From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min M Xu <min.m.xu@intel.com>,
	Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Arti Gupta <ARGU@microsoft.com>
Subject: [PATCH V1 2/3] OvmfPkg/TdTcg2Dxe: Fix the mapping error between PCR index and MR index
Date: Wed, 14 Dec 2022 15:14:18 +0800	[thread overview]
Message-ID: <20221214071419.1813-3-min.m.xu@intel.com> (raw)
In-Reply-To: <20221214071419.1813-1-min.m.xu@intel.com>

From: Min M Xu <min.m.xu@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4179

According to UEFI Spec 2.10 it is supposed to return the mapping from PCR
index to CC MR index:
//
// In the current version, we use the below mapping for TDX:
//
// TPM PCR Index | CC Measurement Register Index | TDX-measurement register
// -----------------------------------------------------------------------
// 0             |   0                           |   MRTD
// 1, 7          |   1                           |   RTMR[0]
// 2~6           |   2                           |   RTMR[1]
// 8~15          |   3                           |   RTMR[2]

In the current implementation TdMapPcrToMrIndex returns the index of RTMR,
not the MR index.

After fixing this inconsistency with the spec, other related code is updated
accordingly.
1) The index of event log uses the input MrIndex.
2) MrIndex is decreased by 1 before it is sent for RTMR extending.

Cc: Erdem Aktas <erdemaktas@google.com> [ruleof2]
Cc: James Bottomley <jejb@linux.ibm.com> [jejb]
Cc: Jiewen Yao <jiewen.yao@intel.com> [jyao1]
Cc: Tom Lendacky <thomas.lendacky@amd.com> [tlendacky]
Cc: Arti Gupta <ARGU@microsoft.com>
Reported-by: Arti Gupta <ARGU@microsoft.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c | 89 +++++++++++++++++---------
 1 file changed, 60 insertions(+), 29 deletions(-)

diff --git a/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c b/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c
index a6b4f8e0aa6b..d19923b0c682 100644
--- a/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c
+++ b/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c
@@ -49,7 +49,11 @@
 #define PERF_ID_CC_TCG2_DXE  0x3130
 
 #define   CC_EVENT_LOG_AREA_COUNT_MAX  1
-#define   INVALID_RTMR_INDEX           4
+#define   CC_MR_INDEX_0_MRTD           0
+#define   CC_MR_INDEX_1_RTMR0          1
+#define   CC_MR_INDEX_2_RTMR1          2
+#define   CC_MR_INDEX_3_RTMR2          3
+#define   CC_MR_INDEX_INVALID          4
 
 typedef struct {
   CHAR16      *VariableName;
@@ -240,7 +244,7 @@ EFI_HANDLE  mImageHandle;
 
   Notes: PE/COFF image is checked by BasePeCoffLib PeCoffLoaderGetImageInfo().
 
-  @param[in]  MrIndex      RTMR index
+  @param[in]  RtmrIndex        RTMR index
   @param[in]  ImageAddress   Start address of image buffer.
   @param[in]  ImageSize      Image size
   @param[out] DigestList     Digest list of this image.
@@ -251,7 +255,7 @@ EFI_HANDLE  mImageHandle;
 **/
 EFI_STATUS
 MeasurePeImageAndExtend (
-  IN  UINT32                MrIndex,
+  IN  UINT32                RtmrIndex,
   IN  EFI_PHYSICAL_ADDRESS  ImageAddress,
   IN  UINTN                 ImageSize,
   OUT TPML_DIGEST_VALUES    *DigestList
@@ -925,10 +929,22 @@ TcgCommLogEvent (
 }
 
 /**
-    RTMR[0]  => PCR[1,7]
-    RTMR[1]  => PCR[2,3,4,5]
-    RTMR[2]  => PCR[8~15]
-    RTMR[3]  => NA
+  According to UEFI Spec 2.10 Section 38.4.1:
+    The following table shows the TPM PCR index mapping and CC event log measurement
+  register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
+   Register and RTMR means Runtime Measurement Register
+
+    // TPM PCR Index | CC Measurement Register Index | TDX-measurement register
+    //  ------------------------------------------------------------------------
+    // 0             |   0                           |   MRTD
+    // 1, 7          |   1                           |   RTMR[0]
+    // 2~6           |   2                           |   RTMR[1]
+    // 8~15          |   3                           |   RTMR[2]
+
+  @param[in] PCRIndex Index of the TPM PCR
+
+  @retval    UINT32               Index of the CC Event Log Measurement Register Index
+  @retval    CC_MR_INDEX_INVALID  Invalid MR Index
 **/
 UINT32
 EFIAPI
@@ -938,18 +954,20 @@ MapPcrToMrIndex (
 {
   UINT32  MrIndex;
 
-  if ((PCRIndex > 16) || (PCRIndex == 6) || (PCRIndex == 0)) {
+  if (PCRIndex > 15) {
     ASSERT (FALSE);
-    return INVALID_RTMR_INDEX;
+    return CC_MR_INDEX_INVALID;
   }
 
   MrIndex = 0;
-  if ((PCRIndex == 1) || (PCRIndex == 7)) {
-    MrIndex = 0;
-  } else if ((PCRIndex > 1) && (PCRIndex < 6)) {
-    MrIndex = 1;
-  } else if ((PCRIndex > 7) && (PCRIndex < 16)) {
-    MrIndex = 2;
+  if (PCRIndex == 0) {
+    MrIndex = CC_MR_INDEX_0_MRTD;
+  } else if ((PCRIndex == 1) || (PCRIndex == 7)) {
+    MrIndex = CC_MR_INDEX_1_RTMR0;
+  } else if ((PCRIndex >= 2) && (PCRIndex <= 6)) {
+    MrIndex = CC_MR_INDEX_2_RTMR1;
+  } else if ((PCRIndex >= 8) && (PCRIndex <= 15)) {
+    MrIndex = CC_MR_INDEX_3_RTMR2;
   }
 
   return MrIndex;
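Review bot: The initial `MrIndex = 0;` kept ahead of the chain is now the same value as `CC_MR_INDEX_0_MRTD`, so any PCR index that fell through the `else if` chain would be reported as MRTD rather than as invalid. With the ranges as written every value from 0 to 15 is matched, so the fall-through is unreachable today. Initialising with `MrIndex = CC_MR_INDEX_INVALID;` would keep a later edit to the ranges from silently mapping a PCR to the one register that cannot be extended at runtime. The function's signature is outside the hunk.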
@@ -967,13 +985,9 @@ TdMapPcrToMrIndex (
     return EFI_INVALID_PARAMETER;
   }
 
-  if ((PCRIndex > 16) || (PCRIndex == 0) || (PCRIndex == 6)) {
-    return EFI_INVALID_PARAMETER;
-  }
-
   *MrIndex = MapPcrToMrIndex (PCRIndex);
 
-  return *MrIndex == INVALID_RTMR_INDEX ? EFI_INVALID_PARAMETER : EFI_SUCCESS;
+  return *MrIndex == CC_MR_INDEX_INVALID ? EFI_INVALID_PARAMETER : EFI_SUCCESS;
 }
 
 /**
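Review bot: With the range check deleted here, an out-of-range `PCRIndex` is rejected only inside `MapPcrToMrIndex`, which executes `ASSERT (FALSE)` before returning `CC_MR_INDEX_INVALID`. The start of `TdMapPcrToMrIndex` is outside the hunk, but its NULL check and EFI_STATUS return suggest it is the protocol-facing entry point. If so, a bad argument from a protocol consumer now triggers an assertion in assert-enabled builds instead of a clean `EFI_INVALID_PARAMETER`. Keeping a guard such as `if (PCRIndex > 15) { return EFI_INVALID_PARAMETER; }` before the call, or removing the ASSERT from the helper, preserves the previous behaviour for caller-supplied input.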
@@ -1197,12 +1211,7 @@ TdxDxeLogHashEvent (
   LogFormat = EFI_CC_EVENT_LOG_FORMAT_TCG_2;
 
   ZeroMem (&CcEvent, sizeof (CcEvent));
-  //
-  // The index of event log is designed as below:
-  //   0  : MRTD
-  //   1-4: RTMR[0-3]
-  //
-  CcEvent.MrIndex   = NewEventHdr->MrIndex + 1;
+  CcEvent.MrIndex   = NewEventHdr->MrIndex;
   CcEvent.EventType = NewEventHdr->EventType;
   DigestBuffer      = (UINT8 *)&CcEvent.Digests;
   EventSizePtr      = CopyDigestListToBuffer (DigestBuffer, DigestList, HASH_ALG_SHA384);
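Review bot: The deleted comment was the only description at this assignment of what value ends up in `CcEvent.MrIndex`, and nothing replaces it. Anyone replaying the CC event log against the measurement registers depends on that numbering, so a short replacement would help, for example `// NewEventHdr->MrIndex is already the CC MR index (0: MRTD, 1-3: RTMR[0-2]); log it unchanged.` The body of TdxDxeLogHashEvent extends beyond the hunk on both sides.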
@@ -1270,8 +1279,16 @@ TdxDxeHashLogExtendEvent (
     return Status;
   }
 
+  //
+  // According to UEFI Spec 2.10 Section 38.4.1 the mapping between MrIndex and Intel
+  // TDX Measurement Register is:
+  //    MrIndex 0   <--> MRTD
+  //    MrIndex 1-3 <--> RTMR[0-2]
+  // Only the RMTR registers can be extended in TDVF by HashAndExtend. So MrIndex will
+  // decreased by 1 before it is sent to HashAndExtend.
+  //
   Status = HashAndExtend (
-             NewEventHdr->MrIndex,
+             NewEventHdr->MrIndex - 1,
              HashData,
              (UINTN)HashDataLen,
              &DigestList
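Review bot: `NewEventHdr->MrIndex - 1` is computed without a check that `MrIndex` is non-zero, and after this patch `MapPcrToMrIndex` returns 0 (MRTD) for PCR 0. The callers of TdxDxeHashLogExtendEvent are not visible here, but if any of them passes an index derived from PCR 0, the unsigned subtraction wraps and `HashAndExtend` receives 0xFFFFFFFF. Depending on how that call fails, the event log and the RTMR contents could diverge. TdHashLogExtendEvent gets MRTD and range checks in this same patch; the internal path would benefit from the same guard before the call, e.g. `if ((NewEventHdr->MrIndex == CC_MR_INDEX_0_MRTD) || (NewEventHdr->MrIndex >= CC_MR_INDEX_INVALID)) { return EFI_INVALID_PARAMETER; }`. The function body starts and ends outside the hunk.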
@@ -1335,7 +1352,13 @@ TdHashLogExtendEvent (
     return EFI_INVALID_PARAMETER;
   }
 
-  if (CcEvent->Header.MrIndex > 4) {
+  if (CcEvent->Header.MrIndex == CC_MR_INDEX_0_MRTD) {
+    DEBUG ((DEBUG_ERROR, "%a: MRTD cannot be extended in TDVF.\n", __FUNCTION__));
+    return EFI_INVALID_PARAMETER;
+  }
+
+  if (CcEvent->Header.MrIndex >= CC_MR_INDEX_INVALID) {
+    DEBUG ((DEBUG_ERROR, "%a: MrIndex is invalid. (%d)\n", __FUNCTION__, CcEvent->Header.MrIndex));
     return EFI_INVALID_PARAMETER;
   }
 
@@ -1343,8 +1366,16 @@ TdHashLogExtendEvent (
   NewEventHdr.EventType = CcEvent->Header.EventType;
   NewEventHdr.EventSize = CcEvent->Size - sizeof (UINT32) - CcEvent->Header.HeaderSize;
   if ((Flags & EFI_CC_FLAG_PE_COFF_IMAGE) != 0) {
+    //
+    // According to UEFI Spec 2.10 Section 38.4.1 the mapping between MrIndex and Intel
+    // TDX Measurement Register is:
+    //    MrIndex 0   <--> MRTD
+    //    MrIndex 1-3 <--> RTMR[0-2]
+    // Only the RMTR registers can be extended in TDVF by HashAndExtend. So MrIndex will
+    // decreased by 1 before it is sent to MeasurePeImageAndExtend.
+    //
     Status = MeasurePeImageAndExtend (
-               NewEventHdr.MrIndex,
+               NewEventHdr.MrIndex - 1,
                DataToHash,
                (UINTN)DataToHashLen,
                &DigestList
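Review bot: The added comment misspells the register name as `RMTR` and reads `will decreased`; the same text appears in the TdxDxeHashLogExtendEvent hunk. Suggested wording for the last two comment lines: `// Only the RTMR registers can be extended in TDVF, so MrIndex is decreased by 1` and `// before it is passed to MeasurePeImageAndExtend.` It would also help to state in the comment that the subtraction relies on the MRTD and range checks added earlier in this function. Going by the hunk headers those checks are in TdHashLogExtendEvent too, though the lines between the two hunks are not shown.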
-- 
2.29.2.windows.2


2022-12-14  7:14 [PATCH V1 0/3] Fix incorrect implementation in CcMeasurement Min Xu
2022-12-14  7:14 ` [PATCH V1 1/3] OvmfPkg/TdTcg2Dxe: Fix incorrect protocol and structure version Min Xu
2022-12-14  7:14 ` Min Xu [this message]
2022-12-14  7:14 ` [PATCH V1 3/3] OvmfPkg/SecTpmMeasurementLib: Fix the mapping error of PCR and RTMR index Min Xu
2022-12-14 16:24 ` [PATCH V1 0/3] Fix incorrect implementation in CcMeasurement Yao, Jiewen
     [not found] ` <1730B590101EA428.23954@groups.io>
2022-12-15  3:20   ` [edk2-devel] " Yao, Jiewen
