* [PATCH 1/4] OvmfPkg: Add library class BlobMeasurementLib with null implementation
2022-05-23 5:55 [PATCH 0/4] Measure kernel blob Min Xu
@ 2022-05-23 5:55 ` Min Xu
2022-05-23 5:55 ` [PATCH 2/4] OvmfPkg: Add BlobMeasurementLibNull to dsc Min Xu
` (4 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Min Xu @ 2022-05-23 5:55 UTC (permalink / raw)
To: devel
Cc: Min Xu, Ard Biesheuvel, Jordan Justen, Ashish Kalra,
Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao,
Tom Lendacky, Sami Mujawar, Gerd Hoffmann
BlobMeasurementLib will be used to measure blobs fetching from QEMU's
firmware config (fw_cfg) in platforms which implments
EFI_CC_MEASUREMENT_PROTOCOL.
The null implementation BlobMeasurementLibNull always return EFI_SUCCESS.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
OvmfPkg/Include/Library/BlobMeasurementLib.h | 38 +++++++++++++++++++
.../BlobMeasurementLibNull.c | 34 +++++++++++++++++
.../BlobMeasurementLibNull.inf | 24 ++++++++++++
OvmfPkg/OvmfPkg.dec | 3 ++
4 files changed, 99 insertions(+)
create mode 100644 OvmfPkg/Include/Library/BlobMeasurementLib.h
create mode 100644 OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c
create mode 100644 OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
diff --git a/OvmfPkg/Include/Library/BlobMeasurementLib.h b/OvmfPkg/Include/Library/BlobMeasurementLib.h
new file mode 100644
index 000000000000..e54a41c2c9c1
--- /dev/null
+++ b/OvmfPkg/Include/Library/BlobMeasurementLib.h
@@ -0,0 +1,38 @@
+/** @file
+
+ Blob measurement library
+
+ This library class allows measuring blobs from external sources, such as QEMU's firmware config.
+
+ Copyright (C) 2022, Intel Corporation. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef BLOB_MEASUREMENT_LIB_H_
+#define BLOB_MEASUREMENT_LIB_H_
+
+#include <Uefi/UefiBaseType.h>
+#include <Base.h>
+
+/**
+ Measure blob from an external source.
+
+ @param[in] BlobName The name of the blob
+ @param[in] BlobNameSize Size of the blob name
+ @param[in] BlobBase The data of the blob
+ @param[in] BlobSize The size of the blob in bytes
+
+ @retval EFI_SUCCESS The blob was measured successfully.
+ @retval Other errors
+**/
+EFI_STATUS
+EFIAPI
+MeasureKernelBlob (
+ IN CONST CHAR16 *BlobName,
+ IN UINT32 BlobNameSize,
+ IN CONST VOID *BlobBase,
+ IN UINT32 BlobSize
+ );
+
+#endif
diff --git a/OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c b/OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c
new file mode 100644
index 000000000000..e93e3cf164c0
--- /dev/null
+++ b/OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c
@@ -0,0 +1,34 @@
+/** @file
+
+ Null implementation of the blob measurement library.
+
+ Copyright (C) 2022, Intel Corporation. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BlobMeasurementLib.h>
+
+/**
+ Measure blob from an external source.
+
+ @param[in] BlobName The name of the blob
+ @param[in] BlobNameSize Size of the blob name
+ @param[in] BlobBase The data of the blob
+ @param[in] BlobSize The size of the blob in bytes
+
+ @retval EFI_SUCCESS The blob was measured successfully.
+ @retval Other errors
+**/
+EFI_STATUS
+EFIAPI
+MeasureKernelBlob (
+ IN CONST CHAR16 *BlobName,
+ IN UINT32 BlobNameSize,
+ IN CONST VOID *BlobBase,
+ IN UINT32 BlobSize
+ )
+{
+ return EFI_SUCCESS;
+}
diff --git a/OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf b/OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
new file mode 100644
index 000000000000..5bf3710222c2
--- /dev/null
+++ b/OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
@@ -0,0 +1,24 @@
+## @file
+#
+# Null implementation of the blob measurement library.
