From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min M Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Gerd Hoffmann, Tom Lendacky, Michael Roth
Subject: [PATCH V6 08/12] OvmfPkg/IntelTdx: Measure TdHob and Configuration FV in SecMain
Date: Fri, 3 Feb 2023 11:31:43 +0800
Message-Id: <20230203033147.1332-9-min.m.xu@intel.com>
X-Mailer: git-send-email 2.29.2.windows.2
In-Reply-To: <20230203033147.1332-1-min.m.xu@intel.com>
References: <20230203033147.1332-1-min.m.xu@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Min M Xu

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243

TdHob and Configuration FV (Cfv) are external inputs from VMM. From the
security perspective, they should be measured before they're consumed.
This patch measures TdHob and Cfv and stores the measurement values in
WorkArea.

After TdHob and Configuration FV (Cfv) are measured in SecMain, the same
measurements in PeilessStartupLib are deleted.

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Tom Lendacky
Cc: Michael Roth
Reviewed-by: Jiewen Yao
Signed-off-by: Min Xu
---
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                 |  3 ---
 OvmfPkg/IntelTdx/Sec/SecMain.c                   | 13 ++++++++++++
 .../PeilessStartupLib/PeilessStartup.c           | 20 +------------------
 .../PeilessStartupLib/PeilessStartupLib.inf      |  2 --
 4 files changed, 14 insertions(+), 24 deletions(-)

diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 920f1c6080d4..41de2e942817 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -548,11 +548,8 @@ OvmfPkg/IntelTdx/Sec/SecMain.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf - TpmMeasurementLib|SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf - HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf - NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf } # diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c index 41bd5c66ba29..ccb217b709a0 100644 --- a/OvmfPkg/IntelTdx/Sec/SecMain.c +++ b/OvmfPkg/IntelTdx/Sec/SecMain.c @@ -62,6 +62,19 @@ SecCoreStartupWithStack ( volatile UINT8 *Table; if (CcProbe () == CcGuestTypeIntelTdx) { + // + // From the security perspective all the external input should be measured before + // it is consumed. TdHob and Configuration FV (Cfv) image are passed from VMM + // and should be measured here. + // + if (EFI_ERROR (TdxHelperMeasureTdHob ())) { + CpuDeadLoop (); + } + + if (EFI_ERROR (TdxHelperMeasureCfvImage ())) { + CpuDeadLoop (); + } + // // For Td guests, the memory map info is in TdHobLib. It should be processed // first so that the memory is accepted. Otherwise access to the unaccepted diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c index 79d3a178a65f..164aa2d61911 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c 
@@ -176,25 +176,7 @@ PeilessStartup ( if (TdIsEnabled ()) { // - // Measure HobList - // - Status = TdxHelperMeasureTdHob (); - if (EFI_ERROR (Status)) { - ASSERT (FALSE); - CpuDeadLoop (); - } - - // - // Measure Tdx CFV - // - Status = TdxHelperMeasureCfvImage (); - if (EFI_ERROR (Status)) { - ASSERT (FALSE); - CpuDeadLoop (); - } - - // - // Build GuidHob for tdx measurement + // Build GuidHob for the tdx measurements which were done in SEC phase. // Status = TdxHelperBuildGuidHobForTdxMeasurement (); if (EFI_ERROR (Status)) { diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf index 4ced5dda9945..e77ad7bc921e 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf @@ -56,8 +56,6 @@ PrePiLib QemuFwCfgLib PlatformInitLib - HashLib - TpmMeasurementLib [Guids] gEfiHobMemoryAllocModuleGuid -- 2.29.2.windows.2
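Review bot: in the IntelTdxX64.dsc hunk, the SecMain.inf override block drops TpmMeasurementLib, HashLib and HashInstanceLibSha384 at the same time that SecMain.c gains two new hashing calls (TdxHelperMeasureTdHob and TdxHelperMeasureCfvImage), so the whole measurement path now has to be satisfied by the NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf and BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf lines that remain. The commit message should say so explicitly, and name which patch of the series gave SecTdxHelperLib its own hashing and WorkArea handling, because a reader of this hunk alone sees measurement libraries removed from the very module that starts measuring.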
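Review bot: in the SecMain.c hunk, both new failure paths go straight to CpuDeadLoop () with no ASSERT and no DEBUG output, whereas the equivalent code being removed from PeilessStartup.c did `ASSERT (FALSE);` before `CpuDeadLoop ();`, so a failed measurement of the VMM-supplied TdHob or Cfv in a DEBUG build now hangs silently instead of reporting where it stopped. Keep the ASSERT, or capture the return value and emit a DEBUG ((DEBUG_ERROR, ...)) with it before the dead loop, to match the code it replaces. It is also worth stating in the new comment that these calls run before the TdHob memory map is processed and memory is accepted (the context lines immediately below say access to unaccepted memory is not yet possible), so TdxHelperMeasureTdHob and TdxHelperMeasureCfvImage may only touch the TdHob, the Cfv image and the WorkArea, all of which must already be accessible at this point.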
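Review bot: in the PeilessStartup.c hunk, TdxHelperBuildGuidHobForTdxMeasurement now depends on the SEC phase having already recorded the TdHob and Cfv measurements; the updated comment says so, but nothing in this hunk verifies that a measurement was actually recorded before the GUID HOB is built, so the function header or the commit message should state that PeilessStartupLib is only valid with a SecMain that performs these measurements. Minor: `tdx` in the new comment ("Build GuidHob for the tdx measurements") is lower-case where the surrounding identifiers write `Tdx`.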
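Review bot: in the PeilessStartupLib.inf hunk, HashLib and TpmMeasurementLib leave [LibraryClasses], which is consistent with the calls deleted from PeilessStartup.c, but the corresponding `#include <Library/HashLib.h>` and `#include <Library/TpmMeasurementLib.h>` lines, if the source still carries them, are not shown as removed; please drop them in the same patch so the .inf and the source stay in step, and confirm a clean build of IntelTdxX64.dsc, since after the .dsc hunk the hashing dependency is carried by SecTdxHelperLib alone.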