public inbox for devel@edk2.groups.io
From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu <min.m.xu@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Sami Mujawar <sami.mujawar@arm.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Gerd Hoffmann <kraxel@redhat.com>
Subject: [PATCH 4/4] OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg
Date: Mon, 23 May 2022 13:55:42 +0800
Message-ID: <c27a97ab34fb80a27f409ca6be8a618cf6415277.1653284206.git.min.m.xu@intel.com>
In-Reply-To: <cover.1653284206.git.min.m.xu@intel.com>

In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
of the kernel/initrd/cmdline from the QEMU fw_cfg interface.  Insert a
call to MeasureKernelBlob after fetching to allow BlobMeasurementLib
implementations to add a measurement step for these blobs.

This will allow confidential computing OVMF builds to add measurement
mechanisms for these blobs that originate from an untrusted source
(QEMU).

In current platforms in OvmfPkg, only IntelTdx supports blob measurement.
So OvmfPkg/IntelTdx/IntelTdxX64.dsc is updated to use
OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf. Other
dsc files use the null implementation, BlobMeasurementLibNull.inf.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                    |  1 +
 .../QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c   | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 00bc1255bc4e..2887047316b6 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -611,6 +611,7 @@
   OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
     <LibraryClasses>
       NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+      NULL|OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
   }
   OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
   OvmfPkg/Virtio10Dxe/Virtio10.inf
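Review bot: this module-scoped NULL| entry makes BlobMeasurementLibTdx the instance linked into QemuKernelLoaderFsDxe, but if patch 2/4 ("Add BlobMeasurementLibNull to dsc") also added a BlobMeasurementLib entry to IntelTdxX64.dsc, that null entry should be removed in the same change so one dsc does not carry both instances of the same library class; please confirm and mention it in the commit message. It would also help reviewers if the commit message said that the library is linked only into this driver, so measurement covers exactly the fw_cfg kernel/initrd/cmdline blobs and nothing else loaded on this platform.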
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index d4f3cd92255f..6720dae1d06c 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -18,6 +18,7 @@
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <Library/BlobVerifierLib.h>
+#include <Library/BlobMeasurementLib.h>
 #include <Library/DebugLib.h>
 #include <Library/DevicePathLib.h>
 #include <Library/MemoryAllocationLib.h>
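Review bot: the include list in this file is kept in alphabetical order (BaseLib, BaseMemoryLib, BlobVerifierLib, DebugLib, DevicePathLib, ...), and the new `#include <Library/BlobMeasurementLib.h>` is inserted after `BlobVerifierLib.h`, which breaks that order; move it one line up, between `BaseMemoryLib.h` and `BlobVerifierLib.h`.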
@@ -1074,6 +1075,18 @@ QemuKernelLoaderFsDxeEntrypoint (
       goto FreeBlobs;
     }
 
+    if ((CurrentBlob->Data > 0) && (CurrentBlob->Size > 0)) {
+      Status = MeasureKernelBlob (
+                 CurrentBlob->Name,
+                 sizeof (CurrentBlob->Name),
+                 CurrentBlob->Data,
+                 CurrentBlob->Size
+                 );
+      if (EFI_ERROR (Status)) {
+        goto FreeBlobs;
+      }
+    }
+
     mTotalBlobBytes += CurrentBlob->Size;
   }
 
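Review bot: `CurrentBlob->Data > 0` compares a pointer against an integer literal; the portable and idiomatic check is `CurrentBlob->Data != NULL`. Two further points on this block. First, blobs with `Size == 0` are skipped entirely, so an absent or empty kernel, initrd or cmdline leaves no entry at all in the measurement log, and an attestation verifier cannot tell "blob not supplied" from "blob supplied but not measured"; either measure the name with an empty payload or state in the commit message that empty blobs are deliberately left unmeasured. Second, `sizeof (CurrentBlob->Name)` is the size of the whole Name array, not the length of the name string, so any trailing padding bytes become part of what MeasureKernelBlob sees; if the library contract expects the string length, pass StrSize/AsciiStrSize (whichever matches the Name type) instead, or document that the full buffer is intended so that the verifier side computes the same value.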
-- 
2.29.2.windows.2



Thread overview: 9+ messages
2022-05-23  5:55 [PATCH 0/4] Measure kernel blob Min Xu
2022-05-23  5:55 ` [PATCH 1/4] OvmfPkg: Add library class BlobMeasurementLib with null implementation Min Xu
2022-05-23  5:55 ` [PATCH 2/4] OvmfPkg: Add BlobMeasurementLibNull to dsc Min Xu
2022-05-23  5:55 ` [PATCH 3/4] OvmfPkg: Implement BlobMeasurementLibTdx Min Xu
2022-05-23  8:14   ` Gerd Hoffmann
2022-05-23  5:55 ` Min Xu [this message]
2022-05-23  9:29 ` [PATCH 0/4] Measure kernel blob Yao, Jiewen
     [not found] ` <16F1B1F290429BFD.18186@groups.io>
2022-05-23  9:36   ` [edk2-devel] " Yao, Jiewen
2022-05-23 11:13     ` Ard Biesheuvel
