public inbox for devel@edk2.groups.io
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: James Bottomley <jejb@linux.ibm.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Xu, Min M" <min.m.xu@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	"Aktas, Erdem" <erdemaktas@google.com>,
	Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
Date: Thu, 21 Apr 2022 11:14:30 +0200
Message-ID: <20220421091430.55zgdocsn6h4z5dy@sirius.home.kraxel.org>
In-Reply-To: <MW4PR11MB58726CBEF3E28EC5D8CF3BA98CF59@MW4PR11MB5872.namprd11.prod.outlook.com>

On Wed, Apr 20, 2022 at 10:29:11PM +0000, Yao, Jiewen wrote:
> The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX-Module will enforce the MRTD calculation for the TDVF code.
> TDVF can then act as Chain-of-Trust for Measurement (CTM) to set up RTMR and continue the rest.
> 
> It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8.
> 
> [TDX-Module] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf
> [TDVF] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf

Ok.  So it all works via TDH.MEM.PAGE.ADD (initial set of accepted
pages) and TDH.MR.EXTEND (measure into MRTD) functions.

Looking at our binary ...

# virt-fw-dump -i Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd --ovmf-meta
image=Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd
  resetvector size=0x9b0
    [ ... sev metadata snipped ... ]
    guid:TdxMetadataOffset size=0x16 data=50080000
      mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1
      mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000
      mbase=0x810000 msize=0x10000 type=MEM
      mbase=0x80b000 msize=0x2000 type=MEM
      mbase=0x809000 msize=0x2000 type=TD Hob
      mbase=0x800000 msize=0x6000 type=MEM

... BFV is measured (bit 0 of flags) whereas CFV and TD Hob are only
added but not measured.

Adding CFV and TD Hob to the initial launch measurement should be
possible by just updating flags, correct?

I think this should be done for the CFV.  The firmware will be loaded
via "qemu -bios OVMF.fd".  No separate images for CODE and VARS. So
splitting the measurement looks rather pointless to me.

TD Hob could be part of the initial launch measurement too, which would
avoid the need to measure anything in SEC.  On the other hand that
would make the launch measurement depend not only on the firmware image
but also the guest configuration (memory size), which would likely make
things more complex elsewhere, so probably not a good idea.

take care,
  Gerd
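
Added example, not part of the original message and not code from edk2 or virt-fw-dump: a small Python check that parses the TdxMetadata section lines quoted above and reports which sections are added to the TD without being extended into MRTD. It assumes a line with no flags field means flags=0; the function names and the must_measure policy are hypothetical.

```python
import re

# Section lines copied from the virt-fw-dump listing quoted in the message above.
DUMP = """\
    guid:TdxMetadataOffset size=0x16 data=50080000
      mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1
      mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000
      mbase=0x810000 msize=0x10000 type=MEM
      mbase=0x80b000 msize=0x2000 type=MEM
      mbase=0x809000 msize=0x2000 type=TD Hob
      mbase=0x800000 msize=0x6000 type=MEM
"""

MEASURED = 0x1  # bit 0 of flags: section is measured into MRTD (as stated in the message)

def parse_sections(text):
    """Return one dict per section line; lines without a type= field are skipped."""
    sections = []
    for line in text.splitlines():
        # The type name may contain spaces ("TD Hob", "BFV (code)"), so it ends
        # at the next " key=" token or at end of line.
        t = re.search(r"type=(.+?)(?= \w+=|$)", line.strip())
        if not t:
            continue
        nums = {k: int(v, 16) for k, v in re.findall(r"(\w+)=(0x[0-9a-fA-F]+)", line)}
        sections.append({
            "type": t.group(1),
            "mbase": nums["mbase"],
            "msize": nums["msize"],
            "file_backed": "fsize" in nums,  # content comes from the firmware image
            # Assumption: an absent flags field is treated as flags=0.
            "measured": bool(nums.get("flags", 0) & MEASURED),
        })
    return sections

def added_but_unmeasured(sections, ignore=("MEM",)):
    """Sections present in the TD but not in MRTD; plain MEM ranges are skipped
    because the message only discusses BFV, CFV and TD Hob."""
    return [s for s in sections if not s["measured"] and s["type"] not in ignore]

def audit(text, must_measure):
    """Hypothetical build-time policy check: section types that must be part of
    the launch measurement but do not have bit 0 set."""
    return [s["type"] for s in parse_sections(text)
            if s["type"] in must_measure and not s["measured"]]

if __name__ == "__main__":
    for s in added_but_unmeasured(parse_sections(DUMP)):
        print(f'{s["type"]:12} mbase={s["mbase"]:#x} msize={s["msize"]:#x} not in MRTD')
```
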

