Date: Thu, 21 Mar 2024 16:59:04 +0000
Message-ID: <94521f20aa2872c1b8f018b7db31eca4a2b8222d.1711039409.git.qinkun@google.com>
Subject: [edk2-devel] [RFC PATCH] OvmfPkg/SecurityPkg: Add build option for coexistence of vTPM and RTMR.
From: "qinkun Bao via groups.io"
To: devel@edk2.groups.io
Cc: linux-coco@lists.linux.dev, Erdem Aktas, Jiewen Yao, Ard Biesheuvel, Peter Gonda, Dionna Glaze, Qinkun Bao, James Bottomley, Gerd Hoffmann, Tom Lendacky, Michael Roth
From: Qinkun Bao

The UEFI v2.10 spec defines the protocol EFI_CC_MEASUREMENT_PROTOCOL to enable (for example) RTMR-based boot measurement for TDX VMs. With the current UEFI spec’s “should not” wording and EDK2 implementation, TPM measurement in TDVF is disabled when RTMR measurement is enabled. Mutual exclusion of the CC measurement protocol and TCG measurement protocol breaks backwards compatibility, which makes adoption of RTMRs challenging.

A virtualized TPM device (vTPM) managed by the host VMM makes boot measurements visible to the VMM operator, but this is an oft-requested feature that users can choose to accept. The TPM has been a standard for over a decade and many existing applications rely on the TPM. Both inside and outside Google, we have many users that require vTPM, including features that are not easily available via RTMRs (e.g. sealing using keys that the guest OS cannot access).

This patch adds a non-default build option to allow the coexistence of both the CC measurement and TCG protocols. Not included is a vendor-specific measured event in the CC event log that indicates whether a vTPM is attached or not.

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Tom Lendacky
Cc: Michael Roth
Signed-off-by: Qinkun Bao
---
 OvmfPkg/OvmfPkgX64.dsc | 9 ++++++++-
 .../DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c | 12 +++++++++++-
 .../DxeTpmMeasurementLib/DxeTpmMeasurementLib.c | 6 ++++++
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 56c920168d..9bcee45047 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -32,7 +32,8 @@ DEFINE SECURE_BOOT_ENABLE =3D FALSE DEFINE SMM_REQUIRE =3D FALSE DEFINE SOURCE_DEBUG_ENABLE =3D FALSE - DEFINE CC_MEASUREMENT_ENABLE =3D FALSE + DEFINE CC_MEASUREMENT_ENABLE =3D TRUE + DEFINE CC_MEASUREMENT_AND_TCG2_COEXIST =3D FASLE =20 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc =20 
@@ -99,6 +100,11 @@ INTEL:*_*_X64_GENFW_FLAGS =3D --keepexceptiontable !endif RELEASE_*_*_GENFW_FLAGS =3D --zero +!if $(CC_MEASUREMENT_ENABLE) =3D=3D TRUE && $(CC_MEASUREMENT_AND_TCG2_COEX= IST) =3D=3D TRUE + MSFT:*_*_*_CC_FLAGS =3D /D CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE + INTEL:*_*_*_CC_FLAGS =3D /D CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE + GCC:*_*_*_CC_FLAGS =3D -D CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE +!endif =20 # # Disable deprecated APIs. @@ -1045,6 +1051,7 @@ } !endif =20 + # # TPM support # diff --git a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLi= b.c b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c index 73719f3b96..4c9bc8ab4a 100644 --- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c +++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c @@ -325,7 +325,12 @@ Tcg2MeasureGptTable ( } =20 DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Cc MeasureGptTable - = %r\n", Status)); +#ifdef CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE + } + if (Tcg2Protocol !=3D NULL) { +#else } else if (Tcg2Protocol !=3D NULL) { +#endif // // If Tcg2Protocol is installed, then Measure GPT data with this proto= col. // @@ -493,7 +498,12 @@ Tcg2MeasurePeImage ( CcEvent ); DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Cc MeasurePeImage - %= r\n", Status)); - } else if (Tcg2Protocol !=3D NULL) { +#ifdef CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE + } + if (Tcg2Protocol !=3D NULL) { +#else + } else if (Tcg2Protocol !=3D NULL) { +#endif Status =3D Tcg2Protocol->HashLogExtendEvent ( Tcg2Protocol, PE_COFF_IMAGE, diff --git a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.= c b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c index 6f287b31fc..b1c6198b4b 100644 --- a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c +++ b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c 
@@ -261,7 +261,11 @@ TpmMeasureAndLogData ( HashData, HashDataLen ); +#ifdef CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE + } +#else } else { +#endif // // Try to measure using Tpm20 protocol // @@ -287,7 +291,9 @@ TpmMeasureAndLogData ( HashDataLen ); } +#ifndef CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE } +#endif =20 return Status; } --=20 2.44.0.291.gc1ea87d7ee-goog

View/Reply Online (#117131): https://edk2.groups.io/g/devel/message/117131
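Review bot: Two problems in the OvmfPkgX64.dsc @@ -32,7 hunk. `+ DEFINE CC_MEASUREMENT_AND_TCG2_COEXIST = FASLE` misspells FALSE; the later `!if ... == TRUE` compare still evaluates false, so the feature stays off by accident rather than by design, and anyone copying the line as a template inherits the typo. More importantly, `- DEFINE CC_MEASUREMENT_ENABLE = FALSE` / `+ DEFINE CC_MEASUREMENT_ENABLE = TRUE` turns CC measurement on for every OvmfPkgX64 build, which contradicts the commit message's "non-default build option"; either restore FALSE and add only the new define, or state in the commit message why the existing default changes.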
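Review bot: The @@ -99,6 hunk in OvmfPkgX64.dsc gates the feature with a raw compiler define (`MSFT:*_*_*_CC_FLAGS = /D CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE` and the INTEL/GCC equivalents) that a platform DSC pushes into SecurityPkg library sources. Any other DSC that consumes DxeTpm2MeasureBootLib or DxeTpmMeasurementLib never sees the switch, and the `#ifdef` branches it controls are not compiled in the default build, so they can rot unnoticed. Consider declaring a FeaturePcd or FixedAtBuild BOOLEAN PCD in SecurityPkg.dec and setting it from this `!if` block instead; both code paths then compile in every build and the behaviour is discoverable from the library's own .inf rather than from a platform CC_FLAGS line.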
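Review bot: The @@ -1045,6 hunk in OvmfPkgX64.dsc adds only a `+ #` line above the existing "# TPM support" comment block, an unrelated whitespace change; drop it from the patch so the diff contains only the coexistence change.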
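Review bot: In the Tcg2MeasureGptTable hunk (@@ -325,7) the coexist branch rewrites `} else if (Tcg2Protocol != NULL) {` as `}` followed by `if (Tcg2Protocol != NULL) {`, so after the CC protocol has measured the GPT the Tcg2 block runs as well and, assuming it assigns `Status` as the PE-image hunk does, overwrites the CC result. The `DEBUG ((DEBUG_INFO, "DxeTpm2MeasureBootHandler - Cc MeasureGptTable - %r\n", Status))` just above is then the only trace of a failed RTMR extension: if the vTPM extend succeeds the function returns success and the boot continues with a CC event log that silently lacks the GPT entry. Decide explicitly whether a CC failure should return before the Tcg2 block or be combined with the Tcg2 result, and say so in the comment that introduces the Tcg2 path.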
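Review bot: Same `Status` masking in the Tcg2MeasurePeImage hunk (@@ -493,7): with CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE defined, `Status = Tcg2Protocol->HashLogExtendEvent (` discards the result of the CC MeasurePeImage call logged just above, so an RTMR extension failure for a PE image is hidden whenever the vTPM extension succeeds, and the caller's decision to allow or block the image is made on the vTPM result alone. Separately, splitting `} else if` across `#ifdef` / `#else` / `#endif` so that the brace structure depends on the preprocessor branch is hard to read and fragile under later edits; a single always-compiled condition on a PCD-backed BOOLEAN (illustratively, `if (Tcg2Protocol != NULL && (!CcMeasured || CoexistEnabled))`, names chosen here for illustration only) keeps one brace layout for both configurations.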
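Review bot: In the TpmMeasureAndLogData hunk (@@ -261,7) of DxeTpmMeasurementLib.c, removing the `else` means the "Try to measure using Tpm20 protocol" block now runs after the CC protocol measurement and its return value replaces `Status`, so a failed CC measurement of the same data is reported as success when the TPM 2.0 extend succeeds. This is the library used by callers that measure variables and boot data, so a mismatch between the RTMR log and the TPM log would go unnoticed at the call site; the function should either return the first failure or return a combined result, and the comment should state which.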
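Review bot: The @@ -287,7 hunk of DxeTpmMeasurementLib.c wraps the closing `}` in `#ifndef CC_MEASUREMENT_AND_TCG2_COEXIST_FEATURE` to pair with the `} else {` opener conditionally removed two hunks earlier; the matching of one brace now depends on two separate preprocessor conditionals spread across different hunks, which is easy to break when either region is touched later. Restructuring the function so the CC path and the TPM 2.0 path are independent `if` blocks with their own complete braces, selected at runtime by a PCD rather than by `#ifdef`, removes the cross-hunk coupling entirely.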