From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web12.33772.1650240013440859893 for ; Sun, 17 Apr 2022 17:00:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=PgkEudt2; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: min.m.xu@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1650240013; x=1681776013; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=ufew6WBenPg8MvGA+HgN4y7xn0Zg49pV51tAIf1xzy0=; b=PgkEudt2A2i13DLBiW4TiLsoaLJyQlAmfctrsYAGt8RlnDSLV2IY0W2i x7ZxnW2P4jrb7UjF2P9MU+LTvXVnCVa1hS/EnaZZSLj+l4RaMf/arYzfw BS3LynF3oGxcf1uTitdP4/xrNx7qk6Z5SlZr8tdMNJAlnVey/s9xeWGND I293pVOa452dIeoJUPLxQqrzF1qrayPCOGyBAU3Lh5N7eTtVbJ2tUDSnI dMnmP/M7wU/E4blJohlLB6TnOPkp/pBoO6LrvxTDbMo2XLccJRmSHu6rz RRRw7YzDHoDD/MujnCEVH+HLKK6hnVTFrRGe3jAHdMj6/jiehDKxS7NqW g==; X-IronPort-AV: E=McAfee;i="6400,9594,10320"; a="349872399" X-IronPort-AV: E=Sophos;i="5.90,267,1643702400"; d="scan'208";a="349872399" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Apr 2022 17:00:13 -0700 X-IronPort-AV: E=Sophos;i="5.90,267,1643702400"; d="scan'208";a="575329280" Received: from cuixin-mobl.ccr.corp.intel.com (HELO mxu9-mobl1.ccr.corp.intel.com) ([10.249.170.67]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Apr 2022 17:00:11 -0700 From: "Min Xu" To: devel@edk2.groups.io Cc: Min Xu , Jiewen Yao , Jian J Wang , Gerd Hoffmann Subject: [PATCH V3 1/9] Security: Add HashLibTdx Date: Mon, 18 Apr 2022 07:59:52 +0800 Message-Id: <10572635e3ee19425a408a69d8cb785367dd8fe6.1650239544.git.min.m.xu@intel.com> X-Mailer: git-send-email 2.29.2.windows.2 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 This library provides hash service by registered hash handler in Td guest. Currently only SHA384 is supported. After that the hash value is extended to Td RTMR registers which is similar to TPM PCRs. Cc: Jiewen Yao Cc: Jian J Wang Cc: Gerd Hoffmann Signed-off-by: Min Xu --- SecurityPkg/Library/HashLibTdx/HashLibTdx.c | 207 ++++++++++++++++++ SecurityPkg/Library/HashLibTdx/HashLibTdx.inf | 37 ++++ SecurityPkg/SecurityPkg.dsc | 10 + 3 files changed, 254 insertions(+) create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.c create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.inf diff --git a/SecurityPkg/Library/HashLibTdx/HashLibTdx.c b/SecurityPkg/Library/HashLibTdx/HashLibTdx.c new file mode 100644 index 000000000000..75d96ee64b44 --- /dev/null +++ b/SecurityPkg/Library/HashLibTdx/HashLibTdx.c @@ -0,0 +1,207 @@ +/** @file + This library is HashLib for Tdx. + +Copyright (c) 2021 - 2022, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include + +EFI_GUID mSha384Guid = HASH_ALGORITHM_SHA384_GUID; + +// +// Currently TDX supports SHA384. +// +HASH_INTERFACE mHashInterface = { + { 0 }, NULL, NULL, NULL +}; + +UINTN mHashInterfaceCount = 0; + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle returned. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +EFI_STATUS +EFIAPI +HashStart ( + OUT HASH_HANDLE *HashHandle + ) +{ + HASH_HANDLE HashCtx; + + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + HashCtx = 0; + mHashInterface.HashInit (&HashCtx); + + *HashHandle = HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +EFI_STATUS +EFIAPI +HashUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + mHashInterface.HashUpdate (HashHandle, DataToHash, DataToHashLen); + + return EFI_SUCCESS; +} + +/** + Hash sequence complete and extend to PCR. + + @param HashHandle Hash handle. + @param PcrIndex PCR to be extended. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash sequence complete and DigestList is returned. +**/ +EFI_STATUS +EFIAPI +HashCompleteAndExtend ( + IN HASH_HANDLE HashHandle, + IN TPMI_DH_PCR PcrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT TPML_DIGEST_VALUES *DigestList + ) +{ + TPML_DIGEST_VALUES Digest; + EFI_STATUS Status; + + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + ZeroMem (DigestList, sizeof (*DigestList)); + + mHashInterface.HashUpdate (HashHandle, DataToHash, DataToHashLen); + mHashInterface.HashFinal (HashHandle, &Digest); + + CopyMem ( + &DigestList->digests[0], + &Digest.digests[0], + sizeof (Digest.digests[0]) + ); + DigestList->count++; + + ASSERT (DigestList->count == 1 && DigestList->digests[0].hashAlg == TPM_ALG_SHA384); + + Status = TdExtendRtmr ( + (UINT32 *)DigestList->digests[0].digest.sha384, + SHA384_DIGEST_SIZE, + (UINT8)PcrIndex + ); + + ASSERT (!EFI_ERROR (Status)); + return Status; +} + +/** + Hash data and extend to RTMR. + + @param PcrIndex PCR to be extended. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash data and DigestList is returned. +**/ +EFI_STATUS +EFIAPI +HashAndExtend ( + IN TPMI_DH_PCR PcrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT TPML_DIGEST_VALUES *DigestList + ) +{ + HASH_HANDLE HashHandle; + EFI_STATUS Status; + + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + ASSERT (TdIsEnabled ()); + + HashStart (&HashHandle); + HashUpdate (HashHandle, DataToHash, DataToHashLen); + Status = HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestList); + + return Status; +} + +/** + This service register Hash. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfully. + @retval EFI_UNSUPPORTED System does not support register this interface. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashInterfaceLib ( + IN HASH_INTERFACE *HashInterface + ) +{ + ASSERT (TdIsEnabled ()); + + // + // Only SHA384 is allowed. + // + if (!CompareGuid (&mSha384Guid, &HashInterface->HashGuid)) { + return EFI_UNSUPPORTED; + } + + if (mHashInterfaceCount != 0) { + ASSERT (FALSE); + return EFI_OUT_OF_RESOURCES; + } + + CopyMem (&mHashInterface, HashInterface, sizeof (*HashInterface)); + mHashInterfaceCount++; + + return EFI_SUCCESS; +} diff --git a/SecurityPkg/Library/HashLibTdx/HashLibTdx.inf b/SecurityPkg/Library/HashLibTdx/HashLibTdx.inf new file mode 100644 index 000000000000..946132124c85 --- /dev/null +++ b/SecurityPkg/Library/HashLibTdx/HashLibTdx.inf @@ -0,0 +1,37 @@ +## @file +# Provides hash service by registered hash handler in Tdx. +# +# This library is HashLib for Tdx. Currently only SHA384 is supported. +# +# Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = HashLibTdx + FILE_GUID = 77F6EA3E-1ABA-4467-A447-926E8CEB2D13 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = HashLib|SEC DXE_DRIVER + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = X64 +# + +[Sources] + HashLibTdx.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + PcdLib + TdxLib diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 73a93c2285b1..0d8c997b2f40 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -72,6 +72,7 @@ MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf + TdxLib|MdePkg/Library/TdxLib/TdxLib.inf [LibraryClasses.ARM, LibraryClasses.AARCH64] # @@ -92,6 +93,12 @@ [LibraryClasses.RISCV64] RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf +[LibraryClasses.X64.SEC] + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + +[LibraryClasses.X64.DXE_DRIVER] + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + [LibraryClasses.common.PEIM] PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf @@ -283,6 +290,9 @@ # SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +[Components.X64] + SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + [Components.IA32, Components.X64] SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf -- 2.29.2.windows.2