From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web08.8398.1650464730777457535
 for <devel@edk2.groups.io>;
 Wed, 20 Apr 2022 07:25:30 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@ibm.com header.s=pp1 header.b=dP6rsTqb;
 spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: jejb@linux.ibm.com)
Received: from pps.filterd (m0098404.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 23KDCdU4024445;
	Wed, 20 Apr 2022 14:25:29 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject :
 from : reply-to : to : cc : date : in-reply-to : references : content-type
 : mime-version : content-transfer-encoding; s=pp1;
 bh=saB4lmx4MdFg9H3qhcAGuENL3Wk6g+lDj2bdMvg/Rc0=;
 b=dP6rsTqbGFr9JP08oswpmmjsUOiwuX/SaMnkvODCiCcBH3Dc3IpfRrL2ieEzvFZ8fWVC
 Sgcq9TBfzL/eq2OeMQlIgfKwHMJTsSnbFH/yeE+mUIiBTSavFUEU6z7kxx7e1CQqn72M
 IEoqEZ2dsOPfWaWkcf3Iroiwi6Fn9sa0fZfEQknlmrT6H4dET04O8BnUYqBl0Om6qepU
 vu0K2toRJs2/1AlUh+hnhHYxUzRcz6ce6VaQePmgHLjTOx8lPynsZ70Zu5s7Shlyh/vh
 KywmRk8VcNgGy4uIk/1vmmBkLJiGJ33LFhTTX1tO3iwg6bZggdB5gjqAK+r65n31PaG1 Bw== 
Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3fhyqe15wg-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 20 Apr 2022 14:25:28 +0000
Received: from m0098404.ppops.net (m0098404.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 23KDn7pC004826;
	Wed, 20 Apr 2022 14:25:28 GMT
Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3fhyqe15w3-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 20 Apr 2022 14:25:28 +0000
Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1])
	by ppma04dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 23KEJ09F005657;
	Wed, 20 Apr 2022 14:25:26 GMT
Received: from b03cxnp08025.gho.boulder.ibm.com (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17])
	by ppma04dal.us.ibm.com with ESMTP id 3ffnea3ydf-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 20 Apr 2022 14:25:26 +0000
Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 23KEPPtU22872342
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Wed, 20 Apr 2022 14:25:25 GMT
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id AA73578066;
	Wed, 20 Apr 2022 14:25:25 +0000 (GMT)
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 842217805C;
	Wed, 20 Apr 2022 14:25:24 +0000 (GMT)
Received: from lingrow.int.hansenpartnership.com (unknown [9.211.96.201])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Wed, 20 Apr 2022 14:25:24 +0000 (GMT)
Message-ID: <56d4a5fab3cda814d1d33a6e3f6987a0313129f5.camel@linux.ibm.com>
Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
From: "James Bottomley" <jejb@linux.ibm.com>
Reply-To: jejb@linux.ibm.com
To: Gerd Hoffmann <kraxel@redhat.com>, "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
        "Xu, Min M"
 <min.m.xu@intel.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        "Justen,
 Jordan L" <jordan.l.justen@intel.com>,
        Brijesh Singh
 <brijesh.singh@amd.com>,
        "Aktas, Erdem" <erdemaktas@google.com>,
        Tom
 Lendacky <thomas.lendacky@amd.com>
Date: Wed, 20 Apr 2022 10:25:23 -0400
In-Reply-To: <20220420081656.nl4sykhnwzugynm5@sirius.home.kraxel.org>
References: <cover.1650239544.git.min.m.xu@intel.com>
	 <1992c4538efeb3cd3d2e53bd02f2dd24663e9825.1650239544.git.min.m.xu@intel.com>
	 <20220419065851.mwjpm6jaeu3zudjk@sirius.home.kraxel.org>
	 <CO1PR11MB505826638A0961DD75ECF942C5F29@CO1PR11MB5058.namprd11.prod.outlook.com>
	 <20220419124901.idh7zaff3os6532f@sirius.home.kraxel.org>
	 <MW4PR11MB5872796F2D1A6DD3BF8978BD8CF29@MW4PR11MB5872.namprd11.prod.outlook.com>
	 <20220420081656.nl4sykhnwzugynm5@sirius.home.kraxel.org>
User-Agent: Evolution 3.34.4 
MIME-Version: 1.0
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: Za42IDjfAXix76rCN1NZMwlhD-3BTRxq
X-Proofpoint-ORIG-GUID: GyV7oxYUACYQ2sHuywSWy7AB_f8HJcZ9
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514
 definitions=2022-04-20_04,2022-04-20_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0
 clxscore=1011 priorityscore=1501 suspectscore=0 malwarescore=0
 adultscore=0 mlxlogscore=926 mlxscore=0 spamscore=0 impostorscore=0
 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2202240000 definitions=main-2204200084
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

On Wed, 2022-04-20 at 10:16 +0200, Gerd Hoffmann wrote:
>   Hi,
> 
> > > Yes for validation (aka sanity-checking the fields, etc).
> > > But for measurement I don't see why the ordering matters.
> > > Whenever you do that before or after consuming the TdHob
> > > should not make a difference.
> > 
> > [Jiewen] I disagree. The order matters from security perspective.
> > If you use it, there is risk that the buggy code will compromise
> > the system before you have chance to measure it.
> 
> Measurement will only record hashes for verification later on.
> It will not prevent running possibly buggy/compromised code.

This is true, but this is also the design of measured boot: it's for
proof of correctness (or not) after the fact.  Secure boot is more the
technology that can prevent boot.

> So, no matter what the order is, you'll figure the system got
> compromised after the fact, when checking the hashes later, and in
> turn take actions like refusing to hand out secrets to the
> compromised system.

Not if the code falsifies the measurement both in the log and to the
TPM.  That's why the requirement of measured boot is you start with a
small rom based root of trust, which can't be updated because it's in
rom.  It measures the next stage (usually PEI) before executing it so
that the measurement in the TPM would change if the next stage (which
is often in flash) got compromised, so any tampering is certain to be
detected and if the compromised code tries to falsify the log, the log
now wouldn't match the TPM, so it can't evade detection.

The requirement from the TCG is that the trusted code measures the
untrusted code through the TPM before executing it to get this
proveable detection of tampering.  The TCG allows you to be elastic
about when you record the measurements in the log as long as you
measure through the TPM at the correct points.

The above applies equally to TPM substitutes like the TDX msrs.

James