Date: Thu, 21 Apr 2022 11:14:30 +0200
From: "Gerd Hoffmann"
To: "Yao, Jiewen"
Cc: James Bottomley, "devel@edk2.groups.io", "Xu, Min M", Ard Biesheuvel, "Justen, Jordan L", Brijesh Singh, "Aktas, Erdem", Tom Lendacky
Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
Message-ID: <20220421091430.55zgdocsn6h4z5dy@sirius.home.kraxel.org>

On Wed, Apr 20, 2022 at 10:29:11PM +0000, Yao, Jiewen wrote:
> The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX-Module will enforce the MRTD calculation for the TDVF code.
> Then TDVF can act as Chain-of-Trust for Measurement (CTM) to set up RTMR and continue the rest.
>
> It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8.
>
> [TDX-Module] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf
> [TDVF] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf

Ok.  So it all works via TDH.MEM.PAGE.ADD (initial set of accepted
pages) and TDH.MR.EXTEND (measure into MRTD) functions.

Looking at our binary ...

    # virt-fw-dump -i Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd --ovmf-meta
    image=Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd
      resetvector size=0x9b0
        [ ... sev metadata snipped ... ]
        guid:TdxMetadataOffset size=0x16 data=50080000
          mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1
          mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000
          mbase=0x810000 msize=0x10000 type=MEM
          mbase=0x80b000 msize=0x2000 type=MEM
          mbase=0x809000 msize=0x2000 type=TD Hob
          mbase=0x800000 msize=0x6000 type=MEM

... BFV is measured (bit 0 of flags) whereas CFV and TD Hob are only
added but not measured.

Adding CFV and TD Hob to the initial launch measurement should be
possible by just updating flags, correct?

I think this should be done for the CFV.  The firmware will be loaded
via "qemu -bios OVMF.fd".  No separate images for CODE and VARS.  So
splitting the measurement looks rather pointless to me.

TD Hob could be part of the initial launch measurement too, which would
avoid the need to measure anything in SEC.  On the other hand that
would make the launch measurement depend not only on the firmware image
but also the guest configuration (memory size), which would likely make
things more complex elsewhere, so probably not a good idea.

take care,
  Gerd
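
Added example (not part of the message above and not virt-firmware code): a small Python parser for the section lines of the listing above that reports which sections have bit 0 of flags set, and which sections carry image bytes without being measured. It assumes that a section line without flags= has flags 0 and that fbase/fsize give the section's offset and size inside the image file; the function names are made up for this example.

```python
import re

# Section lines copied from the virt-fw-dump listing in the message above.
SAMPLE = """\
mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1
mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000
mbase=0x810000 msize=0x10000 type=MEM
mbase=0x80b000 msize=0x2000 type=MEM
mbase=0x809000 msize=0x2000 type=TD Hob
mbase=0x800000 msize=0x6000 type=MEM
"""

MEASURED = 0x1  # bit 0 of flags: section is part of the launch measurement

# key=value pairs; a value runs up to the next " key=" or the end of the line,
# so "type=BFV (code)" and "type=TD Hob" are kept in one piece.
PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_sections(text):
    """Return one dict per section line; other lines of the dump are skipped."""
    sections = []
    for line in text.splitlines():
        fields = dict(PAIR.findall(line.strip()))
        if "mbase" not in fields or "type" not in fields:
            continue
        sec = {"type": fields["type"]}
        for key in ("mbase", "msize", "fbase", "fsize", "flags"):
            # Assumption: a key that is not printed (e.g. flags) counts as 0.
            sec[key] = int(fields.get(key, "0"), 16)
        sections.append(sec)
    return sections

def launch_measurement_coverage(sections):
    """Split sections into (measured, not measured) by bit 0 of flags."""
    measured = [s for s in sections if s["flags"] & MEASURED]
    unmeasured = [s for s in sections if not s["flags"] & MEASURED]
    return measured, unmeasured

def unmeasured_image_content(sections):
    """Types of sections backed by image bytes (fsize > 0) but not measured."""
    return [s["type"] for s in sections
            if s["fsize"] and not s["flags"] & MEASURED]

if __name__ == "__main__":
    measured, unmeasured = launch_measurement_coverage(parse_sections(SAMPLE))
    print("measured:    ", [s["type"] for s in measured])
    print("not measured:", [s["type"] for s in unmeasured])
    print("image bytes outside the measurement:",
          unmeasured_image_content(parse_sections(SAMPLE)))
```

On the listing from the message this flags only "CFV (vars)" as image content outside the launch measurement, which is the section the message proposes to measure.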