From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Gerd Hoffmann, Tom Lendacky, Michael Roth
Subject: [PATCH V6 00/12] Enable Tdx measurement in OvmfPkgX64
Date: Fri, 3 Feb 2023 11:31:35 +0800
Message-Id: <20230203033147.1332-1-min.m.xu@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243

Tdx measurement (RTMR based measurement) is enabled in OvmfPkg/IntelTdx. This patch-set enables the feature in OvmfPkgX64 as well.

Patch #1: Introduce TDX_MEASUREMENTS_DATA in SEC_TDX_WORK_AREA. That is because the RTMR measurement of TdHob and Configuration FV (CFV) is executed in a very early stage of the boot process. At that time the memory service is not ready and the measurement values have to be stored in OvmfWorkArea.

Patch #2: Introduce TdxHelperLibNull, which is the NULL instance of TdxHelperLib.

Patch #3: Introduce SecTdxHelperLib, which is the instance of TdxHelperLib for the SEC phase. This patch adds the stubs of the TdxHelperLib functions. The actual implementations are in the following patches.

Patch #4: Re-use the data struct of PLATFORM_FIRMWARE_BLOB2_STRUCT for FV_HANDOFF_TABLE_POINTERS2.

Patch #5-7: These 3 patches move the functions (which were implemented in PeilessStartupLib and PlatformInitLib) to TdxHelperLib, so that they can be called in both OvmfPkgX64 and IntelTdxX64.

Patch #8: Do Tdx measurement in SecMain in IntelTdxX64 and delete the duplicated code in PeilessStartupLib.

Patch #9-12: These 4 patches are the changes for OvmfPkgX64 to enable Tdx measurement.

Code: https://github.com/mxu9/edk2/tree/TdxMeasurementInOvmfX64.v6

v6 changes:
 - Merge patch 8 and 9 (i.e. move instead of add + delete).
 - Rename TDX_MEASUREMENT_ENABLE to CC_MEASUREMENT_ENABLE so that the name is more accurate.

v5 changes:
 - Re-organize the patches. Its purpose is not only to simplify review, but also to simplify testing.
   https://edk2.groups.io/g/devel/message/99209

v4 changes:
 - To make the code reviewable, the implementation of TdxHelperBuildGuidHobForTdxMeasurement is split into 4 patches (5-8).
 - Call Sha384HashAll instead of the 3 Sha384XXX functions so that we need to allocate memory in SEC phase.

v3 changes:
 - Use the definition of PLATFORM_FIRMWARE_BLOB2_STRUCT in Library/TcgEventLogRecordLib.h.
 - Rename TDX_ENABLE as TDX_MEASUREMENT_ENABLE because this flag is introduced for Tdx-measurement.
 - Split the patch of SecTdxHelperLib into 2 separate patches (#3/#9). Patch#3 implements TdxHelperMeasureTdHob and TdxHelperMeasureCfvImage. Patch#9 implements TdxHelperProcessTdHob. This is to make the patches more reviewable. The duplicated code of TdxHelperProcessTdHob is deleted in Patch#9 as well.
 - The implementation of TdxHelperBuildGuidHobForTdxMeasurement and the update of PeilessStartupLib are in one patch (#5), because the implementation of TdxHelperBuildGuidHobForTdxMeasurement was once in PeilessStartupLib.

v2 changes:
 - Split the patch of TdxHelperLib into 4 separate patches, so that it is more reviewable.
 - Add a commit message in Patch#1 to emphasize that the Tdx-measurement in OvmfPkgX64 is supported in the SEC phase.

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Tom Lendacky
Cc: Michael Roth
Signed-off-by: Min Xu

Min M Xu (12):
  OvmfPkg: Add Tdx measurement data structure in WorkArea
  OvmfPkg/IntelTdx: Add TdxHelperLibNull
  OvmfPkg/IntelTdx: Add SecTdxHelperLib
  OvmfPkg/PeilessStartupLib: Update the define of FV_HANDOFF_TABLE_POINTERS2
  OvmfPkg: Refactor MeasureHobList
  OvmfPkg: Refactor MeasureFvImage
  OvmfPkg: Refactor ProcessHobList
  OvmfPkg/IntelTdx: Measure TdHob and Configuration FV in SecMain
  OvmfPkg/IntelTdx: Add PeiTdxHelperLib
  OvmfPkg/OvmfPkgX64: Measure TdHob and Configuration FV in SecMain
  OvmfPkg/PlatformPei: Build GuidHob for Tdx measurement
  OvmfPkg: Support Tdx measurement in OvmfPkgX64

 OvmfPkg/AmdSev/AmdSevX64.dsc                    |   5 +-
 OvmfPkg/CloudHv/CloudHvX64.dsc                  |   5 +-
 OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc         |  10 +-
 .../Include/Dsc/OvmfTpmSecurityStub.dsc.inc     |   8 +
 OvmfPkg/Include/Library/PlatformInitLib.h       |  17 -
 OvmfPkg/Include/Library/TdxHelperLib.h          |  70 ++
 OvmfPkg/Include/WorkArea.h                      |  25 +-
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                |   4 +-
 OvmfPkg/IntelTdx/Sec/SecMain.c                  |  17 +-
 OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c    |  91 +++
 .../IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf   |  48 ++
 .../TdxHelperLib/SecTdxHelper.c}                | 304 +++----
 .../IntelTdx/TdxHelperLib/SecTdxHelperLib.inf   |  53 ++
 .../TdxHelperLib/TdxHelperLibNull.inf           |  32 +
 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c   |  79 ++
 .../IntelTdx/TdxHelperLib/TdxMeasurementHob.c   | 259 ++++++
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c    | 196 -----
 .../PeilessStartupLib/PeilessStartup.c          |  16 +-
 .../PeilessStartupInternal.h                    |  36 -
 .../PeilessStartupLib/PeilessStartupLib.inf     |   6 -
 OvmfPkg/Library/PlatformInitLib/IntelTdx.c      | 768 ------------------
 .../Library/PlatformInitLib/IntelTdxNull.c      |  20 -
 .../PlatformInitLib/PlatformInitLib.inf         |   1 -
 OvmfPkg/Microvm/MicrovmX64.dsc                  |   5 +-
 OvmfPkg/OvmfPkg.dec                             |   4 +
 OvmfPkg/OvmfPkgX64.dsc                          |  20 +-
 OvmfPkg/OvmfPkgX64.fdf                          |   7 +
 OvmfPkg/PlatformPei/IntelTdx.c                  |   3 +
 OvmfPkg/Sec/SecMain.c                           |  17 +-
 29 files changed, 915 insertions(+), 1211 deletions(-)
 create mode 100644 OvmfPkg/Include/Library/TdxHelperLib.h
 create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c
 create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf
 copy OvmfPkg/{Library/PlatformInitLib/IntelTdx.c => IntelTdx/TdxHelperLib/SecTdxHelper.c} (80%)
 create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
 create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf
 create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c
 create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c
 delete mode 100644 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c

-- 
2.29.2.windows.2
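The cover letter's Patch #1 and Patches #9-12 describe a two-stage flow: in SEC the TdHob and CFV are hashed and extended into an RTMR while there is no memory service, so only the digests are parked in the work area; later, once memory exists, those digests are turned into a GUID HOB that feeds the event log. The following Python model, added here as an illustration and not code from the edk2 series, shows why that split is safe for a verifier: the event log built in the later phase must still replay to the register value extended in the early phase. The work-area layout (a bitmap plus two SHA-384 digests), the choice of RTMR[0] for both measurements and the sample blobs are assumptions made for the example; the extend rule itself (new = SHA-384(old || digest), registers starting at all zeros) is the TDX RTMR semantics.

```python
import hashlib
import struct

SHA384_LEN = 48
RTMR_COUNT = 4

# Constructed work-area layout (an assumption, not the edk2 TDX_MEASUREMENTS_DATA
# struct): a 32-bit "measured" bitmap followed by one SHA-384 digest for the TdHob
# and one for the Configuration FV.
WORK_AREA_FMT = "<I%ds%ds" % (SHA384_LEN, SHA384_LEN)
TDHOB_MEASURED = 1 << 0
CFV_MEASURED = 1 << 1

# Constructed sample inputs standing in for the TdHob and the CFV image.
SAMPLE_TDHOB = b"TDHOB:memory-map:constructed-sample"
SAMPLE_CFV = b"CFV:platform-config-vars:constructed-sample"


def rtmr_extend(rtmr_value, digest):
    """RTMR extend rule: new = SHA-384(old || digest), both 48 bytes."""
    assert len(rtmr_value) == SHA384_LEN and len(digest) == SHA384_LEN
    return hashlib.sha384(rtmr_value + digest).digest()


class Rtmrs:
    """Stand-in for the TD's runtime measurement registers, all zero at start."""

    def __init__(self):
        self.values = [bytes(SHA384_LEN)] * RTMR_COUNT

    def extend(self, index, digest):
        self.values[index] = rtmr_extend(self.values[index], digest)


def sec_measure(rtmrs, tdhob, cfv):
    """SEC phase: hash both blobs, extend RTMR[0] (assumed index) and stash only the
    digests in the fixed work area, since no memory service exists yet."""
    tdhob_digest = hashlib.sha384(tdhob).digest()
    cfv_digest = hashlib.sha384(cfv).digest()
    rtmrs.extend(0, tdhob_digest)
    rtmrs.extend(0, cfv_digest)
    bitmap = TDHOB_MEASURED | CFV_MEASURED
    return struct.pack(WORK_AREA_FMT, bitmap, tdhob_digest, cfv_digest)


def pei_build_event_log(work_area):
    """Later phase: memory is available, so the stashed digests become event-log
    entries (the GUID-HOB step of the series), in the order they were extended."""
    bitmap, tdhob_digest, cfv_digest = struct.unpack(WORK_AREA_FMT, work_area)
    events = []
    if bitmap & TDHOB_MEASURED:
        events.append({"rtmr": 0, "desc": "TdHob", "digest": tdhob_digest})
    if bitmap & CFV_MEASURED:
        events.append({"rtmr": 0, "desc": "CFV", "digest": cfv_digest})
    return events


def replay_event_log(events):
    """Verifier side: replay the log from zeroed registers."""
    replayed = [bytes(SHA384_LEN)] * RTMR_COUNT
    for ev in events:
        replayed[ev["rtmr"]] = rtmr_extend(replayed[ev["rtmr"]], ev["digest"])
    return replayed


def log_matches_rtmrs(events, rtmrs):
    """True only if the log, replayed from zero, reproduces every register value."""
    return replay_event_log(events) == rtmrs.values


def demo():
    """Run the SEC -> later-phase -> verifier flow; returns (genuine_ok, tampered_ok)."""
    rtmrs = Rtmrs()
    work_area = sec_measure(rtmrs, SAMPLE_TDHOB, SAMPLE_CFV)
    events = pei_build_event_log(work_area)
    genuine_ok = log_matches_rtmrs(events, rtmrs)
    # A log whose CFV entry was altered no longer replays to the register value.
    tampered = [dict(ev) for ev in events]
    tampered[1]["digest"] = hashlib.sha384(b"tampered").digest()
    return genuine_ok, log_matches_rtmrs(tampered, rtmrs)


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the work area only needs to carry the digests, not the measured data, because the RTMR was already extended in SEC; the later phase just has to emit the entries in the same order, since replay is order-sensitive.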