From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.groups.io with SMTP id smtpd.web10.193751.1673954761455927566 for ; Tue, 17 Jan 2023 03:26:01 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=P8U+Z3dU; spf=pass (domain: redhat.com, ip: 170.10.129.124, mailfrom: kraxel@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1673954760; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=njgzovG7o2uJCIgADhWSbq9s0Ln3qOW2VjCv+goMQVE=; b=P8U+Z3dUT/YghCypfuV/aRz3ZC9NT49eSe5hbcNyiTvELE1Q2WyjABwnMuTr0EfaVUhQmS VYfdHKutchS1rAONMVr2S1rQusd3cuMjL9dujsAuraM3JWYDlQrf0e9Yl0L/8AThSVYAya C6NVrHdejcRDlGUDNBsu91GgflpC/DU= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-39-SmBoTDtMM7-gws6idh9vWA-1; Tue, 17 Jan 2023 06:25:58 -0500 X-MC-Unique: SmBoTDtMM7-gws6idh9vWA-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B7412811E6E; Tue, 17 Jan 2023 11:25:57 +0000 (UTC) Received: from sirius.home.kraxel.org (unknown [10.39.192.124]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 789C72026D4B; Tue, 17 Jan 2023 11:25:57 +0000 (UTC) Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id DF8AE1800097; Tue, 17 Jan 2023 12:25:54 +0100 (CET) Date: Tue, 17 Jan 2023 12:25:54 +0100 From: "Gerd Hoffmann" To: Min Xu Cc: devel@edk2.groups.io, Erdem Aktas , James Bottomley , Jiewen Yao , Tom Lendacky , Michael Roth Subject: Re: [PATCH V1 1/7] OvmfPkg: Add Tdx measurement data structure in WorkArea Message-ID: <20230117112554.opz5cc7edq26raty@sirius.home.kraxel.org> References: <20230117074016.1056-1-min.m.xu@intel.com> <20230117074016.1056-2-min.m.xu@intel.com> MIME-Version: 1.0 In-Reply-To: <20230117074016.1056-2-min.m.xu@intel.com> X-Scanned-By: MIMEDefang 3.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jan 17, 2023 at 03:40:10PM +0800, Min Xu wrote: > From: Min M Xu > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 > > From the perspective of security any external input should be measured > and extended to some registers (TPM PCRs or TDX RTMR registers). > > There are below 2 external input in a Td guest: > - TdHob > - Configuration FV (CFV) > > TdHob contains the resource information passed from VMM, such as > unaccepted memory region. CFV contains the configurations, such as > secure boot variables. > > TdHob and CFV should be measured and extended to RTMRs before they're > consumed. TdHob is consumed in the very early stage of boot process. > At that moment the memory service is not ready. Cfv is consumed in > PlatformPei to initialize the EmuVariableNvStore. To make the > implementation simple and clean, these 2 external input are measured > and extended to RTMRs in SEC phase. The measurement values are stored > in WorkArea. Then after the Hob service is available, these 2 measurement > values are retrieved and GuidHobs for these 2 tdx measurements are > generated. So the measurement is done early and the hashes are stored to create the event log entries later, correct? Why both TdHob and CFV are handled this way? It should be needed for TdHob only, right? The work area has a fixed size, IMHO we should not store data there unless we absolutely have to, and for CFV I don't see the justification. take care, Gerd