From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Xu, Min M" <min.m.xu@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
Ashish Kalra <ashish.kalra@amd.com>,
"Brijesh Singh" <brijesh.singh@amd.com>,
"Aktas, Erdem" <erdemaktas@google.com>,
"James Bottomley" <jejb@linux.ibm.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
"Sami Mujawar" <sami.mujawar@arm.com>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [PATCH 0/4] Measure kernel blob
Date: Mon, 23 May 2022 09:29:33 +0000 [thread overview]
Message-ID: <MW4PR11MB5872C09B77ABD5B8234F377D8CD49@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <cover.1653284206.git.min.m.xu@intel.com>
Hi
I am not clear about the design. Some questions:
1. This should be generic feature for trusted boot. Not TDX specific. Right?
2. Why we need BlobMeasurementLib?
We already have TpmMeasurementLib. Why we cannot use it?
3. Why we need BlobMeasurementLibTdx?
Even if we really need BlobMeasurementLib, the flow should be: ->BlobMeasurementLib->TpmMeasurementLib->TpmMeasurementLibTdx
4. Why we need BlobMeasurementLibNull?
We already have TpmMeasurementLibNull. What is benefit to add one more NULL MeasurementLib?
Thank you
Yao Jiewen
> -----Original Message-----
> From: Xu, Min M <min.m.xu@intel.com>
> Sent: Monday, May 23, 2022 1:56 PM
> To: devel@edk2.groups.io
> Cc: Xu, Min M <min.m.xu@intel.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Justen, Jordan L <jordan.l.justen@intel.com>;
> Ashish Kalra <ashish.kalra@amd.com>; Brijesh Singh <brijesh.singh@amd.com>;
> Aktas, Erdem <erdemaktas@google.com>; James Bottomley
> <jejb@linux.ibm.com>; Yao, Jiewen <jiewen.yao@intel.com>; Tom Lendacky
> <thomas.lendacky@amd.com>; Sami Mujawar <sami.mujawar@arm.com>;
> Gerd Hoffmann <kraxel@redhat.com>
> Subject: [PATCH 0/4] Measure kernel blob
>
> Kernel blobs include the kernel image, initrd, command line. These are
> external inputs from host VMM. In some platforms,such as Tdx environment,
> Host VMM is treated as un-trusted. So these external inputs should be
> measured.
>
> This patch-set imports a new library class (BlobMeasurementLib). It is
> designed to do the blob measurement, including the kernel blob
> measurement. In the future, it will do other blob measurement, such as
> measuring ACPI table which is also passed from host VMM.
>
> The code is at: https://github.com/mxu9/edk2/tree/MeasureKernelBlob.v1
>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Ashish Kalra <ashish.kalra@amd.com>
> Cc: Brijesh Singh <brijesh.singh@amd.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Min Xu <min.m.xu@intel.com>
>
> Min Xu (4):
> OvmfPkg: Add library class BlobMeasurementLib with null implementation
> OvmfPkg: Add BlobMeasurementLibNull to dsc
> OvmfPkg: Implement BlobMeasurementLibTdx
> OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg
>
> ArmVirtPkg/ArmVirtQemu.dsc | 1 +
> ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
> OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +
> OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
> OvmfPkg/Include/Library/BlobMeasurementLib.h | 38 ++++++++
> .../BlobMeasurementLibTdx/BlobMeasurement.c | 87 +++++++++++++++++++
> .../BlobMeasurementLibTdx.inf | 30 +++++++
> OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
> .../BlobMeasurementLibNull.c | 34 ++++++++
> .../BlobMeasurementLibNull.inf | 24 +++++
> OvmfPkg/Microvm/MicrovmX64.dsc | 1 +
> OvmfPkg/OvmfPkg.dec | 3 +
> OvmfPkg/OvmfPkgIa32.dsc | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> OvmfPkg/OvmfPkgX64.dsc | 1 +
> OvmfPkg/OvmfXen.dsc | 1 +
> .../QemuKernelLoaderFsDxe.c | 13 +++
> 17 files changed, 240 insertions(+)
> create mode 100644 OvmfPkg/Include/Library/BlobMeasurementLib.h
> create mode 100644
> OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurement.c
> create mode 100644
> OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
> create mode 100644
> OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.c
> create mode 100644
> OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf
>
> --
> 2.29.2.windows.2
next prev parent reply other threads:[~2022-05-23 9:29 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 5:55 [PATCH 0/4] Measure kernel blob Min Xu
2022-05-23 5:55 ` [PATCH 1/4] OvmfPkg: Add library class BlobMeasurementLib with null implementation Min Xu
2022-05-23 5:55 ` [PATCH 2/4] OvmfPkg: Add BlobMeasurementLibNull to dsc Min Xu
2022-05-23 5:55 ` [PATCH 3/4] OvmfPkg: Implement BlobMeasurementLibTdx Min Xu
2022-05-23 8:14 ` Gerd Hoffmann
2022-05-23 5:55 ` [PATCH 4/4] OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg Min Xu
2022-05-23 9:29 ` Yao, Jiewen [this message]
[not found] ` <16F1B1F290429BFD.18186@groups.io>
2022-05-23 9:36 ` [edk2-devel] [PATCH 0/4] Measure kernel blob Yao, Jiewen
2022-05-23 11:13 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW4PR11MB5872C09B77ABD5B8234F377D8CD49@MW4PR11MB5872.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox