* [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest
@ 2022-04-17 23:59 Min Xu
2022-04-17 23:59 ` [PATCH V3 1/9] Security: Add HashLibTdx Min Xu
` (9 more replies)
0 siblings, 10 replies; 27+ messages in thread
From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw)
To: devel; +Cc: Min Xu
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853
Intel's Trust Domain Extensions (Intel TDX) refers to an Intel technology
that extends Virtual Machines Extensions (VMX) and Multi-Key Total Memory
Encryption (MKTME) with a new kind of virutal machines guest called a
Trust Domain (TD). A TD is desinged to run in a CPU mode that protects the
confidentiality of TD memory contents and the TD's CPU state from other
software, including the hosting Virtual-Machine Monitor (VMM), unless
explicitly shared by the TD itself.
There are 2 configurations for TDVF to upstream. See below link for
the definitions of the 2 configurations.
https://edk2.groups.io/g/devel/message/76367
This patch-set is to enable below features of Config-B in OvmfPkg.
- Enable RTMR based measurement and measured boot
- Install CC_MEASUREMENT_PROTOCOL instance in Td guest
The measurement for the other components, such as kernel image, initrd,
will be introduced in the following patch-sets.
Patch 1:
HashLibTdx provides SHA384 service and extend to RTMR registers.
Patch 2:
SecCryptLib is the cryptographic library instance for SEC.
Patch 3 - 8:
These 6 patches are related to RTMR based measurement and
CC Eventlog ACPI table.
Patch 9:
Update IntelTdxX64.dsc/IntelTdxX64.fdf to support RTMR based
measurement and measured boot.
Code at: https://github.com/mxu9/edk2/tree/tdvf_wave4.v3
v3 changes:
- Refine HashLibBaseCryptoRouterTdx to HashLibTdx
- Add NULL version algorithms in SecCryptLib.
- Add SecMeasurementLib which does the measurement in SEC phase.
- Rebase EDK2 code base. (commit: 91a03f78ba)
v2 changes:
- Move the definition of EFI_CC_EVENT_HOB_GUID from MdePkg to
SecurityPkg.
- Update the definition of EFI_CC_EVENTLOG_ACPI_TABLE based
on below discussion:
https://edk2.groups.io/g/devel/message/87396
https://edk2.groups.io/g/devel/message/87402
- Update the code base to 94f905b3bf.
Min Xu (9):
Security: Add HashLibTdx
CryptoPkg: Add SecCryptLib
SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID
OvmfPkg: Introduce SecMeasurementLib
OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table
MdePkg: Define CC Measure EventLog ACPI Table
OvmfPkg/IntelTdx: Add TdTcg2Dxe
OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot
CryptoPkg/CryptoPkg.dsc | 4 +
.../Library/BaseCryptLib/Hash/CryptMd5Null.c | 163 ++
.../Library/BaseCryptLib/Hash/CryptSha1Null.c | 166 ++
.../BaseCryptLib/Hash/CryptSha256Null.c | 162 ++
.../Library/BaseCryptLib/Hash/CryptSm3Null.c | 164 ++
.../BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c | 152 +
.../BaseCryptLib/Pk/CryptRsaBasicNull.c | 121 +
.../Library/BaseCryptLib/SecCryptLib.inf | 91 +
MdePkg/Include/Protocol/CcMeasurement.h | 21 +
OvmfPkg/Include/Library/SecMeasurementLib.h | 46 +
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 16 +-
OvmfPkg/IntelTdx/IntelTdxX64.fdf | 5 +
.../IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c | 407 +++
OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c | 2489 +++++++++++++++++
OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf | 101 +
OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 163 ++
.../PeilessStartupLib/PeilessStartup.c | 31 +
.../PeilessStartupInternal.h | 17 +
.../PeilessStartupLib/PeilessStartupLib.inf | 8 +-
.../SecMeasurementLib/SecMeasurementLibTdx.c | 340 +++
.../SecMeasurementLibTdx.inf | 30 +
OvmfPkg/OvmfPkg.dec | 10 +
SecurityPkg/Include/Guid/CcEventHob.h | 22 +
SecurityPkg/Library/HashLibTdx/HashLibTdx.c | 207 ++
SecurityPkg/Library/HashLibTdx/HashLibTdx.inf | 37 +
SecurityPkg/SecurityPkg.dec | 4 +
SecurityPkg/SecurityPkg.dsc | 10 +
27 files changed, 4984 insertions(+), 3 deletions(-)
create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c
create mode 100644 CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
create mode 100644 OvmfPkg/Include/Library/SecMeasurementLib.h
create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c
create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c
create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf
create mode 100644 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
create mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c
create mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf
create mode 100644 SecurityPkg/Include/Guid/CcEventHob.h
create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.c
create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.inf
--
2.29.2.windows.2
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH V3 1/9] Security: Add HashLibTdx 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-17 23:59 ` [PATCH V3 2/9] CryptoPkg: Add SecCryptLib Min Xu ` (8 subsequent siblings) 9 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel; +Cc: Min Xu, Jiewen Yao, Jian J Wang, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 This library provides hash service by registered hash handler in Td guest. Currently only SHA384 is supported. After that the hash value is extended to Td RTMR registers which is similar to TPM PCRs. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- SecurityPkg/Library/HashLibTdx/HashLibTdx.c | 207 ++++++++++++++++++ SecurityPkg/Library/HashLibTdx/HashLibTdx.inf | 37 ++++ SecurityPkg/SecurityPkg.dsc | 10 + 3 files changed, 254 insertions(+) create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.c create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.inf diff --git a/SecurityPkg/Library/HashLibTdx/HashLibTdx.c b/SecurityPkg/Library/HashLibTdx/HashLibTdx.c new file mode 100644 index 000000000000..75d96ee64b44 --- /dev/null +++ b/SecurityPkg/Library/HashLibTdx/HashLibTdx.c @@ -0,0 +1,207 @@ +/** @file + This library is HashLib for Tdx. + +Copyright (c) 2021 - 2022, Intel Corporation. All rights reserved. <BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include <PiPei.h> +#include <Library/BaseLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/DebugLib.h> +#include <Library/PcdLib.h> +#include <Library/HashLib.h> +#include <Library/TdxLib.h> +#include <Protocol/CcMeasurement.h> + +EFI_GUID mSha384Guid = HASH_ALGORITHM_SHA384_GUID; + +// +// Currently TDX supports SHA384. +// +HASH_INTERFACE mHashInterface = { + { 0 }, NULL, NULL, NULL +}; + +UINTN mHashInterfaceCount = 0; + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle returned. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +EFI_STATUS +EFIAPI +HashStart ( + OUT HASH_HANDLE *HashHandle + ) +{ + HASH_HANDLE HashCtx; + + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + HashCtx = 0; + mHashInterface.HashInit (&HashCtx); + + *HashHandle = HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +EFI_STATUS +EFIAPI +HashUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + mHashInterface.HashUpdate (HashHandle, DataToHash, DataToHashLen); + + return EFI_SUCCESS; +} + +/** + Hash sequence complete and extend to PCR. + + @param HashHandle Hash handle. + @param PcrIndex PCR to be extended. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash sequence complete and DigestList is returned. +**/ +EFI_STATUS +EFIAPI +HashCompleteAndExtend ( + IN HASH_HANDLE HashHandle, + IN TPMI_DH_PCR PcrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT TPML_DIGEST_VALUES *DigestList + ) +{ + TPML_DIGEST_VALUES Digest; + EFI_STATUS Status; + + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + ZeroMem (DigestList, sizeof (*DigestList)); + + mHashInterface.HashUpdate (HashHandle, DataToHash, DataToHashLen); + mHashInterface.HashFinal (HashHandle, &Digest); + + CopyMem ( + &DigestList->digests[0], + &Digest.digests[0], + sizeof (Digest.digests[0]) + ); + DigestList->count++; + + ASSERT (DigestList->count == 1 && DigestList->digests[0].hashAlg == TPM_ALG_SHA384); + + Status = TdExtendRtmr ( + (UINT32 *)DigestList->digests[0].digest.sha384, + SHA384_DIGEST_SIZE, + (UINT8)PcrIndex + ); + + ASSERT (!EFI_ERROR (Status)); + return Status; +} + +/** + Hash data and extend to RTMR. + + @param PcrIndex PCR to be extended. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash data and DigestList is returned. +**/ +EFI_STATUS +EFIAPI +HashAndExtend ( + IN TPMI_DH_PCR PcrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT TPML_DIGEST_VALUES *DigestList + ) +{ + HASH_HANDLE HashHandle; + EFI_STATUS Status; + + if (mHashInterfaceCount == 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + ASSERT (TdIsEnabled ()); + + HashStart (&HashHandle); + HashUpdate (HashHandle, DataToHash, DataToHashLen); + Status = HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestList); + + return Status; +} + +/** + This service register Hash. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfully. + @retval EFI_UNSUPPORTED System does not support register this interface. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashInterfaceLib ( + IN HASH_INTERFACE *HashInterface + ) +{ + ASSERT (TdIsEnabled ()); + + // + // Only SHA384 is allowed. + // + if (!CompareGuid (&mSha384Guid, &HashInterface->HashGuid)) { + return EFI_UNSUPPORTED; + } + + if (mHashInterfaceCount != 0) { + ASSERT (FALSE); + return EFI_OUT_OF_RESOURCES; + } + + CopyMem (&mHashInterface, HashInterface, sizeof (*HashInterface)); + mHashInterfaceCount++; + + return EFI_SUCCESS; +} diff --git a/SecurityPkg/Library/HashLibTdx/HashLibTdx.inf b/SecurityPkg/Library/HashLibTdx/HashLibTdx.inf new file mode 100644 index 000000000000..946132124c85 --- /dev/null +++ b/SecurityPkg/Library/HashLibTdx/HashLibTdx.inf @@ -0,0 +1,37 @@ +## @file +# Provides hash service by registered hash handler in Tdx. +# +# This library is HashLib for Tdx. Currently only SHA384 is supported. +# +# Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR> +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = HashLibTdx + FILE_GUID = 77F6EA3E-1ABA-4467-A447-926E8CEB2D13 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = HashLib|SEC DXE_DRIVER + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = X64 +# + +[Sources] + HashLibTdx.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + PcdLib + TdxLib diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 73a93c2285b1..0d8c997b2f40 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -72,6 +72,7 @@ MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf + TdxLib|MdePkg/Library/TdxLib/TdxLib.inf [LibraryClasses.ARM, LibraryClasses.AARCH64] # @@ -92,6 +93,12 @@ [LibraryClasses.RISCV64] RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf +[LibraryClasses.X64.SEC] + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + +[LibraryClasses.X64.DXE_DRIVER] + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + [LibraryClasses.common.PEIM] PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf @@ -283,6 +290,9 @@ # SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +[Components.X64] + SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + [Components.IA32, Components.X64] SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH V3 2/9] CryptoPkg: Add SecCryptLib 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu 2022-04-17 23:59 ` [PATCH V3 1/9] Security: Add HashLibTdx Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-18 15:31 ` [edk2-devel] " Michael D Kinney 2022-04-17 23:59 ` [PATCH V3 3/9] SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID Min Xu ` (7 subsequent siblings) 9 siblings, 1 reply; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel Cc: Min Xu, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 This is the Cryptographic library instance for SEC. The motivation of this library is to support SHA384 in SEC phase for Td guest. So only Hash/CryptSha512.c is included which supports SHA384 and SHA512. Other cryptographics are added with the null version, such as CryptMd5Null.c. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- CryptoPkg/CryptoPkg.dsc | 4 + .../Library/BaseCryptLib/Hash/CryptMd5Null.c | 163 +++++++++++++++++ .../Library/BaseCryptLib/Hash/CryptSha1Null.c | 166 ++++++++++++++++++ .../BaseCryptLib/Hash/CryptSha256Null.c | 162 +++++++++++++++++ .../Library/BaseCryptLib/Hash/CryptSm3Null.c | 164 +++++++++++++++++ .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c | 152 ++++++++++++++++ .../BaseCryptLib/Pk/CryptRsaBasicNull.c | 121 +++++++++++++ .../Library/BaseCryptLib/SecCryptLib.inf | 91 ++++++++++ 8 files changed, 1023 insertions(+) create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c create mode 100644 CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index 0aa72ed87846..b814e9616454 100644 --- a/CryptoPkg/CryptoPkg.dsc +++ b/CryptoPkg/CryptoPkg.dsc @@ -109,6 +109,9 @@ [LibraryClasses.ARM] ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf +[LibraryClasses.common.SEC] + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf + [LibraryClasses.common.PEIM] PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf @@ -236,6 +239,7 @@ !if $(CRYPTO_SERVICES) == PACKAGE [Components] CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c new file mode 100644 index 000000000000..893a2302a6de --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c @@ -0,0 +1,163 @@ +/** @file + +MD5 Digest Wrapper Null Implementation. + +Copyright (c) Microsoft Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. + + @return The size, in bytes, of the context buffer required for MD5 hash operations. + +**/ +UINTN +EFIAPI +Md5GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for + subsequent use. + + If Md5Context is NULL, then return FALSE. + + @param[out] Md5Context Pointer to MD5 context being initialized. + + @retval TRUE MD5 context initialization succeeded. + @retval FALSE MD5 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Md5Init ( + OUT VOID *Md5Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing MD5 context. + + If Md5Context is NULL, then return FALSE. + If NewMd5Context is NULL, then return FALSE. + + @param[in] Md5Context Pointer to MD5 context being copied. + @param[out] NewMd5Context Pointer to new MD5 context. + + @retval TRUE MD5 context copy succeeded. + @retval FALSE MD5 context copy failed. + +**/ +BOOLEAN +EFIAPI +Md5Duplicate ( + IN CONST VOID *Md5Context, + OUT VOID *NewMd5Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates MD5 context. + + This function performs MD5 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + MD5 context should be already correctly intialized by Md5Init(), and should not be finalized + by Md5Final(). Behavior with invalid context is undefined. + + If Md5Context is NULL, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE MD5 data digest succeeded. + @retval FALSE MD5 data digest failed. + +**/ +BOOLEAN +EFIAPI +Md5Update ( + IN OUT VOID *Md5Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the MD5 digest value. + + This function completes MD5 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the MD5 context cannot + be used again. + MD5 context should be already correctly intialized by Md5Init(), and should not be + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. + + If Md5Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Md5Context Pointer to the MD5 context. + @param[out] HashValue Pointer to a buffer that receives the MD5 digest + value (16 bytes). + + @retval TRUE MD5 digest computation succeeded. + @retval FALSE MD5 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Md5Final ( + IN OUT VOID *Md5Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** +Computes the MD5 message digest of a input data buffer. + +This function performs the MD5 message digest of a given data buffer, and places +the digest value into the specified memory. + +If this interface is not supported, then return FALSE. + +@param[in] Data Pointer to the buffer containing the data to be hashed. +@param[in] DataSize Size of Data buffer in bytes. +@param[out] HashValue Pointer to a buffer that receives the MD5 digest +value (16 bytes). + +@retval TRUE MD5 digest computation succeeded. +@retval FALSE MD5 digest computation failed. +@retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Md5HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c new file mode 100644 index 000000000000..d9b4610af0e0 --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c @@ -0,0 +1,166 @@ +/** @file + SHA-1 Digest Wrapper Null Implementation. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. + +**/ +UINTN +EFIAPI +Sha1GetContextSize ( + VOID + ) +{ + // + // Retrieves SHA Context Size + // + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for + subsequent use. + + If Sha1Context is NULL, then return FALSE. + + @param[out] Sha1Context Pointer to SHA-1 context being initialized. + + @retval TRUE SHA-1 context initialization succeeded. + @retval FALSE SHA-1 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha1Init ( + OUT VOID *Sha1Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-1 context. + + If Sha1Context is NULL, then return FALSE. + If NewSha1Context is NULL, then return FALSE. + + @param[in] Sha1Context Pointer to SHA-1 context being copied. + @param[out] NewSha1Context Pointer to new SHA-1 context. + + @retval TRUE SHA-1 context copy succeeded. + @retval FALSE SHA-1 context copy failed. + +**/ +BOOLEAN +EFIAPI +Sha1Duplicate ( + IN CONST VOID *Sha1Context, + OUT VOID *NewSha1Context + ) +{ + ASSERT (FALSE); + + return FALSE; +} + +/** + Digests the input data and updates SHA-1 context. + + This function performs SHA-1 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized + by Sha1Final(). Behavior with invalid context is undefined. + + If Sha1Context is NULL, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-1 data digest succeeded. + @retval FALSE SHA-1 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha1Update ( + IN OUT VOID *Sha1Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-1 digest value. + + This function completes SHA-1 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-1 context cannot + be used again. + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. + + If Sha1Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha1Context Pointer to the SHA-1 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha1Final ( + IN OUT VOID *Sha1Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-1 message digest of a input data buffer. + + This function performs the SHA-1 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest + value (20 bytes). + + @retval TRUE SHA-1 digest computation succeeded. + @retval FALSE SHA-1 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha1HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c new file mode 100644 index 000000000000..cf994e8e0664 --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c @@ -0,0 +1,162 @@ +/** @file + SHA-256 Digest Wrapper Null Implementation. + +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. + + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. + +**/ +UINTN +EFIAPI +Sha256GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for + subsequent use. + + If Sha256Context is NULL, then return FALSE. + + @param[out] Sha256Context Pointer to SHA-256 context being initialized. + + @retval TRUE SHA-256 context initialization succeeded. + @retval FALSE SHA-256 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sha256Init ( + OUT VOID *Sha256Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SHA-256 context. + + If Sha256Context is NULL, then return FALSE. + If NewSha256Context is NULL, then return FALSE. + + @param[in] Sha256Context Pointer to SHA-256 context being copied. + @param[out] NewSha256Context Pointer to new SHA-256 context. + + @retval TRUE SHA-256 context copy succeeded. + @retval FALSE SHA-256 context copy failed. + +**/ +BOOLEAN +EFIAPI +Sha256Duplicate ( + IN CONST VOID *Sha256Context, + OUT VOID *NewSha256Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SHA-256 context. + + This function performs SHA-256 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized + by Sha256Final(). Behavior with invalid context is undefined. + + If Sha256Context is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SHA-256 data digest succeeded. + @retval FALSE SHA-256 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sha256Update ( + IN OUT VOID *Sha256Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SHA-256 digest value. + + This function completes SHA-256 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SHA-256 context cannot + be used again. + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. + + If Sha256Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sha256Context Pointer to the SHA-256 context. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sha256Final ( + IN OUT VOID *Sha256Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SHA-256 message digest of a input data buffer. + + This function performs the SHA-256 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest + value (32 bytes). + + @retval TRUE SHA-256 digest computation succeeded. + @retval FALSE SHA-256 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sha256HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c new file mode 100644 index 000000000000..0f3c89b46517 --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c @@ -0,0 +1,164 @@ +/** @file + SM3 Digest Wrapper Null Implementation. + +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. + + @return The size, in bytes, of the context buffer required for SM3 hash operations. + +**/ +UINTN +EFIAPI +Sm3GetContextSize ( + VOID + ) +{ + ASSERT (FALSE); + return 0; +} + +/** + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for + subsequent use. + + If Sm3Context is NULL, then return FALSE. + + @param[out] Sm3Context Pointer to SM3 context being initialized. + + @retval TRUE SM3 context initialization succeeded. + @retval FALSE SM3 context initialization failed. + +**/ +BOOLEAN +EFIAPI +Sm3Init ( + OUT VOID *Sm3Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Makes a copy of an existing SM3 context. + + If Sm3Context is NULL, then return FALSE. + If NewSm3Context is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Sm3Context Pointer to SM3 context being copied. + @param[out] NewSm3Context Pointer to new SM3 context. + + @retval TRUE SM3 context copy succeeded. + @retval FALSE SM3 context copy failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3Duplicate ( + IN CONST VOID *Sm3Context, + OUT VOID *NewSm3Context + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Digests the input data and updates SM3 context. + + This function performs SM3 digest on a data buffer of the specified size. + It can be called multiple times to compute the digest of long or discontinuous data streams. + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized + by Sm3Final(). Behavior with invalid context is undefined. + + If Sm3Context is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + + @retval TRUE SM3 data digest succeeded. + @retval FALSE SM3 data digest failed. + +**/ +BOOLEAN +EFIAPI +Sm3Update ( + IN OUT VOID *Sm3Context, + IN CONST VOID *Data, + IN UINTN DataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Completes computation of the SM3 digest value. + + This function completes SM3 hash computation and retrieves the digest value into + the specified memory. After this function has been called, the SM3 context cannot + be used again. + SM3 context should be already correctly initialized by Sm3Init(), and should not be + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. + + If Sm3Context is NULL, then return FALSE. + If HashValue is NULL, then return FALSE. + + @param[in, out] Sm3Context Pointer to the SM3 context. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + +**/ +BOOLEAN +EFIAPI +Sm3Final ( + IN OUT VOID *Sm3Context, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Computes the SM3 message digest of a input data buffer. + + This function performs the SM3 message digest of a given data buffer, and places + the digest value into the specified memory. + + If this interface is not supported, then return FALSE. + + @param[in] Data Pointer to the buffer containing the data to be hashed. + @param[in] DataSize Size of Data buffer in bytes. + @param[out] HashValue Pointer to a buffer that receives the SM3 digest + value (32 bytes). + + @retval TRUE SM3 digest computation succeeded. + @retval FALSE SM3 digest computation failed. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Sm3HashAll ( + IN CONST VOID *Data, + IN UINTN DataSize, + OUT UINT8 *HashValue + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c new file mode 100644 index 000000000000..c1d9837c5129 --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c @@ -0,0 +1,152 @@ +/** @file + PKCS7 Verify Null implementation. + + Copyright (C) Microsoft Corporation. All Rights Reserved. + Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + This function will return the leaf signer certificate in a chain. This is + required because certificate chains are not guaranteed to have the + certificates in the order that they were issued. + + A typical certificate chain looks like this: + + + ---------------------------- + | Root | + ---------------------------- + ^ + | + ---------------------------- + | Policy CA | <-- Typical Trust Anchor. + ---------------------------- + ^ + | + ---------------------------- + | Issuing CA | + ---------------------------- + ^ + | + ----------------------------- + / End-Entity (leaf) signer / <-- Bottom certificate. + ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1" + (Firmware Signing) + + + @param[in] CertChain Certificate chain. + + @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures, + this will be the end-entity (leaf) signer cert. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND The number of signers found was not 1. + +**/ +EFI_STATUS +GetSignerCertificate ( + IN CONST VOID *CertChain, + OUT VOID **SignerCert + ) +{ + ASSERT (FALSE); + return EFI_NOT_READY; +} + +/** + Determines if the specified EKU represented in ASN1 form is present + in a given certificate. + + @param[in] Cert The certificate to check. + + @param[in] Asn1ToFind The EKU to look for. + + @retval EFI_SUCCESS We successfully identified the signing type. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +EFI_STATUS +IsEkuInCertificate ( + IN CONST VOID *Cert, + IN VOID *Asn1ToFind + ) +{ + ASSERT (FALSE); + return EFI_NOT_READY; +} + +/** + Determines if the specified EKUs are present in a signing certificate. + + @param[in] SignerCert The certificate to check. + @param[in] RequiredEKUs The EKUs to look for. + @param[in] RequiredEKUsSize The number of EKUs + @param[in] RequireAllPresent If TRUE, then all the specified EKUs + must be present in the certificate. + + @retval EFI_SUCCESS We successfully identified the signing type. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. +**/ +EFI_STATUS +CheckEKUs ( + IN CONST VOID *SignerCert, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + ASSERT (FALSE); + return EFI_NOT_READY; +} + +/** + This function receives a PKCS#7 formatted signature blob, + looks for the EKU SEQUENCE blob, and if found then looks + for all the required EKUs. This function was created so that + the Surface team can cut down on the number of Certificate + Authorities (CA's) by checking EKU's on leaf signers for + a specific product. This prevents one product's certificate + from signing another product's firmware or unlock blobs. + + Note that this function does not validate the certificate chain. + That needs to be done before using this function. + + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array + containing the content block with both the signature, + the signer's certificate, and any necessary intermediate + certificates. + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of + required EKUs that must be present in the signature. + @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's + must be present in the leaf signer. If it is + FALSE, then we will succeed if we find any + of the specified EKU's. + + @retval EFI_SUCCESS The required EKUs were found in the signature. + @retval EFI_INVALID_PARAMETER A parameter was invalid. + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. + +**/ +EFI_STATUS +EFIAPI +VerifyEKUsInPkcs7Signature ( + IN CONST UINT8 *Pkcs7Signature, + IN CONST UINT32 SignatureSize, + IN CONST CHAR8 *RequiredEKUs[], + IN CONST UINT32 RequiredEKUsSize, + IN BOOLEAN RequireAllPresent + ) +{ + ASSERT (FALSE); + return EFI_NOT_READY; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c new file mode 100644 index 000000000000..fd352e32dd93 --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c @@ -0,0 +1,121 @@ +/** @file + RSA Asymmetric Cipher Wrapper Null Implementation. + + This file implements following APIs which provide basic capabilities for RSA: + 1) RsaNew + 2) RsaFree + 3) RsaSetKey + 4) RsaPkcs1Verify + +Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "InternalCryptLib.h" + +/** + Allocates and initializes one RSA context for subsequent use. + + @return Pointer to the RSA context that has been initialized. + If the allocations fails, RsaNew() returns NULL. + +**/ +VOID * +EFIAPI +RsaNew ( + VOID + ) +{ + // + // Allocates & Initializes RSA Context + // + ASSERT (FALSE); + return NULL; +} + +/** + Release the specified RSA context. + + @param[in] RsaContext Pointer to the RSA context to be released. + +**/ +VOID +EFIAPI +RsaFree ( + IN VOID *RsaContext + ) +{ + // + // Free RSA Context + // + ASSERT (FALSE); +} + +/** + Sets the tag-designated key component into the established RSA context. + + This function sets the tag-designated RSA key component into the established + RSA context from the user-specified non-negative integer (octet string format + represented in RSA PKCS#1). + If BigNumber is NULL, then the specified key component in RSA context is cleared. + + If RsaContext is NULL, then return FALSE. + + @param[in, out] RsaContext Pointer to RSA context being set. + @param[in] KeyTag Tag of RSA key component being set. + @param[in] BigNumber Pointer to octet integer buffer. + If NULL, then the specified key component in RSA + context is cleared. + @param[in] BnSize Size of big number buffer in bytes. + If BigNumber is NULL, then it is ignored. + + @retval TRUE RSA key component was set successfully. + @retval FALSE Invalid RSA key component tag. + +**/ +BOOLEAN +EFIAPI +RsaSetKey ( + IN OUT VOID *RsaContext, + IN RSA_KEY_TAG KeyTag, + IN CONST UINT8 *BigNumber, + IN UINTN BnSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in + RSA PKCS#1. + + If RsaContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. + + @param[in] RsaContext Pointer to RSA context for signature verification. + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in PKCS1-v1_5. + @retval FALSE Invalid signature or invalid RSA context. + +**/ +BOOLEAN +EFIAPI +RsaPkcs1Verify ( + IN VOID *RsaContext, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf new file mode 100644 index 000000000000..070b44447e74 --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf @@ -0,0 +1,91 @@ +## @file +# Cryptographic Library Instance for SEC. +# +# Caution: This module requires additional review when modified. +# This library will have external input - signature. +# This external input must be validated carefully to avoid security issues such as +# buffer overflow or integer overflow. +# +# Copyright (c) 2021, Intel Corporation. All rights reserved.<BR> +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = SecCryptLib + FILE_GUID = 3689D343-0D32-4284-8053-BF10537990E8 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = BaseCryptLib|SEC + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + InternalCryptLib.h + Hash/CryptSha512.c + + Hash/CryptMd5Null.c + Hash/CryptSha1Null.c + Hash/CryptSha256Null.c + Hash/CryptSm3Null.c + Hash/CryptParallelHashNull.c + Hmac/CryptHmacSha256Null.c + Kdf/CryptHkdfNull.c + Cipher/CryptAesNull.c + Pk/CryptRsaBasicNull.c + Pk/CryptRsaExtNull.c + Pk/CryptPkcs1OaepNull.c + Pk/CryptPkcs5Pbkdf2Null.c + Pk/CryptPkcs7SignNull.c + Pk/CryptPkcs7VerifyNull.c + Pk/CryptPkcs7VerifyEkuNull.c + Pk/CryptDhNull.c + Pk/CryptX509Null.c + Pk/CryptAuthenticodeNull.c + Pk/CryptTsNull.c + Pem/CryptPemNull.c + Rand/CryptRandNull.c + Pk/CryptRsaPssNull.c + Pk/CryptRsaPssSignNull.c + + SysCall/CrtWrapper.c + SysCall/ConstantTimeClock.c + SysCall/BaseMemAllocation.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + DebugLib + OpensslLib + IntrinsicLib + +# +# Remove these [BuildOptions] after this library is cleaned up +# +[BuildOptions] + # + # suppress the following warnings so we do not break the build with warnings-as-errors: + # C4090: 'function' : different 'const' qualifiers + # C4718: 'function call' : recursive call has no side effects, deleting + # + MSFT:*_*_*_CC_FLAGS = /wd4090 /wd4718 + + # -JCryptoPkg/Include : To disable the use of the system includes provided by RVCT + # --diag_remark=1 : Reduce severity of "#1-D: last line of file ends without a newline" + RVCT:*_*_ARM_CC_FLAGS = -JCryptoPkg/Include --diag_remark=1 + + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types + + XCODE:*_*_*_CC_FLAGS = -std=c99 -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 2/9] CryptoPkg: Add SecCryptLib 2022-04-17 23:59 ` [PATCH V3 2/9] CryptoPkg: Add SecCryptLib Min Xu @ 2022-04-18 15:31 ` Michael D Kinney 2022-04-19 11:45 ` Min Xu 0 siblings, 1 reply; 27+ messages in thread From: Michael D Kinney @ 2022-04-18 15:31 UTC (permalink / raw) To: devel@edk2.groups.io, Xu, Min M, Kinney, Michael D Cc: Yao, Jiewen, Wang, Jian J, Lu, Xiaoyu1, Jiang, Guomin, Gerd Hoffmann Hi, Did you evaluate the use of the following PCD to make an SEC version? ## Enable/Disable the families and individual services produced by the # EDK II Crypto Protocols/PPIs. The default is all services disabled. # This Structured PCD is associated with PCD_CRYPTO_SERVICE_FAMILY_ENABLE # structure that is defined in Include/Pcd/PcdCryptoServiceFamilyEnable.h. # @Prompt Enable/Disable EDK II Crypto Protocol/PPI services gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable|{0x00}|PCD_CRYPTO_SERVICE_FAMILY_ENABLE|0x00000002 { <Packages> CryptoPkg/CryptoPkg.dec <HeaderFiles> Pcd/PcdCryptoServiceFamilyEnable.h } CryptoPkg.dsc has different PCD settings for different FW phases to configure only the crypto services required in each phase. You can extend for SEC. Here is the setting for the minimum for PEI phase. !if $(CRYPTO_SERVICES) == MIN_PEI gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE !endif The complete set of settings is isn the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure: https://github.com/tianocore/edk2/blob/master/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h Mike > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Min Xu > Sent: Sunday, April 17, 2022 5:00 PM > To: devel@edk2.groups.io > Cc: Xu, Min M <min.m.xu@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 > <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>; Gerd Hoffmann <kraxel@redhat.com> > Subject: [edk2-devel] [PATCH V3 2/9] CryptoPkg: Add SecCryptLib > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > This is the Cryptographic library instance for SEC. The motivation of > this library is to support SHA384 in SEC phase for Td guest. So only > Hash/CryptSha512.c is included which supports SHA384 and SHA512. Other > cryptographics are added with the null version, such as CryptMd5Null.c. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Jian J Wang <jian.j.wang@intel.com> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > Cc: Guomin Jiang <guomin.jiang@intel.com> > Cc: Gerd Hoffmann <kraxel@redhat.com> > Signed-off-by: Min Xu <min.m.xu@intel.com> > --- > CryptoPkg/CryptoPkg.dsc | 4 + > .../Library/BaseCryptLib/Hash/CryptMd5Null.c | 163 +++++++++++++++++ > .../Library/BaseCryptLib/Hash/CryptSha1Null.c | 166 ++++++++++++++++++ > .../BaseCryptLib/Hash/CryptSha256Null.c | 162 +++++++++++++++++ > .../Library/BaseCryptLib/Hash/CryptSm3Null.c | 164 +++++++++++++++++ > .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c | 152 ++++++++++++++++ > .../BaseCryptLib/Pk/CryptRsaBasicNull.c | 121 +++++++++++++ > .../Library/BaseCryptLib/SecCryptLib.inf | 91 ++++++++++ > 8 files changed, 1023 insertions(+) > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > > diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc > index 0aa72ed87846..b814e9616454 100644 > --- a/CryptoPkg/CryptoPkg.dsc > +++ b/CryptoPkg/CryptoPkg.dsc > @@ -109,6 +109,9 @@ > [LibraryClasses.ARM] > ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf > > +[LibraryClasses.common.SEC] > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > + > [LibraryClasses.common.PEIM] > PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf > ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf > @@ -236,6 +239,7 @@ > !if $(CRYPTO_SERVICES) == PACKAGE > [Components] > CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > + CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > new file mode 100644 > index 000000000000..893a2302a6de > --- /dev/null > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > @@ -0,0 +1,163 @@ > +/** @file > + > +MD5 Digest Wrapper Null Implementation. > + > +Copyright (c) Microsoft Corporation. All rights reserved. > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "InternalCryptLib.h" > + > +/** > + Retrieves the size, in bytes, of the context buffer required for MD5 hash operations. > + > + @return The size, in bytes, of the context buffer required for MD5 hash operations. > + > +**/ > +UINTN > +EFIAPI > +Md5GetContextSize ( > + VOID > + ) > +{ > + ASSERT (FALSE); > + return 0; > +} > + > +/** > + Initializes user-supplied memory pointed by Md5Context as MD5 hash context for > + subsequent use. > + > + If Md5Context is NULL, then return FALSE. > + > + @param[out] Md5Context Pointer to MD5 context being initialized. > + > + @retval TRUE MD5 context initialization succeeded. > + @retval FALSE MD5 context initialization failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Md5Init ( > + OUT VOID *Md5Context > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Makes a copy of an existing MD5 context. > + > + If Md5Context is NULL, then return FALSE. > + If NewMd5Context is NULL, then return FALSE. > + > + @param[in] Md5Context Pointer to MD5 context being copied. > + @param[out] NewMd5Context Pointer to new MD5 context. > + > + @retval TRUE MD5 context copy succeeded. > + @retval FALSE MD5 context copy failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Md5Duplicate ( > + IN CONST VOID *Md5Context, > + OUT VOID *NewMd5Context > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Digests the input data and updates MD5 context. > + > + This function performs MD5 digest on a data buffer of the specified size. > + It can be called multiple times to compute the digest of long or discontinuous data streams. > + MD5 context should be already correctly intialized by Md5Init(), and should not be finalized > + by Md5Final(). Behavior with invalid context is undefined. > + > + If Md5Context is NULL, then return FALSE. > + > + @param[in, out] Md5Context Pointer to the MD5 context. > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + > + @retval TRUE MD5 data digest succeeded. > + @retval FALSE MD5 data digest failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Md5Update ( > + IN OUT VOID *Md5Context, > + IN CONST VOID *Data, > + IN UINTN DataSize > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Completes computation of the MD5 digest value. > + > + This function completes MD5 hash computation and retrieves the digest value into > + the specified memory. After this function has been called, the MD5 context cannot > + be used again. > + MD5 context should be already correctly intialized by Md5Init(), and should not be > + finalized by Md5Final(). Behavior with invalid MD5 context is undefined. > + > + If Md5Context is NULL, then return FALSE. > + If HashValue is NULL, then return FALSE. > + > + @param[in, out] Md5Context Pointer to the MD5 context. > + @param[out] HashValue Pointer to a buffer that receives the MD5 digest > + value (16 bytes). > + > + @retval TRUE MD5 digest computation succeeded. > + @retval FALSE MD5 digest computation failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Md5Final ( > + IN OUT VOID *Md5Context, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > +Computes the MD5 message digest of a input data buffer. > + > +This function performs the MD5 message digest of a given data buffer, and places > +the digest value into the specified memory. > + > +If this interface is not supported, then return FALSE. > + > +@param[in] Data Pointer to the buffer containing the data to be hashed. > +@param[in] DataSize Size of Data buffer in bytes. > +@param[out] HashValue Pointer to a buffer that receives the MD5 digest > +value (16 bytes). > + > +@retval TRUE MD5 digest computation succeeded. > +@retval FALSE MD5 digest computation failed. > +@retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Md5HashAll ( > + IN CONST VOID *Data, > + IN UINTN DataSize, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > new file mode 100644 > index 000000000000..d9b4610af0e0 > --- /dev/null > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > @@ -0,0 +1,166 @@ > +/** @file > + SHA-1 Digest Wrapper Null Implementation. > + > +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "InternalCryptLib.h" > + > +/** > + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash operations. > + > + @return The size, in bytes, of the context buffer required for SHA-1 hash operations. > + > +**/ > +UINTN > +EFIAPI > +Sha1GetContextSize ( > + VOID > + ) > +{ > + // > + // Retrieves SHA Context Size > + // > + ASSERT (FALSE); > + return 0; > +} > + > +/** > + Initializes user-supplied memory pointed by Sha1Context as SHA-1 hash context for > + subsequent use. > + > + If Sha1Context is NULL, then return FALSE. > + > + @param[out] Sha1Context Pointer to SHA-1 context being initialized. > + > + @retval TRUE SHA-1 context initialization succeeded. > + @retval FALSE SHA-1 context initialization failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha1Init ( > + OUT VOID *Sha1Context > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Makes a copy of an existing SHA-1 context. > + > + If Sha1Context is NULL, then return FALSE. > + If NewSha1Context is NULL, then return FALSE. > + > + @param[in] Sha1Context Pointer to SHA-1 context being copied. > + @param[out] NewSha1Context Pointer to new SHA-1 context. > + > + @retval TRUE SHA-1 context copy succeeded. > + @retval FALSE SHA-1 context copy failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha1Duplicate ( > + IN CONST VOID *Sha1Context, > + OUT VOID *NewSha1Context > + ) > +{ > + ASSERT (FALSE); > + > + return FALSE; > +} > + > +/** > + Digests the input data and updates SHA-1 context. > + > + This function performs SHA-1 digest on a data buffer of the specified size. > + It can be called multiple times to compute the digest of long or discontinuous data streams. > + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be finalized > + by Sha1Final(). Behavior with invalid context is undefined. > + > + If Sha1Context is NULL, then return FALSE. > + > + @param[in, out] Sha1Context Pointer to the SHA-1 context. > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + > + @retval TRUE SHA-1 data digest succeeded. > + @retval FALSE SHA-1 data digest failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha1Update ( > + IN OUT VOID *Sha1Context, > + IN CONST VOID *Data, > + IN UINTN DataSize > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Completes computation of the SHA-1 digest value. > + > + This function completes SHA-1 hash computation and retrieves the digest value into > + the specified memory. After this function has been called, the SHA-1 context cannot > + be used again. > + SHA-1 context should be already correctly initialized by Sha1Init(), and should not be > + finalized by Sha1Final(). Behavior with invalid SHA-1 context is undefined. > + > + If Sha1Context is NULL, then return FALSE. > + If HashValue is NULL, then return FALSE. > + > + @param[in, out] Sha1Context Pointer to the SHA-1 context. > + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest > + value (20 bytes). > + > + @retval TRUE SHA-1 digest computation succeeded. > + @retval FALSE SHA-1 digest computation failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha1Final ( > + IN OUT VOID *Sha1Context, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Computes the SHA-1 message digest of a input data buffer. > + > + This function performs the SHA-1 message digest of a given data buffer, and places > + the digest value into the specified memory. > + > + If this interface is not supported, then return FALSE. > + > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + @param[out] HashValue Pointer to a buffer that receives the SHA-1 digest > + value (20 bytes). > + > + @retval TRUE SHA-1 digest computation succeeded. > + @retval FALSE SHA-1 digest computation failed. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha1HashAll ( > + IN CONST VOID *Data, > + IN UINTN DataSize, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > new file mode 100644 > index 000000000000..cf994e8e0664 > --- /dev/null > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > @@ -0,0 +1,162 @@ > +/** @file > + SHA-256 Digest Wrapper Null Implementation. > + > +Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "InternalCryptLib.h" > + > +/** > + Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations. > + > + @return The size, in bytes, of the context buffer required for SHA-256 hash operations. > + > +**/ > +UINTN > +EFIAPI > +Sha256GetContextSize ( > + VOID > + ) > +{ > + ASSERT (FALSE); > + return 0; > +} > + > +/** > + Initializes user-supplied memory pointed by Sha256Context as SHA-256 hash context for > + subsequent use. > + > + If Sha256Context is NULL, then return FALSE. > + > + @param[out] Sha256Context Pointer to SHA-256 context being initialized. > + > + @retval TRUE SHA-256 context initialization succeeded. > + @retval FALSE SHA-256 context initialization failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha256Init ( > + OUT VOID *Sha256Context > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Makes a copy of an existing SHA-256 context. > + > + If Sha256Context is NULL, then return FALSE. > + If NewSha256Context is NULL, then return FALSE. > + > + @param[in] Sha256Context Pointer to SHA-256 context being copied. > + @param[out] NewSha256Context Pointer to new SHA-256 context. > + > + @retval TRUE SHA-256 context copy succeeded. > + @retval FALSE SHA-256 context copy failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha256Duplicate ( > + IN CONST VOID *Sha256Context, > + OUT VOID *NewSha256Context > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Digests the input data and updates SHA-256 context. > + > + This function performs SHA-256 digest on a data buffer of the specified size. > + It can be called multiple times to compute the digest of long or discontinuous data streams. > + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be finalized > + by Sha256Final(). Behavior with invalid context is undefined. > + > + If Sha256Context is NULL, then return FALSE. > + > + @param[in, out] Sha256Context Pointer to the SHA-256 context. > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + > + @retval TRUE SHA-256 data digest succeeded. > + @retval FALSE SHA-256 data digest failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha256Update ( > + IN OUT VOID *Sha256Context, > + IN CONST VOID *Data, > + IN UINTN DataSize > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Completes computation of the SHA-256 digest value. > + > + This function completes SHA-256 hash computation and retrieves the digest value into > + the specified memory. After this function has been called, the SHA-256 context cannot > + be used again. > + SHA-256 context should be already correctly initialized by Sha256Init(), and should not be > + finalized by Sha256Final(). Behavior with invalid SHA-256 context is undefined. > + > + If Sha256Context is NULL, then return FALSE. > + If HashValue is NULL, then return FALSE. > + > + @param[in, out] Sha256Context Pointer to the SHA-256 context. > + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest > + value (32 bytes). > + > + @retval TRUE SHA-256 digest computation succeeded. > + @retval FALSE SHA-256 digest computation failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha256Final ( > + IN OUT VOID *Sha256Context, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Computes the SHA-256 message digest of a input data buffer. > + > + This function performs the SHA-256 message digest of a given data buffer, and places > + the digest value into the specified memory. > + > + If this interface is not supported, then return FALSE. > + > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + @param[out] HashValue Pointer to a buffer that receives the SHA-256 digest > + value (32 bytes). > + > + @retval TRUE SHA-256 digest computation succeeded. > + @retval FALSE SHA-256 digest computation failed. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Sha256HashAll ( > + IN CONST VOID *Data, > + IN UINTN DataSize, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > new file mode 100644 > index 000000000000..0f3c89b46517 > --- /dev/null > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > @@ -0,0 +1,164 @@ > +/** @file > + SM3 Digest Wrapper Null Implementation. > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "InternalCryptLib.h" > + > +/** > + Retrieves the size, in bytes, of the context buffer required for SM3 hash operations. > + > + @return The size, in bytes, of the context buffer required for SM3 hash operations. > + > +**/ > +UINTN > +EFIAPI > +Sm3GetContextSize ( > + VOID > + ) > +{ > + ASSERT (FALSE); > + return 0; > +} > + > +/** > + Initializes user-supplied memory pointed by Sm3Context as SM3 hash context for > + subsequent use. > + > + If Sm3Context is NULL, then return FALSE. > + > + @param[out] Sm3Context Pointer to SM3 context being initialized. > + > + @retval TRUE SM3 context initialization succeeded. > + @retval FALSE SM3 context initialization failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sm3Init ( > + OUT VOID *Sm3Context > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Makes a copy of an existing SM3 context. > + > + If Sm3Context is NULL, then return FALSE. > + If NewSm3Context is NULL, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] Sm3Context Pointer to SM3 context being copied. > + @param[out] NewSm3Context Pointer to new SM3 context. > + > + @retval TRUE SM3 context copy succeeded. > + @retval FALSE SM3 context copy failed. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Sm3Duplicate ( > + IN CONST VOID *Sm3Context, > + OUT VOID *NewSm3Context > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Digests the input data and updates SM3 context. > + > + This function performs SM3 digest on a data buffer of the specified size. > + It can be called multiple times to compute the digest of long or discontinuous data streams. > + SM3 context should be already correctly initialized by Sm3Init(), and should not be finalized > + by Sm3Final(). Behavior with invalid context is undefined. > + > + If Sm3Context is NULL, then return FALSE. > + > + @param[in, out] Sm3Context Pointer to the SM3 context. > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + > + @retval TRUE SM3 data digest succeeded. > + @retval FALSE SM3 data digest failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sm3Update ( > + IN OUT VOID *Sm3Context, > + IN CONST VOID *Data, > + IN UINTN DataSize > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Completes computation of the SM3 digest value. > + > + This function completes SM3 hash computation and retrieves the digest value into > + the specified memory. After this function has been called, the SM3 context cannot > + be used again. > + SM3 context should be already correctly initialized by Sm3Init(), and should not be > + finalized by Sm3Final(). Behavior with invalid SM3 context is undefined. > + > + If Sm3Context is NULL, then return FALSE. > + If HashValue is NULL, then return FALSE. > + > + @param[in, out] Sm3Context Pointer to the SM3 context. > + @param[out] HashValue Pointer to a buffer that receives the SM3 digest > + value (32 bytes). > + > + @retval TRUE SM3 digest computation succeeded. > + @retval FALSE SM3 digest computation failed. > + > +**/ > +BOOLEAN > +EFIAPI > +Sm3Final ( > + IN OUT VOID *Sm3Context, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Computes the SM3 message digest of a input data buffer. > + > + This function performs the SM3 message digest of a given data buffer, and places > + the digest value into the specified memory. > + > + If this interface is not supported, then return FALSE. > + > + @param[in] Data Pointer to the buffer containing the data to be hashed. > + @param[in] DataSize Size of Data buffer in bytes. > + @param[out] HashValue Pointer to a buffer that receives the SM3 digest > + value (32 bytes). > + > + @retval TRUE SM3 digest computation succeeded. > + @retval FALSE SM3 digest computation failed. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Sm3HashAll ( > + IN CONST VOID *Data, > + IN UINTN DataSize, > + OUT UINT8 *HashValue > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > new file mode 100644 > index 000000000000..c1d9837c5129 > --- /dev/null > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > @@ -0,0 +1,152 @@ > +/** @file > + PKCS7 Verify Null implementation. > + > + Copyright (C) Microsoft Corporation. All Rights Reserved. > + Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "InternalCryptLib.h" > + > +/** > + This function will return the leaf signer certificate in a chain. This is > + required because certificate chains are not guaranteed to have the > + certificates in the order that they were issued. > + > + A typical certificate chain looks like this: > + > + > + ---------------------------- > + | Root | > + ---------------------------- > + ^ > + | > + ---------------------------- > + | Policy CA | <-- Typical Trust Anchor. > + ---------------------------- > + ^ > + | > + ---------------------------- > + | Issuing CA | > + ---------------------------- > + ^ > + | > + ----------------------------- > + / End-Entity (leaf) signer / <-- Bottom certificate. > + ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1" > + (Firmware Signing) > + > + > + @param[in] CertChain Certificate chain. > + > + @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures, > + this will be the end-entity (leaf) signer cert. > + > + @retval EFI_SUCCESS The required EKUs were found in the signature. > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > + @retval EFI_NOT_FOUND The number of signers found was not 1. > + > +**/ > +EFI_STATUS > +GetSignerCertificate ( > + IN CONST VOID *CertChain, > + OUT VOID **SignerCert > + ) > +{ > + ASSERT (FALSE); > + return EFI_NOT_READY; > +} > + > +/** > + Determines if the specified EKU represented in ASN1 form is present > + in a given certificate. > + > + @param[in] Cert The certificate to check. > + > + @param[in] Asn1ToFind The EKU to look for. > + > + @retval EFI_SUCCESS We successfully identified the signing type. > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. > + > +**/ > +EFI_STATUS > +IsEkuInCertificate ( > + IN CONST VOID *Cert, > + IN VOID *Asn1ToFind > + ) > +{ > + ASSERT (FALSE); > + return EFI_NOT_READY; > +} > + > +/** > + Determines if the specified EKUs are present in a signing certificate. > + > + @param[in] SignerCert The certificate to check. > + @param[in] RequiredEKUs The EKUs to look for. > + @param[in] RequiredEKUsSize The number of EKUs > + @param[in] RequireAllPresent If TRUE, then all the specified EKUs > + must be present in the certificate. > + > + @retval EFI_SUCCESS We successfully identified the signing type. > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. > +**/ > +EFI_STATUS > +CheckEKUs ( > + IN CONST VOID *SignerCert, > + IN CONST CHAR8 *RequiredEKUs[], > + IN CONST UINT32 RequiredEKUsSize, > + IN BOOLEAN RequireAllPresent > + ) > +{ > + ASSERT (FALSE); > + return EFI_NOT_READY; > +} > + > +/** > + This function receives a PKCS#7 formatted signature blob, > + looks for the EKU SEQUENCE blob, and if found then looks > + for all the required EKUs. This function was created so that > + the Surface team can cut down on the number of Certificate > + Authorities (CA's) by checking EKU's on leaf signers for > + a specific product. This prevents one product's certificate > + from signing another product's firmware or unlock blobs. > + > + Note that this function does not validate the certificate chain. > + That needs to be done before using this function. > + > + @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array > + containing the content block with both the signature, > + the signer's certificate, and any necessary intermediate > + certificates. > + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. > + @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of > + required EKUs that must be present in the signature. > + @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. > + @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's > + must be present in the leaf signer. If it is > + FALSE, then we will succeed if we find any > + of the specified EKU's. > + > + @retval EFI_SUCCESS The required EKUs were found in the signature. > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > + @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. > + > +**/ > +EFI_STATUS > +EFIAPI > +VerifyEKUsInPkcs7Signature ( > + IN CONST UINT8 *Pkcs7Signature, > + IN CONST UINT32 SignatureSize, > + IN CONST CHAR8 *RequiredEKUs[], > + IN CONST UINT32 RequiredEKUsSize, > + IN BOOLEAN RequireAllPresent > + ) > +{ > + ASSERT (FALSE); > + return EFI_NOT_READY; > +} > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > new file mode 100644 > index 000000000000..fd352e32dd93 > --- /dev/null > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > @@ -0,0 +1,121 @@ > +/** @file > + RSA Asymmetric Cipher Wrapper Null Implementation. > + > + This file implements following APIs which provide basic capabilities for RSA: > + 1) RsaNew > + 2) RsaFree > + 3) RsaSetKey > + 4) RsaPkcs1Verify > + > +Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "InternalCryptLib.h" > + > +/** > + Allocates and initializes one RSA context for subsequent use. > + > + @return Pointer to the RSA context that has been initialized. > + If the allocations fails, RsaNew() returns NULL. > + > +**/ > +VOID * > +EFIAPI > +RsaNew ( > + VOID > + ) > +{ > + // > + // Allocates & Initializes RSA Context > + // > + ASSERT (FALSE); > + return NULL; > +} > + > +/** > + Release the specified RSA context. > + > + @param[in] RsaContext Pointer to the RSA context to be released. > + > +**/ > +VOID > +EFIAPI > +RsaFree ( > + IN VOID *RsaContext > + ) > +{ > + // > + // Free RSA Context > + // > + ASSERT (FALSE); > +} > + > +/** > + Sets the tag-designated key component into the established RSA context. > + > + This function sets the tag-designated RSA key component into the established > + RSA context from the user-specified non-negative integer (octet string format > + represented in RSA PKCS#1). > + If BigNumber is NULL, then the specified key component in RSA context is cleared. > + > + If RsaContext is NULL, then return FALSE. > + > + @param[in, out] RsaContext Pointer to RSA context being set. > + @param[in] KeyTag Tag of RSA key component being set. > + @param[in] BigNumber Pointer to octet integer buffer. > + If NULL, then the specified key component in RSA > + context is cleared. > + @param[in] BnSize Size of big number buffer in bytes. > + If BigNumber is NULL, then it is ignored. > + > + @retval TRUE RSA key component was set successfully. > + @retval FALSE Invalid RSA key component tag. > + > +**/ > +BOOLEAN > +EFIAPI > +RsaSetKey ( > + IN OUT VOID *RsaContext, > + IN RSA_KEY_TAG KeyTag, > + IN CONST UINT8 *BigNumber, > + IN UINTN BnSize > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > + > +/** > + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in > + RSA PKCS#1. > + > + If RsaContext is NULL, then return FALSE. > + If MessageHash is NULL, then return FALSE. > + If Signature is NULL, then return FALSE. > + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE. > + > + @param[in] RsaContext Pointer to RSA context for signature verification. > + @param[in] MessageHash Pointer to octet message hash to be checked. > + @param[in] HashSize Size of the message hash in bytes. > + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified. > + @param[in] SigSize Size of signature in bytes. > + > + @retval TRUE Valid signature encoded in PKCS1-v1_5. > + @retval FALSE Invalid signature or invalid RSA context. > + > +**/ > +BOOLEAN > +EFIAPI > +RsaPkcs1Verify ( > + IN VOID *RsaContext, > + IN CONST UINT8 *MessageHash, > + IN UINTN HashSize, > + IN CONST UINT8 *Signature, > + IN UINTN SigSize > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > diff --git a/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > new file mode 100644 > index 000000000000..070b44447e74 > --- /dev/null > +++ b/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > @@ -0,0 +1,91 @@ > +## @file > +# Cryptographic Library Instance for SEC. > +# > +# Caution: This module requires additional review when modified. > +# This library will have external input - signature. > +# This external input must be validated carefully to avoid security issues such as > +# buffer overflow or integer overflow. > +# > +# Copyright (c) 2021, Intel Corporation. All rights reserved.<BR> > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = SecCryptLib > + FILE_GUID = 3689D343-0D32-4284-8053-BF10537990E8 > + MODULE_TYPE = BASE > + VERSION_STRING = 1.0 > + LIBRARY_CLASS = BaseCryptLib|SEC > + > +# > +# The following information is for reference only and not required by the build tools. > +# > +# VALID_ARCHITECTURES = IA32 X64 > +# > + > +[Sources] > + InternalCryptLib.h > + Hash/CryptSha512.c > + > + Hash/CryptMd5Null.c > + Hash/CryptSha1Null.c > + Hash/CryptSha256Null.c > + Hash/CryptSm3Null.c > + Hash/CryptParallelHashNull.c > + Hmac/CryptHmacSha256Null.c > + Kdf/CryptHkdfNull.c > + Cipher/CryptAesNull.c > + Pk/CryptRsaBasicNull.c > + Pk/CryptRsaExtNull.c > + Pk/CryptPkcs1OaepNull.c > + Pk/CryptPkcs5Pbkdf2Null.c > + Pk/CryptPkcs7SignNull.c > + Pk/CryptPkcs7VerifyNull.c > + Pk/CryptPkcs7VerifyEkuNull.c > + Pk/CryptDhNull.c > + Pk/CryptX509Null.c > + Pk/CryptAuthenticodeNull.c > + Pk/CryptTsNull.c > + Pem/CryptPemNull.c > + Rand/CryptRandNull.c > + Pk/CryptRsaPssNull.c > + Pk/CryptRsaPssSignNull.c > + > + SysCall/CrtWrapper.c > + SysCall/ConstantTimeClock.c > + SysCall/BaseMemAllocation.c > + > +[Packages] > + MdePkg/MdePkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + MemoryAllocationLib > + DebugLib > + OpensslLib > + IntrinsicLib > + > +# > +# Remove these [BuildOptions] after this library is cleaned up > +# > +[BuildOptions] > + # > + # suppress the following warnings so we do not break the build with warnings-as-errors: > + # C4090: 'function' : different 'const' qualifiers > + # C4718: 'function call' : recursive call has no side effects, deleting > + # > + MSFT:*_*_*_CC_FLAGS = /wd4090 /wd4718 > + > + # -JCryptoPkg/Include : To disable the use of the system includes provided by RVCT > + # --diag_remark=1 : Reduce severity of "#1-D: last line of file ends without a newline" > + RVCT:*_*_ARM_CC_FLAGS = -JCryptoPkg/Include --diag_remark=1 > + > + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 > + GCC:*_CLANG38_*_CC_FLAGS = -std=c99 > + GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 -Wno-error=incompatible-pointer-types > + > + XCODE:*_*_*_CC_FLAGS = -std=c99 > -- > 2.29.2.windows.2 > > > > > ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 2/9] CryptoPkg: Add SecCryptLib 2022-04-18 15:31 ` [edk2-devel] " Michael D Kinney @ 2022-04-19 11:45 ` Min Xu 0 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-19 11:45 UTC (permalink / raw) To: Kinney, Michael D, devel@edk2.groups.io Cc: Yao, Jiewen, Wang, Jian J, Lu, Xiaoyu1, Jiang, Guomin, Gerd Hoffmann Hi, Michael I carefully think about your comments and study the PCD. This PCD is to enable/disable families and individual services produced by the EDK2 crypto Protocols/PPIs. SecCryptoLib is designed to be called in SEC phase and there is no Protocol/PPIs in SEC phase. Shall we still use the PCD to make an SEC version like below? (Currently only SHA384 is needed) !if $(CRYPTO_SERVICES) == MIN_SEC gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY !endif Thanks Min > -----Original Message----- > From: Kinney, Michael D <michael.d.kinney@intel.com> > Sent: Monday, April 18, 2022 11:32 PM > To: devel@edk2.groups.io; Xu, Min M <min.m.xu@intel.com>; Kinney, > Michael D <michael.d.kinney@intel.com> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J > <jian.j.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, > Guomin <guomin.jiang@intel.com>; Gerd Hoffmann <kraxel@redhat.com> > Subject: RE: [edk2-devel] [PATCH V3 2/9] CryptoPkg: Add SecCryptLib > > Hi, > > Did you evaluate the use of the following PCD to make an SEC version? > > ## Enable/Disable the families and individual services produced by the > # EDK II Crypto Protocols/PPIs. The default is all services disabled. > # This Structured PCD is associated with > PCD_CRYPTO_SERVICE_FAMILY_ENABLE > # structure that is defined in Include/Pcd/PcdCryptoServiceFamilyEnable.h. > # @Prompt Enable/Disable EDK II Crypto Protocol/PPI services > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable|{0x00}|PCD_ > CRYPTO_SERVICE_FAMILY_ENABLE|0x00000002 { > <Packages> > CryptoPkg/CryptoPkg.dec > <HeaderFiles> > Pcd/PcdCryptoServiceFamilyEnable.h > } > > > CryptoPkg.dsc has different PCD settings for different FW phases to configure > only the crypto services required in each phase. You can extend for SEC. > Here is the setting for the minimum for PEI phase. > > !if $(CRYPTO_SERVICES) == MIN_PEI > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256. > Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Famil > y | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Famil > y | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Famil > y | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services. > Pkcs1Verify | TRUE > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services. > New | TRUE > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.F > ree | TRUE > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.S > etKey | TRUE > > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services. > Pkcs5HashPassword | TRUE !endif > > The complete set of settings is isn the > PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure: > > https://github.com/tianocore/edk2/blob/master/CryptoPkg/Include > /Pcd/PcdCryptoServiceFamilyEnable.h > > Mike > > > -----Original Message----- > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Min > Xu > > Sent: Sunday, April 17, 2022 5:00 PM > > To: devel@edk2.groups.io > > Cc: Xu, Min M <min.m.xu@intel.com>; Yao, Jiewen > > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Lu, > > Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin > > <guomin.jiang@intel.com>; Gerd Hoffmann <kraxel@redhat.com> > > Subject: [edk2-devel] [PATCH V3 2/9] CryptoPkg: Add SecCryptLib > > > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > > > This is the Cryptographic library instance for SEC. The motivation of > > this library is to support SHA384 in SEC phase for Td guest. So only > > Hash/CryptSha512.c is included which supports SHA384 and SHA512. > Other > > cryptographics are added with the null version, such as CryptMd5Null.c. > > > > Cc: Jiewen Yao <jiewen.yao@intel.com> > > Cc: Jian J Wang <jian.j.wang@intel.com> > > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > > Cc: Guomin Jiang <guomin.jiang@intel.com> > > Cc: Gerd Hoffmann <kraxel@redhat.com> > > Signed-off-by: Min Xu <min.m.xu@intel.com> > > --- > > CryptoPkg/CryptoPkg.dsc | 4 + > > .../Library/BaseCryptLib/Hash/CryptMd5Null.c | 163 +++++++++++++++++ > > .../Library/BaseCryptLib/Hash/CryptSha1Null.c | 166 ++++++++++++++++++ > > .../BaseCryptLib/Hash/CryptSha256Null.c | 162 +++++++++++++++++ > > .../Library/BaseCryptLib/Hash/CryptSm3Null.c | 164 +++++++++++++++++ > > .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c | 152 ++++++++++++++++ > > .../BaseCryptLib/Pk/CryptRsaBasicNull.c | 121 +++++++++++++ > > .../Library/BaseCryptLib/SecCryptLib.inf | 91 ++++++++++ > > 8 files changed, 1023 insertions(+) > > create mode 100644 > CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > > create mode 100644 > > CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > > create mode 100644 > > CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > > create mode 100644 > CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > > create mode 100644 > > CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > > create mode 100644 > > CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > > create mode 100644 CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > > > > diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index > > 0aa72ed87846..b814e9616454 100644 > > --- a/CryptoPkg/CryptoPkg.dsc > > +++ b/CryptoPkg/CryptoPkg.dsc > > @@ -109,6 +109,9 @@ > > [LibraryClasses.ARM] > > ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf > > > > +[LibraryClasses.common.SEC] > > + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > > + > > [LibraryClasses.common.PEIM] > > PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf > > > > > ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiR > ep > > ortStatusCodeLib.inf > > @@ -236,6 +239,7 @@ > > !if $(CRYPTO_SERVICES) == PACKAGE > > [Components] > > CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > > + CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > > CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > > CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > > b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > > new file mode 100644 > > index 000000000000..893a2302a6de > > --- /dev/null > > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > > @@ -0,0 +1,163 @@ > > +/** @file > > + > > +MD5 Digest Wrapper Null Implementation. > > + > > +Copyright (c) Microsoft Corporation. All rights reserved. > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#include "InternalCryptLib.h" > > + > > +/** > > + Retrieves the size, in bytes, of the context buffer required for MD5 hash > operations. > > + > > + @return The size, in bytes, of the context buffer required for MD5 hash > operations. > > + > > +**/ > > +UINTN > > +EFIAPI > > +Md5GetContextSize ( > > + VOID > > + ) > > +{ > > + ASSERT (FALSE); > > + return 0; > > +} > > + > > +/** > > + Initializes user-supplied memory pointed by Md5Context as MD5 hash > > +context for > > + subsequent use. > > + > > + If Md5Context is NULL, then return FALSE. > > + > > + @param[out] Md5Context Pointer to MD5 context being initialized. > > + > > + @retval TRUE MD5 context initialization succeeded. > > + @retval FALSE MD5 context initialization failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Md5Init ( > > + OUT VOID *Md5Context > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Makes a copy of an existing MD5 context. > > + > > + If Md5Context is NULL, then return FALSE. > > + If NewMd5Context is NULL, then return FALSE. > > + > > + @param[in] Md5Context Pointer to MD5 context being copied. > > + @param[out] NewMd5Context Pointer to new MD5 context. > > + > > + @retval TRUE MD5 context copy succeeded. > > + @retval FALSE MD5 context copy failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Md5Duplicate ( > > + IN CONST VOID *Md5Context, > > + OUT VOID *NewMd5Context > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Digests the input data and updates MD5 context. > > + > > + This function performs MD5 digest on a data buffer of the specified size. > > + It can be called multiple times to compute the digest of long or > discontinuous data streams. > > + MD5 context should be already correctly intialized by Md5Init(), > > + and should not be finalized by Md5Final(). Behavior with invalid context > is undefined. > > + > > + If Md5Context is NULL, then return FALSE. > > + > > + @param[in, out] Md5Context Pointer to the MD5 context. > > + @param[in] Data Pointer to the buffer containing the data to be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + > > + @retval TRUE MD5 data digest succeeded. > > + @retval FALSE MD5 data digest failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Md5Update ( > > + IN OUT VOID *Md5Context, > > + IN CONST VOID *Data, > > + IN UINTN DataSize > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Completes computation of the MD5 digest value. > > + > > + This function completes MD5 hash computation and retrieves the > > + digest value into the specified memory. After this function has > > + been called, the MD5 context cannot be used again. > > + MD5 context should be already correctly intialized by Md5Init(), > > + and should not be finalized by Md5Final(). Behavior with invalid MD5 > context is undefined. > > + > > + If Md5Context is NULL, then return FALSE. > > + If HashValue is NULL, then return FALSE. > > + > > + @param[in, out] Md5Context Pointer to the MD5 context. > > + @param[out] HashValue Pointer to a buffer that receives the MD5 > digest > > + value (16 bytes). > > + > > + @retval TRUE MD5 digest computation succeeded. > > + @retval FALSE MD5 digest computation failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Md5Final ( > > + IN OUT VOID *Md5Context, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > +Computes the MD5 message digest of a input data buffer. > > + > > +This function performs the MD5 message digest of a given data buffer, > > +and places the digest value into the specified memory. > > + > > +If this interface is not supported, then return FALSE. > > + > > +@param[in] Data Pointer to the buffer containing the data to be > hashed. > > +@param[in] DataSize Size of Data buffer in bytes. > > +@param[out] HashValue Pointer to a buffer that receives the MD5 > digest > > +value (16 bytes). > > + > > +@retval TRUE MD5 digest computation succeeded. > > +@retval FALSE MD5 digest computation failed. > > +@retval FALSE This interface is not supported. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Md5HashAll ( > > + IN CONST VOID *Data, > > + IN UINTN DataSize, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > > b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > > new file mode 100644 > > index 000000000000..d9b4610af0e0 > > --- /dev/null > > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > > @@ -0,0 +1,166 @@ > > +/** @file > > + SHA-1 Digest Wrapper Null Implementation. > > + > > +Copyright (c) 2009 - 2016, Intel Corporation. All rights > > +reserved.<BR> > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#include "InternalCryptLib.h" > > + > > +/** > > + Retrieves the size, in bytes, of the context buffer required for SHA-1 hash > operations. > > + > > + @return The size, in bytes, of the context buffer required for SHA-1 hash > operations. > > + > > +**/ > > +UINTN > > +EFIAPI > > +Sha1GetContextSize ( > > + VOID > > + ) > > +{ > > + // > > + // Retrieves SHA Context Size > > + // > > + ASSERT (FALSE); > > + return 0; > > +} > > + > > +/** > > + Initializes user-supplied memory pointed by Sha1Context as SHA-1 > > +hash context for > > + subsequent use. > > + > > + If Sha1Context is NULL, then return FALSE. > > + > > + @param[out] Sha1Context Pointer to SHA-1 context being initialized. > > + > > + @retval TRUE SHA-1 context initialization succeeded. > > + @retval FALSE SHA-1 context initialization failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha1Init ( > > + OUT VOID *Sha1Context > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Makes a copy of an existing SHA-1 context. > > + > > + If Sha1Context is NULL, then return FALSE. > > + If NewSha1Context is NULL, then return FALSE. > > + > > + @param[in] Sha1Context Pointer to SHA-1 context being copied. > > + @param[out] NewSha1Context Pointer to new SHA-1 context. > > + > > + @retval TRUE SHA-1 context copy succeeded. > > + @retval FALSE SHA-1 context copy failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha1Duplicate ( > > + IN CONST VOID *Sha1Context, > > + OUT VOID *NewSha1Context > > + ) > > +{ > > + ASSERT (FALSE); > > + > > + return FALSE; > > +} > > + > > +/** > > + Digests the input data and updates SHA-1 context. > > + > > + This function performs SHA-1 digest on a data buffer of the specified size. > > + It can be called multiple times to compute the digest of long or > discontinuous data streams. > > + SHA-1 context should be already correctly initialized by > > + Sha1Init(), and should not be finalized by Sha1Final(). Behavior with > invalid context is undefined. > > + > > + If Sha1Context is NULL, then return FALSE. > > + > > + @param[in, out] Sha1Context Pointer to the SHA-1 context. > > + @param[in] Data Pointer to the buffer containing the data to be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + > > + @retval TRUE SHA-1 data digest succeeded. > > + @retval FALSE SHA-1 data digest failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha1Update ( > > + IN OUT VOID *Sha1Context, > > + IN CONST VOID *Data, > > + IN UINTN DataSize > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Completes computation of the SHA-1 digest value. > > + > > + This function completes SHA-1 hash computation and retrieves the > > + digest value into the specified memory. After this function has > > + been called, the SHA-1 context cannot be used again. > > + SHA-1 context should be already correctly initialized by > > + Sha1Init(), and should not be finalized by Sha1Final(). Behavior with > invalid SHA-1 context is undefined. > > + > > + If Sha1Context is NULL, then return FALSE. > > + If HashValue is NULL, then return FALSE. > > + > > + @param[in, out] Sha1Context Pointer to the SHA-1 context. > > + @param[out] HashValue Pointer to a buffer that receives the SHA-1 > digest > > + value (20 bytes). > > + > > + @retval TRUE SHA-1 digest computation succeeded. > > + @retval FALSE SHA-1 digest computation failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha1Final ( > > + IN OUT VOID *Sha1Context, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Computes the SHA-1 message digest of a input data buffer. > > + > > + This function performs the SHA-1 message digest of a given data > > + buffer, and places the digest value into the specified memory. > > + > > + If this interface is not supported, then return FALSE. > > + > > + @param[in] Data Pointer to the buffer containing the data to be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + @param[out] HashValue Pointer to a buffer that receives the SHA-1 > digest > > + value (20 bytes). > > + > > + @retval TRUE SHA-1 digest computation succeeded. > > + @retval FALSE SHA-1 digest computation failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha1HashAll ( > > + IN CONST VOID *Data, > > + IN UINTN DataSize, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > > b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > > new file mode 100644 > > index 000000000000..cf994e8e0664 > > --- /dev/null > > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > > @@ -0,0 +1,162 @@ > > +/** @file > > + SHA-256 Digest Wrapper Null Implementation. > > + > > +Copyright (c) 2009 - 2016, Intel Corporation. All rights > > +reserved.<BR> > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#include "InternalCryptLib.h" > > + > > +/** > > + Retrieves the size, in bytes, of the context buffer required for SHA-256 > hash operations. > > + > > + @return The size, in bytes, of the context buffer required for SHA-256 > hash operations. > > + > > +**/ > > +UINTN > > +EFIAPI > > +Sha256GetContextSize ( > > + VOID > > + ) > > +{ > > + ASSERT (FALSE); > > + return 0; > > +} > > + > > +/** > > + Initializes user-supplied memory pointed by Sha256Context as > > +SHA-256 hash context for > > + subsequent use. > > + > > + If Sha256Context is NULL, then return FALSE. > > + > > + @param[out] Sha256Context Pointer to SHA-256 context being > initialized. > > + > > + @retval TRUE SHA-256 context initialization succeeded. > > + @retval FALSE SHA-256 context initialization failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha256Init ( > > + OUT VOID *Sha256Context > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Makes a copy of an existing SHA-256 context. > > + > > + If Sha256Context is NULL, then return FALSE. > > + If NewSha256Context is NULL, then return FALSE. > > + > > + @param[in] Sha256Context Pointer to SHA-256 context being copied. > > + @param[out] NewSha256Context Pointer to new SHA-256 context. > > + > > + @retval TRUE SHA-256 context copy succeeded. > > + @retval FALSE SHA-256 context copy failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha256Duplicate ( > > + IN CONST VOID *Sha256Context, > > + OUT VOID *NewSha256Context > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Digests the input data and updates SHA-256 context. > > + > > + This function performs SHA-256 digest on a data buffer of the specified > size. > > + It can be called multiple times to compute the digest of long or > discontinuous data streams. > > + SHA-256 context should be already correctly initialized by > > + Sha256Init(), and should not be finalized by Sha256Final(). Behavior with > invalid context is undefined. > > + > > + If Sha256Context is NULL, then return FALSE. > > + > > + @param[in, out] Sha256Context Pointer to the SHA-256 context. > > + @param[in] Data Pointer to the buffer containing the data to be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + > > + @retval TRUE SHA-256 data digest succeeded. > > + @retval FALSE SHA-256 data digest failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha256Update ( > > + IN OUT VOID *Sha256Context, > > + IN CONST VOID *Data, > > + IN UINTN DataSize > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Completes computation of the SHA-256 digest value. > > + > > + This function completes SHA-256 hash computation and retrieves the > > + digest value into the specified memory. After this function has > > + been called, the SHA-256 context cannot be used again. > > + SHA-256 context should be already correctly initialized by > > + Sha256Init(), and should not be finalized by Sha256Final(). Behavior with > invalid SHA-256 context is undefined. > > + > > + If Sha256Context is NULL, then return FALSE. > > + If HashValue is NULL, then return FALSE. > > + > > + @param[in, out] Sha256Context Pointer to the SHA-256 context. > > + @param[out] HashValue Pointer to a buffer that receives the SHA- > 256 digest > > + value (32 bytes). > > + > > + @retval TRUE SHA-256 digest computation succeeded. > > + @retval FALSE SHA-256 digest computation failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha256Final ( > > + IN OUT VOID *Sha256Context, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Computes the SHA-256 message digest of a input data buffer. > > + > > + This function performs the SHA-256 message digest of a given data > > + buffer, and places the digest value into the specified memory. > > + > > + If this interface is not supported, then return FALSE. > > + > > + @param[in] Data Pointer to the buffer containing the data to be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + @param[out] HashValue Pointer to a buffer that receives the SHA-256 > digest > > + value (32 bytes). > > + > > + @retval TRUE SHA-256 digest computation succeeded. > > + @retval FALSE SHA-256 digest computation failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sha256HashAll ( > > + IN CONST VOID *Data, > > + IN UINTN DataSize, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > > b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > > new file mode 100644 > > index 000000000000..0f3c89b46517 > > --- /dev/null > > +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > > @@ -0,0 +1,164 @@ > > +/** @file > > + SM3 Digest Wrapper Null Implementation. > > + > > +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#include "InternalCryptLib.h" > > + > > +/** > > + Retrieves the size, in bytes, of the context buffer required for SM3 hash > operations. > > + > > + @return The size, in bytes, of the context buffer required for SM3 hash > operations. > > + > > +**/ > > +UINTN > > +EFIAPI > > +Sm3GetContextSize ( > > + VOID > > + ) > > +{ > > + ASSERT (FALSE); > > + return 0; > > +} > > + > > +/** > > + Initializes user-supplied memory pointed by Sm3Context as SM3 hash > > +context for > > + subsequent use. > > + > > + If Sm3Context is NULL, then return FALSE. > > + > > + @param[out] Sm3Context Pointer to SM3 context being initialized. > > + > > + @retval TRUE SM3 context initialization succeeded. > > + @retval FALSE SM3 context initialization failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sm3Init ( > > + OUT VOID *Sm3Context > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Makes a copy of an existing SM3 context. > > + > > + If Sm3Context is NULL, then return FALSE. > > + If NewSm3Context is NULL, then return FALSE. > > + If this interface is not supported, then return FALSE. > > + > > + @param[in] Sm3Context Pointer to SM3 context being copied. > > + @param[out] NewSm3Context Pointer to new SM3 context. > > + > > + @retval TRUE SM3 context copy succeeded. > > + @retval FALSE SM3 context copy failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sm3Duplicate ( > > + IN CONST VOID *Sm3Context, > > + OUT VOID *NewSm3Context > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Digests the input data and updates SM3 context. > > + > > + This function performs SM3 digest on a data buffer of the specified size. > > + It can be called multiple times to compute the digest of long or > discontinuous data streams. > > + SM3 context should be already correctly initialized by Sm3Init(), > > + and should not be finalized by Sm3Final(). Behavior with invalid context > is undefined. > > + > > + If Sm3Context is NULL, then return FALSE. > > + > > + @param[in, out] Sm3Context Pointer to the SM3 context. > > + @param[in] Data Pointer to the buffer containing the data to be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + > > + @retval TRUE SM3 data digest succeeded. > > + @retval FALSE SM3 data digest failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sm3Update ( > > + IN OUT VOID *Sm3Context, > > + IN CONST VOID *Data, > > + IN UINTN DataSize > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Completes computation of the SM3 digest value. > > + > > + This function completes SM3 hash computation and retrieves the > > + digest value into the specified memory. After this function has > > + been called, the SM3 context cannot be used again. > > + SM3 context should be already correctly initialized by Sm3Init(), > > + and should not be finalized by Sm3Final(). Behavior with invalid SM3 > context is undefined. > > + > > + If Sm3Context is NULL, then return FALSE. > > + If HashValue is NULL, then return FALSE. > > + > > + @param[in, out] Sm3Context Pointer to the SM3 context. > > + @param[out] HashValue Pointer to a buffer that receives the SM3 > digest > > + value (32 bytes). > > + > > + @retval TRUE SM3 digest computation succeeded. > > + @retval FALSE SM3 digest computation failed. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sm3Final ( > > + IN OUT VOID *Sm3Context, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Computes the SM3 message digest of a input data buffer. > > + > > + This function performs the SM3 message digest of a given data > > + buffer, and places the digest value into the specified memory. > > + > > + If this interface is not supported, then return FALSE. > > + > > + @param[in] Data Pointer to the buffer containing the data to be > hashed. > > + @param[in] DataSize Size of Data buffer in bytes. > > + @param[out] HashValue Pointer to a buffer that receives the SM3 > digest > > + value (32 bytes). > > + > > + @retval TRUE SM3 digest computation succeeded. > > + @retval FALSE SM3 digest computation failed. > > + @retval FALSE This interface is not supported. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +Sm3HashAll ( > > + IN CONST VOID *Data, > > + IN UINTN DataSize, > > + OUT UINT8 *HashValue > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > diff --git > > a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > > new file mode 100644 > > index 000000000000..c1d9837c5129 > > --- /dev/null > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > > @@ -0,0 +1,152 @@ > > +/** @file > > + PKCS7 Verify Null implementation. > > + > > + Copyright (C) Microsoft Corporation. All Rights Reserved. > > + Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> > > + > > + SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#include "InternalCryptLib.h" > > + > > +/** > > + This function will return the leaf signer certificate in a chain. > > +This is > > + required because certificate chains are not guaranteed to have the > > + certificates in the order that they were issued. > > + > > + A typical certificate chain looks like this: > > + > > + > > + ---------------------------- > > + | Root | > > + ---------------------------- > > + ^ > > + | > > + ---------------------------- > > + | Policy CA | <-- Typical Trust Anchor. > > + ---------------------------- > > + ^ > > + | > > + ---------------------------- > > + | Issuing CA | > > + ---------------------------- > > + ^ > > + | > > + ----------------------------- > > + / End-Entity (leaf) signer / <-- Bottom certificate. > > + ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1" > > + (Firmware > > + Signing) > > + > > + > > + @param[in] CertChain Certificate chain. > > + > > + @param[out] SignerCert Last certificate in the chain. For PKCS7 > signatures, > > + this will be the end-entity (leaf) signer cert. > > + > > + @retval EFI_SUCCESS The required EKUs were found in the > signature. > > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > > + @retval EFI_NOT_FOUND The number of signers found was not 1. > > + > > +**/ > > +EFI_STATUS > > +GetSignerCertificate ( > > + IN CONST VOID *CertChain, > > + OUT VOID **SignerCert > > + ) > > +{ > > + ASSERT (FALSE); > > + return EFI_NOT_READY; > > +} > > + > > +/** > > + Determines if the specified EKU represented in ASN1 form is present > > + in a given certificate. > > + > > + @param[in] Cert The certificate to check. > > + > > + @param[in] Asn1ToFind The EKU to look for. > > + > > + @retval EFI_SUCCESS We successfully identified the signing type. > > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > > + @retval EFI_NOT_FOUND One or more EKU's were not found in > the signature. > > + > > +**/ > > +EFI_STATUS > > +IsEkuInCertificate ( > > + IN CONST VOID *Cert, > > + IN VOID *Asn1ToFind > > + ) > > +{ > > + ASSERT (FALSE); > > + return EFI_NOT_READY; > > +} > > + > > +/** > > + Determines if the specified EKUs are present in a signing certificate. > > + > > + @param[in] SignerCert The certificate to check. > > + @param[in] RequiredEKUs The EKUs to look for. > > + @param[in] RequiredEKUsSize The number of EKUs > > + @param[in] RequireAllPresent If TRUE, then all the specified EKUs > > + must be present in the certificate. > > + > > + @retval EFI_SUCCESS We successfully identified the signing type. > > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > > + @retval EFI_NOT_FOUND One or more EKU's were not found in > the signature. > > +**/ > > +EFI_STATUS > > +CheckEKUs ( > > + IN CONST VOID *SignerCert, > > + IN CONST CHAR8 *RequiredEKUs[], > > + IN CONST UINT32 RequiredEKUsSize, > > + IN BOOLEAN RequireAllPresent > > + ) > > +{ > > + ASSERT (FALSE); > > + return EFI_NOT_READY; > > +} > > + > > +/** > > + This function receives a PKCS#7 formatted signature blob, > > + looks for the EKU SEQUENCE blob, and if found then looks > > + for all the required EKUs. This function was created so that > > + the Surface team can cut down on the number of Certificate > > + Authorities (CA's) by checking EKU's on leaf signers for > > + a specific product. This prevents one product's certificate > > + from signing another product's firmware or unlock blobs. > > + > > + Note that this function does not validate the certificate chain. > > + That needs to be done before using this function. > > + > > + @param[in] Pkcs7Signature The PKCS#7 signed information content > block. An array > > + containing the content block with both the signature, > > + the signer's certificate, and any necessary intermediate > > + certificates. > > + @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. > > + @param[in] RequiredEKUs Array of null-terminated strings listing > OIDs of > > + required EKUs that must be present in the signature. > > + @param[in] RequiredEKUsSize Number of elements in the > RequiredEKUs string array. > > + @param[in] RequireAllPresent If this is TRUE, then all of the specified > EKU's > > + must be present in the leaf signer. If it is > > + FALSE, then we will succeed if we find any > > + of the specified EKU's. > > + > > + @retval EFI_SUCCESS The required EKUs were found in the > signature. > > + @retval EFI_INVALID_PARAMETER A parameter was invalid. > > + @retval EFI_NOT_FOUND One or more EKU's were not found in the > signature. > > + > > +**/ > > +EFI_STATUS > > +EFIAPI > > +VerifyEKUsInPkcs7Signature ( > > + IN CONST UINT8 *Pkcs7Signature, > > + IN CONST UINT32 SignatureSize, > > + IN CONST CHAR8 *RequiredEKUs[], > > + IN CONST UINT32 RequiredEKUsSize, > > + IN BOOLEAN RequireAllPresent > > + ) > > +{ > > + ASSERT (FALSE); > > + return EFI_NOT_READY; > > +} > > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > > new file mode 100644 > > index 000000000000..fd352e32dd93 > > --- /dev/null > > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > > @@ -0,0 +1,121 @@ > > +/** @file > > + RSA Asymmetric Cipher Wrapper Null Implementation. > > + > > + This file implements following APIs which provide basic capabilities for > RSA: > > + 1) RsaNew > > + 2) RsaFree > > + 3) RsaSetKey > > + 4) RsaPkcs1Verify > > + > > +Copyright (c) 2009 - 2018, Intel Corporation. All rights > > +reserved.<BR> > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > +#include "InternalCryptLib.h" > > + > > +/** > > + Allocates and initializes one RSA context for subsequent use. > > + > > + @return Pointer to the RSA context that has been initialized. > > + If the allocations fails, RsaNew() returns NULL. > > + > > +**/ > > +VOID * > > +EFIAPI > > +RsaNew ( > > + VOID > > + ) > > +{ > > + // > > + // Allocates & Initializes RSA Context > > + // > > + ASSERT (FALSE); > > + return NULL; > > +} > > + > > +/** > > + Release the specified RSA context. > > + > > + @param[in] RsaContext Pointer to the RSA context to be released. > > + > > +**/ > > +VOID > > +EFIAPI > > +RsaFree ( > > + IN VOID *RsaContext > > + ) > > +{ > > + // > > + // Free RSA Context > > + // > > + ASSERT (FALSE); > > +} > > + > > +/** > > + Sets the tag-designated key component into the established RSA context. > > + > > + This function sets the tag-designated RSA key component into the > > + established RSA context from the user-specified non-negative > > + integer (octet string format represented in RSA PKCS#1). > > + If BigNumber is NULL, then the specified key component in RSA context > is cleared. > > + > > + If RsaContext is NULL, then return FALSE. > > + > > + @param[in, out] RsaContext Pointer to RSA context being set. > > + @param[in] KeyTag Tag of RSA key component being set. > > + @param[in] BigNumber Pointer to octet integer buffer. > > + If NULL, then the specified key component in RSA > > + context is cleared. > > + @param[in] BnSize Size of big number buffer in bytes. > > + If BigNumber is NULL, then it is ignored. > > + > > + @retval TRUE RSA key component was set successfully. > > + @retval FALSE Invalid RSA key component tag. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +RsaSetKey ( > > + IN OUT VOID *RsaContext, > > + IN RSA_KEY_TAG KeyTag, > > + IN CONST UINT8 *BigNumber, > > + IN UINTN BnSize > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > + > > +/** > > + Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme > > +defined in > > + RSA PKCS#1. > > + > > + If RsaContext is NULL, then return FALSE. > > + If MessageHash is NULL, then return FALSE. > > + If Signature is NULL, then return FALSE. > > + If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then > return FALSE. > > + > > + @param[in] RsaContext Pointer to RSA context for signature > verification. > > + @param[in] MessageHash Pointer to octet message hash to be checked. > > + @param[in] HashSize Size of the message hash in bytes. > > + @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be > verified. > > + @param[in] SigSize Size of signature in bytes. > > + > > + @retval TRUE Valid signature encoded in PKCS1-v1_5. > > + @retval FALSE Invalid signature or invalid RSA context. > > + > > +**/ > > +BOOLEAN > > +EFIAPI > > +RsaPkcs1Verify ( > > + IN VOID *RsaContext, > > + IN CONST UINT8 *MessageHash, > > + IN UINTN HashSize, > > + IN CONST UINT8 *Signature, > > + IN UINTN SigSize > > + ) > > +{ > > + ASSERT (FALSE); > > + return FALSE; > > +} > > diff --git a/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > > b/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > > new file mode 100644 > > index 000000000000..070b44447e74 > > --- /dev/null > > +++ b/CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > > @@ -0,0 +1,91 @@ > > +## @file > > +# Cryptographic Library Instance for SEC. > > +# > > +# Caution: This module requires additional review when modified. > > +# This library will have external input - signature. > > +# This external input must be validated carefully to avoid security > > +issues such as # buffer overflow or integer overflow. > > +# > > +# Copyright (c) 2021, Intel Corporation. All rights reserved.<BR> # > > +SPDX-License-Identifier: BSD-2-Clause-Patent # ## > > + > > +[Defines] > > + INF_VERSION = 0x00010005 > > + BASE_NAME = SecCryptLib > > + FILE_GUID = 3689D343-0D32-4284-8053-BF10537990E8 > > + MODULE_TYPE = BASE > > + VERSION_STRING = 1.0 > > + LIBRARY_CLASS = BaseCryptLib|SEC > > + > > +# > > +# The following information is for reference only and not required by the > build tools. > > +# > > +# VALID_ARCHITECTURES = IA32 X64 > > +# > > + > > +[Sources] > > + InternalCryptLib.h > > + Hash/CryptSha512.c > > + > > + Hash/CryptMd5Null.c > > + Hash/CryptSha1Null.c > > + Hash/CryptSha256Null.c > > + Hash/CryptSm3Null.c > > + Hash/CryptParallelHashNull.c > > + Hmac/CryptHmacSha256Null.c > > + Kdf/CryptHkdfNull.c > > + Cipher/CryptAesNull.c > > + Pk/CryptRsaBasicNull.c > > + Pk/CryptRsaExtNull.c > > + Pk/CryptPkcs1OaepNull.c > > + Pk/CryptPkcs5Pbkdf2Null.c > > + Pk/CryptPkcs7SignNull.c > > + Pk/CryptPkcs7VerifyNull.c > > + Pk/CryptPkcs7VerifyEkuNull.c > > + Pk/CryptDhNull.c > > + Pk/CryptX509Null.c > > + Pk/CryptAuthenticodeNull.c > > + Pk/CryptTsNull.c > > + Pem/CryptPemNull.c > > + Rand/CryptRandNull.c > > + Pk/CryptRsaPssNull.c > > + Pk/CryptRsaPssSignNull.c > > + > > + SysCall/CrtWrapper.c > > + SysCall/ConstantTimeClock.c > > + SysCall/BaseMemAllocation.c > > + > > +[Packages] > > + MdePkg/MdePkg.dec > > + CryptoPkg/CryptoPkg.dec > > + > > +[LibraryClasses] > > + BaseLib > > + BaseMemoryLib > > + MemoryAllocationLib > > + DebugLib > > + OpensslLib > > + IntrinsicLib > > + > > +# > > +# Remove these [BuildOptions] after this library is cleaned up # > > +[BuildOptions] > > + # > > + # suppress the following warnings so we do not break the build with > warnings-as-errors: > > + # C4090: 'function' : different 'const' qualifiers > > + # C4718: 'function call' : recursive call has no side effects, > > +deleting > > + # > > + MSFT:*_*_*_CC_FLAGS = /wd4090 /wd4718 > > + > > + # -JCryptoPkg/Include : To disable the use of the system includes > provided by RVCT > > + # --diag_remark=1 : Reduce severity of "#1-D: last line of file ends > without a newline" > > + RVCT:*_*_ARM_CC_FLAGS = -JCryptoPkg/Include --diag_remark=1 > > + > > + GCC:*_CLANG35_*_CC_FLAGS = -std=c99 GCC:*_CLANG38_*_CC_FLAGS > = > > + -std=c99 GCC:*_CLANGPDB_*_CC_FLAGS = -std=c99 > > + -Wno-error=incompatible-pointer-types > > + > > + XCODE:*_*_*_CC_FLAGS = -std=c99 > > -- > > 2.29.2.windows.2 > > > > > > > > > > ^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH V3 3/9] SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu 2022-04-17 23:59 ` [PATCH V3 1/9] Security: Add HashLibTdx Min Xu 2022-04-17 23:59 ` [PATCH V3 2/9] CryptoPkg: Add SecCryptLib Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-17 23:59 ` [PATCH V3 4/9] OvmfPkg: Introduce SecMeasurementLib Min Xu ` (6 subsequent siblings) 9 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel; +Cc: Min Xu, Gerd Hoffmann, Jiewen Yao, Sami Mujawar, Jian J Wang RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 EFI_CC_EVENT_HOB_GUID is the global ID of a GUIDed HOB used to pass TDX_DIGEST_VALUE from SEC to a DXE Driver ( This DXE driver will be introduced in the following commit in this patch-sets ). In that DXE driver this GUIDed HOB will be parsed and the TDX_DIGEST_VALUE then will be extracted. After that a EFI_CC_EVENT will be created based on it. Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- SecurityPkg/Include/Guid/CcEventHob.h | 22 ++++++++++++++++++++++ SecurityPkg/SecurityPkg.dec | 4 ++++ 2 files changed, 26 insertions(+) create mode 100644 SecurityPkg/Include/Guid/CcEventHob.h diff --git a/SecurityPkg/Include/Guid/CcEventHob.h b/SecurityPkg/Include/Guid/CcEventHob.h new file mode 100644 index 000000000000..072999ce92de --- /dev/null +++ b/SecurityPkg/Include/Guid/CcEventHob.h @@ -0,0 +1,22 @@ +/** @file + Defines the HOB GUID used to pass a CC_EVENT from SEC to + a CC DXE Driver. A GUIDed HOB is generated for each measurement + made in the SEC Phase. + +Copyright (c) 2021 - 2022, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef CC_EVENT_HOB_H_ +#define CC_EVENT_HOB_H_ + +// +// The Global ID of a GUIDed HOB used to pass a CC_EVENT from SEC to a CC DXE Driver. +// +#define EFI_CC_EVENT_HOB_GUID \ + { 0x20f8fd36, 0x6d00, 0x40fb, { 0xb7, 0x04, 0xd1, 0x2c, 0x15, 0x3c, 0x62, 0xeb } } + +extern EFI_GUID gCcEventEntryHobGuid; + +#endif diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 9f7a032d60d5..0ee75efc1a97 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -136,6 +136,10 @@ ## Include/Guid/TcgEventHob.h gTcgEvent2EntryHobGuid = { 0xd26c221e, 0x2430, 0x4c8a, { 0x91, 0x70, 0x3f, 0xcb, 0x45, 0x0, 0x41, 0x3f }} + ## Hob GUID used to pass a CC_EVENT from SEC to a CC DXE Driver. + ## Include/Guid/CcEventHob.h + gCcEventEntryHobGuid = { 0x20f8fd36, 0x6d00, 0x40fb, { 0xb7, 0x04, 0xd1, 0x2c, 0x15, 0x3c, 0x62, 0xeb }} + ## HOB GUID used to record TPM device error. # Include/Guid/TcgEventHob.h gTpmErrorHobGuid = { 0xef598499, 0xb25e, 0x473a, { 0xbf, 0xaf, 0xe7, 0xe5, 0x7d, 0xce, 0x82, 0xc4 }} -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH V3 4/9] OvmfPkg: Introduce SecMeasurementLib 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu ` (2 preceding siblings ...) 2022-04-17 23:59 ` [PATCH V3 3/9] SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-17 23:59 ` [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV Min Xu ` (5 subsequent siblings) 9 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel Cc: Min Xu, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Ken Lu, Sami Mujawar, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 SecMeasurementLib is designed to do the measurement in SEC phase. In current stage there are 2 functions introduced: - MeasureHobList: Measure the Hoblist passed from the VMM. - MeasureFvImage: Measure the FV image. SecMeasurementLibTdx is the TDX version of the library. Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ken Lu <ken.lu@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- OvmfPkg/Include/Library/SecMeasurementLib.h | 46 +++ .../SecMeasurementLib/SecMeasurementLibTdx.c | 340 ++++++++++++++++++ .../SecMeasurementLibTdx.inf | 30 ++ OvmfPkg/OvmfPkg.dec | 4 + 4 files changed, 420 insertions(+) create mode 100644 OvmfPkg/Include/Library/SecMeasurementLib.h create mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c create mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf diff --git a/OvmfPkg/Include/Library/SecMeasurementLib.h b/OvmfPkg/Include/Library/SecMeasurementLib.h new file mode 100644 index 000000000000..ca7a7dc3a9b2 --- /dev/null +++ b/OvmfPkg/Include/Library/SecMeasurementLib.h @@ -0,0 +1,46 @@ +/** @file + + Copyright (c) 2021, Intel Corporation. All rights reserved.<BR> + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SEC_MEASUREMENT_LIB_H_ +#define SEC_MEASUREMENT_LIB_H_ + +/** + Measure the Hoblist passed from the VMM. + + @param[in] VmmHobList The Hoblist pass the firmware + + @retval EFI_SUCCESS Fv image is measured successfully + or it has been already measured. + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +MeasureHobList ( + IN CONST VOID *VmmHobList + ); + +/** + Measure FV image. + + @param[in] FvBase Base address of FV image. + @param[in] FvLength Length of FV image. + @param[in] PcrIndex Index of PCR + + @retval EFI_SUCCESS Fv image is measured successfully + or it has been already measured. + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +MeasureFvImage ( + IN EFI_PHYSICAL_ADDRESS FvBase, + IN UINT64 FvLength, + IN UINT8 PcrIndex + ); + +#endif diff --git a/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c b/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c new file mode 100644 index 000000000000..274fda1e563e --- /dev/null +++ b/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c @@ -0,0 +1,340 @@ +/** @file +* +* Copyright (c) 2021, Intel Corporation. All rights reserved.<BR> +* SPDX-License-Identifier: BSD-2-Clause-Patent +* +**/ + +#include <PiPei.h> +#include <Guid/CcEventHob.h> +#include <Library/BaseMemoryLib.h> +#include <Library/DebugLib.h> +#include <Library/HashLib.h> +#include <Library/HobLib.h> +#include <Library/PrintLib.h> +#include <IndustryStandard/Tpm20.h> +#include <Protocol/CcMeasurement.h> +#include <Library/SecMeasurementLib.h> + +#pragma pack(1) + +typedef struct { + UINT32 count; + TPMI_ALG_HASH hashAlg; + BYTE sha384[SHA384_DIGEST_SIZE]; +} TDX_DIGEST_VALUE; + +#define HANDOFF_TABLE_DESC "TdxTable" +typedef struct { + UINT8 TableDescriptionSize; + UINT8 TableDescription[sizeof (HANDOFF_TABLE_DESC)]; + UINT64 NumberOfTables; + EFI_CONFIGURATION_TABLE TableEntry[1]; +} TDX_HANDOFF_TABLE_POINTERS2; + +#define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)" +typedef struct { + UINT8 BlobDescriptionSize; + UINT8 BlobDescription[sizeof (FV_HANDOFF_TABLE_DESC)]; + EFI_PHYSICAL_ADDRESS BlobBase; + UINT64 BlobLength; +} FV_HANDOFF_TABLE_POINTERS2; + +#pragma pack() + +#define INVALID_PCR2MR_INDEX 0xFF + +/** + RTMR[0] => PCR[1,7] + RTMR[1] => PCR[2,3,4,5] + RTMR[2] => PCR[8~15] + RTMR[3] => NA + Note: + PCR[0] is mapped to MRTD and should not appear here. + PCR[6] is reserved for OEM. It is not used. +**/ +UINT8 +GetMappedRtmrIndex ( + UINT32 PCRIndex + ) +{ + UINT8 RtmrIndex; + + if ((PCRIndex == 6) || (PCRIndex == 0) || (PCRIndex > 15)) { + DEBUG ((DEBUG_ERROR, "Invalid PCRIndex(%d) map to MR Index.\n", PCRIndex)); + ASSERT (FALSE); + return INVALID_PCR2MR_INDEX; + } + + RtmrIndex = 0; + if ((PCRIndex == 1) || (PCRIndex == 7)) { + RtmrIndex = 0; + } else if ((PCRIndex >= 2) && (PCRIndex < 6)) { + RtmrIndex = 1; + } else if ((PCRIndex >= 8) && (PCRIndex <= 15)) { + RtmrIndex = 2; + } + + return RtmrIndex; +} + +/** + Tpm measure and log data, and extend the measurement result into a specific PCR. + + @param[in] PcrIndex PCR Index. + @param[in] EventType Event type. + @param[in] EventLog Measurement event log. + @param[in] LogLen Event log length in bytes. + @param[in] HashData The start of the data buffer to be hashed, extended. + @param[in] HashDataLen The length, in bytes, of the buffer referenced by HashData + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_UNSUPPORTED TPM device not available. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. +**/ +EFI_STATUS +EFIAPI +TdxMeasureAndLogData ( + IN UINT32 PcrIndex, + IN UINT32 EventType, + IN VOID *EventLog, + IN UINT32 LogLen, + IN VOID *HashData, + IN UINT64 HashDataLen + ) +{ + EFI_STATUS Status; + UINT32 RtmrIndex; + VOID *EventHobData; + TCG_PCR_EVENT2 *TcgPcrEvent2; + UINT8 *DigestBuffer; + TDX_DIGEST_VALUE *TdxDigest; + TPML_DIGEST_VALUES DigestList; + UINT8 *Ptr; + + RtmrIndex = GetMappedRtmrIndex (PcrIndex); + if (RtmrIndex == INVALID_PCR2MR_INDEX) { + return EFI_INVALID_PARAMETER; + } + + DEBUG ((DEBUG_INFO, "Creating TdTcg2PcrEvent PCR[%d]/RTMR[%d] EventType 0x%x\n", PcrIndex, RtmrIndex, EventType)); + + Status = HashAndExtend ( + RtmrIndex, + (VOID *)HashData, + HashDataLen, + &DigestList + ); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to HashAndExtend. %r\n", Status)); + return Status; + } + + // + // Use TDX_DIGEST_VALUE in the GUID HOB DataLength calculation + // to reserve enough buffer to hold TPML_DIGEST_VALUES compact binary + // which is limited to a SHA384 digest list + // + EventHobData = BuildGuidHob ( + &gCcEventEntryHobGuid, + sizeof (TcgPcrEvent2->PCRIndex) + sizeof (TcgPcrEvent2->EventType) + + sizeof (TDX_DIGEST_VALUE) + + sizeof (TcgPcrEvent2->EventSize) + LogLen + ); + + if (EventHobData == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Ptr = (UINT8 *)EventHobData; + // + // Initialize PcrEvent data now + // + RtmrIndex++; + CopyMem (Ptr, &RtmrIndex, sizeof (UINT32)); + Ptr += sizeof (UINT32); + CopyMem (Ptr, &EventType, sizeof (TCG_EVENTTYPE)); + Ptr += sizeof (TCG_EVENTTYPE); + + DigestBuffer = Ptr; + + TdxDigest = (TDX_DIGEST_VALUE *)DigestBuffer; + TdxDigest->count = 1; + TdxDigest->hashAlg = TPM_ALG_SHA384; + CopyMem ( + TdxDigest->sha384, + DigestList.digests[0].digest.sha384, + SHA384_DIGEST_SIZE + ); + + Ptr += sizeof (TDX_DIGEST_VALUE); + + CopyMem (Ptr, &LogLen, sizeof (UINT32)); + Ptr += sizeof (UINT32); + CopyMem (Ptr, EventLog, LogLen); + Ptr += LogLen; + + Status = EFI_SUCCESS; + return Status; +} + +/** + Measure the Hoblist passed from the VMM. + + @param[in] VmmHobList The Hoblist pass the firmware + + @retval EFI_SUCCESS Fv image is measured successfully + or it has been already measured. + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +MeasureHobList ( + IN CONST VOID *VmmHobList + ) +{ + EFI_PEI_HOB_POINTERS Hob; + TDX_HANDOFF_TABLE_POINTERS2 HandoffTables; + EFI_STATUS Status; + + if (!TdIsEnabled ()) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + Hob.Raw = (UINT8 *)VmmHobList; + + // + // Parse the HOB list until end of list. + // + while (!END_OF_HOB_LIST (Hob)) { + Hob.Raw = GET_NEXT_HOB (Hob); + } + + // + // Init the log event for HOB measurement + // + + HandoffTables.TableDescriptionSize = sizeof (HandoffTables.TableDescription); + CopyMem (HandoffTables.TableDescription, HANDOFF_TABLE_DESC, sizeof (HandoffTables.TableDescription)); + HandoffTables.NumberOfTables = 1; + CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgTokenSpaceGuid); + HandoffTables.TableEntry[0].VendorTable = (VOID *)VmmHobList; + + Status = TdxMeasureAndLogData ( + 1, // PCRIndex + EV_EFI_HANDOFF_TABLES2, // EventType + (VOID *)&HandoffTables, // EventData + sizeof (HandoffTables), // EventSize + (UINT8 *)(UINTN)VmmHobList, // HashData + (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)VmmHobList) // HashDataLen + ); + + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + } + + return Status; +} + +/** + Get the FvName from the FV header. + + Causion: The FV is untrusted input. + + @param[in] FvBase Base address of FV image. + @param[in] FvLength Length of FV image. + + @return FvName pointer + @retval NULL FvName is NOT found +**/ +VOID * +GetFvName ( + IN EFI_PHYSICAL_ADDRESS FvBase, + IN UINT64 FvLength + ) +{ + EFI_FIRMWARE_VOLUME_HEADER *FvHeader; + EFI_FIRMWARE_VOLUME_EXT_HEADER *FvExtHeader; + + if (FvBase >= MAX_ADDRESS) { + return NULL; + } + + if (FvLength >= MAX_ADDRESS - FvBase) { + return NULL; + } + + if (FvLength < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) { + return NULL; + } + + FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvBase; + if (FvHeader->ExtHeaderOffset < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) { + return NULL; + } + + if (FvHeader->ExtHeaderOffset + sizeof (EFI_FIRMWARE_VOLUME_EXT_HEADER) > FvLength) { + return NULL; + } + + FvExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *)(UINTN)(FvBase + FvHeader->ExtHeaderOffset); + + return &FvExtHeader->FvName; +} + +/** + Measure FV image. + + @param[in] FvBase Base address of FV image. + @param[in] FvLength Length of FV image. + @param[in] PcrIndex Index of PCR + + @retval EFI_SUCCESS Fv image is measured successfully + or it has been already measured. + @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event. + @retval EFI_DEVICE_ERROR The command was unsuccessful. + +**/ +EFI_STATUS +EFIAPI +MeasureFvImage ( + IN EFI_PHYSICAL_ADDRESS FvBase, + IN UINT64 FvLength, + IN UINT8 PcrIndex + ) +{ + EFI_STATUS Status; + FV_HANDOFF_TABLE_POINTERS2 FvBlob2; + VOID *FvName; + + // + // Init the log event for FV measurement + // + FvBlob2.BlobDescriptionSize = sizeof (FvBlob2.BlobDescription); + CopyMem (FvBlob2.BlobDescription, FV_HANDOFF_TABLE_DESC, sizeof (FvBlob2.BlobDescription)); + FvName = GetFvName (FvBase, FvLength); + if (FvName != NULL) { + AsciiSPrint ((CHAR8 *)FvBlob2.BlobDescription, sizeof (FvBlob2.BlobDescription), "Fv(%g)", FvName); + } + + FvBlob2.BlobBase = FvBase; + FvBlob2.BlobLength = FvLength; + + Status = TdxMeasureAndLogData ( + 1, // PCRIndex + EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType + (VOID *)&FvBlob2, // EventData + sizeof (FvBlob2), // EventSize + (UINT8 *)(UINTN)FvBase, // HashData + (UINTN)(FvLength) // HashDataLen + ); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "The FV which failed to be measured starts at: 0x%x\n", FvBase)); + ASSERT (FALSE); + } + + return Status; +} diff --git a/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf b/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf new file mode 100644 index 000000000000..6215df5af8fc --- /dev/null +++ b/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf @@ -0,0 +1,30 @@ +#/** @file +# +# Copyright (c) 2021, Intel Corporation. All rights reserved.<BR> +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +#**/ + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = SecMeasurementLibTdx + FILE_GUID = 3e3fc69d-e834-40e9-96ed-e1e721f41883 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = SecMeasurementLib + +[Sources] + SecMeasurementLibTdx.c + +[Packages] + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + CryptoPkg/CryptoPkg.dec + SecurityPkg/SecurityPkg.dec + +[Guids] + gCcEventEntryHobGuid + gUefiOvmfPkgTokenSpaceGuid + +[LibraryClasses] + HashLib diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index b9ca44120289..6f08dcdf0d3b 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -125,6 +125,10 @@ # PeilessStartupLib|Include/Library/PeilessStartupLib.h + ## @libraryclass SecMeasurementLib + # + SecMeasurementLib|Include/Library/SecMeasurementLib.h + [Guids] gUefiOvmfPkgTokenSpaceGuid = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}} gEfiXenInfoGuid = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}} -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu ` (3 preceding siblings ...) 2022-04-17 23:59 ` [PATCH V3 4/9] OvmfPkg: Introduce SecMeasurementLib Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-19 6:58 ` Gerd Hoffmann 2022-04-17 23:59 ` [PATCH V3 6/9] OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table Min Xu ` (4 subsequent siblings) 9 siblings, 1 reply; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel Cc: Min Xu, Ard Biesheuvel, Jiewen Yao, Jordan Justen, Brijesh Singh, Erdem Aktas, James Bottomley, Tom Lendacky, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 TdHobList and Configuration FV are external data provided by Host VMM. These are not trusted in Td guest. So they should be validated , measured and extended to Td RTMR registers. In the meantime 2 EFI_CC_EVENT_HOB are created. These 2 GUIDed HOBs carry the hash value of TdHobList and Configuration FV. In DXE phase EFI_CC_EVENT can be created based on these 2 GUIDed HOBs. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- OvmfPkg/IntelTdx/IntelTdxX64.dsc | 4 + OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 163 ++++++++++++++++++ .../PeilessStartupLib/PeilessStartup.c | 31 ++++ .../PeilessStartupInternal.h | 17 ++ .../PeilessStartupLib/PeilessStartupLib.inf | 8 +- 5 files changed, 221 insertions(+), 2 deletions(-) create mode 100644 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc index 245155d41b30..e6cd10a120a8 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -520,6 +520,10 @@ OvmfPkg/IntelTdx/Sec/SecMain.inf { <LibraryClasses> NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf + SecMeasurementLib|OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf } # diff --git a/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c b/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c new file mode 100644 index 000000000000..d240d3b7719f --- /dev/null +++ b/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c @@ -0,0 +1,163 @@ +/** @file + Copyright (c) 2022, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include <PiPei.h> +#include <Library/BaseLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/DebugLib.h> +#include <Guid/VariableFormat.h> +#include <Guid/SystemNvDataGuid.h> +#include "PeilessStartupInternal.h" + +/** + Check padding data all bit should be 1. + + @param[in] Buffer - A pointer to buffer header + @param[in] BufferSize - Buffer size + + @retval TRUE - The padding data is valid. + @retval TRUE - The padding data is invalid. + +**/ +BOOLEAN +CheckPaddingData ( + IN UINT8 *Buffer, + IN UINT32 BufferSize + ) +{ + UINT32 index; + + for (index = 0; index < BufferSize; index++) { + if (Buffer[index] != 0xFF) { + return FALSE; + } + } + + return TRUE; +} + +/** + Check the integrity of CFV data. + + @param[in] TdxCfvBase - A pointer to CFV header + @param[in] TdxCfvSize - CFV data size + + @retval TRUE - The CFV data is valid. + @retval FALSE - The CFV data is invalid. + +**/ +BOOLEAN +EFIAPI +TdxValidateCfv ( + IN UINT8 *TdxCfvBase, + IN UINT32 TdxCfvSize + ) +{ + UINT16 Checksum; + UINTN VariableBase; + UINT32 VariableOffset; + UINT32 VariableOffsetBeforeAlign; + EFI_FIRMWARE_VOLUME_HEADER *CfvFvHeader; + VARIABLE_STORE_HEADER *CfvVariableStoreHeader; + AUTHENTICATED_VARIABLE_HEADER *VariableHeader; + + static EFI_GUID FvHdrGUID = EFI_SYSTEM_NV_DATA_FV_GUID; + static EFI_GUID VarStoreHdrGUID = EFI_AUTHENTICATED_VARIABLE_GUID; + + VariableOffset = 0; + + if (TdxCfvBase == NULL) { + DEBUG ((DEBUG_ERROR, "TDX CFV: CFV pointer is NULL\n")); + return FALSE; + } + + // + // Verify the header zerovetor, filesystemguid, + // revision, signature, attributes, fvlength, checksum + // HeaderLength cannot be an odd number + // + CfvFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)TdxCfvBase; + + if ((!IsZeroBuffer (CfvFvHeader->ZeroVector, 16)) || + (!CompareGuid (&FvHdrGUID, &CfvFvHeader->FileSystemGuid)) || + (CfvFvHeader->Signature != EFI_FVH_SIGNATURE) || + (CfvFvHeader->Attributes != 0x4feff) || + (CfvFvHeader->Revision != EFI_FVH_REVISION) || + (CfvFvHeader->FvLength != TdxCfvSize) + ) + { + DEBUG ((DEBUG_ERROR, "TDX CFV: Basic FV headers were invalid\n")); + return FALSE; + } + + // + // Verify the header checksum + // + Checksum = CalculateSum16 ((VOID *)CfvFvHeader, CfvFvHeader->HeaderLength); + + if (Checksum != 0) { + DEBUG ((DEBUG_ERROR, "TDX CFV: FV checksum was invalid\n")); + return FALSE; + } + + // + // Verify the header signature, size, format, state + // + CfvVariableStoreHeader = (VARIABLE_STORE_HEADER *)(TdxCfvBase + CfvFvHeader->HeaderLength); + if ((!CompareGuid (&VarStoreHdrGUID, &CfvVariableStoreHeader->Signature)) || + (CfvVariableStoreHeader->Format != VARIABLE_STORE_FORMATTED) || + (CfvVariableStoreHeader->State != VARIABLE_STORE_HEALTHY) || + (CfvVariableStoreHeader->Size > (CfvFvHeader->FvLength - CfvFvHeader->HeaderLength)) || + (CfvVariableStoreHeader->Size < sizeof (VARIABLE_STORE_HEADER)) + ) + { + DEBUG ((DEBUG_ERROR, "TDX CFV: Variable Store header was invalid\n")); + return FALSE; + } + + // + // Verify the header startId, state + // Verify data to the end + // + VariableBase = (UINTN)TdxCfvBase + CfvFvHeader->HeaderLength + sizeof (VARIABLE_STORE_HEADER); + while (VariableOffset < (CfvVariableStoreHeader->Size - sizeof (VARIABLE_STORE_HEADER))) { + VariableHeader = (AUTHENTICATED_VARIABLE_HEADER *)(VariableBase + VariableOffset); + if (VariableHeader->StartId != VARIABLE_DATA) { + if (!CheckPaddingData ((UINT8 *)VariableHeader, CfvVariableStoreHeader->Size - sizeof (VARIABLE_STORE_HEADER) - VariableOffset)) { + DEBUG ((DEBUG_ERROR, "TDX CFV: Variable header was invalid\n")); + return FALSE; + } + + VariableOffset = CfvVariableStoreHeader->Size - sizeof (VARIABLE_STORE_HEADER); + } else { + if (!((VariableHeader->State == VAR_IN_DELETED_TRANSITION) || + (VariableHeader->State == VAR_DELETED) || + (VariableHeader->State == VAR_HEADER_VALID_ONLY) || + (VariableHeader->State == VAR_ADDED))) + { + DEBUG ((DEBUG_ERROR, "TDX CFV: Variable header was invalid\n")); + return FALSE; + } + + VariableOffset += sizeof (AUTHENTICATED_VARIABLE_HEADER) + VariableHeader->NameSize + VariableHeader->DataSize; + // Verify VariableOffset should be less than or equal CfvVariableStoreHeader->Size - sizeof(VARIABLE_STORE_HEADER) + if (VariableOffset > (CfvVariableStoreHeader->Size - sizeof (VARIABLE_STORE_HEADER))) { + DEBUG ((DEBUG_ERROR, "TDX CFV: Variable header was invalid\n")); + return FALSE; + } + + VariableOffsetBeforeAlign = VariableOffset; + // 4 byte align + VariableOffset = (VariableOffset + 3) & (UINTN)(~3); + + if (!CheckPaddingData ((UINT8 *)(VariableBase + VariableOffsetBeforeAlign), VariableOffset - VariableOffsetBeforeAlign)) { + DEBUG ((DEBUG_ERROR, "TDX CFV: Variable header was invalid\n")); + return FALSE; + } + } + } + + return TRUE; +} diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c index 126eb74048f4..54236b956c52 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c @@ -20,6 +20,7 @@ #include <ConfidentialComputingGuestAttr.h> #include <Guid/MemoryTypeInformation.h> #include <OvmfPlatforms.h> +#include <Library/SecMeasurementLib.h> #include "PeilessStartupInternal.h" #define GET_GPAW_INIT_STATE(INFO) ((UINT8) ((INFO) & 0x3f)) @@ -133,11 +134,13 @@ PeilessStartup ( UINT32 DxeCodeSize; TD_RETURN_DATA TdReturnData; VOID *VmmHobList; + UINT8 *CfvBase; Status = EFI_SUCCESS; BootFv = NULL; VmmHobList = NULL; SecCoreData = (EFI_SEC_PEI_HAND_OFF *)Context; + CfvBase = (UINT8 *)(UINTN)FixedPcdGet32 (PcdCfvBase); ZeroMem (&PlatformInfoHob, sizeof (PlatformInfoHob)); @@ -167,6 +170,34 @@ PeilessStartup ( DEBUG ((DEBUG_INFO, "HobList: %p\n", GetHobList ())); + if (TdIsEnabled ()) { + // + // Measure HobList + // + Status = MeasureHobList (VmmHobList); + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + CpuDeadLoop (); + } + + // + // Validate Tdx CFV + // + if (!TdxValidateCfv (CfvBase, FixedPcdGet32 (PcdCfvRawDataSize))) { + ASSERT (FALSE); + CpuDeadLoop (); + } + + // + // Measure Tdx CFV + // + Status = MeasureFvImage ((EFI_PHYSICAL_ADDRESS)(UINTN)CfvBase, FixedPcdGet32 (PcdCfvRawDataSize), 1); + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + CpuDeadLoop (); + } + } + // // Initialize the Platform // diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h index 23e9e0be53f1..dd79b8a06b44 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h @@ -52,4 +52,21 @@ EFIAPI ConstructSecHobList ( ); +/** + Check the integrity of CFV data. + + @param[in] TdxCfvBase - A pointer to CFV header + @param[in] TdxCfvSize - CFV data size + + @retval TRUE - The CFV data is valid. + @retval FALSE - The CFV data is invalid. + +**/ +BOOLEAN +EFIAPI +TdxValidateCfv ( + IN UINT8 *TdxCfvBase, + IN UINT32 TdxCfvSize + ); + #endif diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf index 8791984586a4..c5d291f02bcd 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf @@ -29,8 +29,7 @@ PeilessStartup.c Hob.c DxeLoad.c - -[Sources.X64] + IntelTdx.c X64/VirtualMemory.c [Packages] @@ -39,6 +38,8 @@ UefiCpuPkg/UefiCpuPkg.dec OvmfPkg/OvmfPkg.dec EmbeddedPkg/EmbeddedPkg.dec + CryptoPkg/CryptoPkg.dec + SecurityPkg/SecurityPkg.dec [LibraryClasses] BaseLib @@ -56,6 +57,8 @@ PrePiLib QemuFwCfgLib PlatformInitLib + HashLib + SecMeasurementLib [Guids] gEfiHobMemoryAllocModuleGuid @@ -63,6 +66,7 @@ gUefiOvmfPkgPlatformInfoGuid gEfiMemoryTypeInformationGuid gPcdDataBaseHobGuid + gCcEventEntryHobGuid [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdCfvBase -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-17 23:59 ` [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV Min Xu @ 2022-04-19 6:58 ` Gerd Hoffmann 2022-04-19 11:12 ` Min Xu 0 siblings, 1 reply; 27+ messages in thread From: Gerd Hoffmann @ 2022-04-19 6:58 UTC (permalink / raw) To: Min Xu Cc: devel, Ard Biesheuvel, Jiewen Yao, Jordan Justen, Brijesh Singh, Erdem Aktas, James Bottomley, Tom Lendacky On Mon, Apr 18, 2022 at 07:59:56AM +0800, Min Xu wrote: > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > TdHobList and Configuration FV are external data provided by Host VMM. > These are not trusted in Td guest. So they should be validated , measured > and extended to Td RTMR registers. In the meantime 2 EFI_CC_EVENT_HOB are > created. These 2 GUIDed HOBs carry the hash value of TdHobList and > Configuration FV. In DXE phase EFI_CC_EVENT can be created based on these > 2 GUIDed HOBs. Why this is done in the SEC phase? take care, Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-19 6:58 ` Gerd Hoffmann @ 2022-04-19 11:12 ` Min Xu 2022-04-19 12:49 ` [edk2-devel] " Gerd Hoffmann 0 siblings, 1 reply; 27+ messages in thread From: Min Xu @ 2022-04-19 11:12 UTC (permalink / raw) To: Gerd Hoffmann Cc: devel@edk2.groups.io, Ard Biesheuvel, Yao, Jiewen, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, James Bottomley, Tom Lendacky On April 19, 2022 2:59 PM, Gerd Hoffmann wrote: > On Mon, Apr 18, 2022 at 07:59:56AM +0800, Min Xu wrote: > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > > > TdHobList and Configuration FV are external data provided by Host VMM. > > These are not trusted in Td guest. So they should be validated , > > measured and extended to Td RTMR registers. In the meantime 2 > > EFI_CC_EVENT_HOB are created. These 2 GUIDed HOBs carry the hash > value > > of TdHobList and Configuration FV. In DXE phase EFI_CC_EVENT can be > > created based on these > > 2 GUIDed HOBs. > > Why this is done in the SEC phase? TdHobList is consumed in SEC phase. So before it is consumed, it should be validated, measured. CFV contains the information provisioned by host VMM, for example, the secure boot parameters. These external data should be validated and measured as well. RTMR based measurement is implemented in TDVF Config-B (https://edk2.groups.io/g/devel/message/76367). Config-B skip the PEI phase. So it just looks like the Tcg2Pei which measures FVs before handing off control to DXE. Thanks Min ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-19 11:12 ` Min Xu @ 2022-04-19 12:49 ` Gerd Hoffmann 2022-04-19 14:06 ` Yao, Jiewen 0 siblings, 1 reply; 27+ messages in thread From: Gerd Hoffmann @ 2022-04-19 12:49 UTC (permalink / raw) To: devel, min.m.xu Cc: Ard Biesheuvel, Yao, Jiewen, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, James Bottomley, Tom Lendacky On Tue, Apr 19, 2022 at 11:12:39AM +0000, Min Xu wrote: > On April 19, 2022 2:59 PM, Gerd Hoffmann wrote: > > On Mon, Apr 18, 2022 at 07:59:56AM +0800, Min Xu wrote: > > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > > > > > TdHobList and Configuration FV are external data provided by Host VMM. > > > These are not trusted in Td guest. So they should be validated , > > > measured and extended to Td RTMR registers. In the meantime 2 > > > EFI_CC_EVENT_HOB are created. These 2 GUIDed HOBs carry the hash > > value > > > of TdHobList and Configuration FV. In DXE phase EFI_CC_EVENT can be > > > created based on these > > > 2 GUIDed HOBs. > > > > Why this is done in the SEC phase? > TdHobList is consumed in SEC phase. So before it is consumed, it should be validated, measured. Yes for validation (aka sanity-checking the fields, etc). But for measurement I don't see why the ordering matters. Whenever you do that before or after consuming the TdHob should not make a difference. > CFV contains the information provisioned by host VMM, for example, the > secure boot parameters. These external data should be validated and > measured as well. Same argument here. You pull a bunch of stuff into SEC (sha384, ...), and I'm wondering whenever it would be better to move measurement to DXE instead where you just don't need that kind of changes. take care, Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-19 12:49 ` [edk2-devel] " Gerd Hoffmann @ 2022-04-19 14:06 ` Yao, Jiewen 2022-04-20 8:16 ` Gerd Hoffmann 0 siblings, 1 reply; 27+ messages in thread From: Yao, Jiewen @ 2022-04-19 14:06 UTC (permalink / raw) To: Gerd Hoffmann, devel@edk2.groups.io, Xu, Min M Cc: Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, James Bottomley, Tom Lendacky Inlined > -----Original Message----- > From: Gerd Hoffmann <kraxel@redhat.com> > Sent: Tuesday, April 19, 2022 8:49 PM > To: devel@edk2.groups.io; Xu, Min M <min.m.xu@intel.com> > Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>; Yao, Jiewen > <jiewen.yao@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Brijesh > Singh <brijesh.singh@amd.com>; Aktas, Erdem <erdemaktas@google.com>; > James Bottomley <jejb@linux.ibm.com>; Tom Lendacky > <thomas.lendacky@amd.com> > Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td > HobList and Configuration FV > > On Tue, Apr 19, 2022 at 11:12:39AM +0000, Min Xu wrote: > > On April 19, 2022 2:59 PM, Gerd Hoffmann wrote: > > > On Mon, Apr 18, 2022 at 07:59:56AM +0800, Min Xu wrote: > > > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > > > > > > > TdHobList and Configuration FV are external data provided by Host VMM. > > > > These are not trusted in Td guest. So they should be validated , > > > > measured and extended to Td RTMR registers. In the meantime 2 > > > > EFI_CC_EVENT_HOB are created. These 2 GUIDed HOBs carry the hash > > > value > > > > of TdHobList and Configuration FV. In DXE phase EFI_CC_EVENT can be > > > > created based on these > > > > 2 GUIDed HOBs. > > > > > > Why this is done in the SEC phase? > > TdHobList is consumed in SEC phase. So before it is consumed, it should be > validated, measured. > > Yes for validation (aka sanity-checking the fields, etc). > But for measurement I don't see why the ordering matters. > Whenever you do that before or after consuming the TdHob > should not make a difference. [Jiewen] I disagree. The order matters from security perspective. If you use it, there is risk that the buggy code will compromise the system before you have chance to measure it. There was already known attacks: The measurement was in wrong place, which caused the attack can forge the measurement. The best practice is always: measure then use. > > > CFV contains the information provisioned by host VMM, for example, the > > secure boot parameters. These external data should be validated and > > measured as well. > > Same argument here. > > You pull a bunch of stuff into SEC (sha384, ...), and I'm wondering > whenever it would be better to move measurement to DXE instead where > you just don't need that kind of changes. > > take care, > Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-19 14:06 ` Yao, Jiewen @ 2022-04-20 8:16 ` Gerd Hoffmann 2022-04-20 9:46 ` Yao, Jiewen 2022-04-20 14:25 ` James Bottomley 0 siblings, 2 replies; 27+ messages in thread From: Gerd Hoffmann @ 2022-04-20 8:16 UTC (permalink / raw) To: Yao, Jiewen Cc: devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, James Bottomley, Tom Lendacky Hi, > > Yes for validation (aka sanity-checking the fields, etc). > > But for measurement I don't see why the ordering matters. > > Whenever you do that before or after consuming the TdHob > > should not make a difference. > > [Jiewen] I disagree. The order matters from security perspective. > If you use it, there is risk that the buggy code will compromise the system before you have chance to measure it. Measurement will only record hashes for verification later on. It will not prevent running possibly buggy/compromised code. So, no matter what the order is, you'll figure the system got compromised after the fact, when checking the hashes later, and in turn take actions like refusing to hand out secrets to the compromised system. > There was already known attacks: The measurement was in wrong place, > which caused the attack can forge the measurement. Do you have a link or CVE number for me? thanks, Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-20 8:16 ` Gerd Hoffmann @ 2022-04-20 9:46 ` Yao, Jiewen 2022-04-20 16:05 ` Gerd Hoffmann 2022-04-20 14:25 ` James Bottomley 1 sibling, 1 reply; 27+ messages in thread From: Yao, Jiewen @ 2022-04-20 9:46 UTC (permalink / raw) To: devel@edk2.groups.io, kraxel@redhat.com Cc: Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, James Bottomley, Tom Lendacky Gerd I cannot agree your statement on ordering. Smart attacker can forge the good measurement based upon the severity of vulnerability. One famous example in 2011: https://invisiblethingslab.com/resources/2011/Attacking_Intel_TXT_via_SINIT_hijacking.pdf Because the attack happens before PCR18 measurement, the PCR18 is forged successfully. > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd > Hoffmann > Sent: Wednesday, April 20, 2022 4:17 PM > To: Yao, Jiewen <jiewen.yao@intel.com> > Cc: devel@edk2.groups.io; Xu, Min M <min.m.xu@intel.com>; Ard Biesheuvel > <ardb+tianocore@kernel.org>; Justen, Jordan L <jordan.l.justen@intel.com>; > Brijesh Singh <brijesh.singh@amd.com>; Aktas, Erdem > <erdemaktas@google.com>; James Bottomley <jejb@linux.ibm.com>; Tom > Lendacky <thomas.lendacky@amd.com> > Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td > HobList and Configuration FV > > Hi, > > > > Yes for validation (aka sanity-checking the fields, etc). > > > But for measurement I don't see why the ordering matters. > > > Whenever you do that before or after consuming the TdHob > > > should not make a difference. > > > > [Jiewen] I disagree. The order matters from security perspective. > > If you use it, there is risk that the buggy code will compromise the system > before you have chance to measure it. > > Measurement will only record hashes for verification later on. > It will not prevent running possibly buggy/compromised code. > > So, no matter what the order is, you'll figure the system got > compromised after the fact, when checking the hashes later, and in turn > take actions like refusing to hand out secrets to the compromised > system. > > > There was already known attacks: The measurement was in wrong place, > > which caused the attack can forge the measurement. > > Do you have a link or CVE number for me? > > thanks, > Gerd > > > > > ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-20 9:46 ` Yao, Jiewen @ 2022-04-20 16:05 ` Gerd Hoffmann 0 siblings, 0 replies; 27+ messages in thread From: Gerd Hoffmann @ 2022-04-20 16:05 UTC (permalink / raw) To: Yao, Jiewen Cc: devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, James Bottomley, Tom Lendacky On Wed, Apr 20, 2022 at 09:46:13AM +0000, Yao, Jiewen wrote: > Gerd > I cannot agree your statement on ordering. > > Smart attacker can forge the good measurement based upon the severity of vulnerability. > > One famous example in 2011: > https://invisiblethingslab.com/resources/2011/Attacking_Intel_TXT_via_SINIT_hijacking.pdf > Because the attack happens before PCR18 measurement, the PCR18 is forged successfully. Ok, understood. The paper explains it nicely. thanks, Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-20 8:16 ` Gerd Hoffmann 2022-04-20 9:46 ` Yao, Jiewen @ 2022-04-20 14:25 ` James Bottomley 2022-04-20 16:29 ` Gerd Hoffmann 1 sibling, 1 reply; 27+ messages in thread From: James Bottomley @ 2022-04-20 14:25 UTC (permalink / raw) To: Gerd Hoffmann, Yao, Jiewen Cc: devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, Tom Lendacky On Wed, 2022-04-20 at 10:16 +0200, Gerd Hoffmann wrote: > Hi, > > > > Yes for validation (aka sanity-checking the fields, etc). > > > But for measurement I don't see why the ordering matters. > > > Whenever you do that before or after consuming the TdHob > > > should not make a difference. > > > > [Jiewen] I disagree. The order matters from security perspective. > > If you use it, there is risk that the buggy code will compromise > > the system before you have chance to measure it. > > Measurement will only record hashes for verification later on. > It will not prevent running possibly buggy/compromised code. This is true, but this is also the design of measured boot: it's for proof of correctness (or not) after the fact. Secure boot is more the technology that can prevent boot. > So, no matter what the order is, you'll figure the system got > compromised after the fact, when checking the hashes later, and in > turn take actions like refusing to hand out secrets to the > compromised system. Not if the code falsifies the measurement both in the log and to the TPM. That's why the requirement of measured boot is you start with a small rom based root of trust, which can't be updated because it's in rom. It measures the next stage (usually PEI) before executing it so that the measurement in the TPM would change if the next stage (which is often in flash) got compromised, so any tampering is certain to be detected and if the compromised code tries to falsify the log, the log now wouldn't match the TPM, so it can't evade detection. The requirement from the TCG is that the trusted code measures the untrusted code through the TPM before executing it to get this proveable detection of tampering. The TCG allows you to be elastic about when you record the measurements in the log as long as you measure through the TPM at the correct points. The above applies equally to TPM substitutes like the TDX msrs. James ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-20 14:25 ` James Bottomley @ 2022-04-20 16:29 ` Gerd Hoffmann 2022-04-20 22:29 ` Yao, Jiewen 0 siblings, 1 reply; 27+ messages in thread From: Gerd Hoffmann @ 2022-04-20 16:29 UTC (permalink / raw) To: James Bottomley Cc: Yao, Jiewen, devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, Tom Lendacky Hi, > > So, no matter what the order is, you'll figure the system got > > compromised after the fact, when checking the hashes later, and in > > turn take actions like refusing to hand out secrets to the > > compromised system. > > Not if the code falsifies the measurement both in the log and to the > TPM. That's why the requirement of measured boot is you start with a > small rom based root of trust, which can't be updated because it's in > rom. It measures the next stage (usually PEI) before executing it so > that the measurement in the TPM would change if the next stage (which > is often in flash) got compromised, so any tampering is certain to be > detected and if the compromised code tries to falsify the log, the log > now wouldn't match the TPM, so it can't evade detection. How do we establish the root of trust in case of TDX? We don't have a real rom in virtual machines ... Does the tdx firmware measure the firmware code before running it? Why handle CFV and BFV differently? Wouldn't it be easier to have the tdx firmware simply measure the complete OVMF.fd image, given that tdx doesn't support flash and thus we don't have the code/vars split in the first place? The TD HobList is prepared by the hypervisor and present at launch time, so possibly the tdx firmware could measure it too before handing over control to the guest? take care, Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-20 16:29 ` Gerd Hoffmann @ 2022-04-20 22:29 ` Yao, Jiewen 2022-04-21 9:14 ` Gerd Hoffmann 0 siblings, 1 reply; 27+ messages in thread From: Yao, Jiewen @ 2022-04-20 22:29 UTC (permalink / raw) To: Gerd Hoffmann, James Bottomley Cc: devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, Tom Lendacky The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX-Module will enforce the MRTD calculation for the TDVF code. Then TDVF can then act as Chain-of-Trust for Measurement (CTM) to setup RTMR and continue the rest. It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8. [TDX-Module] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf [TDVF] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf > -----Original Message----- > From: Gerd Hoffmann <kraxel@redhat.com> > Sent: Thursday, April 21, 2022 12:29 AM > To: James Bottomley <jejb@linux.ibm.com> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Xu, Min M > <min.m.xu@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Justen, > Jordan L <jordan.l.justen@intel.com>; Brijesh Singh <brijesh.singh@amd.com>; > Aktas, Erdem <erdemaktas@google.com>; Tom Lendacky > <thomas.lendacky@amd.com> > Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td > HobList and Configuration FV > > Hi, > > > > So, no matter what the order is, you'll figure the system got > > > compromised after the fact, when checking the hashes later, and in > > > turn take actions like refusing to hand out secrets to the > > > compromised system. > > > > Not if the code falsifies the measurement both in the log and to the > > TPM. That's why the requirement of measured boot is you start with a > > small rom based root of trust, which can't be updated because it's in > > rom. It measures the next stage (usually PEI) before executing it so > > that the measurement in the TPM would change if the next stage (which > > is often in flash) got compromised, so any tampering is certain to be > > detected and if the compromised code tries to falsify the log, the log > > now wouldn't match the TPM, so it can't evade detection. > > How do we establish the root of trust in case of TDX? We don't have a > real rom in virtual machines ... > > Does the tdx firmware measure the firmware code before running it? > > Why handle CFV and BFV differently? Wouldn't it be easier to have the > tdx firmware simply measure the complete OVMF.fd image, given that tdx > doesn't support flash and thus we don't have the code/vars split in the > first place? > > The TD HobList is prepared by the hypervisor and present at launch time, > so possibly the tdx firmware could measure it too before handing over > control to the guest? > > take care, > Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-20 22:29 ` Yao, Jiewen @ 2022-04-21 9:14 ` Gerd Hoffmann 2022-04-21 9:24 ` Yao, Jiewen 0 siblings, 1 reply; 27+ messages in thread From: Gerd Hoffmann @ 2022-04-21 9:14 UTC (permalink / raw) To: Yao, Jiewen Cc: James Bottomley, devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, Tom Lendacky On Wed, Apr 20, 2022 at 10:29:11PM +0000, Yao, Jiewen wrote: > The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX-Module will enforce the MRTD calculation for the TDVF code. > Then TDVF can then act as Chain-of-Trust for Measurement (CTM) to setup RTMR and continue the rest. > > It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8. > > [TDX-Module] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf > [TDVF] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf Ok. So it all works via TDH.MEM.PAGE.ADD (initial set of accepted pages) and TDH.MR.EXTEND (measure into MRTD) functions. Looking at our binary ... # virt-fw-dump -i Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd --ovmf-meta image=Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd resetvector size=0x9b0 [ ... sev metadata snipped ... ] guid:TdxMetadataOffset size=0x16 data=50080000 mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1 mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000 mbase=0x810000 msize=0x10000 type=MEM mbase=0x80b000 msize=0x2000 type=MEM mbase=0x809000 msize=0x2000 type=TD Hob mbase=0x800000 msize=0x6000 type=MEM ... BFV is measured (bit 0 of flags) whereas CFV and TD Hob are only added but not measured. Adding CFV and TH Hob to the initial launch measurement should be possible by just updating flags, correct? I think this should be done for the CFV. The firmware will be loaded via "qemu -bios OVMF.fd". No separate images for CODE and VARS. So splitting the measurement looks rather pointless to me. TD Hob could be part of the initial launch measurement too, which would avoid the need to measure anything in SEC. On the other hand the that would make the launch measurement depend not only on the firmware image but also the guest configuration (memory size), which would likely make things more complexity elsewhere, so probably not a good idea. take care, Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV 2022-04-21 9:14 ` Gerd Hoffmann @ 2022-04-21 9:24 ` Yao, Jiewen 0 siblings, 0 replies; 27+ messages in thread From: Yao, Jiewen @ 2022-04-21 9:24 UTC (permalink / raw) To: Gerd Hoffmann Cc: James Bottomley, devel@edk2.groups.io, Xu, Min M, Ard Biesheuvel, Justen, Jordan L, Brijesh Singh, Aktas, Erdem, Tom Lendacky Adding CFV and TD_HOB to MRTD is technically possible, but not desired. In a typical trust boot use case, the verifier should have a way to distinguish the *code* from *configuration*. If you look at the TCG specification, the TPM has 24 PCRs. 8 of them are allocated for BIOS. Each PCRs record one type of measurements. Technically, you can merge all PCR into one. But no one will do that in reality. I would say: merging everything into one MRTD is a terrible idea. Thank you Yao Jiewen > -----Original Message----- > From: Gerd Hoffmann <kraxel@redhat.com> > Sent: Thursday, April 21, 2022 5:15 PM > To: Yao, Jiewen <jiewen.yao@intel.com> > Cc: James Bottomley <jejb@linux.ibm.com>; devel@edk2.groups.io; Xu, Min M > <min.m.xu@intel.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Justen, > Jordan L <jordan.l.justen@intel.com>; Brijesh Singh <brijesh.singh@amd.com>; > Aktas, Erdem <erdemaktas@google.com>; Tom Lendacky > <thomas.lendacky@amd.com> > Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td > HobList and Configuration FV > > On Wed, Apr 20, 2022 at 10:29:11PM +0000, Yao, Jiewen wrote: > > The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX- > Module will enforce the MRTD calculation for the TDVF code. > > Then TDVF can then act as Chain-of-Trust for Measurement (CTM) to setup > RTMR and continue the rest. > > > > It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8. > > > > [TDX-Module] > https://www.intel.com/content/dam/develop/external/us/en/documents/tdx- > module-1.0-public-spec-v0.931.pdf > > [TDVF] > https://www.intel.com/content/dam/develop/external/us/en/documents/tdx- > virtual-firmware-design-guide-rev-1.01.pdf > > Ok. So it all works via TDH.MEM.PAGE.ADD (initial set of accepted > pages) and TDH.MR.EXTEND (measure into MRTD) functions. > > Looking at our binary ... > > # virt-fw-dump -i Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd --ovmf-meta > image=Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd > resetvector size=0x9b0 > [ ... sev metadata snipped ... ] > guid:TdxMetadataOffset size=0x16 data=50080000 > mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 > fsize=0x37c000 flags=0x1 > mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000 > mbase=0x810000 msize=0x10000 type=MEM > mbase=0x80b000 msize=0x2000 type=MEM > mbase=0x809000 msize=0x2000 type=TD Hob > mbase=0x800000 msize=0x6000 type=MEM > > ... BFV is measured (bit 0 of flags) whereas CFV and TD Hob are only > added but not measured. > > Adding CFV and TH Hob to the initial launch measurement should be > possible by just updating flags, correct? > > I think this should be done for the CFV. The firmware will be loaded > via "qemu -bios OVMF.fd". No separate images for CODE and VARS. So > splitting the measurement looks rather pointless to me. > > TD Hob could be part of the initial launch measurement too, which would > avoid the need to measure anything in SEC. On the other hand the that > would make the launch measurement depend not only on the firmware image > but also the guest configuration (memory size), which would likely make > things more complexity elsewhere, so probably not a good idea. > > take care, > Gerd ^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH V3 6/9] OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu ` (4 preceding siblings ...) 2022-04-17 23:59 ` [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-17 23:59 ` [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table Min Xu ` (3 subsequent siblings) 9 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel Cc: Min Xu, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Ken Lu, Sami Mujawar, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 Add PCDs to records LAML/LASA field in CC EVENTLOG ACPI table. Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ken Lu <ken.lu@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- OvmfPkg/OvmfPkg.dec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 6f08dcdf0d3b..5c6944ad570c 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -440,6 +440,12 @@ # 2 - set by GOP Driver. gUefiOvmfPkgTokenSpaceGuid.PcdVideoResolutionSource|0|UINT8|0x64 + ## This PCD records LAML field in CC EVENTLOG ACPI table. + gUefiOvmfPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLaml|0|UINT32|0x66 + + ## This PCD records LASA field in CC EVENTLOG ACPI table. + gUefiOvmfPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x67 + [PcdsFeatureFlag] gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderPciTranslation|TRUE|BOOLEAN|0x1c gUefiOvmfPkgTokenSpaceGuid.PcdQemuBootOrderMmioTranslation|FALSE|BOOLEAN|0x1d -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu ` (5 preceding siblings ...) 2022-04-17 23:59 ` [PATCH V3 6/9] OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-18 1:23 ` Yao, Jiewen 2022-04-17 23:59 ` [PATCH V3 8/9] OvmfPkg/IntelTdx: Add TdTcg2Dxe Min Xu ` (2 subsequent siblings) 9 siblings, 1 reply; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel Cc: Min Xu, Michael D Kinney, Liming Gao, Zhiguang Liu, Jiewen Yao, Jian J Wang, Ken Lu, Sami Mujawar, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 TDVF set up an ACPI table (EFI_CC_EVENTLOG_ACPI_TABLE) to pass the event-log information. The event log created by the TD owner contains the hashes to reconstruct the MRTD and RTMR registers. Please refer to Sec 4.3.3 in blow link: https://www.intel.com/content/dam/develop/external/us/en/documents/ intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf Please be noted, the definition of EFI_CC_EVENTLOG_ACPI_TABLE is a little different from the above document. This difference is based on below discussion: - https://edk2.groups.io/g/devel/message/87396 - https://edk2.groups.io/g/devel/message/87402 This change will be reflected in the next version of the above document. Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Zhiguang Liu <zhiguang.liu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Ken Lu <ken.lu@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- MdePkg/Include/Protocol/CcMeasurement.h | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/MdePkg/Include/Protocol/CcMeasurement.h b/MdePkg/Include/Protocol/CcMeasurement.h index 68029e977fac..58123ca72163 100644 --- a/MdePkg/Include/Protocol/CcMeasurement.h +++ b/MdePkg/Include/Protocol/CcMeasurement.h @@ -299,4 +299,25 @@ typedef struct { extern EFI_GUID gEfiCcFinalEventsTableGuid; +// +// Define the CC Measure EventLog ACPI Table +// +#pragma pack(1) + +typedef struct { + EFI_ACPI_DESCRIPTION_HEADER Header; + EFI_CC_TYPE CcType; + UINT32 Rsvd; + UINT64 Laml; + UINT64 Lasa; +} EFI_CC_EVENTLOG_ACPI_TABLE; + +#pragma pack() + +// +// Define the signature and revision of CC Measurement EventLog ACPI Table +// +#define EFI_CC_EVENTLOG_ACPI_TABLE_SIGNATURE SIGNATURE_32('C', 'C', 'E', 'L') +#define EFI_CC_EVENTLOG_ACPI_TABLE_REVISION 1 + #endif -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table 2022-04-17 23:59 ` [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table Min Xu @ 2022-04-18 1:23 ` Yao, Jiewen 2022-04-18 2:02 ` Min Xu 0 siblings, 1 reply; 27+ messages in thread From: Yao, Jiewen @ 2022-04-18 1:23 UTC (permalink / raw) To: Xu, Min M, devel@edk2.groups.io Cc: Kinney, Michael D, Gao, Liming, Liu, Zhiguang, Wang, Jian J, Lu, Ken, Sami Mujawar, Gerd Hoffmann +typedef struct { + EFI_ACPI_DESCRIPTION_HEADER Header; + EFI_CC_TYPE CcType; + UINT32 Rsvd; <== HERE! + UINT64 Laml; + UINT64 Lasa; +} EFI_CC_EVENTLOG_ACPI_TABLE; Would you please double check the spec? The Rsvd should be 2 bytes. Thank you Yao Jiewen > -----Original Message----- > From: Xu, Min M <min.m.xu@intel.com> > Sent: Monday, April 18, 2022 8:00 AM > To: devel@edk2.groups.io > Cc: Xu, Min M <min.m.xu@intel.com>; Kinney, Michael D > <michael.d.kinney@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>; Liu, > Zhiguang <zhiguang.liu@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; > Wang, Jian J <jian.j.wang@intel.com>; Lu, Ken <ken.lu@intel.com>; Sami > Mujawar <sami.mujawar@arm.com>; Gerd Hoffmann <kraxel@redhat.com> > Subject: [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > TDVF set up an ACPI table (EFI_CC_EVENTLOG_ACPI_TABLE) to pass the > event-log information. The event log created by the TD owner contains > the hashes to reconstruct the MRTD and RTMR registers. > > Please refer to Sec 4.3.3 in blow link: > https://www.intel.com/content/dam/develop/external/us/en/documents/ > intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf > > Please be noted, the definition of EFI_CC_EVENTLOG_ACPI_TABLE is a > little different from the above document. This difference is based on > below discussion: > - https://edk2.groups.io/g/devel/message/87396 > - https://edk2.groups.io/g/devel/message/87402 > > This change will be reflected in the next version of the above document. > > Cc: Michael D Kinney <michael.d.kinney@intel.com> > Cc: Liming Gao <gaoliming@byosoft.com.cn> > Cc: Zhiguang Liu <zhiguang.liu@intel.com> > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Jian J Wang <jian.j.wang@intel.com> > Cc: Ken Lu <ken.lu@intel.com> > Cc: Sami Mujawar <sami.mujawar@arm.com> > Cc: Gerd Hoffmann <kraxel@redhat.com> > Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn> > Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> > Signed-off-by: Min Xu <min.m.xu@intel.com> > --- > MdePkg/Include/Protocol/CcMeasurement.h | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > > diff --git a/MdePkg/Include/Protocol/CcMeasurement.h > b/MdePkg/Include/Protocol/CcMeasurement.h > index 68029e977fac..58123ca72163 100644 > --- a/MdePkg/Include/Protocol/CcMeasurement.h > +++ b/MdePkg/Include/Protocol/CcMeasurement.h > @@ -299,4 +299,25 @@ typedef struct { > > extern EFI_GUID gEfiCcFinalEventsTableGuid; > > +// > +// Define the CC Measure EventLog ACPI Table > +// > +#pragma pack(1) > + > +typedef struct { > + EFI_ACPI_DESCRIPTION_HEADER Header; > + EFI_CC_TYPE CcType; > + UINT32 Rsvd; > + UINT64 Laml; > + UINT64 Lasa; > +} EFI_CC_EVENTLOG_ACPI_TABLE; > + > +#pragma pack() > + > +// > +// Define the signature and revision of CC Measurement EventLog ACPI Table > +// > +#define EFI_CC_EVENTLOG_ACPI_TABLE_SIGNATURE SIGNATURE_32('C', 'C', > 'E', 'L') > +#define EFI_CC_EVENTLOG_ACPI_TABLE_REVISION 1 > + > #endif > -- > 2.29.2.windows.2 ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table 2022-04-18 1:23 ` Yao, Jiewen @ 2022-04-18 2:02 ` Min Xu 0 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-18 2:02 UTC (permalink / raw) To: Yao, Jiewen, devel@edk2.groups.io Cc: Kinney, Michael D, Gao, Liming, Liu, Zhiguang, Wang, Jian J, Lu, Ken, Sami Mujawar, Gerd Hoffmann On April 18, 2022 9:24 AM, Yao Jiewen wrote: > > +typedef struct { > + EFI_ACPI_DESCRIPTION_HEADER Header; > + EFI_CC_TYPE CcType; > + UINT32 Rsvd; <== HERE! > + UINT64 Laml; > + UINT64 Lasa; > +} EFI_CC_EVENTLOG_ACPI_TABLE; > > Would you please double check the spec? The Rsvd should be 2 bytes. > Thanks for reminder. It should be UINT16. It will be updated in the next version. Thanks Min ^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH V3 8/9] OvmfPkg/IntelTdx: Add TdTcg2Dxe 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu ` (6 preceding siblings ...) 2022-04-17 23:59 ` [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table Min Xu @ 2022-04-17 23:59 ` Min Xu 2022-04-18 0:00 ` [PATCH V3 9/9] OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot Min Xu 2022-04-18 1:43 ` [edk2-devel] [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Yao, Jiewen 9 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-17 23:59 UTC (permalink / raw) To: devel Cc: Min Xu, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Ken Lu, Sami Mujawar, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 TdTcg2Dxe mimics the Security/Tcg/Tcg2Dxe. It does below tasks: - Set up and install CC_EVENTLOG ACPI table - Parse the GUIDed HOB (gCcEventEntryHobGuid) and create CC event log - Measure handoff tables, Boot##### variables etc - Measure Exit Boot Service failed - Install CcMeasurement Protocol Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ken Lu <ken.lu@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- .../IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c | 407 +++ OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c | 2489 +++++++++++++++++ OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf | 101 + 3 files changed, 2997 insertions(+) create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf diff --git a/OvmfPkg/IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c b/OvmfPkg/IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c new file mode 100644 index 000000000000..4d542156badd --- /dev/null +++ b/OvmfPkg/IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c @@ -0,0 +1,407 @@ +/** @file + This module implements measuring PeCoff image for Tcg2 Protocol. + + Caution: This file requires additional review when modified. + This driver will have external input - PE/COFF image. + This external input must be validated carefully to avoid security issue like + buffer overflow, integer overflow. + +Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include <PiDxe.h> + +#include <Library/BaseLib.h> +#include <Library/DebugLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/MemoryAllocationLib.h> +#include <Library/DevicePathLib.h> +#include <Library/UefiBootServicesTableLib.h> +#include <Library/PeCoffLib.h> +#include <Library/HashLib.h> + +UINTN mTcg2DxeImageSize = 0; + +/** + Reads contents of a PE/COFF image in memory buffer. + + Caution: This function may receive untrusted input. + PE/COFF image is external input, so this function will make sure the PE/COFF image content + read is within the image buffer. + + @param FileHandle Pointer to the file handle to read the PE/COFF image. + @param FileOffset Offset into the PE/COFF image to begin the read operation. + @param ReadSize On input, the size in bytes of the requested read operation. + On output, the number of bytes actually read. + @param Buffer Output buffer that contains the data read from the PE/COFF image. + + @retval EFI_SUCCESS The specified portion of the PE/COFF image was read and the size +**/ +EFI_STATUS +EFIAPI +Tcg2DxeImageRead ( + IN VOID *FileHandle, + IN UINTN FileOffset, + IN OUT UINTN *ReadSize, + OUT VOID *Buffer + ) +{ + UINTN EndPosition; + + if ((FileHandle == NULL) || (ReadSize == NULL) || (Buffer == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (MAX_ADDRESS - FileOffset < *ReadSize) { + return EFI_INVALID_PARAMETER; + } + + EndPosition = FileOffset + *ReadSize; + if (EndPosition > mTcg2DxeImageSize) { + *ReadSize = (UINT32)(mTcg2DxeImageSize - FileOffset); + } + + if (FileOffset >= mTcg2DxeImageSize) { + *ReadSize = 0; + } + + CopyMem (Buffer, (UINT8 *)((UINTN)FileHandle + FileOffset), *ReadSize); + + return EFI_SUCCESS; +} + +/** + Measure PE image into TPM log based on the authenticode image hashing in + PE/COFF Specification 8.0 Appendix A. + + Caution: This function may receive untrusted input. + PE/COFF image is external input, so this function will validate its data structure + within this image buffer before use. + + Notes: PE/COFF image is checked by BasePeCoffLib PeCoffLoaderGetImageInfo(). + + @param[in] RtmrIndex Rtmr index + @param[in] ImageAddress Start address of image buffer. + @param[in] ImageSize Image size + @param[out] DigestList Digest list of this image. + + @retval EFI_SUCCESS Successfully measure image. + @retval EFI_OUT_OF_RESOURCES No enough resource to measure image. + @retval other error value +**/ +EFI_STATUS +MeasurePeImageAndExtend ( + IN UINT32 RtmrIndex, + IN EFI_PHYSICAL_ADDRESS ImageAddress, + IN UINTN ImageSize, + OUT TPML_DIGEST_VALUES *DigestList + ) +{ + EFI_STATUS Status; + EFI_IMAGE_DOS_HEADER *DosHdr; + UINT32 PeCoffHeaderOffset; + EFI_IMAGE_SECTION_HEADER *Section; + UINT8 *HashBase; + UINTN HashSize; + UINTN SumOfBytesHashed; + EFI_IMAGE_SECTION_HEADER *SectionHeader; + UINTN Index; + UINTN Pos; + EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr; + UINT32 NumberOfRvaAndSizes; + UINT32 CertSize; + HASH_HANDLE HashHandle; + PE_COFF_LOADER_IMAGE_CONTEXT ImageContext; + + HashHandle = 0xFFFFFFFF; // Know bad value + + Status = EFI_UNSUPPORTED; + SectionHeader = NULL; + + // + // Check PE/COFF image + // + ZeroMem (&ImageContext, sizeof (ImageContext)); + ImageContext.Handle = (VOID *)(UINTN)ImageAddress; + mTcg2DxeImageSize = ImageSize; + ImageContext.ImageRead = (PE_COFF_LOADER_READ_FILE)Tcg2DxeImageRead; + + // + // Get information about the image being loaded + // + Status = PeCoffLoaderGetImageInfo (&ImageContext); + if (EFI_ERROR (Status)) { + // + // The information can't be got from the invalid PeImage + // + DEBUG ((DEBUG_INFO, "Tcg2Dxe: PeImage invalid. Cannot retrieve image information.\n")); + goto Finish; + } + + DosHdr = (EFI_IMAGE_DOS_HEADER *)(UINTN)ImageAddress; + PeCoffHeaderOffset = 0; + if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) { + PeCoffHeaderOffset = DosHdr->e_lfanew; + } + + Hdr.Pe32 = (EFI_IMAGE_NT_HEADERS32 *)((UINT8 *)(UINTN)ImageAddress + PeCoffHeaderOffset); + if (Hdr.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE) { + Status = EFI_UNSUPPORTED; + goto Finish; + } + + // + // PE/COFF Image Measurement + // + // NOTE: The following codes/steps are based upon the authenticode image hashing in + // PE/COFF Specification 8.0 Appendix A. + // + // + + // 1. Load the image header into memory. + + // 2. Initialize a SHA hash context. + + Status = HashStart (&HashHandle); + if (EFI_ERROR (Status)) { + goto Finish; + } + + // + // Measuring PE/COFF Image Header; + // But CheckSum field and SECURITY data directory (certificate) are excluded + // + + // + // 3. Calculate the distance from the base of the image header to the image checksum address. + // 4. Hash the image header from its base to beginning of the image checksum. + // + HashBase = (UINT8 *)(UINTN)ImageAddress; + if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { + // + // Use PE32 offset + // + NumberOfRvaAndSizes = Hdr.Pe32->OptionalHeader.NumberOfRvaAndSizes; + HashSize = (UINTN)(&Hdr.Pe32->OptionalHeader.CheckSum) - (UINTN)HashBase; + } else { + // + // Use PE32+ offset + // + NumberOfRvaAndSizes = Hdr.Pe32Plus->OptionalHeader.NumberOfRvaAndSizes; + HashSize = (UINTN)(&Hdr.Pe32Plus->OptionalHeader.CheckSum) - (UINTN)HashBase; + } + + Status = HashUpdate (HashHandle, HashBase, HashSize); + if (EFI_ERROR (Status)) { + goto Finish; + } + + // + // 5. Skip over the image checksum (it occupies a single ULONG). + // + if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) { + // + // 6. Since there is no Cert Directory in optional header, hash everything + // from the end of the checksum to the end of image header. + // + if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { + // + // Use PE32 offset. + // + HashBase = (UINT8 *)&Hdr.Pe32->OptionalHeader.CheckSum + sizeof (UINT32); + HashSize = Hdr.Pe32->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress); + } else { + // + // Use PE32+ offset. + // + HashBase = (UINT8 *)&Hdr.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32); + HashSize = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress); + } + + if (HashSize != 0) { + Status = HashUpdate (HashHandle, HashBase, HashSize); + if (EFI_ERROR (Status)) { + goto Finish; + } + } + } else { + // + // 7. Hash everything from the end of the checksum to the start of the Cert Directory. + // + if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { + // + // Use PE32 offset + // + HashBase = (UINT8 *)&Hdr.Pe32->OptionalHeader.CheckSum + sizeof (UINT32); + HashSize = (UINTN)(&Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN)HashBase; + } else { + // + // Use PE32+ offset + // + HashBase = (UINT8 *)&Hdr.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32); + HashSize = (UINTN)(&Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN)HashBase; + } + + if (HashSize != 0) { + Status = HashUpdate (HashHandle, HashBase, HashSize); + if (EFI_ERROR (Status)) { + goto Finish; + } + } + + // + // 8. Skip over the Cert Directory. (It is sizeof(IMAGE_DATA_DIRECTORY) bytes.) + // 9. Hash everything from the end of the Cert Directory to the end of image header. + // + if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { + // + // Use PE32 offset + // + HashBase = (UINT8 *)&Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; + HashSize = Hdr.Pe32->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress); + } else { + // + // Use PE32+ offset + // + HashBase = (UINT8 *)&Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; + HashSize = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN)(HashBase - ImageAddress); + } + + if (HashSize != 0) { + Status = HashUpdate (HashHandle, HashBase, HashSize); + if (EFI_ERROR (Status)) { + goto Finish; + } + } + } + + // + // 10. Set the SUM_OF_BYTES_HASHED to the size of the header + // + if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { + // + // Use PE32 offset + // + SumOfBytesHashed = Hdr.Pe32->OptionalHeader.SizeOfHeaders; + } else { + // + // Use PE32+ offset + // + SumOfBytesHashed = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders; + } + + // + // 11. Build a temporary table of pointers to all the IMAGE_SECTION_HEADER + // structures in the image. The 'NumberOfSections' field of the image + // header indicates how big the table should be. Do not include any + // IMAGE_SECTION_HEADERs in the table whose 'SizeOfRawData' field is zero. + // + SectionHeader = (EFI_IMAGE_SECTION_HEADER *)AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * Hdr.Pe32->FileHeader.NumberOfSections); + if (SectionHeader == NULL) { + Status = EFI_OUT_OF_RESOURCES; + goto Finish; + } + + // + // 12. Using the 'PointerToRawData' in the referenced section headers as + // a key, arrange the elements in the table in ascending order. In other + // words, sort the section headers according to the disk-file offset of + // the section. + // + Section = (EFI_IMAGE_SECTION_HEADER *)( + (UINT8 *)(UINTN)ImageAddress + + PeCoffHeaderOffset + + sizeof (UINT32) + + sizeof (EFI_IMAGE_FILE_HEADER) + + Hdr.Pe32->FileHeader.SizeOfOptionalHeader + ); + for (Index = 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++) { + Pos = Index; + while ((Pos > 0) && (Section->PointerToRawData < SectionHeader[Pos - 1].PointerToRawData)) { + CopyMem (&SectionHeader[Pos], &SectionHeader[Pos - 1], sizeof (EFI_IMAGE_SECTION_HEADER)); + Pos--; + } + + CopyMem (&SectionHeader[Pos], Section, sizeof (EFI_IMAGE_SECTION_HEADER)); + Section += 1; + } + + // + // 13. Walk through the sorted table, bring the corresponding section + // into memory, and hash the entire section (using the 'SizeOfRawData' + // field in the section header to determine the amount of data to hash). + // 14. Add the section's 'SizeOfRawData' to SUM_OF_BYTES_HASHED . + // 15. Repeat steps 13 and 14 for all the sections in the sorted table. + // + for (Index = 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++) { + Section = (EFI_IMAGE_SECTION_HEADER *)&SectionHeader[Index]; + if (Section->SizeOfRawData == 0) { + continue; + } + + HashBase = (UINT8 *)(UINTN)ImageAddress + Section->PointerToRawData; + HashSize = (UINTN)Section->SizeOfRawData; + + Status = HashUpdate (HashHandle, HashBase, HashSize); + if (EFI_ERROR (Status)) { + goto Finish; + } + + SumOfBytesHashed += HashSize; + } + + // + // 16. If the file size is greater than SUM_OF_BYTES_HASHED, there is extra + // data in the file that needs to be added to the hash. This data begins + // at file offset SUM_OF_BYTES_HASHED and its length is: + // FileSize - (CertDirectory->Size) + // + if (ImageSize > SumOfBytesHashed) { + HashBase = (UINT8 *)(UINTN)ImageAddress + SumOfBytesHashed; + + if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) { + CertSize = 0; + } else { + if (Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { + // + // Use PE32 offset. + // + CertSize = Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size; + } else { + // + // Use PE32+ offset. + // + CertSize = Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size; + } + } + + if (ImageSize > CertSize + SumOfBytesHashed) { + HashSize = (UINTN)(ImageSize - CertSize - SumOfBytesHashed); + + Status = HashUpdate (HashHandle, HashBase, HashSize); + if (EFI_ERROR (Status)) { + goto Finish; + } + } else if (ImageSize < CertSize + SumOfBytesHashed) { + Status = EFI_UNSUPPORTED; + goto Finish; + } + } + + // + // 17. Finalize the SHA hash. + // + Status = HashCompleteAndExtend (HashHandle, RtmrIndex, NULL, 0, DigestList); + if (EFI_ERROR (Status)) { + goto Finish; + } + +Finish: + if (SectionHeader != NULL) { + FreePool (SectionHeader); + } + + return Status; +} diff --git a/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c b/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c new file mode 100644 index 000000000000..e9315ecda17b --- /dev/null +++ b/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c @@ -0,0 +1,2489 @@ +/** @file + This module implements EFI TD Protocol. + + Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include <PiDxe.h> +#include <IndustryStandard/Acpi.h> +#include <IndustryStandard/PeImage.h> +#include <IndustryStandard/TcpaAcpi.h> + +#include <Guid/GlobalVariable.h> +#include <Guid/HobList.h> +#include <Guid/EventGroup.h> +#include <Guid/EventExitBootServiceFailed.h> +#include <Guid/ImageAuthentication.h> +#include <Guid/TpmInstance.h> + +#include <Protocol/DevicePath.h> +#include <Protocol/MpService.h> +#include <Protocol/VariableWrite.h> +#include <Protocol/Tcg2Protocol.h> +#include <Protocol/TrEEProtocol.h> +#include <Protocol/ResetNotification.h> +#include <Protocol/AcpiTable.h> + +#include <Library/DebugLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/UefiRuntimeServicesTableLib.h> +#include <Library/UefiDriverEntryPoint.h> +#include <Library/HobLib.h> +#include <Library/UefiBootServicesTableLib.h> +#include <Library/BaseLib.h> +#include <Library/MemoryAllocationLib.h> +#include <Library/PrintLib.h> +#include <Library/PcdLib.h> +#include <Library/UefiLib.h> +#include <Library/HashLib.h> +#include <Library/PerformanceLib.h> +#include <Library/ReportStatusCodeLib.h> +#include <Library/TpmMeasurementLib.h> + +#include <Protocol/CcMeasurement.h> +#include <Guid/CcEventHob.h> +#include <Library/TdxLib.h> + +#define PERF_ID_CC_TCG2_DXE 0x3130 + +#define CC_EVENT_LOG_AREA_COUNT_MAX 1 +#define INVALID_RTMR_INDEX 4 + +typedef struct { + CHAR16 *VariableName; + EFI_GUID *VendorGuid; +} VARIABLE_TYPE; + +typedef struct { + EFI_GUID *EventGuid; + EFI_CC_EVENT_LOG_FORMAT LogFormat; +} CC_EVENT_INFO_STRUCT; + +typedef struct { + EFI_CC_EVENT_LOG_FORMAT EventLogFormat; + EFI_PHYSICAL_ADDRESS Lasa; + UINT64 Laml; + UINTN EventLogSize; + UINT8 *LastEvent; + BOOLEAN EventLogStarted; + BOOLEAN EventLogTruncated; + UINTN Next800155EventOffset; +} CC_EVENT_LOG_AREA_STRUCT; + +typedef struct _TDX_DXE_DATA { + EFI_CC_BOOT_SERVICE_CAPABILITY BsCap; + CC_EVENT_LOG_AREA_STRUCT EventLogAreaStruct[CC_EVENT_LOG_AREA_COUNT_MAX]; + BOOLEAN GetEventLogCalled[CC_EVENT_LOG_AREA_COUNT_MAX]; + CC_EVENT_LOG_AREA_STRUCT FinalEventLogAreaStruct[CC_EVENT_LOG_AREA_COUNT_MAX]; + EFI_CC_FINAL_EVENTS_TABLE *FinalEventsTable[CC_EVENT_LOG_AREA_COUNT_MAX]; +} TDX_DXE_DATA; + +typedef struct { + TPMI_ALG_HASH HashAlgo; + UINT16 HashSize; + UINT32 HashMask; +} TDX_HASH_INFO; + +// +// +CC_EVENT_INFO_STRUCT mCcEventInfo[] = { + { &gCcEventEntryHobGuid, EFI_CC_EVENT_LOG_FORMAT_TCG_2 }, +}; + +TDX_DXE_DATA mTdxDxeData = { + { + sizeof (EFI_CC_BOOT_SERVICE_CAPABILITY), // Size + { 1, 1 }, // StructureVersion + { 1, 1 }, // ProtocolVersion + EFI_CC_BOOT_HASH_ALG_SHA384, // HashAlgorithmBitmap + EFI_CC_EVENT_LOG_FORMAT_TCG_2, // SupportedEventLogs + { 2, 0 } // {CC_TYPE, CC_SUBTYPE} + }, +}; + +UINTN mBootAttempts = 0; +CHAR16 mBootVarName[] = L"BootOrder"; + +VARIABLE_TYPE mVariableType[] = { + { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid }, + { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid }, + { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid }, + { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid }, + { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid }, +}; + +EFI_CC_EVENTLOG_ACPI_TABLE mTdxEventlogAcpiTemplate = { + { + EFI_CC_EVENTLOG_ACPI_TABLE_SIGNATURE, + sizeof (mTdxEventlogAcpiTemplate), + EFI_CC_EVENTLOG_ACPI_TABLE_REVISION, + // + // Compiler initializes the remaining bytes to 0 + // These fields should be filled in production + // + }, + { EFI_CC_TYPE_TDX, 0 }, // CcType + 0, // rsvd + 0, // laml + 0, // lasa +}; + +// +// Supported Hash list in Td guest. +// Currently SHA384 is supported. +// +TDX_HASH_INFO mHashInfo[] = { + { TPM_ALG_SHA384, SHA384_DIGEST_SIZE, HASH_ALG_SHA384 } +}; + +/** + Get hash size based on Algo + + @param[in] HashAlgo Hash Algorithm Id. + + @return Size of the hash. +**/ +UINT16 +GetHashSizeFromAlgo ( + IN TPMI_ALG_HASH HashAlgo + ) +{ + UINTN Index; + + for (Index = 0; Index < sizeof (mHashInfo)/sizeof (mHashInfo[0]); Index++) { + if (mHashInfo[Index].HashAlgo == HashAlgo) { + return mHashInfo[Index].HashSize; + } + } + + return 0; +} + +/** + Get hash mask based on Algo + + @param[in] HashAlgo Hash Algorithm Id. + + @return Hash mask. +**/ +UINT32 +GetHashMaskFromAlgo ( + IN TPMI_ALG_HASH HashAlgo + ) +{ + UINTN Index; + + for (Index = 0; Index < ARRAY_SIZE (mHashInfo); Index++) { + if (mHashInfo[Index].HashAlgo == HashAlgo) { + return mHashInfo[Index].HashMask; + } + } + + ASSERT (FALSE); + return 0; +} + +/** + Copy TPML_DIGEST_VALUES into a buffer + + @param[in,out] Buffer Buffer to hold copied TPML_DIGEST_VALUES compact binary. + @param[in] DigestList TPML_DIGEST_VALUES to be copied. + @param[in] HashAlgorithmMask HASH bits corresponding to the desired digests to copy. + + @return The end of buffer to hold TPML_DIGEST_VALUES. +**/ +VOID * +CopyDigestListToBuffer ( + IN OUT VOID *Buffer, + IN TPML_DIGEST_VALUES *DigestList, + IN UINT32 HashAlgorithmMask + ) +{ + UINTN Index; + UINT16 DigestSize; + UINT32 DigestListCount; + UINT32 *DigestListCountPtr; + + DigestListCountPtr = (UINT32 *)Buffer; + DigestListCount = 0; + Buffer = (UINT8 *)Buffer + sizeof (DigestList->count); + for (Index = 0; Index < DigestList->count; Index++) { + if ((DigestList->digests[Index].hashAlg & HashAlgorithmMask) == 0) { + DEBUG ((DEBUG_ERROR, "WARNING: TD Event log has HashAlg unsupported (0x%x)\n", DigestList->digests[Index].hashAlg)); + continue; + } + + CopyMem (Buffer, &DigestList->digests[Index].hashAlg, sizeof (DigestList->digests[Index].hashAlg)); + Buffer = (UINT8 *)Buffer + sizeof (DigestList->digests[Index].hashAlg); + DigestSize = GetHashSizeFromAlgo (DigestList->digests[Index].hashAlg); + CopyMem (Buffer, &DigestList->digests[Index].digest, DigestSize); + Buffer = (UINT8 *)Buffer + DigestSize; + DigestListCount++; + } + + WriteUnaligned32 (DigestListCountPtr, DigestListCount); + + return Buffer; +} + +EFI_HANDLE mImageHandle; + +/** + Measure PE image into TPM log based on the authenticode image hashing in + PE/COFF Specification 8.0 Appendix A. + + Caution: This function may receive untrusted input. + PE/COFF image is external input, so this function will validate its data structure + within this image buffer before use. + + Notes: PE/COFF image is checked by BasePeCoffLib PeCoffLoaderGetImageInfo(). + + @param[in] MrIndex RTMR index + @param[in] ImageAddress Start address of image buffer. + @param[in] ImageSize Image size + @param[out] DigestList Digest list of this image. + + @retval EFI_SUCCESS Successfully measure image. + @retval EFI_OUT_OF_RESOURCES No enough resource to measure image. + @retval other error value +**/ +EFI_STATUS +MeasurePeImageAndExtend ( + IN UINT32 MrIndex, + IN EFI_PHYSICAL_ADDRESS ImageAddress, + IN UINTN ImageSize, + OUT TPML_DIGEST_VALUES *DigestList + ); + +#define COLUME_SIZE (16 * 2) + +/** + + This function dump raw data. + + @param Data raw data + @param Size raw data size + +**/ +VOID +InternalDumpData ( + IN UINT8 *Data, + IN UINTN Size + ) +{ + UINTN Index; + + for (Index = 0; Index < Size; Index++) { + DEBUG ((DEBUG_INFO, Index == COLUME_SIZE/2 ? " | %02x" : " %02x", (UINTN)Data[Index])); + } +} + +/** + + This function dump raw data with colume format. + + @param Data raw data + @param Size raw data size + +**/ +VOID +InternalDumpHex ( + IN UINT8 *Data, + IN UINTN Size + ) +{ + UINTN Index; + UINTN Count; + UINTN Left; + + Count = Size / COLUME_SIZE; + Left = Size % COLUME_SIZE; + for (Index = 0; Index < Count; Index++) { + DEBUG ((DEBUG_INFO, "%04x: ", Index * COLUME_SIZE)); + InternalDumpData (Data + Index * COLUME_SIZE, COLUME_SIZE); + DEBUG ((DEBUG_INFO, "\n")); + } + + if (Left != 0) { + DEBUG ((DEBUG_INFO, "%04x: ", Index * COLUME_SIZE)); + InternalDumpData (Data + Index * COLUME_SIZE, Left); + DEBUG ((DEBUG_INFO, "\n")); + } +} + +/** + + This function initialize TD_EVENT_HDR for EV_NO_ACTION + Event Type other than EFI Specification ID event. The behavior is defined + by TCG PC Client PFP Spec. Section 9.3.4 EV_NO_ACTION Event Types + + @param[in, out] NoActionEvent Event Header of EV_NO_ACTION Event + @param[in] EventSize Event Size of the EV_NO_ACTION Event + +**/ +VOID +InitNoActionEvent ( + IN OUT CC_EVENT_HDR *NoActionEvent, + IN UINT32 EventSize + ) +{ + UINT32 DigestListCount; + TPMI_ALG_HASH HashAlgId; + UINT8 *DigestBuffer; + + DigestBuffer = (UINT8 *)NoActionEvent->Digests.digests; + DigestListCount = 0; + + NoActionEvent->MrIndex = 0; + NoActionEvent->EventType = EV_NO_ACTION; + + // + // Set Hash count & hashAlg accordingly, while Digest.digests[n].digest to all 0 + // + ZeroMem (&NoActionEvent->Digests, sizeof (NoActionEvent->Digests)); + + if ((mTdxDxeData.BsCap.HashAlgorithmBitmap & EFI_CC_BOOT_HASH_ALG_SHA384) != 0) { + HashAlgId = TPM_ALG_SHA384; + CopyMem (DigestBuffer, &HashAlgId, sizeof (TPMI_ALG_HASH)); + DigestBuffer += sizeof (TPMI_ALG_HASH) + GetHashSizeFromAlgo (HashAlgId); + DigestListCount++; + } + + // + // Set Digests Count + // + WriteUnaligned32 ((UINT32 *)&NoActionEvent->Digests.count, DigestListCount); + + // + // Set Event Size + // + WriteUnaligned32 ((UINT32 *)DigestBuffer, EventSize); +} + +/** + Get All processors EFI_CPU_LOCATION in system. LocationBuf is allocated inside the function + Caller is responsible to free LocationBuf. + + @param[out] LocationBuf Returns Processor Location Buffer. + @param[out] Num Returns processor number. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_UNSUPPORTED MpService protocol not found. + +**/ +EFI_STATUS +GetProcessorsCpuLocation ( + OUT EFI_CPU_PHYSICAL_LOCATION **LocationBuf, + OUT UINTN *Num + ) +{ + EFI_STATUS Status; + EFI_MP_SERVICES_PROTOCOL *MpProtocol; + UINTN ProcessorNum; + UINTN EnabledProcessorNum; + EFI_PROCESSOR_INFORMATION ProcessorInfo; + EFI_CPU_PHYSICAL_LOCATION *ProcessorLocBuf; + UINTN Index; + + Status = gBS->LocateProtocol (&gEfiMpServiceProtocolGuid, NULL, (VOID **)&MpProtocol); + if (EFI_ERROR (Status)) { + // + // MP protocol is not installed + // + return EFI_UNSUPPORTED; + } + + Status = MpProtocol->GetNumberOfProcessors ( + MpProtocol, + &ProcessorNum, + &EnabledProcessorNum + ); + if (EFI_ERROR (Status)) { + return Status; + } + + Status = gBS->AllocatePool ( + EfiBootServicesData, + sizeof (EFI_CPU_PHYSICAL_LOCATION) * ProcessorNum, + (VOID **)&ProcessorLocBuf + ); + if (EFI_ERROR (Status)) { + return Status; + } + + // + // Get each processor Location info + // + for (Index = 0; Index < ProcessorNum; Index++) { + Status = MpProtocol->GetProcessorInfo ( + MpProtocol, + Index, + &ProcessorInfo + ); + if (EFI_ERROR (Status)) { + FreePool (ProcessorLocBuf); + return Status; + } + + // + // Get all Processor Location info & measure + // + CopyMem ( + &ProcessorLocBuf[Index], + &ProcessorInfo.Location, + sizeof (EFI_CPU_PHYSICAL_LOCATION) + ); + } + + *LocationBuf = ProcessorLocBuf; + *Num = ProcessorNum; + + return Status; +} + +/** + The EFI_CC_MEASUREMENT_PROTOCOL GetCapability function call provides protocol + capability information and state information. + + @param[in] This Indicates the calling context + @param[in, out] ProtocolCapability The caller allocates memory for a EFI_CC_BOOT_SERVICE_CAPABILITY + structure and sets the size field to the size of the structure allocated. + The callee fills in the fields with the EFI protocol capability information + and the current EFI TCG2 state information up to the number of fields which + fit within the size of the structure passed in. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The command was unsuccessful. + The ProtocolCapability variable will not be populated. + @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect. + The ProtocolCapability variable will not be populated. + @retval EFI_BUFFER_TOO_SMALL The ProtocolCapability variable is too small to hold the full response. + It will be partially populated (required Size field will be set). +**/ +EFI_STATUS +EFIAPI +TdGetCapability ( + IN EFI_CC_MEASUREMENT_PROTOCOL *This, + IN OUT EFI_CC_BOOT_SERVICE_CAPABILITY *ProtocolCapability + ) +{ + DEBUG ((DEBUG_VERBOSE, "TdGetCapability\n")); + + if ((This == NULL) || (ProtocolCapability == NULL)) { + return EFI_INVALID_PARAMETER; + } + + CopyMem (ProtocolCapability, &mTdxDxeData.BsCap, sizeof (EFI_CC_BOOT_SERVICE_CAPABILITY)); + + return EFI_SUCCESS; +} + +/** + This function dump PCR event. + TD Event log reuse the TCG PCR Event spec. + The first event in the event log is the SHA1 log format. + There is only ONE TCG_PCR_EVENT in TD Event log. + + @param[in] EventHdr TCG PCR event structure. +**/ +VOID +DumpPcrEvent ( + IN TCG_PCR_EVENT_HDR *EventHdr + ) +{ + UINTN Index; + + DEBUG ((DEBUG_INFO, " Event:\n")); + DEBUG ((DEBUG_INFO, " MrIndex - %d\n", EventHdr->PCRIndex)); + DEBUG ((DEBUG_INFO, " EventType - 0x%08x\n", EventHdr->EventType)); + DEBUG ((DEBUG_INFO, " Digest - ")); + for (Index = 0; Index < sizeof (TCG_DIGEST); Index++) { + DEBUG ((DEBUG_INFO, "%02x ", EventHdr->Digest.digest[Index])); + } + + DEBUG ((DEBUG_INFO, "\n")); + DEBUG ((DEBUG_INFO, " EventSize - 0x%08x\n", EventHdr->EventSize)); + InternalDumpHex ((UINT8 *)(EventHdr + 1), EventHdr->EventSize); +} + +/** + This function dump TCG_EfiSpecIDEventStruct. + + @param[in] TcgEfiSpecIdEventStruct A pointer to TCG_EfiSpecIDEventStruct. +**/ +VOID +DumpTcgEfiSpecIdEventStruct ( + IN TCG_EfiSpecIDEventStruct *TcgEfiSpecIdEventStruct + ) +{ + TCG_EfiSpecIdEventAlgorithmSize *DigestSize; + UINTN Index; + UINT8 *VendorInfoSize; + UINT8 *VendorInfo; + UINT32 NumberOfAlgorithms; + + DEBUG ((DEBUG_INFO, " TCG_EfiSpecIDEventStruct:\n")); + DEBUG ((DEBUG_INFO, " signature - '")); + for (Index = 0; Index < sizeof (TcgEfiSpecIdEventStruct->signature); Index++) { + DEBUG ((DEBUG_INFO, "%c", TcgEfiSpecIdEventStruct->signature[Index])); + } + + DEBUG ((DEBUG_INFO, "'\n")); + DEBUG ((DEBUG_INFO, " platformClass - 0x%08x\n", TcgEfiSpecIdEventStruct->platformClass)); + DEBUG ((DEBUG_INFO, " specVersion - %d.