From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.191458.1673941232793135292 for ; Mon, 16 Jan 2023 23:40:46 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=lAf21v8L; spf=pass (domain: intel.com, ip: 192.55.52.136, mailfrom: min.m.xu@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1673941246; x=1705477246; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=giIZALnO9zcVpJkQTkstQ4LVFWpnFd6ZjxbBIRMV4Ew=; b=lAf21v8LnbDXpvu8r6VQIU93/FIiFvu1MwB1iVBMMtFmh+cZX3Wu5mWJ oyqqCRJ9ZUomZS4NvZN6/QpjL+KjgfPkH/FM6xNXobxCKlvVf2NiZbjnZ RppgxHJmT5/jJeU5XeW9gUXzZHTwKJRjZ1CBvvVWxbD08pXR9rvPXCiyr 0rtoXBfMvsu7XgOLdCCh294QKMywCQsbHybeoRHkSg5/+weE+IxrUy9nw EnVxfQfuWkRJiHRZWvZ0OpA6I/dFP8gU/V8UD2MstbEhmm0lwK0glhkGF Pcre9X1fyZhmTR7k7EuBwvSpzNhWWArcusHURSnwlHxJDDT7CYQFHFvFp g==; X-IronPort-AV: E=McAfee;i="6500,9779,10592"; a="304320326" X-IronPort-AV: E=Sophos;i="5.97,222,1669104000"; d="scan'208";a="304320326" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Jan 2023 23:40:45 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10592"; a="636772036" X-IronPort-AV: E=Sophos;i="5.97,222,1669104000"; d="scan'208";a="636772036" Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.211.139]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 Jan 2023 23:40:41 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [PATCH V1 5/7] OvmfPkg: Enable Tdx measurement in OvmfPkgX64 Date: Tue, 17 Jan 2023 15:40:14 +0800 Message-Id: <20230117074016.1056-6-min.m.xu@intel.com> X-Mailer: git-send-email 2.29.2.windows.2 In-Reply-To: <20230117074016.1056-1-min.m.xu@intel.com> References: <20230117074016.1056-1-min.m.xu@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 This patch enables Tdx measurement in OvmfPkgX64 with below changes: 1) TDX_ENABLE is introduced in OvmfPkgX64.dsc. This flag indicates if Intel TDX is enabled in OvmfPkgX64. Its default value is FALSE. 2) Update SecMain.c with the functions provided by TdxHelperLib 3) Include TdTcg2Dxe in OvmfPkgX64 so that CC_MEASUREMENT_PROTOCOL is installed in a Td-guest. TdTcg2Dxe is controlled by TDX_ENABLE because it is only valid when Intel TDX is enabled. 3) OvmfTpmLibs.dsc.inc and OvmfTpmSecurityStub.dsc.inc are updated because DxeTpm2MeasureBootLib.inf and DxeTpmMeasurementLib.inf should be included to support CC_MEASUREMENT_PROTOCOL. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Signed-off-by: Min Xu --- OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc | 10 +++++++++- OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc | 8 ++++++++ OvmfPkg/OvmfPkgX64.dsc | 15 ++++++++++++++- OvmfPkg/OvmfPkgX64.fdf | 7 +++++++ OvmfPkg/Sec/SecMain.c | 17 +++++++++++++++-- 5 files changed, 53 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc index cd1a899d68f7..df228dc5e2ca 100644 --- a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc +++ b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc @@ -10,9 +10,17 @@ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf - TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf !else Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf +!endif + +!if $(TPM2_ENABLE) == TRUE || $(TDX_ENABLE) == TRUE + # + # DxeTpmMeasurementLib supports measurement functions for both TPM and Confidential Computing. + # It should be controlled by TPM2_ENABLE and TDX_ENABLE. + # + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf +!else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf !endif diff --git a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc index e9ab2fca7bc7..a08e29720f5d 100644 --- a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc +++ b/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc @@ -6,5 +6,13 @@ !if $(TPM1_ENABLE) == TRUE NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf !endif +!endif + +!if $(TPM2_ENABLE) == TRUE || $(TDX_ENABLE) == TRUE + # + # DxeTpm2MeasureBootLib provides security service of TPM2 measure boot and + # Confidential Computing (CC) measure boot. It should be controlled by + # TPM2_ENABLE and TDX_ENABLE + # NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 3f970a79a08a..0bf16a4815b3 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -32,6 +32,7 @@ DEFINE SECURE_BOOT_ENABLE = FALSE DEFINE SMM_REQUIRE = FALSE DEFINE SOURCE_DEBUG_ENABLE = FALSE + DEFINE TDX_ENABLE = FALSE !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc @@ -724,7 +725,8 @@ OvmfPkg/Sec/SecMain.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf - NULL|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf + NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf } # @@ -1100,6 +1102,17 @@ } !endif + # + # Cc Measurement Protocol for Td guest + # +!if $(TDX_ENABLE) == TRUE + SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf { + + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + } +!endif + # # TPM support # diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 8c02dfe11e37..0df986f7ebec 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -402,6 +402,13 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif +# +# EFI_CC_MEASUREMENT_PROTOCOL +# +!if $(TDX_ENABLE) == TRUE +INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf +!endif + # # TPM support # diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 1167d22a68cc..4bb3b641701e 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -29,7 +29,7 @@ #include #include #include -#include +#include #include #include "AmdSev.h" @@ -760,12 +760,25 @@ SecCoreStartupWithStack ( #if defined (TDX_GUEST_SUPPORTED) if (CcProbe () == CcGuestTypeIntelTdx) { + // + // From the security perspective all the external input should be measured before + // it is consumed. TdHob and Configuration FV (Cfv) image are passed from VMM + // and should be measured here. + // + if (EFI_ERROR (TdxHelperMeasureTdHob ())) { + CpuDeadLoop (); + } + + if (EFI_ERROR (TdxHelperMeasureCfvImage ())) { + CpuDeadLoop (); + } + // // For Td guests, the memory map info is in TdHobLib. It should be processed // first so that the memory is accepted. Otherwise access to the unaccepted // memory will trigger tripple fault. // - if (ProcessTdxHobList () != EFI_SUCCESS) { + if (TdxHelperProcessTdHob () != EFI_SUCCESS) { CpuDeadLoop (); } } -- 2.29.2.windows.2