (PcdFvBaseAddress), PcdGet32 (PcdFvSize));
+ 
+   return EFI_SUCCESS;
+diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+index 1ef04d1..5dae4df 100644
+--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
++++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+@@ -1,7 +1,7 @@
+ #/** @file
+ #
+ #  Copyright (c) 2011-2015, ARM Limited. All rights reserved.
+-#  Copyright (c) 2014, Linaro Limited. All rights reserved.
++#  Copyright (c) 2014-2020, Linaro Limited. All rights reserved.
+ #
+ #  SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+@@ -11,7 +11,7 @@
+   INF_VERSION                    = 0x00010005
+   BASE_NAME                      = PlatformPeiLib
+   FILE_GUID                      = 59C11815-F8DA-4F49-B4FB-EC1E41ED1F06
+-  MODULE_TYPE                    = SEC
++  MODULE_TYPE                    = BASE
+   VERSION_STRING                 = 1.0
+   LIBRARY_CLASS                  = PlatformPeiLib
+ 
+@@ -21,15 +21,21 @@
+ [Packages]
+   ArmPkg/ArmPkg.dec
+   ArmVirtPkg/ArmVirtPkg.dec
+-  MdePkg/MdePkg.dec
+-  MdeModulePkg/MdeModulePkg.dec
+   EmbeddedPkg/EmbeddedPkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  MdePkg/MdePkg.dec
++  OvmfPkg/OvmfPkg.dec
++  SecurityPkg/SecurityPkg.dec
++
++[FeaturePcd]
++  gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled
+ 
+ [LibraryClasses]
+   DebugLib
+   HobLib
+   FdtLib
+   PcdLib
++  PeiServicesLib
+ 
+ [FixedPcd]
+   gArmTokenSpaceGuid.PcdFvSize
+@@ -38,6 +44,11 @@
+ [Pcd]
+   gArmTokenSpaceGuid.PcdFvBaseAddress
+   gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
++  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress         ## SOMETIMES_PRODUCES
++
++[Ppis]
++  gOvmfTpmDiscoveredPpiGuid                               ## SOMETIMES_PRODUCES
++  gPeiTpmInitializationDonePpiGuid                        ## SOMETIMES_PRODUCES
+ 
+ [Guids]
+   gEarlyPL011BaseAddressGuid
+-- 
+2.18.2
+