+#
+# Copyright (C) 2022, Intel Corporation. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BlobMeasurementLibNull
+ FILE_GUID = fad119ff-8627-4661-a35f-920a6eeb2866
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BlobMeasurementLib
+
+[Sources]
+ BlobMeasurementLibNull.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 8c2048051bea..da94e4c7aa89 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -26,6 +26,9 @@
## @libraryclass Verify blobs read from the VMM
BlobVerifierLib|Include/Library/BlobVerifierLib.h
+ ## @libraryclass Measure blobs read from the VMM
+ BlobMeasurementLib|Include/Library/BlobMeasurementLib.h
+
## @libraryclass Loads and boots a Linux kernel image
#
LoadLinuxLib|Include/Library/LoadLinuxLib.h
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH 2/4] OvmfPkg: Add BlobMeasurementLibNull to dsc
2022-05-23 5:55 [PATCH 0/4] Measure kernel blob Min Xu
2022-05-23 5:55 ` [PATCH 1/4] OvmfPkg: Add library class BlobMeasurementLib with null implementation Min Xu
@ 2022-05-23 5:55 ` Min Xu
2022-05-23 5:55 ` [PATCH 3/4] OvmfPkg: Implement BlobMeasurementLibTdx Min Xu
` (3 subsequent siblings)
5 siblings, 0 replies; 9+ messages in thread
From: Min Xu @ 2022-05-23 5:55 UTC (permalink / raw)
To: devel
Cc: Min Xu, Ard Biesheuvel, Jordan Justen, Ashish Kalra,
Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao,
Tom Lendacky, Sami Mujawar, Gerd Hoffmann
This prepares the ground for calling MeasureKernelBlob() in
QemuKernelLoaderFsDxe.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
ArmVirtPkg/ArmVirtQemu.dsc | 1 +
ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
OvmfPkg/AmdSev/AmdSevX64.dsc | 2 ++
OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
OvmfPkg/Microvm/MicrovmX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/OvmfXen.dsc | 1 +
9 files changed, 10 insertions(+)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index aa0ce61630f7..5d7416c61e05 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -447,6 +447,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
#
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 7f7d15d6eee3..c74c2630bd7a 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -382,6 +382,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
#
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index bead9722eab8..5e62cff033e1 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -176,6 +176,7 @@
FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
BlobVerifierLib|OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierLibSevHashes.inf
MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf
+ BlobMeasurementLib|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
!if $(SOURCE_DEBUG_ENABLE) == TRUE
PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf
@@ -678,6 +679,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierLibSevHashes.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
index 92664f319be2..a89413f2ffba 100644
--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
@@ -744,6 +744,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
index f8fc977cb205..4c96a4a1dc3a 100644
--- a/OvmfPkg/Microvm/MicrovmX64.dsc
+++ b/OvmfPkg/Microvm/MicrovmX64.dsc
@@ -705,6 +705,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index c16a840fff16..40339d2812e9 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -780,6 +780,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index d3a80cb56892..144d2308bb0e 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -794,6 +794,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 7b3d48aac430..9a027a89b417 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -859,6 +859,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 6ba4bd729ae7..b0410a33d6ac 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -603,6 +603,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
}
OvmfPkg/XenIoPvhDxe/XenIoPvhDxe.inf
OvmfPkg/XenIoPciDxe/XenIoPciDxe.inf
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH 3/4] OvmfPkg: Implement BlobMeasurementLibTdx
2022-05-23 5:55 [PATCH 0/4] Measure kernel blob Min Xu
2022-05-23 5:55 ` [PATCH 1/4] OvmfPkg: Add library class BlobMeasurementLib with null implementation Min Xu
2022-05-23 5:55 ` [PATCH 2/4] OvmfPkg: Add BlobMeasurementLibNull to dsc Min Xu
@ 2022-05-23 5:55 ` Min Xu
2022-05-23 8:14 ` Gerd Hoffmann
2022-05-23 5:55 ` [PATCH 4/4] OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg Min Xu
` (2 subsequent siblings)
5 siblings, 1 reply; 9+ messages in thread
From: Min Xu @ 2022-05-23 5:55 UTC (permalink / raw)
To: devel
Cc: Min Xu, Ard Biesheuvel, Jordan Justen, Ashish Kalra,
Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao,
Sami Mujawar, Tom Lendacky, Gerd Hoffmann
OvmfPkg/IntelTdx/BlobMeasurementLibTdx is implemented for measurement
of Kernel blob. It calls EFI_CC_MEASUREMENT_PROTOCOL to do the
measurement.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
.../BlobMeasurementLibTdx/BlobMeasurement.c | 87 +++++++++++++++++++
.../BlobMeasurementLibTdx.inf | 30 +++++++
2 files changed, 117 insertions(+)
create mode 100644 OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c
create mode 100644 OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
diff --git a/OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c b/OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c
new file mode 100644
index 000000000000..33a2a3502109
--- /dev/null
+++ b/OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c
@@ -0,0 +1,87 @@
+/** @file
+
+ Copyright (C) 2022, Intel Corporation. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <PiDxe.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Protocol/Tcg2Protocol.h>
+#include <Protocol/CcMeasurement.h>
+#include <Library/BlobVerifierLib.h>
+
+EFI_CC_MEASUREMENT_PROTOCOL *mCcProtocol = NULL;
+
+/**
+ Measure blob from an external source.
+
+ @param[in] BlobName The name of the blob
+ @param[in] BlobNameSize Size of the blob name
+ @param[in] BlobBase The data of the blob
+ @param[in] BlobSize The size of the blob in bytes
+
+ @retval EFI_SUCCESS The blob was measured successfully.
+ @retval Other errors
+**/
+EFI_STATUS
+EFIAPI
+MeasureKernelBlob (
+ IN CONST CHAR16 *BlobName,
+ IN UINT32 BlobNameSize,
+ IN CONST VOID *BlobBase,
+ IN UINT32 BlobSize
+ )
+{
+ EFI_STATUS Status;
+ UINT32 MrIndex;
+ EFI_CC_EVENT *CcEvent;
+
+ if ((BlobBase == 0) || (BlobSize == 0)) {
+ ASSERT (FALSE);
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (mCcProtocol == NULL) {
+ Status = gBS->LocateProtocol (&gEfiCcMeasurementProtocolGuid, NULL, (VOID **)&mCcProtocol);
+ if (EFI_ERROR (Status)) {
+ //
+ // EFI_CC_MEASUREMENT_PROTOCOL protocol is not installed.
+ //
+ DEBUG ((DEBUG_ERROR, "%a: EFI_CC_MEASUREMENT_PROTOCOL protocol is not installed.\n", __FUNCTION__));
+ return EFI_NOT_FOUND;
+ }
+ }
+
+ Status = mCcProtocol->MapPcrToMrIndex (mCcProtocol, 4, &MrIndex);
+ if (EFI_ERROR (Status)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ CcEvent = AllocateZeroPool (BlobNameSize + sizeof (EFI_CC_EVENT) - sizeof (CcEvent->Event));
+ if (CcEvent == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ CcEvent->Size = BlobNameSize + sizeof (EFI_CC_EVENT) - sizeof (CcEvent->Event);
+ CcEvent->Header.EventType = EV_PLATFORM_CONFIG_FLAGS;
+ CcEvent->Header.MrIndex = MrIndex;
+ CcEvent->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
+ CcEvent->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
+ CopyMem (&CcEvent->Event[0], BlobName, BlobNameSize);
+
+ Status = mCcProtocol->HashLogExtendEvent (
+ mCcProtocol,
+ 0,
+ (EFI_PHYSICAL_ADDRESS)(UINTN)BlobBase,
+ BlobSize,
+ CcEvent
+ );
+
+ FreePool (CcEvent);
+
+ return Status;
+}
diff --git a/OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf b/OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
new file mode 100644
index 000000000000..880c60159c3d
--- /dev/null
+++ b/OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
@@ -0,0 +1,30 @@
+## @file
+#
+# Copyright (C) 2022, Intel Corporation. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BlobMeasurementLibTdx
+ FILE_GUID = ac1a8997-9d91-47c4-b18a-dbe0d1a94fde
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BlobMeaurementLib
+
+[Sources]
+ BlobMeasurement.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+
+[Protocols]
+ gEfiCcMeasurementProtocolGuid
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH 3/4] OvmfPkg: Implement BlobMeasurementLibTdx
2022-05-23 5:55 ` [PATCH 3/4] OvmfPkg: Implement BlobMeasurementLibTdx Min Xu
@ 2022-05-23 8:14 ` Gerd Hoffmann
0 siblings, 0 replies; 9+ messages in thread
From: Gerd Hoffmann @ 2022-05-23 8:14 UTC (permalink / raw)
To: Min Xu
Cc: devel, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh,
Erdem Aktas, James Bottomley, Jiewen Yao, Sami Mujawar,
Tom Lendacky
> +EFI_STATUS
> +EFIAPI
> +MeasureKernelBlob (
> + IN CONST CHAR16 *BlobName,
> + IN UINT32 BlobNameSize,
> + IN CONST VOID *BlobBase,
> + IN UINT32 BlobSize
> + )
> +{
> + EFI_STATUS Status;
> + UINT32 MrIndex;
> + EFI_CC_EVENT *CcEvent;
> +
> + if ((BlobBase == 0) || (BlobSize == 0)) {
> + ASSERT (FALSE);
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + if (mCcProtocol == NULL) {
> + Status = gBS->LocateProtocol (&gEfiCcMeasurementProtocolGuid, NULL, (VOID **)&mCcProtocol);
> + if (EFI_ERROR (Status)) {
> + //
> + // EFI_CC_MEASUREMENT_PROTOCOL protocol is not installed.
> + //
> + DEBUG ((DEBUG_ERROR, "%a: EFI_CC_MEASUREMENT_PROTOCOL protocol is not installed.\n", __FUNCTION__));
> + return EFI_NOT_FOUND;
> + }
> + }
I think it makes sense to support measurement to both tdx and tpm here.
> + Status = mCcProtocol->MapPcrToMrIndex (mCcProtocol, 4, &MrIndex);
Why PCR 4 for everything?
When grub measures to the tpm it uses PCR 8 (strings, i.e. configuration
and kernel command line) and PCR 9 (binaries, i.e. kernel + initrd).
take care,
Gerd
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 4/4] OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg
2022-05-23 5:55 [PATCH 0/4] Measure kernel blob Min Xu
` (2 preceding siblings ...)
2022-05-23 5:55 ` [PATCH 3/4] OvmfPkg: Implement BlobMeasurementLibTdx Min Xu
@ 2022-05-23 5:55 ` Min Xu
2022-05-23 9:29 ` [PATCH 0/4] Measure kernel blob Yao, Jiewen
[not found] ` <16F1B1F290429BFD.18186@groups.io>
5 siblings, 0 replies; 9+ messages in thread
From: Min Xu @ 2022-05-23 5:55 UTC (permalink / raw)
To: devel
Cc: Min Xu, Ard Biesheuvel, Jordan Justen, Ashish Kalra,
Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao,
Sami Mujawar, Tom Lendacky, Gerd Hoffmann
In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a
call to MeasureKernelBlob after fetching to allow BlobMeasurementLib
implementations to add a measurement step for these blobs.
This will allow confidential computing OVMF builds to add measurement
mechanisms for these blobs that originate from an untrusted source
(QEMU).
In current platforms in OvmfPkg, only IntelTdx supports blob measurement.
So OvmfPkg/IntelTdx/IntelTdxX64.dsc is updated to use
OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf. Other
dsc are using the null implementation of BlobMeasurementLibNull.inf.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
.../QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 00bc1255bc4e..2887047316b6 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -611,6 +611,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index d4f3cd92255f..6720dae1d06c 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -18,6 +18,7 @@
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/BlobVerifierLib.h>
+#include <Library/BlobMeasurementLib.h>
#include <Library/DebugLib.h>
#include <Library/DevicePathLib.h>
#include <Library/MemoryAllocationLib.h>
@@ -1074,6 +1075,18 @@ QemuKernelLoaderFsDxeEntrypoint (
goto FreeBlobs;
}
+ if ((CurrentBlob->Data > 0) && (CurrentBlob->Size > 0)) {
+ Status = MeasureKernelBlob (
+ CurrentBlob->Name,
+ sizeof (CurrentBlob->Name),
+ CurrentBlob->Data,
+ CurrentBlob->Size
+ );
+ if (EFI_ERROR (Status)) {
+ goto FreeBlobs;
+ }
+ }
+
mTotalBlobBytes += CurrentBlob->Size;
}
--
2.29.2.windows.2
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH 0/4] Measure kernel blob
2022-05-23 5:55 [PATCH 0/4] Measure kernel blob Min Xu
` (3 preceding siblings ...)
2022-05-23 5:55 ` [PATCH 4/4] OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg Min Xu
@ 2022-05-23 9:29 ` Yao, Jiewen
[not found] ` <16F1B1F290429BFD.18186@groups.io>
5 siblings, 0 replies; 9+ messages in thread
From: Yao, Jiewen @ 2022-05-23 9:29 UTC (permalink / raw)
To: Xu, Min M, devel@edk2.groups.io
Cc: Ard Biesheuvel, Justen, Jordan L, Ashish Kalra, Brijesh Singh,
Aktas, Erdem, James Bottomley, Tom Lendacky, Sami Mujawar,
Gerd Hoffmann
Hi
I am not clear about the design. Some questions:
1. This should be generic feature for trusted boot. Not TDX specific. Right?
2. Why we need BlobMeasurementLib?
We already have TpmMeasurementLib. Why we cannot use it?
3. Why we need BlobMeasurementLibTdx?
Even if we really need BlobMeasurementLib, the flow should be: ->BlobMeasurementLib->TpmMeasurementLib->TpmMeasurementLibTdx
4. Why we need BlobMeasurementLibNull?
We already have TpmMeasurementLibNull. What is benefit to add one more NULL MeasurementLib?
Thank you
Yao Jiewen
> -----Original Message-----
> From: Xu, Min M <min.m.xu@intel.com>
> Sent: Monday, May 23, 2022 1:56 PM
> To: devel@edk2.groups.io
> Cc: Xu, Min M <min.m.xu@intel.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Justen, Jordan L <jordan.l.justen@intel.com>;
> Ashish Kalra <ashish.kalra@amd.com>; Brijesh Singh <brijesh.singh@amd.com>;
> Aktas, Erdem <erdemaktas@google.com>; James Bottomley
> <jejb@linux.ibm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> <thomas.lendacky@amd.com>; Sami Mujawar <sami.mujawar@arm.com>;
> Gerd Hoffmann <kraxel@redhat.com>
> Subject: [PATCH 0/4] Measure kernel blob
>
> Kernel blobs include the kernel image, initrd, command line. These are
> external inputs from host VMM. In some platforms,such as Tdx environment,
> Host VMM is treated as un-trusted. So these external inputs should be
> measured.
>
> This patch-set imports a new library class (BlobMeasurementLib). It is
> designed to do the blob measurement, including the kernel blob
> measurement. In the future, it will do other blob measurement, such as
> measuring ACPI table which is also passed from host VMM.
>
> The code is at: https://github.com/mxu9/edk2/tree/MeasureKernelBlob.v1
>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Ashish Kalra <ashish.kalra@amd.com>
> Cc: Brijesh Singh <brijesh.singh@amd.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Min Xu <min.m.xu@intel.com>
>
> Min Xu (4):
> OvmfPkg: Add library class BlobMeasurementLib with null implementation
> OvmfPkg: Add BlobMeasurementLibNull to dsc
> OvmfPkg: Implement BlobMeasurementLibTdx
> OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg
>
> ArmVirtPkg/ArmVirtQemu.dsc | 1 +
> ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
> OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +
> OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
> OvmfPkg/Include/Library/BlobMeasurementLib.h | 38 ++++++++
> .../BlobMeasurementLibTdx/BlobMeasurement.c | 87 +++++++++++++++++++
> .../BlobMeasurementLibTdx.inf | 30 +++++++
> OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
> .../BlobMeasurementLibNull.c | 34 ++++++++
> .../BlobMeasurementLibNull.inf | 24 +++++
> OvmfPkg/Microvm/MicrovmX64.dsc | 1 +
> OvmfPkg/OvmfPkg.dec | 3 +
> OvmfPkg/OvmfPkgIa32.dsc | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> OvmfPkg/OvmfPkgX64.dsc | 1 +
> OvmfPkg/OvmfXen.dsc | 1 +
> .../QemuKernelLoaderFsDxe.c | 13 +++
> 17 files changed, 240 insertions(+)
> create mode 100644 OvmfPkg/Include/Library/BlobMeasurementLib.h
> create mode 100644
> OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c
> create mode 100644
> OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
> create mode 100644
> OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c
> create mode 100644
> OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
>
> --
> 2.29.2.windows.2
^ permalink raw reply [flat|nested] 9+ messages in thread[parent not found: <16F1B1F290429BFD.18186@groups.io>]
* Re: [edk2-devel] [PATCH 0/4] Measure kernel blob
[not found] ` <16F1B1F290429BFD.18186@groups.io>
@ 2022-05-23 9:36 ` Yao, Jiewen
2022-05-23 11:13 ` Ard Biesheuvel
0 siblings, 1 reply; 9+ messages in thread
From: Yao, Jiewen @ 2022-05-23 9:36 UTC (permalink / raw)
To: devel@edk2.groups.io, Yao, Jiewen, Xu, Min M
Cc: Ard Biesheuvel, Justen, Jordan L, Ashish Kalra, Brijesh Singh,
Aktas, Erdem, James Bottomley, Tom Lendacky, Sami Mujawar,
Gerd Hoffmann
Fix Typo for 3:
->BlobMeasurementLib->TpmMeasurementLib->TpmMeasurementLibTdx
Should be: ->BlobMeasurementLib->TpmMeasurementLib->CcProtocol->Tdx
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Monday, May 23, 2022 5:30 PM
> To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Ashish Kalra <ashish.kalra@amd.com>; Brijesh
> Singh <brijesh.singh@amd.com>; Aktas, Erdem <erdemaktas@google.com>;
> James Bottomley <jejb@linux.ibm.com>; Tom Lendacky
> <thomas.lendacky@amd.com>; Sami Mujawar <sami.mujawar@arm.com>;
> Gerd Hoffmann <kraxel@redhat.com>
> Subject: Re: [edk2-devel] [PATCH 0/4] Measure kernel blob
>
> Hi
> I am not clear about the design. Some questions:
>
> 1. This should be generic feature for trusted boot. Not TDX specific. Right?
>
> 2. Why we need BlobMeasurementLib?
> We already have TpmMeasurementLib. Why we cannot use it?
>
> 3. Why we need BlobMeasurementLibTdx?
> Even if we really need BlobMeasurementLib, the flow should be: -
> >BlobMeasurementLib->TpmMeasurementLib->TpmMeasurementLibTdx
>
> 4. Why we need BlobMeasurementLibNull?
> We already have TpmMeasurementLibNull. What is benefit to add one more
> NULL MeasurementLib?
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Xu, Min M <min.m.xu@intel.com>
> > Sent: Monday, May 23, 2022 1:56 PM
> > To: devel@edk2.groups.io
> > Cc: Xu, Min M <min.m.xu@intel.com>; Ard Biesheuvel
> > <ardb+tianocore@kernel.org>; Justen, Jordan L <jordan.l.justen@intel.com>;
> > Ashish Kalra <ashish.kalra@amd.com>; Brijesh Singh
> <brijesh.singh@amd.com>;
> > Aktas, Erdem <erdemaktas@google.com>; James Bottomley
> > <jejb@linux.ibm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> > <thomas.lendacky@amd.com>; Sami Mujawar <sami.mujawar@arm.com>;
> > Gerd Hoffmann <kraxel@redhat.com>
> > Subject: [PATCH 0/4] Measure kernel blob
> >
> > Kernel blobs include the kernel image, initrd, command line. These are
> > external inputs from host VMM. In some platforms,such as Tdx environment,
> > Host VMM is treated as un-trusted. So these external inputs should be
> > measured.
> >
> > This patch-set imports a new library class (BlobMeasurementLib). It is
> > designed to do the blob measurement, including the kernel blob
> > measurement. In the future, it will do other blob measurement, such as
> > measuring ACPI table which is also passed from host VMM.
