From: "Yao, Jiewen"
To: Gerd Hoffmann, James Bottomley
CC: devel@edk2.groups.io, "Xu, Min M", Ard Biesheuvel, "Justen, Jordan L", Brijesh Singh, "Aktas, Erdem", Tom Lendacky
Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
Date: Wed, 20 Apr 2022 22:29:11 +0000
In-Reply-To: <20220420162915.k234kumo33jgqsg6@sirius.home.kraxel.org>
References: <1992c4538efeb3cd3d2e53bd02f2dd24663e9825.1650239544.git.min.m.xu@intel.com> <20220419065851.mwjpm6jaeu3zudjk@sirius.home.kraxel.org> <20220419124901.idh7zaff3os6532f@sirius.home.kraxel.org> <20220420081656.nl4sykhnwzugynm5@sirius.home.kraxel.org> <56d4a5fab3cda814d1d33a6e3f6987a0313129f5.camel@linux.ibm.com> <20220420162915.k234kumo33jgqsg6@sirius.home.kraxel.org>
The Root-of-Trust for Measurement (RTM) for TDX is the TDX-Module. The TDX-Module will enforce the MRTD calculation for the TDVF code. Then TDVF can act as Chain-of-Trust for Measurement (CTM) to set up RTMR and continue the rest.

It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8.

[TDX-Module] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf
[TDVF] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf

> -----Original Message-----
> From: Gerd Hoffmann
> Sent: Thursday, April 21, 2022 12:29 AM
> To: James Bottomley
> Cc: Yao, Jiewen; devel@edk2.groups.io; Xu, Min M; Ard Biesheuvel; Justen, Jordan L; Brijesh Singh; Aktas, Erdem; Tom Lendacky
> Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
>
> Hi,
>
> > > So, no matter what the order is, you'll figure the system got
> > > compromised after the fact, when checking the hashes later, and in
> > > turn take actions like refusing to hand out secrets to the
> > > compromised system.
> >
> > Not if the code falsifies the measurement both in the log and to the
> > TPM. That's why the requirement of measured boot is you start with a
> > small rom based root of trust, which can't be updated because it's in
> > rom. It measures the next stage (usually PEI) before executing it so
> > that the measurement in the TPM would change if the next stage (which
> > is often in flash) got compromised, so any tampering is certain to be
> > detected and if the compromised code tries to falsify the log, the log
> > now wouldn't match the TPM, so it can't evade detection.
>
> How do we establish the root of trust in case of TDX? We don't have a
> real rom in virtual machines ...
>
> Does the tdx firmware measure the firmware code before running it?
>
> Why handle CFV and BFV differently? Wouldn't it be easier to have the
> tdx firmware simply measure the complete OVMF.fd image, given that tdx
> doesn't support flash and thus we don't have the code/vars split in the
> first place?
>
> The TD HobList is prepared by the hypervisor and present at launch time,
> so possibly the tdx firmware could measure it too before handing over
> control to the guest?
>
> take care,
> Gerd
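Added example, written for this page and not code from the thread, EDK2 or TDVF: a Python model of the measure-before-execute chain discussed above. A root-of-trust step computes MRTD over the firmware, the firmware then extends an RTMR-style SHA-384 register with the TD HobList and CFV while keeping an event log, and a verifier shows why a falsified log or a changed object cannot pass. The single-hash MRTD, the register layout and all inputs are simplifications or constructed values.

```python
import hashlib

# Added example, not code from the thread or from EDK2/TDVF.  Models the chain:
# root of trust (TDX-Module) -> MRTD, then TDVF -> RTMR + event log, then verifier.
HASH = hashlib.sha384          # MRTD and RTMRs are SHA-384 registers
ZERO = b"\x00" * HASH().digest_size

def extend(register: bytes, digest: bytes) -> bytes:
    """PCR/RTMR-style extend: new = H(old || digest); one-way and order-bound,
    so later code cannot rewrite what earlier stages already recorded."""
    return HASH(register + digest).digest()

def root_of_trust_measure(tdvf_code: bytes) -> bytes:
    """Stands in for the TDX-Module computing MRTD over TDVF before it runs.
    Simplification: the real MRTD is built page by page, not as one hash."""
    return HASH(tdvf_code).digest()

def tdvf_measure(events):
    """TDVF as CTM: hash each object (TD HobList, CFV, ...) into the RTMR
    before consuming it, and record the digest in an event log."""
    rtmr, log = ZERO, []
    for name, data in events:
        digest = HASH(data).digest()
        log.append((name, digest))
        rtmr = extend(rtmr, digest)
    return rtmr, log

def verify(mrtd, rtmr, log, golden_mrtd, golden_log):
    """Verifier side, e.g. a service deciding whether to release secrets."""
    if mrtd != golden_mrtd:                  # firmware itself was changed
        return False
    replayed = ZERO
    for _, digest in log:
        replayed = extend(replayed, digest)
    if replayed != rtmr:                     # forged log no longer explains the register
        return False
    return [d for _, d in log] == [d for _, d in golden_log]  # honest log, wrong content

# Constructed sample inputs, not real firmware images or HOB lists.
GOOD_TDVF = b"TDVF code v1"
GOOD_EVENTS = [("TD HobList", b"hob list from VMM"), ("CFV", b"config vars")]
GOLDEN_MRTD = root_of_trust_measure(GOOD_TDVF)
GOLDEN_LOG = tdvf_measure(GOOD_EVENTS)[1]

def scenario(tdvf_code, events, reported_log=None):
    """Boot with the given inputs; reported_log lets the guest hand in a forged log."""
    mrtd = root_of_trust_measure(tdvf_code)
    rtmr, log = tdvf_measure(events)
    return verify(mrtd, rtmr, log if reported_log is None else reported_log,
                  GOLDEN_MRTD, GOLDEN_LOG)
```

A tampered HobList is caught whether the guest reports the honest log (digests differ from policy) or copies the golden log (replay no longer matches the RTMR), which is the point made above about the log and the TPM disagreeing.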