0006-ArmVirtPkg-implement-ArmVirtPsciResetSystemPeiLib.patch

@@ -0,0 +1,311 @@
+From be6f854c61807ab26d7cc6db797876ed00d54469 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:09 +0100
+Subject: [PATCH 06/13] ArmVirtPkg: implement ArmVirtPsciResetSystemPeiLib
+
+Implement a ArmVirtPkg specific version of the PSCI ResetSystemLib that
+is usable in the PEI phase, as the existing one relies on the FDT client
+protocol, making it unsuitable.
+
+Note that accessing the device tree passed by QEMU via its initial base
+address is guaranteed to be safe at any time during the PEI phase, so we
+can defer discovery of the PSCI method until the time the reset library
+is actually invoked (which is rarely)
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ .../ArmVirtPsciResetSystemPeiLib.c            | 232 ++++++++++++++++++
+ .../ArmVirtPsciResetSystemPeiLib.inf          |  39 +++
+ 2 files changed, 271 insertions(+)
+ create mode 100644 ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c
+ create mode 100644 ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
+
+diff --git a/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c
+new file mode 100644
+index 0000000..9cfd55d
+--- /dev/null
++++ b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.c
+@@ -0,0 +1,232 @@
++/** @file
++  Reset System lib using PSCI hypervisor or secure monitor calls
++
++  Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
++  Copyright (c) 2013, ARM Ltd. All rights reserved.<BR>
++  Copyright (c) 2014-2020, Linaro Ltd. All rights reserved.<BR>
++  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#include <PiPei.h>
++
++#include <libfdt.h>
++#include <Library/ArmHvcLib.h>
++#include <Library/ArmSmcLib.h>
++#include <Library/BaseLib.h>
++#include <Library/DebugLib.h>
++#include <Library/HobLib.h>
++#include <Library/ResetSystemLib.h>
++
++#include <IndustryStandard/ArmStdSmc.h>
++
++typedef enum {
++  PsciMethodUnknown,
++  PsciMethodSmc,
++  PsciMethodHvc,
++} PSCI_METHOD;
++
++STATIC
++PSCI_METHOD
++DiscoverPsciMethod (
++  VOID
++  )
++{
++  VOID                            *DeviceTreeBase;
++  INT32                           Node, Prev;
++  INT32                           Len;
++  CONST CHAR8                     *Compatible;
++  CONST CHAR8                     *CompatibleItem;
++  CONST VOID                      *Prop;
++
++  DeviceTreeBase = (VOID*)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress);
++  ASSERT (fdt_check_header (DeviceTreeBase) == 0);
++
++  //
++  // Enumerate all FDT nodes looking for the PSCI node and capture the method
++  //
++  for (Prev = 0;; Prev = Node) {
++    Node = fdt_next_node (DeviceTreeBase, Prev, NULL);
++    if (Node < 0) {
++      break;
++    }
++
++    Compatible = fdt_getprop (DeviceTreeBase, Node, "compatible", &Len);
++    if (Compatible == NULL) {
++      continue;
++    }
++
++    //
++    // Iterate over the NULL-separated items in the compatible string
++    //
++    for (CompatibleItem = Compatible; CompatibleItem < Compatible + Len;
++      CompatibleItem += 1 + AsciiStrLen (CompatibleItem)) {
++
++      if (AsciiStrCmp (CompatibleItem, "arm,psci-0.2") != 0) {
++        continue;
++      }
++
++      Prop = fdt_getprop (DeviceTreeBase, Node, "method", NULL);
++      if (!Prop) {
++        DEBUG ((DEBUG_ERROR, "%a: Missing PSCI method property\n",
++          __FUNCTION__));
++        return PsciMethodUnknown;
++      }
++
++      if (AsciiStrnCmp (Prop, "hvc", 3) == 0) {
++        return PsciMethodHvc;
++      } else if (AsciiStrnCmp (Prop, "smc", 3) == 0) {
++        return PsciMethodSmc;
++      } else {
++        DEBUG ((DEBUG_ERROR, "%a: Unknown PSCI method \"%a\"\n", __FUNCTION__,
++          Prop));
++        return PsciMethodUnknown;
++      }
++    }
++  }
++  return PsciMethodUnknown;
++}
++
++STATIC
++VOID
++PerformPsciAction (
++  IN  UINTN     Arg0
++  )
++{
++  ARM_SMC_ARGS ArmSmcArgs;
++  ARM_HVC_ARGS ArmHvcArgs;
++
++  ArmSmcArgs.Arg0 = Arg0;
++  ArmHvcArgs.Arg0 = Arg0;
++
++  switch (DiscoverPsciMethod ()) {
++  case PsciMethodHvc:
++    ArmCallHvc (&ArmHvcArgs);
++    break;
++
++  case PsciMethodSmc:
++    ArmCallSmc (&ArmSmcArgs);
++    break;
++
++  default:
++    DEBUG ((DEBUG_ERROR, "%a: no PSCI method defined\n", __FUNCTION__));
++    ASSERT (FALSE);
++  }
++}
++
++/**
++  This function causes a system-wide reset (cold reset), in which
++  all circuitry within the system returns to its initial state. This type of reset
++  is asynchronous to system operation and operates without regard to
++  cycle boundaries.
++
++  If this function returns, it means that the system does not support cold reset.
++**/
++VOID
++EFIAPI
++ResetCold (
++  VOID
++  )
++{
++  // Send a PSCI 0.2 SYSTEM_RESET command
++  PerformPsciAction (ARM_SMC_ID_PSCI_SYSTEM_RESET);
++}
++
++/**
++  This function causes a system-wide initialization (warm reset), in which all processors
++  are set to their initial state. Pending cycles are not corrupted.
++
++  If this function returns, it means that the system does not support warm reset.
++**/
++VOID
++EFIAPI
++ResetWarm (
++  VOID
++  )
++{
++  // Map a warm reset into a cold reset
++  ResetCold ();
++}
++
++/**
++  This function causes the system to enter a power state equivalent
++  to the ACPI G2/S5 or G3 states.
++
++  If this function returns, it means that the system does not support shutdown reset.
++**/
++VOID
++EFIAPI
++ResetShutdown (
++  VOID
++  )
++{
++  // Send a PSCI 0.2 SYSTEM_OFF command
++  PerformPsciAction (ARM_SMC_ID_PSCI_SYSTEM_OFF);
++}
++
++/**
++  This function causes a systemwide reset. The exact type of the reset is
++  defined by the EFI_GUID that follows the Null-terminated Unicode string passed
++  into ResetData. If the platform does not recognize the EFI_GUID in ResetData
++  the platform must pick a supported reset type to perform.The platform may
++  optionally log the parameters from any non-normal reset that occurs.
++
++  @param[in]  DataSize   The size, in bytes, of ResetData.
++  @param[in]  ResetData  The data buffer starts with a Null-terminated string,
++                         followed by the EFI_GUID.
++**/
++VOID
++EFIAPI
++ResetPlatformSpecific (
++  IN UINTN   DataSize,
++  IN VOID    *ResetData
++  )
++{
++  // Map the platform specific reset as reboot
++  ResetCold ();
++}
++
++/**
++  The ResetSystem function resets the entire platform.
++
++  @param[in] ResetType      The type of reset to perform.
++  @param[in] ResetStatus    The status code for the reset.
++  @param[in] DataSize       The size, in bytes, of ResetData.
++  @param[in] ResetData      For a ResetType of EfiResetCold, EfiResetWarm, or EfiResetShutdown
++                            the data buffer starts with a Null-terminated string, optionally
++                            followed by additional binary data. The string is a description
++                            that the caller may use to further indicate the reason for the
++                            system reset.
++**/
++VOID
++EFIAPI
++ResetSystem (
++  IN EFI_RESET_TYPE               ResetType,
++  IN EFI_STATUS                   ResetStatus,
++  IN UINTN                        DataSize,
++  IN VOID                         *ResetData OPTIONAL
++  )
++{
++  switch (ResetType) {
++  case EfiResetWarm:
++    ResetWarm ();
++    break;
++
++  case EfiResetCold:
++    ResetCold ();
++    break;
++
++  case EfiResetShutdown:
++    ResetShutdown ();
++    return;
++
++  case EfiResetPlatformSpecific:
++    ResetPlatformSpecific (DataSize, ResetData);
++    return;
++
++  default:
++    return;
++  }
++}
+diff --git a/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
+new file mode 100644
+index 0000000..b480cae
+--- /dev/null
++++ b/ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
+@@ -0,0 +1,39 @@
++#/** @file
++# Reset System lib using PSCI hypervisor or secure monitor calls
++#
++# Copyright (c) 2008, Apple Inc. All rights reserved.<BR>
++# Copyright (c) 2014-2020, Linaro Ltd. All rights reserved.<BR>
++#
++#  SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++#
++#**/
++
++[Defines]
++  INF_VERSION                    = 1.27
++  BASE_NAME                      = ArmVirtPsciResetSystemPeiLib
++  FILE_GUID                      = 551cfb98-c185-41a3-86bf-8cdb7e2a530c
++  MODULE_TYPE                    = BASE
++  VERSION_STRING                 = 1.0
++  LIBRARY_CLASS                  = ResetSystemLib|PEIM
++
++[Sources]
++  ArmVirtPsciResetSystemPeiLib.c
++
++[Packages]
++  ArmPkg/ArmPkg.dec
++  ArmVirtPkg/ArmVirtPkg.dec
++  EmbeddedPkg/EmbeddedPkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  MdePkg/MdePkg.dec
++
++[LibraryClasses]
++  ArmSmcLib
++  ArmHvcLib
++  BaseLib
++  DebugLib
++  FdtLib
++  HobLib
++
++[Pcd]
++  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
+-- 
+2.18.2
+