%d%d\n", TcgEfiSpecIdEventStruct->specVersionMajor, TcgEfiSpecIdEventStruct->specVersionMinor, TcgEfiSpecIdEventStruct->specErrata)); + DEBUG ((DEBUG_INFO, " uintnSize - 0x%02x\n", TcgEfiSpecIdEventStruct->uintnSize)); + + CopyMem (&NumberOfAlgorithms, TcgEfiSpecIdEventStruct + 1, sizeof (NumberOfAlgorithms)); + DEBUG ((DEBUG_INFO, " NumberOfAlgorithms - 0x%08x\n", NumberOfAlgorithms)); + + DigestSize = (TCG_EfiSpecIdEventAlgorithmSize *)((UINT8 *)TcgEfiSpecIdEventStruct + sizeof (*TcgEfiSpecIdEventStruct) + sizeof (NumberOfAlgorithms)); + for (Index = 0; Index < NumberOfAlgorithms; Index++) { + DEBUG ((DEBUG_INFO, " digest(%d)\n", Index)); + DEBUG ((DEBUG_INFO, " algorithmId - 0x%04x\n", DigestSize[Index].algorithmId)); + DEBUG ((DEBUG_INFO, " digestSize - 0x%04x\n", DigestSize[Index].digestSize)); + } + + VendorInfoSize = (UINT8 *)&DigestSize[NumberOfAlgorithms]; + DEBUG ((DEBUG_INFO, " VendorInfoSize - 0x%02x\n", *VendorInfoSize)); + VendorInfo = VendorInfoSize + 1; + DEBUG ((DEBUG_INFO, " VendorInfo - ")); + for (Index = 0; Index < *VendorInfoSize; Index++) { + DEBUG ((DEBUG_INFO, "%02x ", VendorInfo[Index])); + } + + DEBUG ((DEBUG_INFO, "\n")); +} + +/** + This function get size of TCG_EfiSpecIDEventStruct. + + @param[in] TcgEfiSpecIdEventStruct A pointer to TCG_EfiSpecIDEventStruct. +**/ +UINTN +GetTcgEfiSpecIdEventStructSize ( + IN TCG_EfiSpecIDEventStruct *TcgEfiSpecIdEventStruct + ) +{ + TCG_EfiSpecIdEventAlgorithmSize *DigestSize; + UINT8 *VendorInfoSize; + UINT32 NumberOfAlgorithms; + + CopyMem (&NumberOfAlgorithms, TcgEfiSpecIdEventStruct + 1, sizeof (NumberOfAlgorithms)); + + DigestSize = (TCG_EfiSpecIdEventAlgorithmSize *)((UINT8 *)TcgEfiSpecIdEventStruct + sizeof (*TcgEfiSpecIdEventStruct) + sizeof (NumberOfAlgorithms)); + VendorInfoSize = (UINT8 *)&DigestSize[NumberOfAlgorithms]; + return sizeof (TCG_EfiSpecIDEventStruct) + sizeof (UINT32) + (NumberOfAlgorithms * sizeof (TCG_EfiSpecIdEventAlgorithmSize)) + sizeof (UINT8) + (*VendorInfoSize); +} + +/** + This function dump TD Event (including the Digests). + + @param[in] CcEvent TD Event structure. +**/ +VOID +DumpCcEvent ( + IN CC_EVENT *CcEvent + ) +{ + UINT32 DigestIndex; + UINT32 DigestCount; + TPMI_ALG_HASH HashAlgo; + UINT32 DigestSize; + UINT8 *DigestBuffer; + UINT32 EventSize; + UINT8 *EventBuffer; + + DEBUG ((DEBUG_INFO, "Cc Event:\n")); + DEBUG ((DEBUG_INFO, " MrIndex - %d\n", CcEvent->MrIndex)); + DEBUG ((DEBUG_INFO, " EventType - 0x%08x\n", CcEvent->EventType)); + DEBUG ((DEBUG_INFO, " DigestCount: 0x%08x\n", CcEvent->Digests.count)); + + DigestCount = CcEvent->Digests.count; + HashAlgo = CcEvent->Digests.digests[0].hashAlg; + DigestBuffer = (UINT8 *)&CcEvent->Digests.digests[0].digest; + for (DigestIndex = 0; DigestIndex < DigestCount; DigestIndex++) { + DEBUG ((DEBUG_INFO, " HashAlgo : 0x%04x\n", HashAlgo)); + DEBUG ((DEBUG_INFO, " Digest(%d): \n", DigestIndex)); + DigestSize = GetHashSizeFromAlgo (HashAlgo); + InternalDumpHex (DigestBuffer, DigestSize); + // + // Prepare next + // + CopyMem (&HashAlgo, DigestBuffer + DigestSize, sizeof (TPMI_ALG_HASH)); + DigestBuffer = DigestBuffer + DigestSize + sizeof (TPMI_ALG_HASH); + } + + DigestBuffer = DigestBuffer - sizeof (TPMI_ALG_HASH); + + CopyMem (&EventSize, DigestBuffer, sizeof (CcEvent->EventSize)); + DEBUG ((DEBUG_INFO, " EventSize - 0x%08x\n", EventSize)); + EventBuffer = DigestBuffer + sizeof (CcEvent->EventSize); + InternalDumpHex (EventBuffer, EventSize); + DEBUG ((DEBUG_INFO, "\n")); +} + +/** + This function returns size of Td Table event. + + @param[in] CcEvent Td Table event structure. + + @return size of Td event. +**/ +UINTN +GetCcEventSize ( + IN CC_EVENT *CcEvent + ) +{ + UINT32 DigestIndex; + UINT32 DigestCount; + TPMI_ALG_HASH HashAlgo; + UINT32 DigestSize; + UINT8 *DigestBuffer; + UINT32 EventSize; + UINT8 *EventBuffer; + + DigestCount = CcEvent->Digests.count; + HashAlgo = CcEvent->Digests.digests[0].hashAlg; + DigestBuffer = (UINT8 *)&CcEvent->Digests.digests[0].digest; + for (DigestIndex = 0; DigestIndex < DigestCount; DigestIndex++) { + DigestSize = GetHashSizeFromAlgo (HashAlgo); + // + // Prepare next + // + CopyMem (&HashAlgo, DigestBuffer + DigestSize, sizeof (TPMI_ALG_HASH)); + DigestBuffer = DigestBuffer + DigestSize + sizeof (TPMI_ALG_HASH); + } + + DigestBuffer = DigestBuffer - sizeof (TPMI_ALG_HASH); + + CopyMem (&EventSize, DigestBuffer, sizeof (CcEvent->EventSize)); + EventBuffer = DigestBuffer + sizeof (CcEvent->EventSize); + + return (UINTN)EventBuffer + EventSize - (UINTN)CcEvent; +} + +/** + This function dump CC event log. + TDVF only supports EFI_CC_EVENT_LOG_FORMAT_TCG_2 + + @param[in] EventLogFormat The type of the event log for which the information is requested. + @param[in] EventLogLocation A pointer to the memory address of the event log. + @param[in] EventLogLastEntry If the Event Log contains more than one entry, this is a pointer to the + address of the start of the last entry in the event log in memory. + @param[in] FinalEventsTable A pointer to the memory address of the final event table. +**/ +VOID +DumpCcEventLog ( + IN EFI_CC_EVENT_LOG_FORMAT EventLogFormat, + IN EFI_PHYSICAL_ADDRESS EventLogLocation, + IN EFI_PHYSICAL_ADDRESS EventLogLastEntry, + IN EFI_CC_FINAL_EVENTS_TABLE *FinalEventsTable + ) +{ + TCG_PCR_EVENT_HDR *EventHdr; + CC_EVENT *CcEvent; + TCG_EfiSpecIDEventStruct *TcgEfiSpecIdEventStruct; + UINTN NumberOfEvents; + + DEBUG ((DEBUG_INFO, "EventLogFormat: (0x%x)\n", EventLogFormat)); + ASSERT (EventLogFormat == EFI_CC_EVENT_LOG_FORMAT_TCG_2); + + // + // Dump first event. + // The first event is always the TCG_PCR_EVENT_HDR + // After this event is a TCG_EfiSpecIDEventStruct + // + EventHdr = (TCG_PCR_EVENT_HDR *)(UINTN)EventLogLocation; + DumpPcrEvent (EventHdr); + + TcgEfiSpecIdEventStruct = (TCG_EfiSpecIDEventStruct *)(EventHdr + 1); + DumpTcgEfiSpecIdEventStruct (TcgEfiSpecIdEventStruct); + + // + // Then the CcEvent (Its structure is similar to TCG_PCR_EVENT2) + // + CcEvent = (CC_EVENT *)((UINTN)TcgEfiSpecIdEventStruct + GetTcgEfiSpecIdEventStructSize (TcgEfiSpecIdEventStruct)); + while ((UINTN)CcEvent <= EventLogLastEntry) { + DumpCcEvent (CcEvent); + CcEvent = (CC_EVENT *)((UINTN)CcEvent + GetCcEventSize (CcEvent)); + } + + if (FinalEventsTable == NULL) { + DEBUG ((DEBUG_INFO, "FinalEventsTable: NOT FOUND\n")); + } else { + DEBUG ((DEBUG_INFO, "FinalEventsTable: (0x%x)\n", FinalEventsTable)); + DEBUG ((DEBUG_INFO, " Version: (0x%x)\n", FinalEventsTable->Version)); + DEBUG ((DEBUG_INFO, " NumberOfEvents: (0x%x)\n", FinalEventsTable->NumberOfEvents)); + + CcEvent = (CC_EVENT *)(UINTN)(FinalEventsTable + 1); + for (NumberOfEvents = 0; NumberOfEvents < FinalEventsTable->NumberOfEvents; NumberOfEvents++) { + DumpCcEvent (CcEvent); + CcEvent = (CC_EVENT *)((UINTN)CcEvent + GetCcEventSize (CcEvent)); + } + } + + return; +} + +/** + The EFI_CC_MEASUREMENT_PROTOCOL Get Event Log function call allows a caller to + retrieve the address of a given event log and its last entry. + + @param[in] This Indicates the calling context + @param[in] EventLogFormat The type of the event log for which the information is requested. + @param[out] EventLogLocation A pointer to the memory address of the event log. + @param[out] EventLogLastEntry If the Event Log contains more than one entry, this is a pointer to the + address of the start of the last entry in the event log in memory. + @param[out] EventLogTruncated If the Event Log is missing at least one entry because an event would + have exceeded the area allocated for events, this value is set to TRUE. + Otherwise, the value will be FALSE and the Event Log will be complete. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect + (e.g. asking for an event log whose format is not supported). +**/ +EFI_STATUS +EFIAPI +TdGetEventLog ( + IN EFI_CC_MEASUREMENT_PROTOCOL *This, + IN EFI_CC_EVENT_LOG_FORMAT EventLogFormat, + OUT EFI_PHYSICAL_ADDRESS *EventLogLocation, + OUT EFI_PHYSICAL_ADDRESS *EventLogLastEntry, + OUT BOOLEAN *EventLogTruncated + ) +{ + UINTN Index = 0; + + DEBUG ((DEBUG_INFO, "TdGetEventLog ... (0x%x)\n", EventLogFormat)); + ASSERT (EventLogFormat == EFI_CC_EVENT_LOG_FORMAT_TCG_2); + + if (EventLogLocation != NULL) { + *EventLogLocation = mTdxDxeData.EventLogAreaStruct[Index].Lasa; + DEBUG ((DEBUG_INFO, "TdGetEventLog (EventLogLocation - %x)\n", *EventLogLocation)); + } + + if (EventLogLastEntry != NULL) { + if (!mTdxDxeData.EventLogAreaStruct[Index].EventLogStarted) { + *EventLogLastEntry = (EFI_PHYSICAL_ADDRESS)(UINTN)0; + } else { + *EventLogLastEntry = (EFI_PHYSICAL_ADDRESS)(UINTN)mTdxDxeData.EventLogAreaStruct[Index].LastEvent; + } + + DEBUG ((DEBUG_INFO, "TdGetEventLog (EventLogLastEntry - %x)\n", *EventLogLastEntry)); + } + + if (EventLogTruncated != NULL) { + *EventLogTruncated = mTdxDxeData.EventLogAreaStruct[Index].EventLogTruncated; + DEBUG ((DEBUG_INFO, "TdGetEventLog (EventLogTruncated - %x)\n", *EventLogTruncated)); + } + + DEBUG ((DEBUG_INFO, "TdGetEventLog - %r\n", EFI_SUCCESS)); + + // Dump Event Log for debug purpose + if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) { + DumpCcEventLog (EventLogFormat, *EventLogLocation, *EventLogLastEntry, mTdxDxeData.FinalEventsTable[Index]); + } + + // + // All events generated after the invocation of EFI_TCG2_GET_EVENT_LOG SHALL be stored + // in an instance of an EFI_CONFIGURATION_TABLE named by the VendorGuid of EFI_TCG2_FINAL_EVENTS_TABLE_GUID. + // + mTdxDxeData.GetEventLogCalled[Index] = TRUE; + + return EFI_SUCCESS; +} + +/** + Return if this is a Tcg800155PlatformIdEvent. + + @param[in] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR/TCG_PCR_EVENT_EX data structure. + @param[in] NewEventHdrSize New event header size. + @param[in] NewEventData Pointer to the new event data. + @param[in] NewEventSize New event data size. + + @retval TRUE This is a Tcg800155PlatformIdEvent. + @retval FALSE This is NOT a Tcg800155PlatformIdEvent. + +**/ +BOOLEAN +Is800155Event ( + IN VOID *NewEventHdr, + IN UINT32 NewEventHdrSize, + IN UINT8 *NewEventData, + IN UINT32 NewEventSize + ) +{ + if ((((TCG_PCR_EVENT2_HDR *)NewEventHdr)->EventType == EV_NO_ACTION) && + (NewEventSize >= sizeof (TCG_Sp800_155_PlatformId_Event2)) && + (CompareMem ( + NewEventData, + TCG_Sp800_155_PlatformId_Event2_SIGNATURE, + sizeof (TCG_Sp800_155_PlatformId_Event2_SIGNATURE) - 1 + ) == 0)) + { + return TRUE; + } + + return FALSE; +} + +/** + Add a new entry to the Event Log. + + @param[in, out] EventLogAreaStruct The event log area data structure + @param[in] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR/TCG_PCR_EVENT_EX data structure. + @param[in] NewEventHdrSize New event header size. + @param[in] NewEventData Pointer to the new event data. + @param[in] NewEventSize New event data size. + + @retval EFI_SUCCESS The new event log entry was added. + @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event. + +**/ +EFI_STATUS +TcgCommLogEvent ( + IN OUT CC_EVENT_LOG_AREA_STRUCT *EventLogAreaStruct, + IN VOID *NewEventHdr, + IN UINT32 NewEventHdrSize, + IN UINT8 *NewEventData, + IN UINT32 NewEventSize + ) +{ + UINTN NewLogSize; + BOOLEAN Record800155Event; + CC_EVENT_HDR *CcEventHdr; + + CcEventHdr = (CC_EVENT_HDR *)NewEventHdr; + DEBUG ((DEBUG_VERBOSE, "Td: Try to log event. Index = %d, EventType = 0x%x\n", CcEventHdr->MrIndex, CcEventHdr->EventType)); + + if (NewEventSize > MAX_ADDRESS - NewEventHdrSize) { + return EFI_OUT_OF_RESOURCES; + } + + NewLogSize = NewEventHdrSize + NewEventSize; + + if (NewLogSize > MAX_ADDRESS - EventLogAreaStruct->EventLogSize) { + return EFI_OUT_OF_RESOURCES; + } + + if (NewLogSize + EventLogAreaStruct->EventLogSize > EventLogAreaStruct->Laml) { + DEBUG ((DEBUG_INFO, " Laml - 0x%x\n", EventLogAreaStruct->Laml)); + DEBUG ((DEBUG_INFO, " NewLogSize - 0x%x\n", NewLogSize)); + DEBUG ((DEBUG_INFO, " LogSize - 0x%x\n", EventLogAreaStruct->EventLogSize)); + DEBUG ((DEBUG_INFO, "TcgCommLogEvent - %r\n", EFI_OUT_OF_RESOURCES)); + return EFI_OUT_OF_RESOURCES; + } + + // + // Check 800-155 event + // Record to 800-155 event offset only. + // If the offset is 0, no need to record. + // + Record800155Event = Is800155Event (NewEventHdr, NewEventHdrSize, NewEventData, NewEventSize); + if (Record800155Event) { + DEBUG ((DEBUG_INFO, "It is 800155Event.\n")); + + if (EventLogAreaStruct->Next800155EventOffset != 0) { + CopyMem ( + (UINT8 *)(UINTN)EventLogAreaStruct->Lasa + EventLogAreaStruct->Next800155EventOffset + NewLogSize, + (UINT8 *)(UINTN)EventLogAreaStruct->Lasa + EventLogAreaStruct->Next800155EventOffset, + EventLogAreaStruct->EventLogSize - EventLogAreaStruct->Next800155EventOffset + ); + + CopyMem ( + (UINT8 *)(UINTN)EventLogAreaStruct->Lasa + EventLogAreaStruct->Next800155EventOffset, + NewEventHdr, + NewEventHdrSize + ); + CopyMem ( + (UINT8 *)(UINTN)EventLogAreaStruct->Lasa + EventLogAreaStruct->Next800155EventOffset + NewEventHdrSize, + NewEventData, + NewEventSize + ); + + EventLogAreaStruct->Next800155EventOffset += NewLogSize; + EventLogAreaStruct->LastEvent += NewLogSize; + EventLogAreaStruct->EventLogSize += NewLogSize; + } + + return EFI_SUCCESS; + } + + EventLogAreaStruct->LastEvent = (UINT8 *)(UINTN)EventLogAreaStruct->Lasa + EventLogAreaStruct->EventLogSize; + EventLogAreaStruct->EventLogSize += NewLogSize; + + CopyMem (EventLogAreaStruct->LastEvent, NewEventHdr, NewEventHdrSize); + CopyMem ( + EventLogAreaStruct->LastEvent + NewEventHdrSize, + NewEventData, + NewEventSize + ); + + return EFI_SUCCESS; +} + +/** + RTMR[0] => PCR[1,7] + RTMR[1] => PCR[2,3,4,5] + RTMR[2] => PCR[8~15] + RTMR[3] => NA +**/ +UINT32 +EFIAPI +MapPcrToMrIndex ( + IN UINT32 PCRIndex + ) +{ + UINT32 MrIndex; + + if ((PCRIndex > 16) || (PCRIndex == 6) || (PCRIndex == 0)) { + ASSERT (FALSE); + return INVALID_RTMR_INDEX; + } + + MrIndex = 0; + if ((PCRIndex == 1) || (PCRIndex == 7)) { + MrIndex = 0; + } else if ((PCRIndex > 1) && (PCRIndex < 6)) { + MrIndex = 1; + } else if ((PCRIndex > 7) && (PCRIndex < 16)) { + MrIndex = 2; + } + + return MrIndex; +} + +EFI_STATUS +EFIAPI +TdMapPcrToMrIndex ( + IN EFI_CC_MEASUREMENT_PROTOCOL *This, + IN UINT32 PCRIndex, + OUT UINT32 *MrIndex + ) +{ + if (MrIndex == NULL) { + return EFI_INVALID_PARAMETER; + } + + if ((PCRIndex > 16) || (PCRIndex == 0) || (PCRIndex == 6)) { + return EFI_INVALID_PARAMETER; + } + + *MrIndex = MapPcrToMrIndex (PCRIndex); + + return *MrIndex == INVALID_RTMR_INDEX ? EFI_INVALID_PARAMETER : EFI_SUCCESS; +} + +/** + Add a new entry to the Event Log. + + @param[in] EventLogFormat The type of the event log for which the information is requested. + @param[in] NewEventHdr Pointer to a TCG_PCR_EVENT_HDR/TCG_PCR_EVENT_EX data structure. + @param[in] NewEventHdrSize New event header size. + @param[in] NewEventData Pointer to the new event data. + @param[in] NewEventSize New event data size. + + @retval EFI_SUCCESS The new event log entry was added. + @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event. + +**/ +EFI_STATUS +TdxDxeLogEvent ( + IN EFI_CC_EVENT_LOG_FORMAT EventLogFormat, + IN VOID *NewEventHdr, + IN UINT32 NewEventHdrSize, + IN UINT8 *NewEventData, + IN UINT32 NewEventSize + ) +{ + EFI_STATUS Status; + UINTN Index; + CC_EVENT_LOG_AREA_STRUCT *EventLogAreaStruct; + + if (EventLogFormat != EFI_CC_EVENT_LOG_FORMAT_TCG_2) { + ASSERT (FALSE); + return EFI_INVALID_PARAMETER; + } + + Index = 0; + + // + // Record to normal event log + // + EventLogAreaStruct = &mTdxDxeData.EventLogAreaStruct[Index]; + + if (EventLogAreaStruct->EventLogTruncated) { + return EFI_VOLUME_FULL; + } + + Status = TcgCommLogEvent ( + EventLogAreaStruct, + NewEventHdr, + NewEventHdrSize, + NewEventData, + NewEventSize + ); + + if (Status == EFI_OUT_OF_RESOURCES) { + EventLogAreaStruct->EventLogTruncated = TRUE; + return EFI_VOLUME_FULL; + } else if (Status == EFI_SUCCESS) { + EventLogAreaStruct->EventLogStarted = TRUE; + } + + // + // If GetEventLog is called, record to FinalEventsTable, too. + // + if (mTdxDxeData.GetEventLogCalled[Index]) { + if (mTdxDxeData.FinalEventsTable[Index] == NULL) { + // + // no need for FinalEventsTable + // + return EFI_SUCCESS; + } + + EventLogAreaStruct = &mTdxDxeData.FinalEventLogAreaStruct[Index]; + + if (EventLogAreaStruct->EventLogTruncated) { + return EFI_VOLUME_FULL; + } + + Status = TcgCommLogEvent ( + EventLogAreaStruct, + NewEventHdr, + NewEventHdrSize, + NewEventData, + NewEventSize + ); + if (Status == EFI_OUT_OF_RESOURCES) { + EventLogAreaStruct->EventLogTruncated = TRUE; + return EFI_VOLUME_FULL; + } else if (Status == EFI_SUCCESS) { + EventLogAreaStruct->EventLogStarted = TRUE; + // + // Increase the NumberOfEvents in FinalEventsTable + // + (mTdxDxeData.FinalEventsTable[Index])->NumberOfEvents++; + DEBUG ((DEBUG_INFO, "FinalEventsTable->NumberOfEvents - 0x%x\n", (mTdxDxeData.FinalEventsTable[Index])->NumberOfEvents)); + DEBUG ((DEBUG_INFO, " Size - 0x%x\n", (UINTN)EventLogAreaStruct->EventLogSize)); + } + } + + return Status; +} + +/** + Get TPML_DIGEST_VALUES compact binary buffer size. + + @param[in] DigestListBin TPML_DIGEST_VALUES compact binary buffer. + + @return TPML_DIGEST_VALUES compact binary buffer size. +**/ +UINT32 +GetDigestListBinSize ( + IN VOID *DigestListBin + ) +{ + UINTN Index; + UINT16 DigestSize; + UINT32 TotalSize; + UINT32 Count; + TPMI_ALG_HASH HashAlg; + + Count = ReadUnaligned32 (DigestListBin); + TotalSize = sizeof (Count); + DigestListBin = (UINT8 *)DigestListBin + sizeof (Count); + for (Index = 0; Index < Count; Index++) { + HashAlg = ReadUnaligned16 (DigestListBin); + TotalSize += sizeof (HashAlg); + DigestListBin = (UINT8 *)DigestListBin + sizeof (HashAlg); + + DigestSize = GetHashSizeFromAlgo (HashAlg); + TotalSize += DigestSize; + DigestListBin = (UINT8 *)DigestListBin + DigestSize; + } + + return TotalSize; +} + +/** + Copy TPML_DIGEST_VALUES compact binary into a buffer + + @param[in,out] Buffer Buffer to hold copied TPML_DIGEST_VALUES compact binary. + @param[in] DigestListBin TPML_DIGEST_VALUES compact binary buffer. + @param[in] HashAlgorithmMask HASH bits corresponding to the desired digests to copy. + @param[out] HashAlgorithmMaskCopied Pointer to HASH bits corresponding to the digests copied. + + @return The end of buffer to hold TPML_DIGEST_VALUES compact binary. +**/ +VOID * +CopyDigestListBinToBuffer ( + IN OUT VOID *Buffer, + IN VOID *DigestListBin, + IN UINT32 HashAlgorithmMask, + OUT UINT32 *HashAlgorithmMaskCopied + ) +{ + UINTN Index; + UINT16 DigestSize; + UINT32 Count; + TPMI_ALG_HASH HashAlg; + UINT32 DigestListCount; + UINT32 *DigestListCountPtr; + + DigestListCountPtr = (UINT32 *)Buffer; + DigestListCount = 0; + *HashAlgorithmMaskCopied = 0; + + Count = ReadUnaligned32 (DigestListBin); + Buffer = (UINT8 *)Buffer + sizeof (Count); + DigestListBin = (UINT8 *)DigestListBin + sizeof (Count); + for (Index = 0; Index < Count; Index++) { + HashAlg = ReadUnaligned16 (DigestListBin); + DigestListBin = (UINT8 *)DigestListBin + sizeof (HashAlg); + DigestSize = GetHashSizeFromAlgo (HashAlg); + + if ((HashAlg & HashAlgorithmMask) != 0) { + CopyMem (Buffer, &HashAlg, sizeof (HashAlg)); + Buffer = (UINT8 *)Buffer + sizeof (HashAlg); + CopyMem (Buffer, DigestListBin, DigestSize); + Buffer = (UINT8 *)Buffer + DigestSize; + DigestListCount++; + (*HashAlgorithmMaskCopied) |= GetHashMaskFromAlgo (HashAlg); + } else { + DEBUG ((DEBUG_ERROR, "WARNING: CopyDigestListBinToBuffer Event log has HashAlg unsupported by PCR bank (0x%x)\n", HashAlg)); + } + + DigestListBin = (UINT8 *)DigestListBin + DigestSize; + } + + WriteUnaligned32 (DigestListCountPtr, DigestListCount); + + return Buffer; +} + +/** + Add a new entry to the Event Log. The call chain is like below: + TdxDxeLogHashEvent -> TdxDxeLogEvent -> TcgCommonLogEvent + + Before this function is called, the event information (including the digest) + is ready. + + @param[in] DigestList A list of digest. + @param[in,out] NewEventHdr Pointer to a TD_EVENT_HDR data structure. + @param[in] NewEventData Pointer to the new event data. + + @retval EFI_SUCCESS The new event log entry was added. + @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event. +**/ +EFI_STATUS +TdxDxeLogHashEvent ( + IN TPML_DIGEST_VALUES *DigestList, + IN OUT CC_EVENT_HDR *NewEventHdr, + IN UINT8 *NewEventData + ) +{ + EFI_STATUS Status; + EFI_TPL OldTpl; + EFI_STATUS RetStatus; + CC_EVENT CcEvent; + UINT8 *DigestBuffer; + UINT32 *EventSizePtr; + EFI_CC_EVENT_LOG_FORMAT LogFormat; + + RetStatus = EFI_SUCCESS; + LogFormat = EFI_CC_EVENT_LOG_FORMAT_TCG_2; + + ZeroMem (&CcEvent, sizeof (CcEvent)); + // + // The index of event log is designed as below: + // 0 : MRTD + // 1-4: RTMR[0-3] + // + CcEvent.MrIndex = NewEventHdr->MrIndex + 1; + CcEvent.EventType = NewEventHdr->EventType; + DigestBuffer = (UINT8 *)&CcEvent.Digests; + EventSizePtr = CopyDigestListToBuffer (DigestBuffer, DigestList, HASH_ALG_SHA384); + CopyMem (EventSizePtr, &NewEventHdr->EventSize, sizeof (NewEventHdr->EventSize)); + + // + // Enter critical region + // + OldTpl = gBS->RaiseTPL (TPL_HIGH_LEVEL); + Status = TdxDxeLogEvent ( + LogFormat, + &CcEvent, + sizeof (CcEvent.MrIndex) + sizeof (CcEvent.EventType) + GetDigestListBinSize (DigestBuffer) + sizeof (CcEvent.EventSize), + NewEventData, + NewEventHdr->EventSize + ); + if (Status != EFI_SUCCESS) { + RetStatus = Status; + } + + gBS->RestoreTPL (OldTpl); + + return RetStatus; +} + +/** + Do a hash operation on a data buffer, extend a specific RTMR with the hash result, + and add an entry to the Event Log. + + @param[in] Flags Bitmap providing additional information. + @param[in] HashData Physical address of the start of the data buffer + to be hashed, extended, and logged. + @param[in] HashDataLen The length, in bytes, of the buffer referenced by HashData + @param[in, out] NewEventHdr Pointer to a TD_EVENT_HDR data structure. + @param[in] NewEventData Pointer to the new event data. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event. + @retval EFI_DEVICE_ERROR The command was unsuccessful. + +**/ +EFI_STATUS +TdxDxeHashLogExtendEvent ( + IN UINT64 Flags, + IN UINT8 *HashData, + IN UINT64 HashDataLen, + IN OUT CC_EVENT_HDR *NewEventHdr, + IN UINT8 *NewEventData + ) +{ + EFI_STATUS Status; + TPML_DIGEST_VALUES DigestList; + CC_EVENT_HDR NoActionEvent; + + if (NewEventHdr->EventType == EV_NO_ACTION) { + // + // Do not do RTMR extend for EV_NO_ACTION + // + Status = EFI_SUCCESS; + InitNoActionEvent (&NoActionEvent, NewEventHdr->EventSize); + if ((Flags & EFI_CC_FLAG_EXTEND_ONLY) == 0) { + Status = TdxDxeLogHashEvent (&(NoActionEvent.Digests), NewEventHdr, NewEventData); + } + + return Status; + } + + Status = HashAndExtend ( + NewEventHdr->MrIndex, + HashData, + (UINTN)HashDataLen, + &DigestList + ); + if (!EFI_ERROR (Status)) { + if ((Flags & EFI_CC_FLAG_EXTEND_ONLY) == 0) { + Status = TdxDxeLogHashEvent (&DigestList, NewEventHdr, NewEventData); + } + } + + return Status; +} + +/** + The EFI_CC_MEASUREMENT_PROTOCOL HashLogExtendEvent function call provides callers with + an opportunity to extend and optionally log events without requiring + knowledge of actual TPM commands. + The extend operation will occur even if this function cannot create an event + log entry (e.g. due to the event log being full). + + @param[in] This Indicates the calling context + @param[in] Flags Bitmap providing additional information. + @param[in] DataToHash Physical address of the start of the data buffer to be hashed. + @param[in] DataToHashLen The length in bytes of the buffer referenced by DataToHash. + @param[in] Event Pointer to data buffer containing information about the event. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The command was unsuccessful. + @retval EFI_VOLUME_FULL The extend operation occurred, but the event could not be written to one or more event logs. + @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect. + @retval EFI_UNSUPPORTED The PE/COFF image type is not supported. +**/ +EFI_STATUS +EFIAPI +TdHashLogExtendEvent ( + IN EFI_CC_MEASUREMENT_PROTOCOL *This, + IN UINT64 Flags, + IN EFI_PHYSICAL_ADDRESS DataToHash, + IN UINT64 DataToHashLen, + IN EFI_CC_EVENT *CcEvent + ) +{ + EFI_STATUS Status; + CC_EVENT_HDR NewEventHdr; + TPML_DIGEST_VALUES DigestList; + + DEBUG ((DEBUG_VERBOSE, "TdHashLogExtendEvent ...\n")); + + if ((This == NULL) || (CcEvent == NULL)) { + return EFI_INVALID_PARAMETER; + } + + // + // Do not check hash data size for EV_NO_ACTION event. + // + if ((CcEvent->Header.EventType != EV_NO_ACTION) && (DataToHash == 0)) { + return EFI_INVALID_PARAMETER; + } + + if (CcEvent->Size < CcEvent->Header.HeaderSize + sizeof (UINT32)) { + return EFI_INVALID_PARAMETER; + } + + if (CcEvent->Header.MrIndex > 4) { + return EFI_INVALID_PARAMETER; + } + + NewEventHdr.MrIndex = CcEvent->Header.MrIndex; + NewEventHdr.EventType = CcEvent->Header.EventType; + NewEventHdr.EventSize = CcEvent->Size - sizeof (UINT32) - CcEvent->Header.HeaderSize; + if ((Flags & EFI_CC_FLAG_PE_COFF_IMAGE) != 0) { + Status = MeasurePeImageAndExtend ( + NewEventHdr.MrIndex, + DataToHash, + (UINTN)DataToHashLen, + &DigestList + ); + if (!EFI_ERROR (Status)) { + if ((Flags & EFI_CC_FLAG_EXTEND_ONLY) == 0) { + Status = TdxDxeLogHashEvent (&DigestList, &NewEventHdr, CcEvent->Event); + } + } + } else { + Status = TdxDxeHashLogExtendEvent ( + Flags, + (UINT8 *)(UINTN)DataToHash, + DataToHashLen, + &NewEventHdr, + CcEvent->Event + ); + } + + DEBUG ((DEBUG_VERBOSE, "TdHashLogExtendEvent - %r\n", Status)); + return Status; +} + +EFI_CC_MEASUREMENT_PROTOCOL mTdProtocol = { + TdGetCapability, + TdGetEventLog, + TdHashLogExtendEvent, + TdMapPcrToMrIndex, +}; + +#define TD_HASH_COUNT 1 +#define TEMP_BUF_LEN (sizeof(TCG_EfiSpecIDEventStruct) + sizeof(UINT32) \ + + (TD_HASH_COUNT * sizeof(TCG_EfiSpecIdEventAlgorithmSize)) + sizeof(UINT8)) + +/** + Initialize the TD Event Log and log events passed from the PEI phase. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + +**/ +EFI_STATUS +SetupCcEventLog ( + VOID + ) +{ + EFI_STATUS Status; + EFI_PHYSICAL_ADDRESS Lasa; + UINTN Index; + TCG_EfiSpecIDEventStruct *TcgEfiSpecIdEventStruct; + UINT8 TempBuf[TEMP_BUF_LEN]; + TCG_PCR_EVENT_HDR SpecIdEvent; + TCG_EfiSpecIdEventAlgorithmSize *DigestSize; + TCG_EfiSpecIdEventAlgorithmSize *TempDigestSize; + UINT8 *VendorInfoSize; + UINT32 NumberOfAlgorithms; + EFI_CC_EVENT_LOG_FORMAT LogFormat; + EFI_PEI_HOB_POINTERS GuidHob; + CC_EVENT_HDR NoActionEvent; + + Status = EFI_SUCCESS; + DEBUG ((DEBUG_INFO, "SetupCcEventLog\n")); + + Index = 0; + LogFormat = EFI_CC_EVENT_LOG_FORMAT_TCG_2; + + // + // 1. Create Log Area + // + mTdxDxeData.EventLogAreaStruct[Index].EventLogFormat = LogFormat; + + // allocate pages for TD Event log + Status = gBS->AllocatePages ( + AllocateAnyPages, + EfiACPIMemoryNVS, + EFI_SIZE_TO_PAGES (PcdGet32 (PcdTcgLogAreaMinLen)), + &Lasa + ); + if (EFI_ERROR (Status)) { + return Status; + } + + mTdxDxeData.EventLogAreaStruct[Index].Lasa = Lasa; + mTdxDxeData.EventLogAreaStruct[Index].Laml = PcdGet32 (PcdTcgLogAreaMinLen); + mTdxDxeData.EventLogAreaStruct[Index].Next800155EventOffset = 0; + + // + // Report TD event log address and length, so that they can be reported in + // TD ACPI table. Ignore the return status, because those fields are optional. + // + PcdSet32S (PcdCcEventlogAcpiTableLaml, (UINT32)mTdxDxeData.EventLogAreaStruct[Index].Laml); + PcdSet64S (PcdCcEventlogAcpiTableLasa, mTdxDxeData.EventLogAreaStruct[Index].Lasa); + + // + // To initialize them as 0xFF is recommended + // because the OS can know the last entry for that. + // + SetMem ((VOID *)(UINTN)Lasa, PcdGet32 (PcdTcgLogAreaMinLen), 0xFF); + + // + // Create first entry for Log Header Entry Data + // + + // + // TcgEfiSpecIdEventStruct + // + TcgEfiSpecIdEventStruct = (TCG_EfiSpecIDEventStruct *)TempBuf; + CopyMem (TcgEfiSpecIdEventStruct->signature, TCG_EfiSpecIDEventStruct_SIGNATURE_03, sizeof (TcgEfiSpecIdEventStruct->signature)); + + TcgEfiSpecIdEventStruct->platformClass = PcdGet8 (PcdTpmPlatformClass); + + TcgEfiSpecIdEventStruct->specVersionMajor = TCG_EfiSpecIDEventStruct_SPEC_VERSION_MAJOR_TPM2; + TcgEfiSpecIdEventStruct->specVersionMinor = TCG_EfiSpecIDEventStruct_SPEC_VERSION_MINOR_TPM2; + TcgEfiSpecIdEventStruct->specErrata = TCG_EfiSpecIDEventStruct_SPEC_ERRATA_TPM2; + TcgEfiSpecIdEventStruct->uintnSize = sizeof (UINTN)/sizeof (UINT32); + NumberOfAlgorithms = 0; + DigestSize = (TCG_EfiSpecIdEventAlgorithmSize *)((UINT8 *)TcgEfiSpecIdEventStruct + + sizeof (*TcgEfiSpecIdEventStruct) + + sizeof (NumberOfAlgorithms)); + + TempDigestSize = DigestSize; + TempDigestSize += NumberOfAlgorithms; + TempDigestSize->algorithmId = TPM_ALG_SHA384; + TempDigestSize->digestSize = SHA384_DIGEST_SIZE; + NumberOfAlgorithms++; + + CopyMem (TcgEfiSpecIdEventStruct + 1, &NumberOfAlgorithms, sizeof (NumberOfAlgorithms)); + TempDigestSize = DigestSize; + TempDigestSize += NumberOfAlgorithms; + VendorInfoSize = (UINT8 *)TempDigestSize; + *VendorInfoSize = 0; + + SpecIdEvent.PCRIndex = 1; // PCRIndex 0 maps to MrIndex 1 + SpecIdEvent.EventType = EV_NO_ACTION; + ZeroMem (&SpecIdEvent.Digest, sizeof (SpecIdEvent.Digest)); + SpecIdEvent.EventSize = (UINT32)GetTcgEfiSpecIdEventStructSize (TcgEfiSpecIdEventStruct); + + // + // TD Event log re-use the spec of TCG2 Event log. + // Log TcgEfiSpecIdEventStruct as the first Event. Event format is TCG_PCR_EVENT. + // TCG EFI Protocol Spec. Section 5.3 Event Log Header + // TCG PC Client PFP spec. Section 9.2 Measurement Event Entries and Log + // + Status = TdxDxeLogEvent ( + LogFormat, + &SpecIdEvent, + sizeof (SpecIdEvent), + (UINT8 *)TcgEfiSpecIdEventStruct, + SpecIdEvent.EventSize + ); + // + // record the offset at the end of 800-155 event. + // the future 800-155 event can be inserted here. + // + mTdxDxeData.EventLogAreaStruct[Index].Next800155EventOffset = mTdxDxeData.EventLogAreaStruct[Index].EventLogSize; + + // + // Tcg800155PlatformIdEvent. Event format is TCG_PCR_EVENT2 + // + GuidHob.Guid = GetFirstGuidHob (&gTcg800155PlatformIdEventHobGuid); + while (GuidHob.Guid != NULL) { + InitNoActionEvent (&NoActionEvent, GET_GUID_HOB_DATA_SIZE (GuidHob.Guid)); + + Status = TdxDxeLogEvent ( + LogFormat, + &NoActionEvent, + sizeof (NoActionEvent.MrIndex) + sizeof (NoActionEvent.EventType) + GetDigestListBinSize (&NoActionEvent.Digests) + sizeof (NoActionEvent.EventSize), + GET_GUID_HOB_DATA (GuidHob.Guid), + GET_GUID_HOB_DATA_SIZE (GuidHob.Guid) + ); + + GuidHob.Guid = GET_NEXT_HOB (GuidHob); + GuidHob.Guid = GetNextGuidHob (&gTcg800155PlatformIdEventHobGuid, GuidHob.Guid); + } + + // + // 2. Create Final Log Area + // + Status = gBS->AllocatePages ( + AllocateAnyPages, + EfiACPIMemoryNVS, + EFI_SIZE_TO_PAGES (PcdGet32 (PcdTcg2FinalLogAreaLen)), + &Lasa + ); + if (EFI_ERROR (Status)) { + return Status; + } + + SetMem ((VOID *)(UINTN)Lasa, PcdGet32 (PcdTcg2FinalLogAreaLen), 0xFF); + + // + // Initialize + // + mTdxDxeData.FinalEventsTable[Index] = (VOID *)(UINTN)Lasa; + (mTdxDxeData.FinalEventsTable[Index])->Version = EFI_TCG2_FINAL_EVENTS_TABLE_VERSION; + (mTdxDxeData.FinalEventsTable[Index])->NumberOfEvents = 0; + + mTdxDxeData.FinalEventLogAreaStruct[Index].EventLogFormat = LogFormat; + mTdxDxeData.FinalEventLogAreaStruct[Index].Lasa = Lasa + sizeof (EFI_CC_FINAL_EVENTS_TABLE); + mTdxDxeData.FinalEventLogAreaStruct[Index].Laml = PcdGet32 (PcdTcg2FinalLogAreaLen) - sizeof (EFI_CC_FINAL_EVENTS_TABLE); + mTdxDxeData.FinalEventLogAreaStruct[Index].EventLogSize = 0; + mTdxDxeData.FinalEventLogAreaStruct[Index].LastEvent = (VOID *)(UINTN)mTdxDxeData.FinalEventLogAreaStruct[Index].Lasa; + mTdxDxeData.FinalEventLogAreaStruct[Index].EventLogStarted = FALSE; + mTdxDxeData.FinalEventLogAreaStruct[Index].EventLogTruncated = FALSE; + mTdxDxeData.FinalEventLogAreaStruct[Index].Next800155EventOffset = 0; + + // + // Install to configuration table for EFI_CC_EVENT_LOG_FORMAT_TCG_2 + // + Status = gBS->InstallConfigurationTable (&gEfiCcFinalEventsTableGuid, (VOID *)mTdxDxeData.FinalEventsTable[Index]); + if (EFI_ERROR (Status)) { + return Status; + } + + return Status; +} + +/** + Measure and log an action string, and extend the measurement result into RTMR. + + @param[in] MrIndex MrIndex to extend + @param[in] String A specific string that indicates an Action event. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +TdMeasureAction ( + IN UINT32 MrIndex, + IN CHAR8 *String + ) +{ + CC_EVENT_HDR CcEvent; + + CcEvent.MrIndex = MrIndex; + CcEvent.EventType = EV_EFI_ACTION; + CcEvent.EventSize = (UINT32)AsciiStrLen (String); + return TdxDxeHashLogExtendEvent ( + 0, + (UINT8 *)String, + CcEvent.EventSize, + &CcEvent, + (UINT8 *)String + ); +} + +/** + Measure and log EFI handoff tables, and extend the measurement result into PCR[1]. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +MeasureHandoffTables ( + VOID + ) +{ + EFI_STATUS Status; + CC_EVENT_HDR CcEvent; + EFI_HANDOFF_TABLE_POINTERS HandoffTables; + UINTN ProcessorNum; + EFI_CPU_PHYSICAL_LOCATION *ProcessorLocBuf; + + ProcessorLocBuf = NULL; + Status = EFI_SUCCESS; + + if (PcdGet8 (PcdTpmPlatformClass) == TCG_PLATFORM_TYPE_SERVER) { + // + // Tcg Server spec. + // Measure each processor EFI_CPU_PHYSICAL_LOCATION with EV_TABLE_OF_DEVICES to PCR[1] + // + Status = GetProcessorsCpuLocation (&ProcessorLocBuf, &ProcessorNum); + + if (!EFI_ERROR (Status)) { + CcEvent.MrIndex = MapPcrToMrIndex (1); + CcEvent.EventType = EV_TABLE_OF_DEVICES; + CcEvent.EventSize = sizeof (HandoffTables); + + HandoffTables.NumberOfTables = 1; + HandoffTables.TableEntry[0].VendorGuid = gEfiMpServiceProtocolGuid; + HandoffTables.TableEntry[0].VendorTable = ProcessorLocBuf; + + Status = TdxDxeHashLogExtendEvent ( + 0, + (UINT8 *)(UINTN)ProcessorLocBuf, + sizeof (EFI_CPU_PHYSICAL_LOCATION) * ProcessorNum, + &CcEvent, + (UINT8 *)&HandoffTables + ); + + FreePool (ProcessorLocBuf); + } + } + + return Status; +} + +/** + Measure and log Separator event, and extend the measurement result into a specific PCR. + + @param[in] PCRIndex PCR index. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +MeasureSeparatorEvent ( + IN UINT32 MrIndex + ) +{ + CC_EVENT_HDR CcEvent; + UINT32 EventData; + + DEBUG ((DEBUG_INFO, "MeasureSeparatorEvent to Rtmr - %d\n", MrIndex)); + + EventData = 0; + CcEvent.MrIndex = MrIndex; + CcEvent.EventType = EV_SEPARATOR; + CcEvent.EventSize = (UINT32)sizeof (EventData); + + return TdxDxeHashLogExtendEvent ( + 0, + (UINT8 *)&EventData, + sizeof (EventData), + &CcEvent, + (UINT8 *)&EventData + ); +} + +/** + Measure and log an EFI variable, and extend the measurement result into a specific RTMR. + + @param[in] MrIndex RTMR Index. + @param[in] EventType Event type. + @param[in] VarName A Null-terminated string that is the name of the vendor's variable. + @param[in] VendorGuid A unique identifier for the vendor. + @param[in] VarData The content of the variable data. + @param[in] VarSize The size of the variable data. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +MeasureVariable ( + IN UINT32 MrIndex, + IN TCG_EVENTTYPE EventType, + IN CHAR16 *VarName, + IN EFI_GUID *VendorGuid, + IN VOID *VarData, + IN UINTN VarSize + ) +{ + EFI_STATUS Status; + CC_EVENT_HDR CcEvent; + UINTN VarNameLength; + UEFI_VARIABLE_DATA *VarLog; + + DEBUG ((DEBUG_INFO, "TdTcg2Dxe: MeasureVariable (Rtmr - %x, EventType - %x, ", (UINTN)MrIndex, (UINTN)EventType)); + DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, VendorGuid)); + + VarNameLength = StrLen (VarName); + CcEvent.MrIndex = MrIndex; + CcEvent.EventType = EventType; + + CcEvent.EventSize = (UINT32)(sizeof (*VarLog) + VarNameLength * sizeof (*VarName) + VarSize + - sizeof (VarLog->UnicodeName) - sizeof (VarLog->VariableData)); + + VarLog = (UEFI_VARIABLE_DATA *)AllocatePool (CcEvent.EventSize); + if (VarLog == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + VarLog->VariableName = *VendorGuid; + VarLog->UnicodeNameLength = VarNameLength; + VarLog->VariableDataLength = VarSize; + CopyMem ( + VarLog->UnicodeName, + VarName, + VarNameLength * sizeof (*VarName) + ); + if ((VarSize != 0) && (VarData != NULL)) { + CopyMem ( + (CHAR16 *)VarLog->UnicodeName + VarNameLength, + VarData, + VarSize + ); + } + + if (EventType == EV_EFI_VARIABLE_DRIVER_CONFIG) { + // + // Digest is the event data (UEFI_VARIABLE_DATA) + // + Status = TdxDxeHashLogExtendEvent ( + 0, + (UINT8 *)VarLog, + CcEvent.EventSize, + &CcEvent, + (UINT8 *)VarLog + ); + } else { + ASSERT (VarData != NULL); + Status = TdxDxeHashLogExtendEvent ( + 0, + (UINT8 *)VarData, + VarSize, + &CcEvent, + (UINT8 *)VarLog + ); + } + + FreePool (VarLog); + return Status; +} + +/** + Read then Measure and log an EFI variable, and extend the measurement result into a specific RTMR. + + @param[in] MrIndex RTMR Index. + @param[in] EventType Event type. + @param[in] VarName A Null-terminated string that is the name of the vendor's variable. + @param[in] VendorGuid A unique identifier for the vendor. + @param[out] VarSize The size of the variable data. + @param[out] VarData Pointer to the content of the variable. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +ReadAndMeasureVariable ( + IN UINT32 MrIndex, + IN TCG_EVENTTYPE EventType, + IN CHAR16 *VarName, + IN EFI_GUID *VendorGuid, + OUT UINTN *VarSize, + OUT VOID **VarData + ) +{ + EFI_STATUS Status; + + Status = GetVariable2 (VarName, VendorGuid, VarData, VarSize); + if (EventType == EV_EFI_VARIABLE_DRIVER_CONFIG) { + if (EFI_ERROR (Status)) { + // + // It is valid case, so we need handle it. + // + *VarData = NULL; + *VarSize = 0; + } + } else { + // + // if status error, VarData is freed and set NULL by GetVariable2 + // + if (EFI_ERROR (Status)) { + return EFI_NOT_FOUND; + } + } + + Status = MeasureVariable ( + MrIndex, + EventType, + VarName, + VendorGuid, + *VarData, + *VarSize + ); + return Status; +} + +/** + Read then Measure and log an EFI boot variable, and extend the measurement result into PCR[1]. +according to TCG PC Client PFP spec 0021 Section 2.4.4.2 + + @param[in] VarName A Null-terminated string that is the name of the vendor's variable. + @param[in] VendorGuid A unique identifier for the vendor. + @param[out] VarSize The size of the variable data. + @param[out] VarData Pointer to the content of the variable. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +ReadAndMeasureBootVariable ( + IN CHAR16 *VarName, + IN EFI_GUID *VendorGuid, + OUT UINTN *VarSize, + OUT VOID **VarData + ) +{ + // + // Boot variables are measured into (PCR[5]) RTMR[1], + // details in section 8.1 of TDVF design guide. + // + return ReadAndMeasureVariable ( + MapPcrToMrIndex (5), + EV_EFI_VARIABLE_BOOT, + VarName, + VendorGuid, + VarSize, + VarData + ); +} + +/** + Read then Measure and log an EFI Secure variable, and extend the measurement result into PCR[7]. + + @param[in] VarName A Null-terminated string that is the name of the vendor's variable. + @param[in] VendorGuid A unique identifier for the vendor. + @param[out] VarSize The size of the variable data. + @param[out] VarData Pointer to the content of the variable. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +ReadAndMeasureSecureVariable ( + IN CHAR16 *VarName, + IN EFI_GUID *VendorGuid, + OUT UINTN *VarSize, + OUT VOID **VarData + ) +{ + return ReadAndMeasureVariable ( + MapPcrToMrIndex (7), + EV_EFI_VARIABLE_DRIVER_CONFIG, + VarName, + VendorGuid, + VarSize, + VarData + ); +} + +/** + Measure and log all EFI boot variables, and extend the measurement result into a specific PCR. + + The EFI boot variables are BootOrder and Boot#### variables. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +MeasureAllBootVariables ( + VOID + ) +{ + EFI_STATUS Status; + UINT16 *BootOrder; + UINTN BootCount; + UINTN Index; + VOID *BootVarData; + UINTN Size; + + Status = ReadAndMeasureBootVariable ( + mBootVarName, + &gEfiGlobalVariableGuid, + &BootCount, + (VOID **)&BootOrder + ); + if ((Status == EFI_NOT_FOUND) || (BootOrder == NULL)) { + return EFI_SUCCESS; + } + + if (EFI_ERROR (Status)) { + // + // BootOrder can't be NULL if status is not EFI_NOT_FOUND + // + FreePool (BootOrder); + return Status; + } + + BootCount /= sizeof (*BootOrder); + for (Index = 0; Index < BootCount; Index++) { + UnicodeSPrint (mBootVarName, sizeof (mBootVarName), L"Boot%04x", BootOrder[Index]); + Status = ReadAndMeasureBootVariable ( + mBootVarName, + &gEfiGlobalVariableGuid, + &Size, + &BootVarData + ); + if (!EFI_ERROR (Status)) { + FreePool (BootVarData); + } + } + + FreePool (BootOrder); + return EFI_SUCCESS; +} + +/** + Measure and log all EFI Secure variables, and extend the measurement result into a specific PCR. + + The EFI boot variables are BootOrder and Boot#### variables. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +MeasureAllSecureVariables ( + VOID + ) +{ + EFI_STATUS Status; + VOID *Data; + UINTN DataSize; + UINTN Index; + + Status = EFI_NOT_FOUND; + for (Index = 0; Index < sizeof (mVariableType)/sizeof (mVariableType[0]); Index++) { + Status = ReadAndMeasureSecureVariable ( + mVariableType[Index].VariableName, + mVariableType[Index].VendorGuid, + &DataSize, + &Data + ); + if (!EFI_ERROR (Status)) { + if (Data != NULL) { + FreePool (Data); + } + } + } + + // + // Measure DBT if present and not empty + // + Status = GetVariable2 (EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, &Data, &DataSize); + if (!EFI_ERROR (Status)) { + Status = MeasureVariable ( + MapPcrToMrIndex (7), + EV_EFI_VARIABLE_DRIVER_CONFIG, + EFI_IMAGE_SECURITY_DATABASE2, + &gEfiImageSecurityDatabaseGuid, + Data, + DataSize + ); + FreePool (Data); + } else { + DEBUG ((DEBUG_INFO, "Skip measuring variable %s since it's deleted\n", EFI_IMAGE_SECURITY_DATABASE2)); + } + + return EFI_SUCCESS; +} + +/** + Measure and log launch of FirmwareDebugger, and extend the measurement result into a specific PCR. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +MeasureLaunchOfFirmwareDebugger ( + VOID + ) +{ + CC_EVENT_HDR CcEvent; + + CcEvent.MrIndex = MapPcrToMrIndex (7); + CcEvent.EventType = EV_EFI_ACTION; + CcEvent.EventSize = sizeof (FIRMWARE_DEBUGGER_EVENT_STRING) - 1; + return TdxDxeHashLogExtendEvent ( + 0, + (UINT8 *)FIRMWARE_DEBUGGER_EVENT_STRING, + sizeof (FIRMWARE_DEBUGGER_EVENT_STRING) - 1, + &CcEvent, + (UINT8 *)FIRMWARE_DEBUGGER_EVENT_STRING + ); +} + +/** + Measure and log all Secure Boot Policy, and extend the measurement result into a specific PCR. + + Platform firmware adhering to the policy must therefore measure the following values into PCR[7]: (in order listed) + - The contents of the SecureBoot variable + - The contents of the PK variable + - The contents of the KEK variable + - The contents of the EFI_IMAGE_SECURITY_DATABASE variable + - The contents of the EFI_IMAGE_SECURITY_DATABASE1 variable + - Separator + - Entries in the EFI_IMAGE_SECURITY_DATABASE that are used to validate EFI Drivers or EFI Boot Applications in the boot path + + NOTE: Because of the above, UEFI variables PK, KEK, EFI_IMAGE_SECURITY_DATABASE, + EFI_IMAGE_SECURITY_DATABASE1 and SecureBoot SHALL NOT be measured into PCR[3]. + + @param[in] Event Event whose notification function is being invoked + @param[in] Context Pointer to the notification function's context +**/ +VOID +EFIAPI +MeasureSecureBootPolicy ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + EFI_STATUS Status; + VOID *Protocol; + + Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL, (VOID **)&Protocol); + if (EFI_ERROR (Status)) { + return; + } + + if (PcdGetBool (PcdFirmwareDebuggerInitialized)) { + Status = MeasureLaunchOfFirmwareDebugger (); + DEBUG ((DEBUG_INFO, "MeasureLaunchOfFirmwareDebugger - %r\n", Status)); + } + + Status = MeasureAllSecureVariables (); + DEBUG ((DEBUG_INFO, "MeasureAllSecureVariables - %r\n", Status)); + + // + // We need measure Separator(7) here, because this event must be between SecureBootPolicy (Configure) + // and ImageVerification (Authority) + // There might be a case that we need measure UEFI image from DriverOrder, besides BootOrder. So + // the Authority measurement happen before ReadToBoot event. + // + Status = MeasureSeparatorEvent (MapPcrToMrIndex (7)); + DEBUG ((DEBUG_INFO, "MeasureSeparatorEvent - %r\n", Status)); + return; +} + +/** + Ready to Boot Event notification handler. + + Sequence of OS boot events is measured in this event notification handler. + + @param[in] Event Event whose notification function is being invoked + @param[in] Context Pointer to the notification function's context + +**/ +VOID +EFIAPI +OnReadyToBoot ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + EFI_STATUS Status; + + PERF_START_EX (mImageHandle, "EventRec", "TdTcg2Dxe", 0, PERF_ID_CC_TCG2_DXE); + if (mBootAttempts == 0) { + // + // Measure handoff tables. + // + Status = MeasureHandoffTables (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "HOBs not Measured. Error!\n")); + } + + // + // Measure BootOrder & Boot#### variables. + // + Status = MeasureAllBootVariables (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Boot Variables not Measured. Error!\n")); + } + + // + // 1. This is the first boot attempt. + // + Status = TdMeasureAction ( + MapPcrToMrIndex (4), + EFI_CALLING_EFI_APPLICATION + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a not Measured. Error!\n", EFI_CALLING_EFI_APPLICATION)); + } + + // + // 2. Draw a line between pre-boot env and entering post-boot env. + // PCR[7] (is RTMR[0]) is already done. + // + Status = MeasureSeparatorEvent (1); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Separator Event not Measured. Error!\n")); + } + + // + // 3. Measure GPT. It would be done in SAP driver. + // + + // + // 4. Measure PE/COFF OS loader. It would be done in SAP driver. + // + + // + // 5. Read & Measure variable. BootOrder already measured. + // + } else { + // + // 6. Not first attempt, meaning a return from last attempt + // + Status = TdMeasureAction ( + MapPcrToMrIndex (4), + EFI_RETURNING_FROM_EFI_APPLICATION + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a not Measured. Error!\n", EFI_RETURNING_FROM_EFI_APPLICATION)); + } + + // + // 7. Next boot attempt, measure "Calling EFI Application from Boot Option" again + // TCG PC Client PFP spec Section 2.4.4.5 Step 4 + // + Status = TdMeasureAction ( + MapPcrToMrIndex (4), + EFI_CALLING_EFI_APPLICATION + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a not Measured. Error!\n", EFI_CALLING_EFI_APPLICATION)); + } + } + + DEBUG ((DEBUG_INFO, "TdTcg2Dxe Measure Data when ReadyToBoot\n")); + // + // Increase boot attempt counter. + // + mBootAttempts++; + PERF_END_EX (mImageHandle, "EventRec", "Tcg2Dxe", 0, PERF_ID_CC_TCG2_DXE + 1); +} + +/** + Exit Boot Services Event notification handler. + + Measure invocation and success of ExitBootServices. + + @param[in] Event Event whose notification function is being invoked + @param[in] Context Pointer to the notification function's context + +**/ +VOID +EFIAPI +OnExitBootServices ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + EFI_STATUS Status; + + // + // Measure invocation of ExitBootServices, + // + Status = TdMeasureAction ( + MapPcrToMrIndex (5), + EFI_EXIT_BOOT_SERVICES_INVOCATION + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a not Measured. Error!\n", EFI_EXIT_BOOT_SERVICES_INVOCATION)); + } + + // + // Measure success of ExitBootServices + // + Status = TdMeasureAction ( + MapPcrToMrIndex (5), + EFI_EXIT_BOOT_SERVICES_SUCCEEDED + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a not Measured. Error!\n", EFI_EXIT_BOOT_SERVICES_SUCCEEDED)); + } +} + +/** + Exit Boot Services Failed Event notification handler. + + Measure Failure of ExitBootServices. + + @param[in] Event Event whose notification function is being invoked + @param[in] Context Pointer to the notification function's context + +**/ +VOID +EFIAPI +OnExitBootServicesFailed ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + EFI_STATUS Status; + + // + // Measure Failure of ExitBootServices, + // + Status = TdMeasureAction ( + MapPcrToMrIndex (5), + EFI_EXIT_BOOT_SERVICES_FAILED + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a not Measured. Error!\n", EFI_EXIT_BOOT_SERVICES_FAILED)); + } +} + +EFI_STATUS +SyncCcEvent ( + VOID + ) +{ + EFI_STATUS Status; + EFI_PEI_HOB_POINTERS GuidHob; + VOID *CcEvent; + VOID *DigestListBin; + UINT32 DigestListBinSize; + UINT8 *Event; + UINT32 EventSize; + EFI_CC_EVENT_LOG_FORMAT LogFormat; + + DEBUG ((DEBUG_INFO, "Sync Cc event from SEC\n")); + + Status = EFI_SUCCESS; + LogFormat = EFI_CC_EVENT_LOG_FORMAT_TCG_2; + GuidHob.Guid = GetFirstGuidHob (&gCcEventEntryHobGuid); + + while (!EFI_ERROR (Status) && GuidHob.Guid != NULL) { + CcEvent = AllocateCopyPool (GET_GUID_HOB_DATA_SIZE (GuidHob.Guid), GET_GUID_HOB_DATA (GuidHob.Guid)); + if (CcEvent == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + GuidHob.Guid = GET_NEXT_HOB (GuidHob); + GuidHob.Guid = GetNextGuidHob (&gCcEventEntryHobGuid, GuidHob.Guid); + + DigestListBin = (UINT8 *)CcEvent + sizeof (UINT32) + sizeof (TCG_EVENTTYPE); + DigestListBinSize = GetDigestListBinSize (DigestListBin); + + // + // Event size. + // + EventSize = *(UINT32 *)((UINT8 *)DigestListBin + DigestListBinSize); + Event = (UINT8 *)DigestListBin + DigestListBinSize + sizeof (UINT32); + + // + // Log the event + // + Status = TdxDxeLogEvent ( + LogFormat, + CcEvent, + sizeof (UINT32) + sizeof (TCG_EVENTTYPE) + DigestListBinSize + sizeof (UINT32), + Event, + EventSize + ); + + DumpCcEvent ((CC_EVENT *)CcEvent); + FreePool (CcEvent); + } + + return Status; +} + +/** + Install TDVF ACPI Table when ACPI Table Protocol is available. + + @param[in] Event Event whose notification function is being invoked + @param[in] Context Pointer to the notification function's context +**/ +VOID +EFIAPI +InstallAcpiTable ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + UINTN TableKey; + EFI_STATUS Status; + EFI_ACPI_TABLE_PROTOCOL *AcpiTable; + UINT64 OemTableId; + + Status = gBS->LocateProtocol (&gEfiAcpiTableProtocolGuid, NULL, (VOID **)&AcpiTable); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "TD: AcpiTableProtocol is not installed. %r\n", Status)); + return; + } + + mTdxEventlogAcpiTemplate.Laml = (UINT64)PcdGet32 (PcdCcEventlogAcpiTableLaml); + mTdxEventlogAcpiTemplate.Lasa = PcdGet64 (PcdCcEventlogAcpiTableLasa); + CopyMem (mTdxEventlogAcpiTemplate.Header.OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (mTdxEventlogAcpiTemplate.Header.OemId)); + OemTableId = PcdGet64 (PcdAcpiDefaultOemTableId); + CopyMem (&mTdxEventlogAcpiTemplate.Header.OemTableId, &OemTableId, sizeof (UINT64)); + mTdxEventlogAcpiTemplate.Header.OemRevision = PcdGet32 (PcdAcpiDefaultOemRevision); + mTdxEventlogAcpiTemplate.Header.CreatorId = PcdGet32 (PcdAcpiDefaultCreatorId); + mTdxEventlogAcpiTemplate.Header.CreatorRevision = PcdGet32 (PcdAcpiDefaultCreatorRevision); + + // + // Construct ACPI Table + Status = AcpiTable->InstallAcpiTable ( + AcpiTable, + &mTdxEventlogAcpiTemplate, + mTdxEventlogAcpiTemplate.Header.Length, + &TableKey + ); + ASSERT_EFI_ERROR (Status); + + DEBUG ((DEBUG_INFO, "TDVF Eventlog ACPI Table is installed.\n")); +} + +/** + The function install TdTcg2 protocol. + + @retval EFI_SUCCESS TdTcg2 protocol is installed. + @retval other Some error occurs. +**/ +EFI_STATUS +InstallCcMeasurementProtocol ( + VOID + ) +{ + EFI_STATUS Status; + EFI_HANDLE Handle; + + Handle = NULL; + Status = gBS->InstallMultipleProtocolInterfaces ( + &Handle, + &gEfiCcMeasurementProtocolGuid, + &mTdProtocol, + NULL + ); + DEBUG ((DEBUG_INFO, "CcProtocol: Install %r\n", Status)); + return Status; +} + +/** + The driver's entry point. It publishes EFI Tcg2 Protocol. + + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @retval other Some error occurs when executing this entry point. +**/ +EFI_STATUS +EFIAPI +DriverEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + EFI_EVENT Event; + VOID *Registration; + + if (!TdIsEnabled ()) { + return EFI_UNSUPPORTED; + } + + mImageHandle = ImageHandle; + + // + // Fill information + // + // ASSERT (TD_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTEventInfo)/sizeof(mTcg2EventInfo[0])); + + mTdxDxeData.BsCap.Size = sizeof (EFI_CC_BOOT_SERVICE_CAPABILITY); + mTdxDxeData.BsCap.ProtocolVersion.Major = 1; + mTdxDxeData.BsCap.ProtocolVersion.Minor = 1; + mTdxDxeData.BsCap.StructureVersion.Major = 1; + mTdxDxeData.BsCap.StructureVersion.Minor = 1; + + // + // Get supported PCR and current Active PCRs + // For TD gueset HA384 is supported. + // + mTdxDxeData.BsCap.HashAlgorithmBitmap = HASH_ALG_SHA384; + + // TD guest only supports EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 + mTdxDxeData.BsCap.SupportedEventLogs = EFI_CC_EVENT_LOG_FORMAT_TCG_2; + + // + // Setup the log area and copy event log from hob list to it + // + Status = SetupCcEventLog (); + ASSERT_EFI_ERROR (Status); + + if (!EFI_ERROR (Status)) { + Status = SyncCcEvent (); + ASSERT_EFI_ERROR (Status); + } + + // + // Measure handoff tables, Boot#### variables etc. + // + Status = EfiCreateEventReadyToBootEx ( + TPL_CALLBACK, + OnReadyToBoot, + NULL, + &Event + ); + + Status = gBS->CreateEventEx ( + EVT_NOTIFY_SIGNAL, + TPL_NOTIFY, + OnExitBootServices, + NULL, + &gEfiEventExitBootServicesGuid, + &Event + ); + + // + // Measure Exit Boot Service failed + // + Status = gBS->CreateEventEx ( + EVT_NOTIFY_SIGNAL, + TPL_NOTIFY, + OnExitBootServicesFailed, + NULL, + &gEventExitBootServicesFailedGuid, + &Event + ); + + // + // Create event callback, because we need access variable on SecureBootPolicyVariable + // We should use VariableWriteArch instead of VariableArch, because Variable driver + // may update SecureBoot value based on last setting. + // + EfiCreateProtocolNotifyEvent (&gEfiVariableWriteArchProtocolGuid, TPL_CALLBACK, MeasureSecureBootPolicy, NULL, &Registration); + + // + // Install CcMeasurementProtocol + // + Status = InstallCcMeasurementProtocol (); + DEBUG ((DEBUG_INFO, "InstallCcMeasurementProtocol - %r\n", Status)); + + if (Status == EFI_SUCCESS) { + // + // Create event callback to install CC EventLog ACPI Table + EfiCreateProtocolNotifyEvent (&gEfiAcpiTableProtocolGuid, TPL_CALLBACK, InstallAcpiTable, NULL, &Registration); + } + + return Status; +} diff --git a/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf b/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf new file mode 100644 index 000000000000..5efe7ef479f1 --- /dev/null +++ b/OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf @@ -0,0 +1,101 @@ +## @file +# +# Produces EFI_CC_MEASUREMENT_PROTOCOL and measure boot environment +# +# +# Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved.<BR> +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = TdTcg2Dxe + FILE_GUID = F062221E-C607-44C2-B0B4-C3886331D351 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = DriverEntry + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = X64 +# + +[Sources] + TdTcg2Dxe.c + MeasureBootPeCoff.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + OvmfPkg/OvmfPkg.dec + +[LibraryClasses] + MemoryAllocationLib + BaseLib + UefiBootServicesTableLib + HobLib + UefiDriverEntryPoint + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib + PrintLib + UefiLib + HashLib + PerformanceLib + ReportStatusCodeLib + PeCoffLib + TpmMeasurementLib + TdxLib + +[Guids] + ## SOMETIMES_CONSUMES ## Variable:L"SecureBoot" + ## SOMETIMES_CONSUMES ## Variable:L"PK" + ## SOMETIMES_CONSUMES ## Variable:L"KEK" + ## SOMETIMES_CONSUMES ## Variable:L"BootXXXX" + gEfiGlobalVariableGuid + + ## SOMETIMES_CONSUMES ## Variable:L"db" + ## SOMETIMES_CONSUMES ## Variable:L"dbx" + gEfiImageSecurityDatabaseGuid + + # gTcgEventEntryHobGuid ## SOMETIMES_CONSUMES ## HOB + gEfiEventExitBootServicesGuid ## CONSUMES ## Event + gEventExitBootServicesFailedGuid ## SOMETIMES_CONSUMES ## Event + + gCcEventEntryHobGuid ## SOMETIMES_CONSUMES ## HOB + gTcg800155PlatformIdEventHobGuid ## SOMETIMES_CONSUMES ## HOB + gEfiCcFinalEventsTableGuid ## PRODUCES + +[Protocols] + gEfiCcMeasurementProtocolGuid ## PRODUCES + gEfiMpServiceProtocolGuid ## SOMETIMES_CONSUMES + gEfiVariableWriteArchProtocolGuid ## NOTIFY + gEfiResetNotificationProtocolGuid ## CONSUMES + gEfiAcpiTableProtocolGuid ## NOTIFY + +[Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdTpmPlatformClass ## SOMETIMES_CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized ## SOMETIMES_CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice ## SOMETIMES_CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2NumberOfPCRBanks ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdTcgLogAreaMinLen ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2FinalLogAreaLen ## CONSUMES + gUefiOvmfPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLaml ## PRODUCES + gUefiOvmfPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa ## PRODUCES + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemId ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemTableId ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision ## CONSUMES + +[Depex] + # According to PcdTpm2AcpiTableRev definition in SecurityPkg.dec + # This PCD should be configured at DynamicHii or DynamicHiiEx. + # So, this PCD read operation depends on GetVariable service. + # Add VariableArch protocol dependency to make sure PCD read works. + gEfiVariableArchProtocolGuid AND gEfiAcpiTableProtocolGuid -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH V3 9/9] OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu ` (7 preceding siblings ...) 2022-04-17 23:59 ` [PATCH V3 8/9] OvmfPkg/IntelTdx: Add TdTcg2Dxe Min Xu @ 2022-04-18 0:00 ` Min Xu 2022-04-18 1:43 ` [edk2-devel] [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Yao, Jiewen 9 siblings, 0 replies; 27+ messages in thread From: Min Xu @ 2022-04-18 0:00 UTC (permalink / raw) To: devel Cc: Min Xu, Brijesh Singh, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Ken Lu, Sami Mujawar, Gerd Hoffmann RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 Enable RTMR based measurement and measure boot for Td guest. Cc: Brijesh Singh <brijesh.singh@amd.com> Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Ken Lu <ken.lu@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Min Xu <min.m.xu@intel.com> --- OvmfPkg/IntelTdx/IntelTdxX64.dsc | 12 +++++++++++- OvmfPkg/IntelTdx/IntelTdxX64.fdf | 5 +++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc index e6cd10a120a8..1d99de366d6c 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -192,7 +192,7 @@ OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf - TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf [LibraryClasses.common] BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf @@ -549,6 +549,7 @@ !if $(SECURE_BOOT_ENABLE) == TRUE NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf !endif + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf } MdeModulePkg/Universal/EbcDxe/EbcDxe.inf @@ -723,3 +724,12 @@ <LibraryClasses> NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf } + + # + # Cc Measurement Protocol for Td guest + # + OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf { + <LibraryClasses> + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf + } diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf index 9e290ea78f61..b7eb217847b8 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf +++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf @@ -292,6 +292,11 @@ INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +# +# EFI_CC_MEASUREMENT_PROTOCOL +# +INF OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf + ################################################################################ [FV.FVMAIN_COMPACT] -- 2.29.2.windows.2 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [edk2-devel] [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu ` (8 preceding siblings ...) 2022-04-18 0:00 ` [PATCH V3 9/9] OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot Min Xu @ 2022-04-18 1:43 ` Yao, Jiewen 9 siblings, 0 replies; 27+ messages in thread From: Yao, Jiewen @ 2022-04-18 1:43 UTC (permalink / raw) To: devel@edk2.groups.io, Xu, Min M; +Cc: Yao, Jiewen Thanks for the update. With CCEL Rsvd changed to 2 bytes, the series reviewed-by: Jiewen Yao <Jiewen.yao@Intel.com> > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Min Xu > Sent: Monday, April 18, 2022 8:00 AM > To: devel@edk2.groups.io > Cc: Xu, Min M <min.m.xu@intel.com> > Subject: [edk2-devel] [PATCH V3 0/9] Enable RTMR based measurement and > measure boot for Td guest > > RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 > > Intel's Trust Domain Extensions (Intel TDX) refers to an Intel technology > that extends Virtual Machines Extensions (VMX) and Multi-Key Total Memory > Encryption (MKTME) with a new kind of virutal machines guest called a > Trust Domain (TD). A TD is desinged to run in a CPU mode that protects the > confidentiality of TD memory contents and the TD's CPU state from other > software, including the hosting Virtual-Machine Monitor (VMM), unless > explicitly shared by the TD itself. > > There are 2 configurations for TDVF to upstream. See below link for > the definitions of the 2 configurations. > https://edk2.groups.io/g/devel/message/76367 > > This patch-set is to enable below features of Config-B in OvmfPkg. > - Enable RTMR based measurement and measured boot > - Install CC_MEASUREMENT_PROTOCOL instance in Td guest > > The measurement for the other components, such as kernel image, initrd, > will be introduced in the following patch-sets. > > Patch 1: > HashLibTdx provides SHA384 service and extend to RTMR registers. > > Patch 2: > SecCryptLib is the cryptographic library instance for SEC. > > Patch 3 - 8: > These 6 patches are related to RTMR based measurement and > CC Eventlog ACPI table. > > Patch 9: > Update IntelTdxX64.dsc/IntelTdxX64.fdf to support RTMR based > measurement and measured boot. > > Code at: https://github.com/mxu9/edk2/tree/tdvf_wave4.v3 > > v3 changes: > - Refine HashLibBaseCryptoRouterTdx to HashLibTdx > - Add NULL version algorithms in SecCryptLib. > - Add SecMeasurementLib which does the measurement in SEC phase. > - Rebase EDK2 code base. (commit: 91a03f78ba) > > v2 changes: > - Move the definition of EFI_CC_EVENT_HOB_GUID from MdePkg to > SecurityPkg. > - Update the definition of EFI_CC_EVENTLOG_ACPI_TABLE based > on below discussion: > https://edk2.groups.io/g/devel/message/87396 > https://edk2.groups.io/g/devel/message/87402 > - Update the code base to 94f905b3bf. > > Min Xu (9): > Security: Add HashLibTdx > CryptoPkg: Add SecCryptLib > SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID > OvmfPkg: Introduce SecMeasurementLib > OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV > OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table > MdePkg: Define CC Measure EventLog ACPI Table > OvmfPkg/IntelTdx: Add TdTcg2Dxe > OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot > > CryptoPkg/CryptoPkg.dsc | 4 + > .../Library/BaseCryptLib/Hash/CryptMd5Null.c | 163 ++ > .../Library/BaseCryptLib/Hash/CryptSha1Null.c | 166 ++ > .../BaseCryptLib/Hash/CryptSha256Null.c | 162 ++ > .../Library/BaseCryptLib/Hash/CryptSm3Null.c | 164 ++ > .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c | 152 + > .../BaseCryptLib/Pk/CryptRsaBasicNull.c | 121 + > .../Library/BaseCryptLib/SecCryptLib.inf | 91 + > MdePkg/Include/Protocol/CcMeasurement.h | 21 + > OvmfPkg/Include/Library/SecMeasurementLib.h | 46 + > OvmfPkg/IntelTdx/IntelTdxX64.dsc | 16 +- > OvmfPkg/IntelTdx/IntelTdxX64.fdf | 5 + > .../IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c | 407 +++ > OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c | 2489 +++++++++++++++++ > OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf | 101 + > OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 163 ++ > .../PeilessStartupLib/PeilessStartup.c | 31 + > .../PeilessStartupInternal.h | 17 + > .../PeilessStartupLib/PeilessStartupLib.inf | 8 +- > .../SecMeasurementLib/SecMeasurementLibTdx.c | 340 +++ > .../SecMeasurementLibTdx.inf | 30 + > OvmfPkg/OvmfPkg.dec | 10 + > SecurityPkg/Include/Guid/CcEventHob.h | 22 + > SecurityPkg/Library/HashLibTdx/HashLibTdx.c | 207 ++ > SecurityPkg/Library/HashLibTdx/HashLibTdx.inf | 37 + > SecurityPkg/SecurityPkg.dec | 4 + > SecurityPkg/SecurityPkg.dsc | 10 + > 27 files changed, 4984 insertions(+), 3 deletions(-) > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c > create mode 100644 > CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c > create mode 100644 CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf > create mode 100644 OvmfPkg/Include/Library/SecMeasurementLib.h > create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c > create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c > create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf > create mode 100644 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c > create mode 100644 > OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c > create mode 100644 > OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf > create mode 100644 SecurityPkg/Include/Guid/CcEventHob.h > create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.c > create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.inf > > -- > 2.29.2.windows.2 > > > > > ^ permalink raw reply [flat|nested] 27+ messages in thread
end of thread, other threads:[~2022-04-21 9:25 UTC | newest] Thread overview: 27+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-04-17 23:59 [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Min Xu 2022-04-17 23:59 ` [PATCH V3 1/9] Security: Add HashLibTdx Min Xu 2022-04-17 23:59 ` [PATCH V3 2/9] CryptoPkg: Add SecCryptLib Min Xu 2022-04-18 15:31 ` [edk2-devel] " Michael D Kinney 2022-04-19 11:45 ` Min Xu 2022-04-17 23:59 ` [PATCH V3 3/9] SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID Min Xu 2022-04-17 23:59 ` [PATCH V3 4/9] OvmfPkg: Introduce SecMeasurementLib Min Xu 2022-04-17 23:59 ` [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV Min Xu 2022-04-19 6:58 ` Gerd Hoffmann 2022-04-19 11:12 ` Min Xu 2022-04-19 12:49 ` [edk2-devel] " Gerd Hoffmann 2022-04-19 14:06 ` Yao, Jiewen 2022-04-20 8:16 ` Gerd Hoffmann 2022-04-20 9:46 ` Yao, Jiewen 2022-04-20 16:05 ` Gerd Hoffmann 2022-04-20 14:25 ` James Bottomley 2022-04-20 16:29 ` Gerd Hoffmann 2022-04-20 22:29 ` Yao, Jiewen 2022-04-21 9:14 ` Gerd Hoffmann 2022-04-21 9:24 ` Yao, Jiewen 2022-04-17 23:59 ` [PATCH V3 6/9] OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table Min Xu 2022-04-17 23:59 ` [PATCH V3 7/9] MdePkg: Define CC Measure EventLog ACPI Table Min Xu 2022-04-18 1:23 ` Yao, Jiewen 2022-04-18 2:02 ` Min Xu 2022-04-17 23:59 ` [PATCH V3 8/9] OvmfPkg/IntelTdx: Add TdTcg2Dxe Min Xu 2022-04-18 0:00 ` [PATCH V3 9/9] OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot Min Xu 2022-04-18 1:43 ` [edk2-devel] [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest Yao, Jiewen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox