From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+117764+7686176+12367111@groups.io>
Received: from mail04.groups.io (mail04.groups.io [45.79.224.9])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 1A07BD811C3
	for <rebecca@openfw.io>; Mon, 15 Apr 2024 07:56:33 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=sR42LzR0lgm7v87xObPlUIIuLYBDJhDyIuUXHq/uQXg=;
 c=relaxed/simple; d=groups.io;
 h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding;
 s=20240206; t=1713167792; v=1;
 b=dFHxJOPmL+WKWuxxrsTbp3ox9qifv1SDRBeVSX23Jvvx7DaRIcKKPAOlZzXVwdn4ni37Bf2D
 KaPQLCXESw64Z06+htf5prafXPvRkTWHnXqf1lCv5jhZ90jt9Rec1ylp81iPAU1M7QucB1frZ2t
 V+zxEHAJYX4Jn5yYi6Rloip85SdzSKd7uLfliZNiijmuDPrxJmQuGsCaV93nnR11YUpkj49sQNy
 x6wIWgotsjoQjIkIg1mq1d4vmCyUg8ES+CHA/ILjdJxgZAWjz64AqfQVJQJsOry0snXyxuF/UpC
 7U3zLorkqJIhvDvuTh7qPeU1lr1coTwl4C9n1cK5Eh7Hg==
X-Received: by 127.0.0.2 with SMTP id ykjLYY7687511xsUPZLuCRrR; Mon, 15 Apr 2024 00:56:32 -0700
X-Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.19])
 by mx.groups.io with SMTP id smtpd.web10.15780.1713167792149095238
 for <devel@edk2.groups.io>;
 Mon, 15 Apr 2024 00:56:32 -0700
X-CSE-ConnectionGUID: uCDC4Ml2RrSxCIXSGUbuMg==
X-CSE-MsgGUID: RRmhulQnSfKZtguGBYF3fA==
X-IronPort-AV: E=McAfee;i="6600,9927,11044"; a="8410929"
X-IronPort-AV: E=Sophos;i="6.07,202,1708416000"; 
   d="scan'208";a="8410929"
X-Received: from fmviesa005.fm.intel.com ([10.60.135.145])
  by orvoesa111.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Apr 2024 00:56:25 -0700
X-CSE-ConnectionGUID: GaaUCw4gQuGAc1eQRG0Y6Q==
X-CSE-MsgGUID: IrVanbB8ScKpMkvF5m4xjg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.07,202,1708416000"; 
   d="scan'208";a="26258243"
X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.124.224.178])
  by fmviesa005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Apr 2024 00:56:23 -0700
From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min M Xu <min.m.xu@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>
Subject: [edk2-devel] [PATCH V1 2/5] OmvfPkg/HashLibTdx: Add HashLibTdx
Date: Mon, 15 Apr 2024 15:55:51 +0800
Message-ID: <20240415075555.499-3-min.m.xu@intel.com>
In-Reply-To: <20240415075555.499-1-min.m.xu@intel.com>
References: <20240415075555.499-1-min.m.xu@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Resent-Date: Mon, 15 Apr 2024 00:56:32 -0700
Resent-From: min.m.xu@intel.com
Reply-To: devel@edk2.groups.io,min.m.xu@intel.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: k1GirQ7zF2tXnxxlNW1jhK7dx7686176AA=
Content-Transfer-Encoding: 8bit
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20240206 header.b=dFHxJOPm;
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.9 as permitted sender) smtp.mailfrom=bounce@groups.io;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none)

From: Min M Xu <min.m.xu@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4752

This library is the one of SecurityPkg/Library/HashLibTdx. It is
designed for Intel TDX enlightened OVMF. So moving it from SecurityPkg
to OvmfPkg. To prevent breaking the build, the moving is splitted into 2
patch. SecurityPkg/Library/HashLibTdx will be deleted in the next patch.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
 OvmfPkg/Library/HashLibTdx/HashLibTdx.c   | 213 ++++++++++++++++++++++
 OvmfPkg/Library/HashLibTdx/HashLibTdx.inf |  37 ++++
 2 files changed, 250 insertions(+)
 create mode 100644 OvmfPkg/Library/HashLibTdx/HashLibTdx.c
 create mode 100644 OvmfPkg/Library/HashLibTdx/HashLibTdx.inf

