From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web10.5213.1674006084555228563 for ; Tue, 17 Jan 2023 17:41:26 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=WD8kGel5; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: min.m.xu@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1674006084; x=1705542084; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=XBtWdkrhUa8H37GxEvJ6hyaMqpitQHKcx293QV5IfVc=; b=WD8kGel5eBAQ2K8nRg0oBJkhy5GeDgfCFcbmWbbcoNeSdfWi8sEYq9Ng G3i10USGLp/lDGfe0zoFIfve1IkBGXpXWTbne94eKW23DcHYhG8wZsGEh HNdpkWDPhgm1EjB/5K552x34C8gZPIzemLkIFsYXuiCpW6SyhpmZFJMj1 D9l1zWPlyZALI4EiFnA7bKh3I7JjObw8Ru0DDBRvdf4dVfnmFYWkjtUIP G+VnCDJ2Dzr7on3AGFCrqXa+AFHjnnSK9c76wDNu0CIj9dHBIQIidJ36C D5slyDl/wcLjB0cmUJZMx2zZrHDwU5zWKF9Ir4BQ+kIgBNpN5SmHTuqtF w==; X-IronPort-AV: E=McAfee;i="6500,9779,10593"; a="324928152" X-IronPort-AV: E=Sophos;i="5.97,224,1669104000"; d="scan'208";a="324928152" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Jan 2023 17:41:20 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10593"; a="691793260" X-IronPort-AV: E=Sophos;i="5.97,224,1669104000"; d="scan'208";a="691793260" Received: from orsmsx602.amr.corp.intel.com ([10.22.229.15]) by orsmga001.jf.intel.com with ESMTP; 17 Jan 2023 17:41:19 -0800 Received: from orsmsx611.amr.corp.intel.com (10.22.229.24) by ORSMSX602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16; Tue, 17 Jan 2023 17:41:19 -0800 Received: from orsmsx602.amr.corp.intel.com (10.22.229.15) by ORSMSX611.amr.corp.intel.com (10.22.229.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16; Tue, 17 Jan 2023 17:41:18 -0800 Received: from ORSEDG601.ED.cps.intel.com (10.7.248.6) by orsmsx602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16 via Frontend Transport; Tue, 17 Jan 2023 17:41:18 -0800 Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.104) by edgegateway.intel.com (134.134.137.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Tue, 17 Jan 2023 17:41:17 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Vk4eeoAGja6YZhGfmG+2FQ9f58T9oj8lovsxTDOvUYPEK0KHdrOpQMOlzpe1rviWFfhcouet8gTUqPCE034DC29E51n1SHTFkaftoAyI2k5yoPO2tPwpKYiF23EsCtDxZuO3LKZzwPD5bAoe/r3Mjb4e6u8JJpaJKgaTJ3GC1udgEZ9+eGPTYIkgiYIRQMnQFrXdS08db0ySHMocHlIS+0M1r9TN3vkpIYm2OgHj1E2SFS0nokHYwCD6Wd3YSlWAh7d08fnqy/mwCU5R+BHSSMBz6CjbRMGW1/IgsEsu+wQc+arYY/12leZkC3kM14rzMNfijLljU+u1ho2nO1OIZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lFUYtKvOGxhQwr26o2AmWe8nG+QYNOMRDE1ADcmcKJs=; b=Ex+6Ph0ch/VmT/oJGH6XLtjV1mGI0RUUcUbKwkd5nN2G4Q4sg+OTDtLu+GpZRTsRIL4MNRP6FKeva+wwI+MJA4FQqHkyPE46ks2KtnrsZvuoQEuGQtNHoNqB0U/rW9OTp3t6zaUsAb2ijQQ9MSt/Nv+ihlYNlTB9stBOj/7cpYTTF6IqwOyn0hzxLgxvOCnfEwDATLZ8xt7sB9gH1pFGL9MUAq8wj7AIzfUAIMG08WdCMZhsbyl28Uxuyf83lbDTw6wYzyWaX5D+E3vscg/3j9MHqrptK196TYzZrUysymcXocMBaxq69CXhFLkG3XtK3qcFgtOXeBlUtSM+9102TQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from PH0PR11MB5064.namprd11.prod.outlook.com (2603:10b6:510:3b::15) by DM6PR11MB4689.namprd11.prod.outlook.com (2603:10b6:5:2a0::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.13; Wed, 18 Jan 2023 01:41:16 +0000 Received: from PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::d87:9f99:2db2:43d1]) by PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::d87:9f99:2db2:43d1%6]) with mapi id 15.20.6002.012; Wed, 18 Jan 2023 01:41:16 +0000 From: "Min Xu" To: "devel@edk2.groups.io" , "kraxel@redhat.com" CC: "Aktas, Erdem" , James Bottomley , "Yao, Jiewen" , Tom Lendacky , Michael Roth Subject: Re: [edk2-devel] [PATCH V1 1/7] OvmfPkg: Add Tdx measurement data structure in WorkArea Thread-Topic: [edk2-devel] [PATCH V1 1/7] OvmfPkg: Add Tdx measurement data structure in WorkArea Thread-Index: AQHZKkb+kLGHGhsZ0EaxI7fCLdFmVq6ieF4AgADcl8A= Date: Wed, 18 Jan 2023 01:41:15 +0000 Message-ID: References: <20230117074016.1056-1-min.m.xu@intel.com> <20230117074016.1056-2-min.m.xu@intel.com> <20230117112554.opz5cc7edq26raty@sirius.home.kraxel.org> In-Reply-To: <20230117112554.opz5cc7edq26raty@sirius.home.kraxel.org> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: PH0PR11MB5064:EE_|DM6PR11MB4689:EE_ x-ms-office365-filtering-correlation-id: c629615e-78fa-4ecb-ddca-08daf8f516d6 x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: aWk57aLFw1mNpYRR7/8gXA+OMloNAlLHJjM//g09o5Kk/GuGgqlPe9hsGr6K7ys201n0Uxr520SY1Prg3ERs8cZ0hP1TwYR+Ii8LgcO3bB5gSfZC0l8n3Cz9sXb7MwMTXr2nl6zp5NQXxnEY8OeP5eBHMvCI++bzK/NMqbswqCppGhTjFgQjEkHC3Bdd3T5StclwsINxzgsEzhaPUU3Hd/ur0ayNEsLs8IAnUm9Re7IKzEo3d8iv2M59Qcb2Br0eI6bdZwfTKwUY5Qpk1hZagG9uW5f5vd/4us/bknP9CaiJTgHHlXv5YugrktFwHUglPxrpXTWalsE2s/e/1oShCwcAhiQsGmMhkfs22ur5u38QCFqq10YetQ6qPHcxO8p4QHexEdfi3BfcHU60/Ti31TyaTTPE/4FT+vYcy3MVkforCvzPcTXuXV4quGDsQIwQ/pPr7apxeJwvbDac4v6DChqFRyXZEWUAriQOuW6q7Un9OosPl5SyVrnwvdr1/9r1XjXIvSrr7o4G2iOK1k4oh/kwNGqjlkOARSV3G2865QyzDEbYrWETq0KxPRxTjJut8kGf9Pga5+Qf9CLzHP0UO9LzKuqH8hLnoDcATfNBjjdk+jNBLpO8HbMi1YRr/yHbLPY341zCFuC/DjdqSg8l+D0ef45MoCEMOjh/Moi4mEgUlKXyCJjTOFeS/x7ZrI9H/Dr0T6TQXRCzYFVimGZNoh4+twr/oIuc+z/kBrFykNk= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB5064.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(396003)(136003)(366004)(346002)(376002)(39860400002)(451199015)(86362001)(8676002)(33656002)(71200400001)(4326008)(9686003)(26005)(66476007)(66946007)(76116006)(66446008)(186003)(66556008)(64756008)(41300700001)(6506007)(38100700002)(54906003)(2906002)(7696005)(478600001)(122000001)(966005)(38070700005)(82960400001)(316002)(5660300002)(83380400001)(52536014)(55016003)(110136005)(8936002);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?tFFgMR+DTepwzHj/Qq2oZmt6MQJ6rhxF+ceZBP/bNZYAPENdx6tkfnlxm9VF?= =?us-ascii?Q?Yebv1+EvGAlKq1qkEXIydYYr/gxXBALiJIXBTEjpZp3mKSXa/OtZkHfmMVKU?= =?us-ascii?Q?YL9AbfjQR1o4sbqQ5Ai4aQgd8shnHk+mVTA5jC4zYk+Wbgf0c/+QvMGrUtxM?= =?us-ascii?Q?K3uyjydWSz4O2PghBJJpZPr5by1tezPErNKZy68U6dq1qZccE5dW1uvo2H8N?= =?us-ascii?Q?DrRKsN/BRBakQVWFUV1K0Erturb22E5hjLwyqvnD7q/PuXAJmJ6Ah3BXC5Qk?= =?us-ascii?Q?ZpM2PB6p9dwRynn4ex0PSLE5DMvqS0LT3E/tUG0cUMfxJSJfa7+g5xFWhcKe?= =?us-ascii?Q?9uGRglPTy0cxrSWvdv2c7cCWagwIk+q3jTo/IFxg6/wbNPbihxYfLbbEucKS?= =?us-ascii?Q?uPWY0bjXIm6U8LlXS/yjMpje/vCmmvx7qhmKrmo/AYLTfFyf3zmes+uheMaN?= =?us-ascii?Q?bgs+UpN3G2TKYR1VGB8Iia7ojp55Rbwn4OTmGYmx0Ivz0xrpm6+bKfk6EJ9Q?= =?us-ascii?Q?H9u9zAK3u+v2LQagm9OA3Oo8OYvyBCqMKZVT3ZGVPpIKbiA6FoPRLhUt9hgE?= =?us-ascii?Q?FvLLB40SsFTIH04gvCqAuxH+B2nS0JL57rpvMFj044E3tRwoUlNxUjne20vi?= =?us-ascii?Q?Bkydg+qsGpYcpwv+GYPn6c7tX7CF0Mne/ENsnE+uVniOF77m4mADFFdzZcNl?= =?us-ascii?Q?lmuQekOEEdqjpspdMh8GhFnAV6I7Fy5U/aRwVdpkI81c80Y3gXmCK8tvkMy5?= =?us-ascii?Q?WVkmMCWumwp1mCl0f6fc3IO3zB9zW6LOHCCW03r8BYoN0jW+4KqnJ2tUiqhp?= =?us-ascii?Q?3cYbjVHS2tYf93C8LyGLTJvKtWTyEqP5ojbv3wYsQpy1VdOI8cmXqAVqo0AS?= =?us-ascii?Q?plvJD5IMmeVXZ7DOdhXX/Knc8tGY0Sd3sDCXtCQ82DFbhb+5Lzk1LXJUvIiL?= =?us-ascii?Q?1Z9K7CoVbHESxtrnf9vtFUQPsSFetbjzpVBCnfkE422vCITGDepczo6lqSCP?= =?us-ascii?Q?ji1+lKxAhook5I4VLO44Y+WRL7hT5LHymdCgZzuKw1J0L5gqOUu2Td4HWcqk?= =?us-ascii?Q?l+kNkApi+mgCuhwORGDCcOqXnwtoapQGR6pMLigv82DV7CLCdgJo4iJ1ZNOn?= =?us-ascii?Q?zGqJRvdgUWD01LrJxy6UkHs107x6Vgq1baIWorBwK4Nd6bgAhb0J0HuKRfkI?= =?us-ascii?Q?kANYj6ccjrMFJ93fRYywMWfoh14hIc6Ko7ilG7Nf40qZ47Dg+K26+WGSVoI2?= =?us-ascii?Q?YGhJWtwGhEqF2t0Uyyz/l59eq4MBxD4siB3EvcMmZBT38q/raX+W171eyh1t?= =?us-ascii?Q?nOsqGLSkNZEaDkZRHT+rpeUogLK4ARlRONabaaptFPExtoWox+kC10d0l2+X?= =?us-ascii?Q?JHU8oT/sL9MZPXXt3kJGoXC02/7kO/5OKy3HMifmOQ6f2kdT85sDtHb8nWHU?= =?us-ascii?Q?qRSUWRm9DJue/zco//HkIyqWuA5rhbcI6DWBUtvduBmukey6bVB+70LyhM2I?= =?us-ascii?Q?Z7rFGABth5HbKDCGMjZ9GCJtsmxUYaHtVE1/3YSgD6RCZ2N9028uPdVr9ZLy?= =?us-ascii?Q?hy1vhmVWSNc6S1nBUK+tUcxdLnbNOpv2uIgL+y0x?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB5064.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: c629615e-78fa-4ecb-ddca-08daf8f516d6 X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jan 2023 01:41:16.0046 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: UE1Fggl6gHGgt7LKZv2YfovKmUUGM7R/kFmflmoEOKrIruLyeYwdlmi3qikgEfQBhauWHJZirTSSysFYAXVGtQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4689 Return-Path: min.m.xu@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable On January 17, 2023 7:26 PM, Gerd Hoffmann wrote: > On Tue, Jan 17, 2023 at 03:40:10PM +0800, Min Xu wrote: > > From: Min M Xu > > > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 > > > > From the perspective of security any external input should be measured > > and extended to some registers (TPM PCRs or TDX RTMR registers). > > > > There are below 2 external input in a Td guest: > > - TdHob > > - Configuration FV (CFV) > > > > TdHob contains the resource information passed from VMM, such as > > unaccepted memory region. CFV contains the configurations, such as > > secure boot variables. > > > > TdHob and CFV should be measured and extended to RTMRs before they're > > consumed. TdHob is consumed in the very early stage of boot process. > > At that moment the memory service is not ready. Cfv is consumed in > > PlatformPei to initialize the EmuVariableNvStore. To make the > > implementation simple and clean, these 2 external input are measured > > and extended to RTMRs in SEC phase. The measurement values are stored > > in WorkArea. Then after the Hob service is available, these 2 > > measurement values are retrieved and GuidHobs for these 2 tdx > > measurements are generated. >=20 > So the measurement is done early and the hashes are stored to create the > event log entries later, correct? Yes. >=20 > Why both TdHob and CFV are handled this way? It should be needed for > TdHob only, right? The work area has a fixed size, IMHO we should not st= ore > data there unless we absolutely have to, and for CFV I don't see the > justification. In our first design CFV was measured and extended in PEI phase. Because CFV= is consumed in PlatformInitEmuVariableNvStore.=20 But then we find a problem. That we must either refactor the HashLibBaseCry= ptoRouterPei or introduce a new HashLib in PEI phase. 1) If HashLibBaseCryptoRouterPei is to be refactored to support tdx-measure= ment, then it must detect the tdx-guest in run-time so that it can determin= e to call Tpm2PcrExtend or call TdxExtendRtmr.=20 2) If we import a new HashLib in PEI phase, we are facing another problem, = that we have to load either the new HashLib or HashLibBaseCryptoRouterPei i= n run-time. Cfv is measured and extended in both OvmfPkgX64 and IntelTdxX64. Our curren= t design reduces the code duplication of measurement, as well as the genera= tion of GuidHob for the measurement. We have the helper function in SEC pha= se to do the measurement for TdHob, it's easy to measure Cfv as well. From = the security perspective, the earlier the Cfv is measured/extended the bett= er. As to the work-area, now the size of work-area is 4096 bytes. Before this p= atch TDX uses 4+16 bytes. TDX_MEASUREMENTS_DATA uses 4+48+48=3D100 bytes. S= o totally 120 bytes are used. I don't think the size is a problem. And if C= fv is measured in SEC phase, then its measurement value has to be stored in= work-area. Based on above consideration, we finally propose this solution. Thanks Min