public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu <min.m.xu@intel.com>, Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>
Subject: [PATCH V2 1/8] Security: Add HashLibBaseCryptoRouterTdx
Date: Fri,  8 Apr 2022 14:39:16 +0800	[thread overview]
Message-ID: <99947b16ce335be4c1d9ada4dab7c6dd1e36cb28.1649399642.git.min.m.xu@intel.com> (raw)
In-Reply-To: <cover.1649399642.git.min.m.xu@intel.com>

RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853

This library provides hash service by registered hash handler in Td
guest. It redirects hash request to each individual hash handler
(currently only SHA384 is supported). After that the hash value is
extended to Td RTMR registers which is similar to TPM PCRs.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
 .../HashLibBaseCryptoRouterTdx.c              | 214 ++++++++++++++++++
 .../HashLibBaseCryptoRouterTdx.inf            |  41 ++++
 SecurityPkg/SecurityPkg.dsc                   |  10 +
 3 files changed, 265 insertions(+)
 create mode 100644 SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.c
 create mode 100644 SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf

diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.c
new file mode 100644
index 000000000000..77e2a14c19be
--- /dev/null
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.c
@@ -0,0 +1,214 @@
+/** @file
+  This library is BaseCrypto router for Tdx.
+
+Copyright (c) 2021 - 2022, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+#include <Library/TdxLib.h>
+#include <Protocol/CcMeasurement.h>
+#include "HashLibBaseCryptoRouterCommon.h"
+
+//
+// Currently TDX supports SHA384.
+//
+#define TDX_HASH_COUNT  1
+HASH_INTERFACE  mHashInterface[TDX_HASH_COUNT] = {
+  {
+    { 0 }, NULL, NULL, NULL
+  }
+};
+
+UINTN        mHashInterfaceCount      = 0;
+HASH_HANDLE  mHashCtx[TDX_HASH_COUNT] = { 0 };
+
+/**
+  Start hash sequence.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS          Hash sequence start and HandleHandle returned.
+  @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+HashStart (
+  OUT HASH_HANDLE  *HashHandle
+  )
+{
+  HASH_HANDLE  *HashCtx;
+
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  HashCtx = mHashCtx;
+  mHashInterface[0].HashInit (&HashCtx[0]);
+
+  *HashHandle = (HASH_HANDLE)HashCtx;
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Update hash sequence data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval EFI_SUCCESS     Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+HashUpdate (
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  )
+{
+  HASH_HANDLE  *HashCtx;
+
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  HashCtx = (HASH_HANDLE *)HashHandle;
+  mHashInterface[0].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Hash sequence complete and extend to PCR.
+
+  @param HashHandle    Hash handle.
+  @param PcrIndex      PCR to be extended.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+  @param DigestList    Digest list.
+
+  @retval EFI_SUCCESS     Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashCompleteAndExtend (
+  IN HASH_HANDLE          HashHandle,
+  IN TPMI_DH_PCR          PcrIndex,
+  IN VOID                 *DataToHash,
+  IN UINTN                DataToHashLen,
+  OUT TPML_DIGEST_VALUES  *DigestList
+  )
+{
+  TPML_DIGEST_VALUES  Digest;
+  HASH_HANDLE         *HashCtx;
+  EFI_STATUS          Status;
+
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  HashCtx = (HASH_HANDLE *)HashHandle;
+  ZeroMem (DigestList, sizeof (*DigestList));
+
+  mHashInterface[0].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
+  mHashInterface[0].HashFinal (HashCtx[0], &Digest);
+  Tpm2SetHashToDigestList (DigestList, &Digest);
+
+  ASSERT (DigestList->count == 1 && DigestList->digests[0].hashAlg == TPM_ALG_SHA384);
+
+  Status = TdExtendRtmr (
+             (UINT32 *)DigestList->digests[0].digest.sha384,
+             SHA384_DIGEST_SIZE,
+             (UINT8)PcrIndex
+             );
+
+  ASSERT (!EFI_ERROR (Status));
+  return Status;
+}
+
+/**
+  Hash data and extend to RTMR.
+
+  @param PcrIndex      PCR to be extended.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+  @param DigestList    Digest list.
+
+  @retval EFI_SUCCESS     Hash data and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashAndExtend (
+  IN TPMI_DH_PCR          PcrIndex,
+  IN VOID                 *DataToHash,
+  IN UINTN                DataToHashLen,
+  OUT TPML_DIGEST_VALUES  *DigestList
+  )
+{
+  HASH_HANDLE  HashHandle;
+  EFI_STATUS   Status;
+
+  if (mHashInterfaceCount == 0) {
+    ASSERT (FALSE);
+    return EFI_UNSUPPORTED;
+  }
+
+  ASSERT (TdIsEnabled ());
+
+  HashStart (&HashHandle);
+  HashUpdate (HashHandle, DataToHash, DataToHashLen);
+  Status = HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestList);
+
+  return Status;
+}
+
+/**
+  This service register Hash.
+
+  @param HashInterface  Hash interface
+
+  @retval EFI_SUCCESS          This hash interface is registered successfully.
+  @retval EFI_UNSUPPORTED      System does not support register this interface.
+  @retval EFI_ALREADY_STARTED  System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashInterfaceLib (
+  IN HASH_INTERFACE  *HashInterface
+  )
+{
+  UINT32  HashMask;
+
+  ASSERT (TdIsEnabled ());
+
+  //
+  // Check allow
+  //
+  HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
+  ASSERT (HashMask == HASH_ALG_SHA384);
+
+  if (HashMask != HASH_ALG_SHA384) {
+    return EFI_UNSUPPORTED;
+  }
+
+  if (mHashInterfaceCount >= ARRAY_SIZE (mHashInterface)) {
+    ASSERT (FALSE);
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  CopyMem (&mHashInterface[mHashInterfaceCount], HashInterface, sizeof (*HashInterface));
+  mHashInterfaceCount++;
+
+  return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
new file mode 100644
index 000000000000..f6b1353d0041
--- /dev/null
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
@@ -0,0 +1,41 @@
+## @file
+#  Provides hash service by registered hash handler in Tdx.
+#
+#  This library is BaseCrypto router. It will redirect hash request to each individual
+#  hash handler registered. Currently only SHA384 is supported in this router.
+#
+# Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = HashLibBaseCryptoRouterTdx
+  MODULE_UNI_FILE                = HashLibBaseCryptoRouter.uni
+  FILE_GUID                      = 77F6EA3E-1ABA-4467-A447-926E8CEB2D13
+  MODULE_TYPE                    = BASE
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = HashLib|SEC DXE_DRIVER
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = X64
+#
+
+[Sources]
+  HashLibBaseCryptoRouterCommon.h
+  HashLibBaseCryptoRouterCommon.c
+  HashLibBaseCryptoRouterTdx.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  PcdLib
+  TdxLib
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 73a93c2285b1..b23701ad124e 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -72,6 +72,7 @@
   MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
   SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
   SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+  TdxLib|MdePkg/Library/TdxLib/TdxLib.inf
 
 [LibraryClasses.ARM, LibraryClasses.AARCH64]
   #
@@ -92,6 +93,12 @@
 [LibraryClasses.RISCV64]
   RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
+[LibraryClasses.X64.SEC]
+  HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
+
+[LibraryClasses.X64.DXE_DRIVER]
+  HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
+
 [LibraryClasses.common.PEIM]
   PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
   PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf
@@ -283,6 +290,9 @@
   #
   SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
+[Components.X64]
+  SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
+
 [Components.IA32, Components.X64]
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 
-- 
2.29.2.windows.2


  reply	other threads:[~2022-04-08  6:41 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-08  6:39 [PATCH V2 0/8] Enable RTMR based measurement and measure boot for Td guest Min Xu
2022-04-08  6:39 ` Min Xu [this message]
2022-04-08  7:42   ` [PATCH V2 1/8] Security: Add HashLibBaseCryptoRouterTdx Yao, Jiewen
2022-04-08  8:07     ` Min Xu
2022-04-08  6:39 ` [PATCH V2 2/8] CryptoPkg: Add SecCryptLib Min Xu
2022-04-08  7:36   ` Yao, Jiewen
2022-04-08  8:04     ` Min Xu
2022-04-08  6:39 ` [PATCH V2 3/8] SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID Min Xu
2022-04-08  7:36   ` Yao, Jiewen
2022-04-08  6:39 ` [PATCH V2 4/8] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV Min Xu
2022-04-08  7:43   ` Yao, Jiewen
2022-04-08  8:08     ` Min Xu
2022-04-08  6:39 ` [PATCH V2 5/8] OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table Min Xu
2022-04-08  7:39   ` Yao, Jiewen
2022-04-08  6:39 ` [PATCH V2 6/8] MdePkg: Define CC Measure EventLog ACPI Table Min Xu
2022-04-08  7:37   ` Yao, Jiewen
2022-04-12  1:09   ` 回复: " gaoliming
2022-04-08  6:39 ` [PATCH V2 7/8] OvmfPkg/IntelTdx: Add TdTcg2Dxe Min Xu
2022-04-08  6:39 ` [PATCH V2 8/8] OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot Min Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=99947b16ce335be4c1d9ada4dab7c6dd1e36cb28.1649399642.git.min.m.xu@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox