From: Dov Murik <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
Tobin Feldman-Fitzthum <tobin@ibm.com>,
Jim Cadden <jcadden@ibm.com>,
James Bottomley <jejb@linux.ibm.com>,
Hubertus Franke <frankeh@us.ibm.com>,
Laszlo Ersek <lersek@redhat.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jordan Justen <jordan.l.justen@intel.com>,
Ashish Kalra <ashish.kalra@amd.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Erdem Aktas <erdemaktas@google.com>,
Jiewen Yao <jiewen.yao@intel.com>, Min Xu <min.m.xu@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>
Subject: [PATCH v1 6/8] OvmfPkg/AmdSev: Add firmware file plugin to verifier
Date: Tue, 25 May 2021 05:31:14 +0000 [thread overview]
Message-ID: <20210525053116.1533673-7-dovmurik@linux.ibm.com> (raw)
In-Reply-To: <20210525053116.1533673-1-dovmurik@linux.ibm.com>
From: James Bottomley <jejb@linux.ibm.com>
Provide a library verifier that plugs into the QemuKernelLoaderFs
hooks to verify the hashes against the SEV hash table (stored in
encrypted memory).
The verifier is enabled when SEV memory encryption is active.
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 5 +-
OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf | 30 ++++++++++
OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c | 60 ++++++++++++++++++++
3 files changed, 94 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index b4484ca07614..bfb16798b3b7 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -697,7 +697,10 @@ [Components]
NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf
NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanceManagerUiLib.inf
}
- OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+ <LibraryClasses>
+ NULL|OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf
+ }
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
diff --git a/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf
new file mode 100644
index 000000000000..86d099455d55
--- /dev/null
+++ b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf
@@ -0,0 +1,30 @@
+## @file
+# Provides the Secure Verification services for AMD SEV firmware config
+#
+# Copyright (C) 2021 James Bottomley, IBM Corporation.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = SevFwCfgVerifier
+ FILE_GUID = 33457c78-aae2-4511-9188-ac1fe88d03de
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+ CONSTRUCTOR = SevFwCfgVerifierConstructor
+
+[Sources]
+ SevFwCfgVerifier.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+ MemEncryptSevLib
+ SevHashFinderLib
diff --git a/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c
new file mode 100644
index 000000000000..53b617a72aa9
--- /dev/null
+++ b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c
@@ -0,0 +1,60 @@
+/** @file
+ AMD SEV Firmware Config file verifier
+
+ Copyright (C) 2021 James Bottomley, IBM Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemEncryptSevLib.h>
+#include <Library/QemuFwCfgLib.h>
+#include <Library/SevHashFinderLib.h>
+
+STATIC EFI_STATUS
+EFIAPI
+SevFwCfgVerifier (
+ IN CONST CHAR16 *Name,
+ IN VOID *Buffer,
+ IN UINTN Size
+ )
+{
+ DEBUG ((DEBUG_INFO, "%a: Validating Hash of %s\n", __FUNCTION__, Name));
+
+ if (StrCmp (Name, L"kernel") == 0) {
+ return ValidateHashEntry (&SEV_KERNEL_HASH_GUID, Buffer, Size);
+ }
+ if (StrCmp (Name, L"initrd") == 0) {
+ return ValidateHashEntry (&SEV_INITRD_HASH_GUID, Buffer, Size);
+ }
+
+ DEBUG ((DEBUG_ERROR, "%a: Failed to find Filename %s", __FUNCTION__, Name));
+ return EFI_SECURITY_VIOLATION;
+}
+
+/**
+ Register security measurement handler.
+
+ @param ImageHandle ImageHandle of the loaded driver.
+ @param SystemTable Pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS The handlers were registered successfully.
+**/
+EFI_STATUS
+EFIAPI
+SevFwCfgVerifierConstructor (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ if (MemEncryptSevIsEnabled ()) {
+ DEBUG ((DEBUG_INFO, "Enabling hash verification of fw_cfg files"));
+ return RegisterFwCfgVerifier (SevFwCfgVerifier);
+ } else {
+ //
+ // Don't install verifier if SEV isn't enabled
+ //
+ DEBUG ((DEBUG_INFO, "NOT Enabling hash verification of fw_cfg files"));
+ return EFI_SUCCESS;
+ }
+}
--
2.25.1
next prev parent reply other threads:[~2021-05-25 5:31 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-25 5:31 [PATCH v1 0/8] Measured SEV boot with kernel/initrd/cmdline Dov Murik
2021-05-25 5:31 ` [PATCH v1 1/8] OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming Dov Murik
2021-05-25 5:31 ` [PATCH v1 2/8] OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg Dov Murik
2021-05-25 5:31 ` [PATCH v1 3/8] OvmfPkg/AmdSev: add a page to the MEMFD for firmware config hashes Dov Murik
2021-05-25 5:31 ` [PATCH v1 4/8] OvmfPkg/QemuKernelLoaderFsDxe: Add ability to verify loaded items Dov Murik
2021-05-25 5:31 ` [PATCH v1 5/8] OvmfPkg/AmdSev: Add library to find encrypted hashes for the FwCfg device Dov Murik
2021-05-25 5:31 ` Dov Murik [this message]
2021-05-25 5:31 ` [PATCH v1 7/8] OvmfPkg: GenericQemuLoadImageLib: Allow verifying fw_cfg command line Dov Murik
2021-05-25 5:31 ` [PATCH v1 8/8] OvmfPkg/AmdSev: add SevQemuLoadImageLib Dov Murik
2021-05-25 13:07 ` [edk2-devel] [PATCH v1 0/8] Measured SEV boot with kernel/initrd/cmdline Dov Murik
2021-05-25 15:48 ` Brijesh Singh
2021-05-25 20:08 ` [edk2-devel] " Dov Murik
2021-05-25 20:33 ` Lendacky, Thomas
2021-05-25 23:15 ` James Bottomley
2021-05-25 23:37 ` Brijesh Singh
2021-05-26 6:21 ` Dov Murik
2021-05-27 9:41 ` Laszlo Ersek
2021-06-01 12:11 ` Laszlo Ersek
2021-06-01 13:20 ` Ard Biesheuvel
2021-06-01 16:13 ` Laszlo Ersek
2021-06-02 18:10 ` James Bottomley
2021-06-03 8:28 ` Laszlo Ersek
2021-06-04 10:30 ` Dov Murik
2021-06-04 11:26 ` Laszlo Ersek
2021-06-06 13:21 ` Dov Murik
2021-06-07 13:33 ` Laszlo Ersek
2021-06-08 9:57 ` Dov Murik
2021-06-08 10:59 ` Laszlo Ersek
2021-06-08 12:09 ` Dov Murik
2021-06-08 15:59 ` Laszlo Ersek
2021-06-09 12:25 ` Dov Murik
2021-06-09 13:54 ` Laszlo Ersek
2021-06-10 9:15 ` 回复: " gaoliming
2021-06-14 7:33 ` Dov Murik
2021-06-08 12:49 ` Ard Biesheuvel
2021-06-08 16:00 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210525053116.1533673-7-dovmurik@linux.ibm.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox