From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web08.3680.1650372547767135209 for ; Tue, 19 Apr 2022 05:49:08 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=N3NXtlVk; spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: kraxel@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1650372547; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=vbl4HE6vgZKD8C2ccWcH+MQu11zjqkQYooPIufikyGI=; b=N3NXtlVk1QDJqPfe1APQpzLss3pl9lfWiCyrAKn4V8UUjtHqeIrnQfoMD0QV7TTR7UNFtU ftJwTuIb8A6RgHVtVBT4C1DXXiz/hPQ7oIa1bpxoY0YYZt6J7U3gKWqmEJwfF1CIJakg/3 heChUleZARRIAKuHMHzyIYO0Uc+FMLQ= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-462-F1GRPjKmMKqHYSZBd2vZmQ-1; Tue, 19 Apr 2022 08:49:03 -0400 X-MC-Unique: F1GRPjKmMKqHYSZBd2vZmQ-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1F74729DD984; Tue, 19 Apr 2022 12:49:03 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.39.192.9]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D618B2166B4F; Tue, 19 Apr 2022 12:49:02 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 24B1218000B2; Tue, 19 Apr 2022 14:49:01 +0200 (CEST) Date: Tue, 19 Apr 2022 14:49:01 +0200 From: "Gerd Hoffmann" To: devel@edk2.groups.io, min.m.xu@intel.com Cc: Ard Biesheuvel , "Yao, Jiewen" , "Justen, Jordan L" , Brijesh Singh , "Aktas, Erdem" , James Bottomley , Tom Lendacky Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV Message-ID: <20220419124901.idh7zaff3os6532f@sirius.home.kraxel.org> References: <1992c4538efeb3cd3d2e53bd02f2dd24663e9825.1650239544.git.min.m.xu@intel.com> <20220419065851.mwjpm6jaeu3zudjk@sirius.home.kraxel.org> MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=kraxel@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Apr 19, 2022 at 11:12:39AM +0000, Min Xu wrote: > On April 19, 2022 2:59 PM, Gerd Hoffmann wrote: > > On Mon, Apr 18, 2022 at 07:59:56AM +0800, Min Xu wrote: > > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > > > > > TdHobList and Configuration FV are external data provided by Host VMM. > > > These are not trusted in Td guest. So they should be validated , > > > measured and extended to Td RTMR registers. In the meantime 2 > > > EFI_CC_EVENT_HOB are created. These 2 GUIDed HOBs carry the hash > > value > > > of TdHobList and Configuration FV. In DXE phase EFI_CC_EVENT can be > > > created based on these > > > 2 GUIDed HOBs. > > > > Why this is done in the SEC phase? > TdHobList is consumed in SEC phase. So before it is consumed, it should be validated, measured. Yes for validation (aka sanity-checking the fields, etc). But for measurement I don't see why the ordering matters. Whenever you do that before or after consuming the TdHob should not make a difference. > CFV contains the information provisioned by host VMM, for example, the > secure boot parameters. These external data should be validated and > measured as well. Same argument here. You pull a bunch of stuff into SEC (sha384, ...), and I'm wondering whenever it would be better to move measurement to DXE instead where you just don't need that kind of changes. take care, Gerd