0007-ArmVirtPkg-ArmVirtQemu-add-ResetSystem-PEIM-for-upco.patch

@@ -0,0 +1,89 @@
+From 1cb4d8d12542e95274881c7fce1c95816bd883ff Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:10 +0100
+Subject: [PATCH 07/13] ArmVirtPkg/ArmVirtQemu: add ResetSystem PEIM for
+ upcoming TPM2 support
+
+As a first step in gradually adding TPM2 support to ArmVirtQemu, add
+the TPM2_ENABLE configurable to the [Defines] section, and if it is
+set, add the ResetSystem PEIM to the build, along with the library
+class references that we will need to support it:
+- wire ArmVirtPsciResetSystemPeiLib into the ResetSystem PEIM itself,
+  which will be in charge of performing the actual reset
+- add PeiResetSystemLib as the common ResetSystemLib resolution for
+  PEIM class modules, so that other PEIMs will invoke the PPI
+  published by the ResetSystem PEIM.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc | 14 ++++++++++++++
+ ArmVirtPkg/ArmVirtQemu.fdf |  4 ++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 984df5c..3bbc79c 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -29,6 +29,7 @@
+   #
+   DEFINE TTY_TERMINAL            = FALSE
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
++  DEFINE TPM2_ENABLE             = FALSE
+ 
+   #
+   # Network definition
+@@ -77,6 +78,10 @@
+ [LibraryClasses.common.PEIM]
+   ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
+ 
++!if $(TPM2_ENABLE) == TRUE
++  ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
++!endif
++
+ [LibraryClasses.common.DXE_DRIVER]
+   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
+ 
+@@ -100,6 +105,8 @@
+ 
+   gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
+ 
++  gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
++
+ [PcdsFixedAtBuild.common]
+ !if $(ARCH) == AARCH64
+   gArmTokenSpaceGuid.PcdVFPEnabled|1
+@@ -266,6 +273,13 @@
+ 
+   MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
+ 
++!if $(TPM2_ENABLE) == TRUE
++  MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
++    <LibraryClasses>
++      ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
++  }
++!endif
++
+   MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
+diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
+index 2c8936a..69fa501 100644
+--- a/ArmVirtPkg/ArmVirtQemu.fdf
++++ b/ArmVirtPkg/ArmVirtQemu.fdf
+@@ -113,6 +113,10 @@ READ_LOCK_STATUS   = TRUE
+   INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
+   INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+ 
++!if $(TPM2_ENABLE) == TRUE
++  INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
++!endif
++
+   FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
+     SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
+       SECTION FV_IMAGE = FVMAIN
+-- 
+2.18.2
+

0008-ArmVirtPkg-ArmVirtQemu-enable-TPM2-support-in-the-PE.patch

@@ -0,0 +1,99 @@
+From 806d668dee96ddbb81737675b9f074e04334fb13 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:11 +0100
+Subject: [PATCH 08/13] ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI
+ phase
+
+Incorporate the PEI components and the associated library class
+resolutions and PCD declarations to enable TPM2 support in the
+PEI phase.
+
+This patch ports (parts of) the following OvmfPkg commits to
+ArmVirtQemu:
+- 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
+                2018-03-09)
+- 4672a4892867 ("OvmfPkg: include Tcg2Pei module", 2018-03-09)
+- b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei
+                and Tcg2Dxe", 2018-08-16)
+- 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe",
+                2019-07-19)
+
+gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask defaults to 0x0 so
+that the TPM init code adopts the currently active PCR banks as
+the ones that are enabled by default.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc | 20 ++++++++++++++++++++
+ ArmVirtPkg/ArmVirtQemu.fdf |  2 ++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 3bbc79c..44138e5 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -75,11 +75,17 @@
+   PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
+   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
+ 
++!if $(TPM2_ENABLE) == TRUE
++  Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
++!endif
++
+ [LibraryClasses.common.PEIM]
+   ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
+ 
+ !if $(TPM2_ENABLE) == TRUE
++  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+   ResetSystemLib|MdeModulePkg/Library/PeiResetSystemLib/PeiResetSystemLib.inf
++  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+ !endif
+ 
+ [LibraryClasses.common.DXE_DRIVER]
+@@ -248,6 +254,10 @@
+   # TPM2 support
+   #
+   gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
++!if $(TPM2_ENABLE) == TRUE
++  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}
++  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0
++!endif
+ 
+ [PcdsDynamicHii]
+   gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
+@@ -278,6 +288,16 @@
+     <LibraryClasses>
+       ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
+   }
++  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
++  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
++    <LibraryClasses>
++      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
++  }
+ !endif
+ 
+   MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf {
+diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
+index 69fa501..8488300 100644
+--- a/ArmVirtPkg/ArmVirtQemu.fdf
++++ b/ArmVirtPkg/ArmVirtQemu.fdf
+@@ -115,6 +115,8 @@ READ_LOCK_STATUS   = TRUE
+ 
+ !if $(TPM2_ENABLE) == TRUE
+   INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
++  INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
++  INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+ !endif
+ 
+   FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
+-- 
+2.18.2
+

0009-ArmVirtPkg-avoid-DxeTpmMeasurementLib-in-shared-.DSC.patch

@@ -0,0 +1,48 @@
+From 785f0c94c6fa7bfbf307d2e5faa90964dca155a9 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 27 Feb 2020 15:12:32 +0100
+Subject: [PATCH 09/13] ArmVirtPkg; avoid DxeTpmMeasurementLib in shared .DSC
+
+DxeTpmMeasurementLib should only be used on platforms that implement
+measured boot, which we will do in a future patch, but only for
+ArmVirtQemu, as the remaining ones are fundamentally incompatible,
+given that they do not implement a PEI phase.
+
+So use TpmMeasurementLibNull as the default resolution for all
+ArmVirtPkg platforms, regardless of how they are built.
+
+This mirrors commit 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib
+if and only if TPM2_ENABLE", 2019-07-04).
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 10037c9..398aa7b 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -165,15 +165,14 @@
+   # Secure Boot dependencies
+   #
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ 
+   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
+   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
+ !else
+-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+ !endif
++  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
+   UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
+ 
+-- 
+2.18.2
+

0010-ArmVirtPkg-unshare-TpmMeasurementLib-resolution-betw.patch

@@ -0,0 +1,72 @@
+From 454595840418dce7e227a70ff297b1d11593e768 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 27 Feb 2020 15:24:21 +0100
+Subject: [PATCH 10/13] ArmVirtPkg: unshare TpmMeasurementLib resolution
+ between platforms
+
+In preparation of conditializing the choice of resolution based on
+TPM2_ENABLE for ArmVirtQemu, move the TpmMeasurementLib out of the
+shared .DSC include and into the individual DSCs.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc       | 1 -
+ ArmVirtPkg/ArmVirtQemu.dsc       | 1 +
+ ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
+ ArmVirtPkg/ArmVirtXen.dsc        | 1 +
+ 4 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 398aa7b..0a28d3a 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -172,7 +172,6 @@
+ !else
+   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+ !endif
+-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
+   UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
+ 
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 44138e5..83c4dea 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -74,6 +74,7 @@
+   PciPcdProducerLib|ArmVirtPkg/Library/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf
+   PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
+   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
++  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ 
+ !if $(TPM2_ENABLE) == TRUE
+   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 8243876..7bd50e4 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -73,6 +73,7 @@
+   PciPcdProducerLib|ArmVirtPkg/Library/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf
+   PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
+   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
++  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ 
+ [LibraryClasses.common.DXE_DRIVER]
+   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
+diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
+index 8a6ace2..2a4ef8d 100644
+--- a/ArmVirtPkg/ArmVirtXen.dsc
++++ b/ArmVirtPkg/ArmVirtXen.dsc
+@@ -47,6 +47,7 @@
+   BootLogoLib|MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf
+   PlatformBootManagerLib|ArmPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
++  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ 
+ [LibraryClasses.common.UEFI_DRIVER]
+   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
+-- 
+2.18.2
+

0011-ArmVirtPkg-ArmVirtQemu-enable-the-DXE-phase-TPM2-sup.patch

@@ -0,0 +1,115 @@
+From d77e86c43972cd56b37d8f4b34c253f82aa65f54 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:12 +0100
+Subject: [PATCH 11/13] ArmVirtPkg/ArmVirtQemu: enable the DXE phase TPM2
+ support module
+
+Enable the TPM2 support module in the DXE phase, and the associated
+libraries and PCDs that it requires. This will be wired into the
+measured boot support code in a subsequent patch.
+
+Note that Tcg2Dxe.inf is added to ArmVirtQemuFvMain.fdf.inc, which
+is shared with other platforms in ArmVirtPkg, but as those will not
+set the TPM2_ENABLE define, this change does not affect them.
+
+This patch ports (parts of) the following OvmfPkg commits to
+ArmVirtQemu:
+
+- 0c0a50d6b3ff ("OvmfPkg: include Tcg2Dxe module", 2018-03-09)
+
+- b9777bb42e4f ("OvmfPkg: add Tcg2PhysicalPresenceLibQemu", 2018-05-22)
+               -- only to match OVMF's current lib class resolutions
+
+- 1ec05b81e59f ("OvmfPkg: use DxeTpmMeasurementLib if and only if
+                TPM2_ENABLE", 2019-07-04)
+
+- b9130c866dc0 ("OvmfPkg: link Sha384 and Sha512 support into Tcg2Pei
+                and Tcg2Dxe", 2018-08-16)
+
+- 5d3ef15da7c3 ("OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe",
+                2019-07-19)
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 26 +++++++++++++++++++++++++-
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc |  7 +++++++
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 83c4dea..291210a 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -74,10 +74,13 @@
+   PciPcdProducerLib|ArmVirtPkg/Library/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf
+   PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
+   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
+-  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ 
+ !if $(TPM2_ENABLE) == TRUE
+   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
++  Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
++  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
++!else
++  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+ !endif
+ 
+ [LibraryClasses.common.PEIM]
+@@ -92,6 +95,10 @@
+ [LibraryClasses.common.DXE_DRIVER]
+   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
+ 
++!if $(TPM2_ENABLE) == TRUE
++  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
++!endif
++
+ [LibraryClasses.common.UEFI_DRIVER]
+   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
+ 
+@@ -470,6 +477,23 @@
+   MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
++  #
++  # TPM2 support
++  #
++!if $(TPM2_ENABLE) == TRUE
++  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
++    <LibraryClasses>
++      HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
++      Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
++      NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
++      NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
++  }
++!endif
++
+   #
+   # ACPI Support
+   #
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 31f615a..047e99c 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -173,6 +173,13 @@ READ_LOCK_STATUS   = TRUE
+   INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+   INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
++  #
++  # TPM2 support
++  #
++!if $(TPM2_ENABLE) == TRUE
++  INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
++!endif
++
+   #
+   # TianoCore logo (splash screen)
+   #
+-- 
+2.18.2
+

0012-ArmVirtPkg-ArmVirtQemu-enable-the-TPM2-configuration.patch

@@ -0,0 +1,81 @@
+From c3b182fe9189137280a5397426cc08b1110aac39 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:13 +0100
+Subject: [PATCH 12/13] ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration
+ module
+
+Enable the DXE phase component that publishes the HII pages and
+associated logic to enable TPM2 parameters to be configured by
+the user via the setup menu.
+
+This patch ports (parts of) the following commits to ArmVirtQemu:
+
+- 3103389043bd ("OvmfPkg: Add TCG2 Configuration menu to the Device
+                Manager menu", 2019-02-11)
+
+- cf3ad972a210 ("OvmfPkg: reorganize TPM2 support in DSC/FDF files",
+                2020-01-09)
+
+- f55477fe2d62 ("OvmfPkg: use HII type PCDs for TPM2 config related
+                variables", 2020-01-09)
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 9 +++++++++
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 3 +++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 291210a..93b982a 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -30,6 +30,7 @@
+   DEFINE TTY_TERMINAL            = FALSE
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
+   DEFINE TPM2_ENABLE             = FALSE
++  DEFINE TPM2_CONFIG_ENABLE      = FALSE
+ 
+   #
+   # Network definition
+@@ -270,6 +271,11 @@
+ [PcdsDynamicHii]
+   gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
+ 
++!if $(TPM2_CONFIG_ENABLE) == TRUE
++  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
++  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
++!endif
++
+ ################################################################################
+ #
+ # Components Section - list of all EDK II Modules needed by this Platform
+@@ -492,6 +498,9 @@
+       NULL|SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+       NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+   }
++!if $(TPM2_CONFIG_ENABLE) == TRUE
++  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
++!endif
+ !endif
+ 
+   #
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 047e99c..2fa69ce 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -178,6 +178,9 @@ READ_LOCK_STATUS   = TRUE
+   #
+ !if $(TPM2_ENABLE) == TRUE
+   INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
++!if $(TPM2_CONFIG_ENABLE) == TRUE
++  INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
++!endif
+ !endif
+ 
+   #
+-- 
+2.18.2
+

0013-ArmVirtPkg-ArmVirtQemu-enable-TPM2-based-measured-bo.patch

@@ -0,0 +1,37 @@
+From d9c8dd64dd827cea4a533d012f344d0db6569127 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Wed, 26 Feb 2020 20:05:14 +0100
+Subject: [PATCH 13/13] ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot
+
+Now that all the TPM2 related plumbing is in place, we can add the
+final piece that performs the measurements of loaded images into
+the appropriate PCRs.
+
+This patch ports commit d5a002aba0aa ("OvmfPkg: plug
+DxeTpm2MeasureBootLib into SecurityStubDxe", 2018-03-09) to ArmVirtQemu.
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2560
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: jiangfangjie <jiangfangjie@huawei.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 93b982a..a07d546 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -348,6 +348,9 @@
+   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+     <LibraryClasses>
+       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
++!if $(TPM2_ENABLE) == TRUE
++      NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
++!endif
+   }
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+   OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+-- 
+2.18.2
+

edk2.spec

@@ -5,7 +5,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 2
+Release: 3
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -14,6 +14,17 @@ Source1: openssl-%{openssl_version}.tar.gz
 
 Patch0001: 0001-CryptoPkg-OpensslLib-Modify-process_files.pl-for-Ope.patch
 Patch0002: 0002-CryptoPkg-Upgrade-OpenSSL-to-1.1.1f.patch
+Patch0003: 0003-OvmfPkg-Tcg2ConfigPei-introduce-a-signalling-PPI-to-.patch
+Patch0004: 0004-ArmVirtPkg-PlatformPeiLib-make-PcdLib-dependency-exp.patch
+Patch0005: 0005-ArmVirtPkg-PlatformPeiLib-discover-the-TPM-base-addr.patch
+Patch0006: 0006-ArmVirtPkg-implement-ArmVirtPsciResetSystemPeiLib.patch
+Patch0007: 0007-ArmVirtPkg-ArmVirtQemu-add-ResetSystem-PEIM-for-upco.patch
+Patch0008: 0008-ArmVirtPkg-ArmVirtQemu-enable-TPM2-support-in-the-PE.patch
+Patch0009: 0009-ArmVirtPkg-avoid-DxeTpmMeasurementLib-in-shared-.DSC.patch
+Patch0010: 0010-ArmVirtPkg-unshare-TpmMeasurementLib-resolution-betw.patch
+Patch0011: 0011-ArmVirtPkg-ArmVirtQemu-enable-the-DXE-phase-TPM2-sup.patch
+Patch0012: 0012-ArmVirtPkg-ArmVirtQemu-enable-the-TPM2-configuration.patch
+Patch0013: 0013-ArmVirtPkg-ArmVirtQemu-enable-TPM2-based-measured-bo.patch
 
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2
 
@@ -69,7 +80,7 @@ tar -xf %{SOURCE1} -C CryptoPkg/Library/OpensslLib/openssl --strip-components=1
 
 %build
 NCPUS=`/usr/bin/getconf _NPROCESSORS_ONLN`
-BUILD_OPTION="-t GCC49 -n $NCPUS -b RELEASE"
+BUILD_OPTION="-t GCC5 -n $NCPUS -b RELEASE"
 
 make -C BaseTools %{?_smp_mflags} EXTRA_OPTFLAGS="%{optflags}" EXTRA_LDFLAGS="%{__global_ldflags}"
 . ./edksetup.sh
@@ -87,6 +98,8 @@ COMMON_FLAGS="-D NETWORK_IP6_ENABLE"
     BUILD_OPTION="$BUILD_OPTION -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc"
 %endif
 BUILD_OPTION="$BUILD_OPTION -D SECURE_BOOT_ENABLE=TRUE"
+BUILD_OPTION="$BUILD_OPTION -D TPM2_ENABLE=TRUE"
+BUILD_OPTION="$BUILD_OPTION -D TPM2_CONFIG_ENABLE=TRUE"
 build $BUILD_OPTION
 
 %install
@@ -209,6 +222,10 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Thu Jul 31 2020 jiangfangjie <jiangfangjie@huawei.com> - 202002-3
+- ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot
+- ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module
+
 * Mon Jul 27 2020 zhangxinhao <zhangxinhao1@huawei.com> - 202002-2
 - add build option "-D SECURE_BOOT_ENABLE=TRUE" to enable secure boot