From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Gerd Hoffmann
CC: James Bottomley, devel@edk2.groups.io, "Xu, Min M", Ard Biesheuvel, "Justen, Jordan L", Brijesh Singh, "Aktas, Erdem", Tom Lendacky
Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
Date: Thu, 21 Apr 2022 09:24:49 +0000
In-Reply-To: <20220421091430.55zgdocsn6h4z5dy@sirius.home.kraxel.org>

Adding CFV and TD_HOB to MRTD is technically possible, but not desired.

In a typical trusted boot use case, the verifier should have a way to distinguish the *code* from *configuration*.

If you look at the TCG specification, the TPM has 24 PCRs. 8 of them are allocated for BIOS.
Each PCR records one type of measurement.

Technically, you can merge all PCRs into one. But no one will do that in reality.

I would say: merging everything into one MRTD is a terrible idea.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Gerd Hoffmann
> Sent: Thursday, April 21, 2022 5:15 PM
> To: Yao, Jiewen
> Cc: James Bottomley; devel@edk2.groups.io; Xu, Min M; Ard Biesheuvel; Justen, Jordan L; Brijesh Singh; Aktas, Erdem; Tom Lendacky
> Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
>
> On Wed, Apr 20, 2022 at 10:29:11PM +0000, Yao, Jiewen wrote:
> > The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX-Module will enforce the MRTD calculation for the TDVF code.
> > Then TDVF can act as Chain-of-Trust for Measurement (CTM) to set up RTMR and continue the rest.
> >
> > It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8.
> >
> > [TDX-Module] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf
> > [TDVF] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf
>
> Ok. So it all works via TDH.MEM.PAGE.ADD (initial set of accepted
> pages) and TDH.MR.EXTEND (measure into MRTD) functions.
>
> Looking at our binary ...
>
> # virt-fw-dump -i Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd --ovmf-meta
> image=Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd
> resetvector size=0x9b0
> [ ... sev metadata snipped ... ]
> guid:TdxMetadataOffset size=0x16 data=50080000
>   mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1
>   mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000
>   mbase=0x810000 msize=0x10000 type=MEM
>   mbase=0x80b000 msize=0x2000 type=MEM
>   mbase=0x809000 msize=0x2000 type=TD Hob
>   mbase=0x800000 msize=0x6000 type=MEM
>
> ... BFV is measured (bit 0 of flags) whereas CFV and TD Hob are only
> added but not measured.
>
> Adding CFV and TD Hob to the initial launch measurement should be
> possible by just updating flags, correct?
>
> I think this should be done for the CFV. The firmware will be loaded
> via "qemu -bios OVMF.fd". No separate images for CODE and VARS. So
> splitting the measurement looks rather pointless to me.
>
> TD Hob could be part of the initial launch measurement too, which would
> avoid the need to measure anything in SEC. On the other hand that
> would make the launch measurement depend not only on the firmware image
> but also the guest configuration (memory size), which would likely make
> things more complex elsewhere, so probably not a good idea.
>
> take care,
>   Gerd
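The argument above, that a verifier needs to tell *code* apart from *configuration*, can be shown with a small model of extend-only measurement registers. The following is an added example; it is not edk2, TDVF or TDX-Module code and does not reproduce the real MRTD computation (TDH.MR.EXTEND over the added pages). It treats MRTD and RTMR[0] as TPM-PCR-style SHA-384 registers where each extend computes `new = H(old || H(data))`, and the firmware volume, CFV variable stores and TD HOBs are constructed byte strings standing in for real images. It then compares the TDVF layout (code in MRTD, HOB and CFV in RTMR) with folding everything into MRTD, and counts how many reference values a verifier would need to accept every legitimate configuration of one golden firmware build.

```python
import hashlib

# Added, simplified model (not TDVF/TDX-Module code): MRTD and RTMRs are
# treated as SHA-384 extend-only registers, like TPM PCRs.
DIGEST_LEN = 48
ZERO = bytes(DIGEST_LEN)


def measure(data: bytes) -> bytes:
    """Digest of the object being measured."""
    return hashlib.sha384(data).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """PCR/RTMR-style extend: new = H(old_register || digest)."""
    return hashlib.sha384(register + digest).digest()


# Constructed stand-ins for the images; real firmware volumes are not used.
BFV_CODE = b"constructed BFV: firmware code volume (golden build)"
CFV_CONFIGS = {
    "secure-boot-on": b"constructed CFV: variable store, Secure Boot enabled",
    "secure-boot-off": b"constructed CFV: variable store, Secure Boot disabled",
}
TD_HOBS = {
    "2g": b"constructed TD HOB: 2 GiB guest memory map",
    "4g": b"constructed TD HOB: 4 GiB guest memory map",
}


def measure_split(code: bytes, hob: bytes, config: bytes) -> dict:
    """TDVF layout: only the code volume is in MRTD; the TD HOB and the
    configuration volume are extended into RTMR[0] by the firmware."""
    mrtd = extend(ZERO, measure(code))
    rtmr0 = extend(extend(ZERO, measure(hob)), measure(config))
    return {"MRTD": mrtd, "RTMR0": rtmr0}


def measure_merged(code: bytes, hob: bytes, config: bytes) -> dict:
    """Alternative discussed in the thread: fold code, HOB and CFV into
    the single launch measurement, so MRTD alone carries everything."""
    mrtd = extend(ZERO, measure(code))
    mrtd = extend(mrtd, measure(hob))
    mrtd = extend(mrtd, measure(config))
    return {"MRTD": mrtd}


def code_is_trusted(regs: dict, golden_code: bytes) -> bool:
    """Verifier policy that only cares about the firmware code: accept when
    the code register equals the golden build's expected value."""
    return regs["MRTD"] == extend(ZERO, measure(golden_code))


def allowlist_size(measurer) -> int:
    """Number of distinct MRTD reference values a verifier must keep to
    accept every (HOB, CFV) combination of the golden firmware."""
    seen = {
        measurer(BFV_CODE, hob, cfg)["MRTD"]
        for hob in TD_HOBS.values()
        for cfg in CFV_CONFIGS.values()
    }
    return len(seen)


if __name__ == "__main__":
    for name, fn in (("split", measure_split), ("merged", measure_merged)):
        print(f"{name:6s}: reference MRTD values needed = {allowlist_size(fn)}")
    regs = measure_split(BFV_CODE, TD_HOBS["4g"], CFV_CONFIGS["secure-boot-on"])
    print("split layout, code trusted:", code_is_trusted(regs, BFV_CODE))
```

With the split layout, one golden MRTD covers the firmware build regardless of guest memory size or variable-store contents, and a change in RTMR[0] tells the verifier that the configuration, not the code, differs. With the merged register the verifier needs one reference value per (memory size, variable store) combination and cannot tell a modified code volume from a changed configuration.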