> >
> > The code is at: https://github.com/mxu9/edk2/tree/MeasureKernelBlob.v1
> >
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Ashish Kalra <ashish.kalra@amd.com>
> > Cc: Brijesh Singh <brijesh.singh@amd.com>
> > Cc: Erdem Aktas <erdemaktas@google.com>
> > Cc: James Bottomley <jejb@linux.ibm.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Tom Lendacky <thomas.lendacky@amd.com>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Gerd Hoffmann <kraxel@redhat.com>
> > Signed-off-by: Min Xu <min.m.xu@intel.com>
> >
> > Min Xu (4):
> > OvmfPkg: Add library class BlobMeasurementLib with null implementation
> > OvmfPkg: Add BlobMeasurementLibNull to dsc
> > OvmfPkg: Implement BlobMeasurementLibTdx
> > OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg
> >
> > ArmVirtPkg/ArmVirtQemu.dsc | 1 +
> > ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
> > OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +
> > OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
> > OvmfPkg/Include/Library/BlobMeasurementLib.h | 38 ++++++++
> > .../BlobMeasurementLibTdx/BlobMeasurement.c | 87
> +++++++++++++++++++
> > .../BlobMeasurementLibTdx.inf | 30 +++++++
> > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
> > .../BlobMeasurementLibNull.c | 34 ++++++++
> > .../BlobMeasurementLibNull.inf | 24 +++++
> > OvmfPkg/Microvm/MicrovmX64.dsc | 1 +
> > OvmfPkg/OvmfPkg.dec | 3 +
> > OvmfPkg/OvmfPkgIa32.dsc | 1 +
> > OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> > OvmfPkg/OvmfPkgX64.dsc | 1 +
> > OvmfPkg/OvmfXen.dsc | 1 +
> > .../QemuKernelLoaderFsDxe.c | 13 +++
> > 17 files changed, 240 insertions(+)
> > create mode 100644 OvmfPkg/Include/Library/BlobMeasurementLib.h
> > create mode 100644
> > OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c
> > create mode 100644
> > OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
> > create mode 100644
> > OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c
> > create mode 100644
> > OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
> >
> > --
> > 2.29.2.windows.2
>
>
>
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [edk2-devel] [PATCH 0/4] Measure kernel blob
2022-05-23 9:36 ` [edk2-devel] " Yao, Jiewen
@ 2022-05-23 11:13 ` Ard Biesheuvel
0 siblings, 0 replies; 9+ messages in thread
From: Ard Biesheuvel @ 2022-05-23 11:13 UTC (permalink / raw)
To: Yao, Jiewen
Cc: devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L,
Ashish Kalra, Brijesh Singh, Aktas, Erdem, James Bottomley,
Tom Lendacky, Sami Mujawar, Gerd Hoffmann
Same questions here. I don't think we should use the legacy Linux EFI
handover protocol for CC implementations, and the ordinary
LoadImage/StartImage based boot sequence already incorporates TPM
measurement, of which TDX and SEV/SNP are just a specialization.
So I don't understand why we need any of this in the first place.
On Mon, 23 May 2022 at 11:36, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>
> Fix Typo for 3:
> ->BlobMeasurementLib->TpmMeasurementLib->TpmMeasurementLibTdx
> Should be: ->BlobMeasurementLib->TpmMeasurementLib->CcProtocol->Tdx
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> > Sent: Monday, May 23, 2022 5:30 PM
> > To: Xu, Min M <min.m.xu@intel.com>; devel@edk2.groups.io
> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>; Justen, Jordan L
> > <jordan.l.justen@intel.com>; Ashish Kalra <ashish.kalra@amd.com>; Brijesh
> > Singh <brijesh.singh@amd.com>; Aktas, Erdem <erdemaktas@google.com>;
> > James Bottomley <jejb@linux.ibm.com>; Tom Lendacky
> > <thomas.lendacky@amd.com>; Sami Mujawar <sami.mujawar@arm.com>;
> > Gerd Hoffmann <kraxel@redhat.com>
> > Subject: Re: [edk2-devel] [PATCH 0/4] Measure kernel blob
> >
> > Hi
> > I am not clear about the design. Some questions:
> >
> > 1. This should be generic feature for trusted boot. Not TDX specific. Right?
> >
> > 2. Why we need BlobMeasurementLib?
> > We already have TpmMeasurementLib. Why we cannot use it?
> >
> > 3. Why we need BlobMeasurementLibTdx?
> > Even if we really need BlobMeasurementLib, the flow should be: -
> > >BlobMeasurementLib->TpmMeasurementLib->TpmMeasurementLibTdx
> >
> > 4. Why we need BlobMeasurementLibNull?
> > We already have TpmMeasurementLibNull. What is benefit to add one more
> > NULL MeasurementLib?
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: Xu, Min M <min.m.xu@intel.com>
> > > Sent: Monday, May 23, 2022 1:56 PM
> > > To: devel@edk2.groups.io
> > > Cc: Xu, Min M <min.m.xu@intel.com>; Ard Biesheuvel
> > > <ardb+tianocore@kernel.org>; Justen, Jordan L <jordan.l.justen@intel.com>;
> > > Ashish Kalra <ashish.kalra@amd.com>; Brijesh Singh
> > <brijesh.singh@amd.com>;
> > > Aktas, Erdem <erdemaktas@google.com>; James Bottomley
> > > <jejb@linux.ibm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> > > <thomas.lendacky@amd.com>; Sami Mujawar <sami.mujawar@arm.com>;
> > > Gerd Hoffmann <kraxel@redhat.com>
> > > Subject: [PATCH 0/4] Measure kernel blob
> > >
> > > Kernel blobs include the kernel image, initrd, command line. These are
> > > external inputs from host VMM. In some platforms,such as Tdx environment,
> > > Host VMM is treated as un-trusted. So these external inputs should be
> > > measured.
> > >
> > > This patch-set imports a new library class (BlobMeasurementLib). It is
> > > designed to do the blob measurement, including the kernel blob
> > > measurement. In the future, it will do other blob measurement, such as
> > > measuring ACPI table which is also passed from host VMM.
> > >
> > > The code is at: https://github.com/mxu9/edk2/tree/MeasureKernelBlob.v1
> > >
> > > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> > > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > > Cc: Ashish Kalra <ashish.kalra@amd.com>
> > > Cc: Brijesh Singh <brijesh.singh@amd.com>
> > > Cc: Erdem Aktas <erdemaktas@google.com>
> > > Cc: James Bottomley <jejb@linux.ibm.com>
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Tom Lendacky <thomas.lendacky@amd.com>
> > > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > > Cc: Gerd Hoffmann <kraxel@redhat.com>
> > > Signed-off-by: Min Xu <min.m.xu@intel.com>
> > >
> > > Min Xu (4):
> > > OvmfPkg: Add library class BlobMeasurementLib with null implementation
> > > OvmfPkg: Add BlobMeasurementLibNull to dsc
> > > OvmfPkg: Implement BlobMeasurementLibTdx
> > > OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg
> > >
> > > ArmVirtPkg/ArmVirtQemu.dsc | 1 +
> > > ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
> > > OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +
> > > OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
> > > OvmfPkg/Include/Library/BlobMeasurementLib.h | 38 ++++++++
> > > .../BlobMeasurementLibTdx/BlobMeasurement.c | 87
> > +++++++++++++++++++
> > > .../BlobMeasurementLibTdx.inf | 30 +++++++
> > > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
> > > .../BlobMeasurementLibNull.c | 34 ++++++++
> > > .../BlobMeasurementLibNull.inf | 24 +++++
> > > OvmfPkg/Microvm/MicrovmX64.dsc | 1 +
> > > OvmfPkg/OvmfPkg.dec | 3 +
> > > OvmfPkg/OvmfPkgIa32.dsc | 1 +
> > > OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> > > OvmfPkg/OvmfPkgX64.dsc | 1 +
> > > OvmfPkg/OvmfXen.dsc | 1 +
> > > .../QemuKernelLoaderFsDxe.c | 13 +++
> > > 17 files changed, 240 insertions(+)
> > > create mode 100644 OvmfPkg/Include/Library/BlobMeasurementLib.h
> > > create mode 100644
> > > OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c
> > > create mode 100644
> > > OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
> > > create mode 100644
> > > OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c
> > > create mode 100644
> > > OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
> > >
> > > --
> > > 2.29.2.windows.2
> >
> >
> >
> >
> >
>
^ permalink raw reply [flat|nested] 9+ messages in thread