Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV

["Gerd Hoffmann" <kraxel@redhat.com>]

  Hi,
 
> > So, no matter what the order is, you'll figure the system got
> > compromised after the fact, when checking the hashes later, and in
> > turn take actions like refusing to hand out secrets to the
> > compromised system.
> 
> Not if the code falsifies the measurement both in the log and to the
> TPM.  That's why the requirement of measured boot is you start with a
> small rom based root of trust, which can't be updated because it's in
> rom.  It measures the next stage (usually PEI) before executing it so
> that the measurement in the TPM would change if the next stage (which
> is often in flash) got compromised, so any tampering is certain to be
> detected and if the compromised code tries to falsify the log, the log
> now wouldn't match the TPM, so it can't evade detection.

How do we establish the root of trust in case of TDX?  We don't have a
real rom in virtual machines ...

Does the tdx firmware measure the firmware code before running it?

Why handle CFV and BFV differently?  Wouldn't it be easier to have the
tdx firmware simply measure the complete OVMF.fd image, given that tdx
doesn't support flash and thus we don't have the code/vars split in the
first place?

The TD HobList is prepared by the hypervisor and present at launch time,
so possibly the tdx firmware could measure it too before handing over
control to the guest?

take care,
  Gerd