diff --git a/OvmfPkg/Library/HashLibTdx/HashLibTdx.c b/OvmfPkg/Library/HashLibTdx/HashLibTdx.c
new file mode 100644
index 000000000000..3cebbc70d3ec
--- /dev/null
+++ b/OvmfPkg/Library/HashLibTdx/HashLibTdx.c
@@ -0,0 +1,213 @@
+/** @file
+  This library is HashLib for Tdx.
+
+Copyright (c) 2021 - 2022, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+#include <Library/TdxLib.h>
+#include <Protocol/CcMeasurement.h>
+
+EFI_GUID  mSha384Guid = HASH_ALGORITHM_SHA384_GUID;
+
+//
+// Currently TDX supports SHA384.
+//
+HASH_INTERFACE  mHashInterface =  {
+  { 0 }, NULL, NULL, NULL
+};
+
+UINTN  mHashInterfaceCount = 0;
+
+/**
+  Start hash sequence.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS          Hash sequence start and HandleHandle returned.
+  @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+HashStart (
+  OUT HASH_HANDLE  *HashHandle
+  )
+{
+  HASH_HANDLE  HashCtx;
+
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  HashCtx = 0;
+  mHashInterface.HashInit (&HashCtx);
+
+  *HashHandle = HashCtx;
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Update hash sequence data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval EFI_SUCCESS     Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+HashUpdate (
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  )
+{
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  mHashInterface.HashUpdate (HashHandle, DataToHash, DataToHashLen);
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Hash sequence complete and extend to PCR.
+
+  @param HashHandle    Hash handle.
+  @param PcrIndex      PCR to be extended.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+  @param DigestList    Digest list.
+
+  @retval EFI_SUCCESS     Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashCompleteAndExtend (
+  IN HASH_HANDLE          HashHandle,
+  IN TPMI_DH_PCR          PcrIndex,
+  IN VOID                 *DataToHash,
+  IN UINTN                DataToHashLen,
+  OUT TPML_DIGEST_VALUES  *DigestList
+  )
+{
+  TPML_DIGEST_VALUES  Digest;
+  EFI_STATUS          Status;
+
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  ZeroMem (DigestList, sizeof (*DigestList));
+
+  mHashInterface.HashUpdate (HashHandle, DataToHash, DataToHashLen);
+  mHashInterface.HashFinal (HashHandle, &Digest);
+
+  CopyMem (
+    &DigestList->digests[0],
+    &Digest.digests[0],
+    sizeof (Digest.digests[0])
+    );
+  DigestList->count++;
+
+  ASSERT (DigestList->count == 1 && DigestList->digests[0].hashAlg == TPM_ALG_SHA384);
+
+  Status = TdExtendRtmr (
+             (UINT32 *)DigestList->digests[0].digest.sha384,
+             SHA384_DIGEST_SIZE,
+             (UINT8)PcrIndex
+             );
+
+  ASSERT (!EFI_ERROR (Status));
+  return Status;
+}
+
+/**
+  Hash data and extend to RTMR.
+
+  @param PcrIndex      PCR to be extended.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+  @param DigestList    Digest list.
+
+  @retval EFI_SUCCESS     Hash data and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashAndExtend (
+  IN TPMI_DH_PCR          PcrIndex,
+  IN VOID                 *DataToHash,
+  IN UINTN                DataToHashLen,
+  OUT TPML_DIGEST_VALUES  *DigestList
+  )
+{
+  HASH_HANDLE  HashHandle;
+  EFI_STATUS   Status;
+
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  ASSERT (TdIsEnabled ());
+
+  HashStart (&HashHandle);
+  HashUpdate (HashHandle, DataToHash, DataToHashLen);
+  Status = HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestList);
+
+  return Status;
+}
+
+/**
+  This service register Hash.
+
+  @param HashInterface  Hash interface
+
+  @retval EFI_SUCCESS          This hash interface is registered successfully.
+  @retval EFI_UNSUPPORTED      System does not support register this interface.
+  @retval EFI_ALREADY_STARTED  System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashInterfaceLib (
+  IN HASH_INTERFACE  *HashInterface
+  )
+{
+  //
+  // HashLibTdx is designed for Tdx guest. So if it is not Tdx guest,
+  // return EFI_UNSUPPORTED.
+  //
+  if (!TdIsEnabled ()) {
+    return EFI_UNSUPPORTED;
+  }
+
+  //
+  // Only SHA384 is allowed.
+  //
+  if (!CompareGuid (&mSha384Guid, &HashInterface->HashGuid)) {
+    return EFI_UNSUPPORTED;
+  }
+
+  if (mHashInterfaceCount != 0) {
+    ASSERT (FALSE);
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  CopyMem (&mHashInterface, HashInterface, sizeof (*HashInterface));
+  mHashInterfaceCount++;
+
+  return EFI_SUCCESS;
+}
diff --git a/OvmfPkg/Library/HashLibTdx/HashLibTdx.inf b/OvmfPkg/Library/HashLibTdx/HashLibTdx.inf
new file mode 100644
index 000000000000..946132124c85
--- /dev/null
+++ b/OvmfPkg/Library/HashLibTdx/HashLibTdx.inf
@@ -0,0 +1,37 @@
+## @file
+#  Provides hash service by registered hash handler in Tdx.
+#
+#  This library is HashLib for Tdx. Currently only SHA384 is supported.
+#
+# Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = HashLibTdx
+  FILE_GUID                      = 77F6EA3E-1ABA-4467-A447-926E8CEB2D13
+  MODULE_TYPE                    = BASE
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = HashLib|SEC DXE_DRIVER
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = X64
+#
+
+[Sources]
+  HashLibTdx.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  PcdLib
+  TdxLib
-- 
2.44.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117764): https://edk2.groups.io/g/devel/message/117764
Mute This Topic: https://groups.io/mt/105531964/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-