* [PATCH 0/3] Introduce SecTpmMeasurementLibTdx
@ 2022-06-05 1:02 Min Xu
2022-06-05 1:02 ` [PATCH 1/3] Security: Add SecTpmMeasurementLibTdx Min Xu
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Min Xu @ 2022-06-05 1:02 UTC (permalink / raw)
To: devel
Cc: Min Xu, Jiewen Yao, Jian J Wang, Erdem Aktas, James Bottomley,
Tom Lendacky, Gerd Hoffmann
SecTpmMeasurementLibTdx is an instance of TpmMeasurement lib in SEC phase.
It provides RTMR based measurement functions for Intel Tdx guest.
Commit a708536dce introduces SecMeasurementLibTdx which provides the same
functions. But it is not an instance of TpmMeasurementLib.
We have updated DxeTpmMeasurementLib (which is an instance of
TpmMeasurementLib) to support RTMR based measurement. To make the design
consistent, SecTpmMeasurementLibTdx is introduced. After that
SecMeasurementLibTdx is removed.
Patch #1:
Introduce SecMeasurementLibTdx
Patch #2:
Update OvmfPkg to support MeasureHobList/MeasureFvImage with
SecMeasurementLibTdx.
Patch #3:
Remove SecMeasurementLibTdx.
Code: https://github.com/mxu9/edk2/tree/secMeasurementLib.v1
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Min M Xu (3):
Security: Add SecTpmMeasurementLibTdx
OvmfPkg: Implement MeasureHobList/MeasureFvImage
OvmfPkg: Delete SecMeasurementLibTdx
OvmfPkg/Include/Library/SecMeasurementLib.h | 46 ---
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +-
OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 186 ++++++++++
.../PeilessStartupLib/PeilessStartup.c | 1 -
.../PeilessStartupInternal.h | 36 ++
.../PeilessStartupLib/PeilessStartupLib.inf | 2 +-
.../SecMeasurementLib/SecMeasurementLibTdx.c | 340 ------------------
.../SecMeasurementLibTdx.inf | 30 --
OvmfPkg/OvmfPkg.dec | 4 -
.../SecTpmMeasurementLibTdx.c | 176 +++++++++
.../SecTpmMeasurementLibTdx.inf | 34 ++
SecurityPkg/SecurityPkg.dsc | 2 +
12 files changed, 436 insertions(+), 423 deletions(-)
delete mode 100644 OvmfPkg/Include/Library/SecMeasurementLib.h
delete mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c
delete mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf
create mode 100644 SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.c
create mode 100644 SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
--
2.29.2.windows.2
* [PATCH 1/3] Security: Add SecTpmMeasurementLibTdx
2022-06-05 1:02 [PATCH 0/3] Introduce SecTpmMeasurementLibTdx Min Xu
@ 2022-06-05 1:02 ` Min Xu
2022-06-05 1:02 ` [PATCH 2/3] OvmfPkg: Implement MeasureHobList/MeasureFvImage Min Xu
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Min Xu @ 2022-06-05 1:02 UTC (permalink / raw)
To: devel; +Cc: Min M Xu, Jiewen Yao, Jian J Wang
From: Min M Xu <min.m.xu@intel.com>
SecTpmMeasurementLibTdx is an instance of TpmMeasurementLib. It is
designed to be used in a Td guest. This lib measures and logs data, and
extends the measurement result into a specific RTMR.
SecTpmMeasurementLibTdx is a refactored lib of
OvmfPkg/Library/SecMeasurementLibTdx and it just copies
GetMappedRtmrIndex/TdxMeasureAndLogData from that lib. At the end of
this patch-set SecMeasurementLibTdx will be deleted.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
.../SecTpmMeasurementLibTdx.c | 176 ++++++++++++++++++
.../SecTpmMeasurementLibTdx.inf | 34 ++++
SecurityPkg/SecurityPkg.dsc | 2 +
3 files changed, 212 insertions(+)
create mode 100644 SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.c
create mode 100644 SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
diff --git a/SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.c b/SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.c
new file mode 100644
index 000000000000..38887b172dc0
--- /dev/null
+++ b/SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.c
@@ -0,0 +1,176 @@
+/** @file
+ This library is used by other modules to measure data to TPM.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Guid/CcEventHob.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/HashLib.h>
+#include <Library/HobLib.h>
+#include <Library/PrintLib.h>
+#include <IndustryStandard/Tpm20.h>
+#include <Protocol/CcMeasurement.h>
+#include <Library/TpmMeasurementLib.h>
+
+#pragma pack(1)
+
+typedef struct {
+ UINT32 Count;
+ TPMI_ALG_HASH HashAlg;
+ BYTE Sha384[SHA384_DIGEST_SIZE];
+} TDX_DIGEST_VALUE;
+
+#pragma pack()
+
+#define INVALID_PCR2MR_INDEX 0xFF
+
+/**
+ Get the mapped RTMR index based on the input PCRIndex.
+ RTMR[0] => PCR[1,7]
+ RTMR[1] => PCR[2,3,4,5]
+ RTMR[2] => PCR[8~15]
+ RTMR[3] => NA
+ Note:
+ PCR[0] is mapped to MRTD and should not appear here.
+ PCR[6] is reserved for OEM. It is not used.
+
+ @param[in] PCRIndex The input PCR index
+
+ @retval UINT8 The mapped RTMR index.
+**/
+UINT8
+GetMappedRtmrIndex (
+ IN UINT32 PCRIndex
+ )
+{
+ UINT8 RtmrIndex;
+
+ if ((PCRIndex == 6) || (PCRIndex == 0) || (PCRIndex > 15)) {
+ DEBUG ((DEBUG_ERROR, "Invalid PCRIndex(%d) map to MR Index.\n", PCRIndex));
+ ASSERT (FALSE);
+ return INVALID_PCR2MR_INDEX;
+ }
+
+ RtmrIndex = 0;
+ if ((PCRIndex == 1) || (PCRIndex == 7)) {
+ RtmrIndex = 0;
+ } else if ((PCRIndex >= 2) && (PCRIndex < 6)) {
+ RtmrIndex = 1;
+ } else if ((PCRIndex >= 8) && (PCRIndex <= 15)) {
+ RtmrIndex = 2;
+ }
+
+ return RtmrIndex;
+}
+
+/**
+ Tpm measure and log data, and extend the measurement result into a specific PCR.
+
+ @param[in] PcrIndex PCR Index.
+ @param[in] EventType Event type.
+ @param[in] EventLog Measurement event log.
+ @param[in] LogLen Event log length in bytes.
+ @param[in] HashData The start of the data buffer to be hashed, extended.
+ @param[in] HashDataLen The length, in bytes, of the buffer referenced by HashData
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_UNSUPPORTED TPM device not available.
+ @retval EFI_OUT_OF_RESOURCES Out of memory.
+ @retval EFI_DEVICE_ERROR The operation was unsuccessful.
+**/
+EFI_STATUS
+EFIAPI
+TpmMeasureAndLogData (
+ IN UINT32 PcrIndex,
+ IN UINT32 EventType,
+ IN VOID *EventLog,
+ IN UINT32 LogLen,
+ IN VOID *HashData,
+ IN UINT64 HashDataLen
+ )
+{
+ EFI_STATUS Status;
+ UINT32 RtmrIndex;
+ VOID *EventHobData;
+ TCG_PCR_EVENT2 *TcgPcrEvent2;
+ UINT8 *DigestBuffer;
+ TDX_DIGEST_VALUE *TdxDigest;
+ TPML_DIGEST_VALUES DigestList;
+ UINT8 *Ptr;
+
+ if (!TdIsEnabled ()) {
+ return EFI_UNSUPPORTED;
+ }
+
+ RtmrIndex = GetMappedRtmrIndex (PcrIndex);
+ if (RtmrIndex == INVALID_PCR2MR_INDEX) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ DEBUG ((DEBUG_INFO, "Creating TdTcg2PcrEvent PCR[%d]/RTMR[%d] EventType 0x%x\n", PcrIndex, RtmrIndex, EventType));
+
+ Status = HashAndExtend (
+ RtmrIndex,
+ (VOID *)HashData,
+ HashDataLen,
+ &DigestList
+ );
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to HashAndExtend. %r\n", Status));
+ return Status;
+ }
+
+ //
+ // Use TDX_DIGEST_VALUE in the GUID HOB DataLength calculation
+ // to reserve enough buffer to hold TPML_DIGEST_VALUES compact binary
+ // which is limited to a SHA384 digest list
+ //
+ EventHobData = BuildGuidHob (
+ &gCcEventEntryHobGuid,
+ sizeof (TcgPcrEvent2->PCRIndex) + sizeof (TcgPcrEvent2->EventType) +
+ sizeof (TDX_DIGEST_VALUE) +
+ sizeof (TcgPcrEvent2->EventSize) + LogLen
+ );
+
+ if (EventHobData == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ Ptr = (UINT8 *)EventHobData;
+ //
+ // Initialize PcrEvent data now
+ //
+ RtmrIndex++;
+ CopyMem (Ptr, &RtmrIndex, sizeof (UINT32));
+ Ptr += sizeof (UINT32);
+ CopyMem (Ptr, &EventType, sizeof (TCG_EVENTTYPE));
+ Ptr += sizeof (TCG_EVENTTYPE);
+
+ DigestBuffer = Ptr;
+
+ TdxDigest = (TDX_DIGEST_VALUE *)DigestBuffer;
+ TdxDigest->Count = 1;
+ TdxDigest->HashAlg = TPM_ALG_SHA384;
+ CopyMem (
+ TdxDigest->Sha384,
+ DigestList.digests[0].digest.sha384,
+ SHA384_DIGEST_SIZE
+ );
+
+ Ptr += sizeof (TDX_DIGEST_VALUE);
+
+ CopyMem (Ptr, &LogLen, sizeof (UINT32));
+ Ptr += sizeof (UINT32);
+ CopyMem (Ptr, EventLog, LogLen);
+ Ptr += LogLen;
+
+ Status = EFI_SUCCESS;
+ return Status;
+}
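Review bot: In TpmMeasureAndLogData, HashAndExtend() runs before BuildGuidHob(), so on the `EventHobData == NULL` path the RTMR has already been extended but no event entry is recorded, and a verifier replaying the event log can no longer reproduce that register. Please check up front what can be checked (EventLog non-NULL when LogLen is non-zero, LogLen small enough for the HOB size sum) and report this path at DEBUG_ERROR so the divergence is visible. Smaller points in the same function: the EFI_INVALID_PARAMETER return for an unmapped PcrIndex is missing from the @retval list, the HashAndExtend failure is logged at DEBUG_INFO rather than DEBUG_ERROR, and `RtmrIndex++` before the CopyMem into the event deserves a comment saying why the logged index is one higher than the register that was extended. The file header still reads "measure data to TPM" with a 2020 copyright, while the .inf in this patch says 2022.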
diff --git a/SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf b/SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
new file mode 100644
index 000000000000..047d3aa80da6
--- /dev/null
+++ b/SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
@@ -0,0 +1,34 @@
+## @file
+# Provides RTMR based measurement functions for Intel Tdx guest.
+#
+# This library provides TpmMeasureAndLogData() in a TDX guest to measure and log data, and
+# extend the measurement result into a specific RTMR.
+#
+# Copyright (c) 2022, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = SecTpmMeasurementLibTdx
+ FILE_GUID = 1aeb641c-0324-47bd-b29d-e59671fc4106
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TpmMeasurementLib|SEC
+
+[Sources]
+ SecTpmMeasurementLibTdx.c
+
+[Packages]
+ CryptoPkg/CryptoPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[Guids]
+ gCcEventEntryHobGuid
+
+[LibraryClasses]
+ BaseLib
+ HashLib
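Review bot: [LibraryClasses] lists only BaseLib and HashLib, but SecTpmMeasurementLibTdx.c in this patch also calls CopyMem, DEBUG/ASSERT, BuildGuidHob and TdIsEnabled. Please add BaseMemoryLib, DebugLib, HobLib and the library class that provides TdIsEnabled, so the module does not depend on its consumers to resolve them. The .c file also includes Library/PrintLib.h, although nothing in it uses a PrintLib function, so that include can be dropped.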
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 0d8c997b2f40..d883747474e4 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -95,6 +95,7 @@
[LibraryClasses.X64.SEC]
HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf
+ TpmMeasurementLib|SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
[LibraryClasses.X64.DXE_DRIVER]
HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf
@@ -292,6 +293,7 @@
[Components.X64]
SecurityPkg/Library/HashLibTdx/HashLibTdx.inf
+ SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
[Components.IA32, Components.X64]
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
--
2.29.2.windows.2
* [PATCH 2/3] OvmfPkg: Implement MeasureHobList/MeasureFvImage
2022-06-05 1:02 [PATCH 0/3] Introduce SecTpmMeasurementLibTdx Min Xu
2022-06-05 1:02 ` [PATCH 1/3] Security: Add SecTpmMeasurementLibTdx Min Xu
@ 2022-06-05 1:02 ` Min Xu
2022-06-05 1:02 ` [PATCH 3/3] OvmfPkg: Delete SecMeasurementLibTdx Min Xu
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Min Xu @ 2022-06-05 1:02 UTC (permalink / raw)
To: devel
Cc: Min M Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky,
Gerd Hoffmann
From: Min M Xu <min.m.xu@intel.com>
MeasureHobList and MeasureFvImage once were implemented in
SecMeasurementTdxLib. The intention of this patch-set is to refactor
SecMeasurementTdxLib to be an instance of TpmMeasurementLib. So these
2 functions (MeasureHobList/MeasureFvImage) are moved to
PeilessStartupLib. This is because:
1. RTMR based trusted boot is implemented in Config-B (See below link)
2. PeilessStartupLib is designed for PEI-less boot and it is the right
place to do the measurement for Hoblist and Config-FV.
Config-B: https://edk2.groups.io/g/devel/message/76367
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +-
OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 186 ++++++++++++++++++
.../PeilessStartupLib/PeilessStartup.c | 1 -
.../PeilessStartupInternal.h | 36 ++++
.../PeilessStartupLib/PeilessStartupLib.inf | 2 +-
5 files changed, 224 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 43ab8bd089d9..a40f7228b98e 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -527,7 +527,7 @@
OvmfPkg/IntelTdx/Sec/SecMain.inf {
<LibraryClasses>
NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
- SecMeasurementLib|OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf
+ TpmMeasurementLib|SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf
NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
diff --git a/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c b/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
index d240d3b7719f..484fd21057c8 100644
--- a/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
+++ b/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
@@ -9,8 +9,34 @@
#include <Library/DebugLib.h>
#include <Guid/VariableFormat.h>
#include <Guid/SystemNvDataGuid.h>
+#include <IndustryStandard/Tpm20.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Library/HobLib.h>
+#include <Library/PrintLib.h>
+#include <Library/TpmMeasurementLib.h>
+
#include "PeilessStartupInternal.h"
+#pragma pack(1)
+
+#define HANDOFF_TABLE_DESC "TdxTable"
+typedef struct {
+ UINT8 TableDescriptionSize;
+ UINT8 TableDescription[sizeof (HANDOFF_TABLE_DESC)];
+ UINT64 NumberOfTables;
+ EFI_CONFIGURATION_TABLE TableEntry[1];
+} TDX_HANDOFF_TABLE_POINTERS2;
+
+#define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)"
+typedef struct {
+ UINT8 BlobDescriptionSize;
+ UINT8 BlobDescription[sizeof (FV_HANDOFF_TABLE_DESC)];
+ EFI_PHYSICAL_ADDRESS BlobBase;
+ UINT64 BlobLength;
+} FV_HANDOFF_TABLE_POINTERS2;
+
+#pragma pack()
+
/**
Check padding data all bit should be 1.
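Review bot: TableDescription and BlobDescription are sized with `sizeof (HANDOFF_TABLE_DESC)` and `sizeof (FV_HANDOFF_TABLE_DESC)`, which include the terminating NUL, so the logged description and its size field will carry that extra byte. Please add a comment stating that this is intended, since event-log parsers depend on the exact layout. As a style point, the two #defines sit inside the `#pragma pack(1)` region where they have no effect and would read better above it, and FV_HANDOFF_TABLE_POINTERS2 holds Blob* fields, so a name that says "blob" would match the EV_EFI_PLATFORM_FIRMWARE_BLOB2 event it is used for.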
@@ -161,3 +187,163 @@ TdxValidateCfv (
return TRUE;
}
+
+/**
+ Measure the Hoblist passed from the VMM.
+
+ @param[in] VmmHobList The Hoblist pass the firmware
+
+ @retval EFI_SUCCESS Fv image is measured successfully
+ or it has been already measured.
+ @retval Others Other errors as indicated
+**/
+EFI_STATUS
+EFIAPI
+MeasureHobList (
+ IN CONST VOID *VmmHobList
+ )
+{
+ EFI_PEI_HOB_POINTERS Hob;
+ TDX_HANDOFF_TABLE_POINTERS2 HandoffTables;
+ EFI_STATUS Status;
+
+ if (!TdIsEnabled ()) {
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+ }
+
+ Hob.Raw = (UINT8 *)VmmHobList;
+
+ //
+ // Parse the HOB list until end of list.
+ //
+ while (!END_OF_HOB_LIST (Hob)) {
+ Hob.Raw = GET_NEXT_HOB (Hob);
+ }
+
+ //
+ // Init the log event for HOB measurement
+ //
+
+ HandoffTables.TableDescriptionSize = sizeof (HandoffTables.TableDescription);
+ CopyMem (HandoffTables.TableDescription, HANDOFF_TABLE_DESC, sizeof (HandoffTables.TableDescription));
+ HandoffTables.NumberOfTables = 1;
+ CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgTokenSpaceGuid);
+ HandoffTables.TableEntry[0].VendorTable = (VOID *)VmmHobList;
+
+ Status = TpmMeasureAndLogData (
+ 1, // PCRIndex
+ EV_EFI_HANDOFF_TABLES2, // EventType
+ (VOID *)&HandoffTables, // EventData
+ sizeof (HandoffTables), // EventSize
+ (UINT8 *)(UINTN)VmmHobList, // HashData
+ (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)VmmHobList) // HashDataLen
+ );
+
+ if (EFI_ERROR (Status)) {
+ ASSERT (FALSE);
+ }
+
+ return Status;
+}
+
+/**
+ Get the FvName from the FV header.
+
+ Causion: The FV is untrusted input.
+
+ @param[in] FvBase Base address of FV image.
+ @param[in] FvLength Length of FV image.
+
+ @return FvName pointer
+ @retval NULL FvName is NOT found
+**/
+VOID *
+GetFvName (
+ IN EFI_PHYSICAL_ADDRESS FvBase,
+ IN UINT64 FvLength
+ )
+{
+ EFI_FIRMWARE_VOLUME_HEADER *FvHeader;
+ EFI_FIRMWARE_VOLUME_EXT_HEADER *FvExtHeader;
+
+ if (FvBase >= MAX_ADDRESS) {
+ return NULL;
+ }
+
+ if (FvLength >= MAX_ADDRESS - FvBase) {
+ return NULL;
+ }
+
+ if (FvLength < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) {
+ return NULL;
+ }
+
+ FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvBase;
+ if (FvHeader->ExtHeaderOffset < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) {
+ return NULL;
+ }
+
+ if (FvHeader->ExtHeaderOffset + sizeof (EFI_FIRMWARE_VOLUME_EXT_HEADER) > FvLength) {
+ return NULL;
+ }
+
+ FvExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *)(UINTN)(FvBase + FvHeader->ExtHeaderOffset);
+
+ return &FvExtHeader->FvName;
+}
+
+/**
+ Measure FV image.
+
+ @param[in] FvBase Base address of FV image.
+ @param[in] FvLength Length of FV image.
+ @param[in] PcrIndex Index of PCR
+
+ @retval EFI_SUCCESS Fv image is measured successfully
+ or it has been already measured.
+ @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+
+**/
+EFI_STATUS
+EFIAPI
+MeasureFvImage (
+ IN EFI_PHYSICAL_ADDRESS FvBase,
+ IN UINT64 FvLength,
+ IN UINT8 PcrIndex
+ )
+{
+ EFI_STATUS Status;
+ FV_HANDOFF_TABLE_POINTERS2 FvBlob2;
+ VOID *FvName;
+
+ //
+ // Init the log event for FV measurement
+ //
+ FvBlob2.BlobDescriptionSize = sizeof (FvBlob2.BlobDescription);
+ CopyMem (FvBlob2.BlobDescription, FV_HANDOFF_TABLE_DESC, sizeof (FvBlob2.BlobDescription));
+ FvName = GetFvName (FvBase, FvLength);
+ if (FvName != NULL) {
+ AsciiSPrint ((CHAR8 *)FvBlob2.BlobDescription, sizeof (FvBlob2.BlobDescription), "Fv(%g)", FvName);
+ }
+
+ FvBlob2.BlobBase = FvBase;
+ FvBlob2.BlobLength = FvLength;
+
+ Status = TpmMeasureAndLogData (
+ 1, // PCRIndex
+ EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType
+ (VOID *)&FvBlob2, // EventData
+ sizeof (FvBlob2), // EventSize
+ (UINT8 *)(UINTN)FvBase, // HashData
+ (UINTN)(FvLength) // HashDataLen
+ );
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "The FV which failed to be measured starts at: 0x%x\n", FvBase));
+ ASSERT (FALSE);
+ }
+
+ return Status;
+}
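Review bot: MeasureHobList walks the VMM-supplied list with END_OF_HOB_LIST/GET_NEXT_HOB and no upper bound or length sanity check, and the hashed length is then `Hob.Raw - VmmHobList`, so both the loop and the measured range are controlled by untrusted input. Please either bound the walk here or state in the function comment that the caller must have validated the HOB list before measuring it. In MeasureFvImage the PcrIndex parameter is never used and a literal 1 is passed to TpmMeasureAndLogData; pass it through or drop the parameter. The error DEBUG prints the 64-bit FvBase with `0x%x`, which should be `0x%lx`. "Causion" in the GetFvName comment should read "Caution".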
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index 54236b956c52..fdfefd00d732 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -20,7 +20,6 @@
#include <ConfidentialComputingGuestAttr.h>
#include <Guid/MemoryTypeInformation.h>
#include <OvmfPlatforms.h>
-#include <Library/SecMeasurementLib.h>
#include "PeilessStartupInternal.h"
#define GET_GPAW_INIT_STATE(INFO) ((UINT8) ((INFO) & 0x3f))
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
index dd79b8a06b44..74b5f46552c2 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
@@ -69,4 +69,40 @@ TdxValidateCfv (
IN UINT32 TdxCfvSize
);
+/**
+ Measure the Hoblist passed from the VMM.
+
+ @param[in] VmmHobList The Hoblist pass the firmware
+
+ @retval EFI_SUCCESS Fv image is measured successfully
+ or it has been already measured.
+ @retval Others Other errors as indicated
+**/
+EFI_STATUS
+EFIAPI
+MeasureHobList (
+ IN CONST VOID *VmmHobList
+ );
+
+/**
+ Measure FV image.
+
+ @param[in] FvBase Base address of FV image.
+ @param[in] FvLength Length of FV image.
+ @param[in] PcrIndex Index of PCR
+
+ @retval EFI_SUCCESS Fv image is measured successfully
+ or it has been already measured.
+ @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+
+**/
+EFI_STATUS
+EFIAPI
+MeasureFvImage (
+ IN EFI_PHYSICAL_ADDRESS FvBase,
+ IN UINT64 FvLength,
+ IN UINT8 PcrIndex
+ );
+
#endif
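Review bot: The MeasureHobList comment documents EFI_SUCCESS as "Fv image is measured successfully", which looks copied from MeasureFvImage; it should describe the Hoblist. The MeasureFvImage comment documents PcrIndex as "Index of PCR", but the implementation in this patch ignores it, so the prototype and the comment should follow whatever is decided there.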
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
index c5d291f02bcd..def50b4b019e 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@@ -58,7 +58,7 @@
QemuFwCfgLib
PlatformInitLib
HashLib
- SecMeasurementLib
+ TpmMeasurementLib
[Guids]
gEfiHobMemoryAllocModuleGuid
--
2.29.2.windows.2
* [PATCH 3/3] OvmfPkg: Delete SecMeasurementLibTdx
2022-06-05 1:02 [PATCH 0/3] Introduce SecTpmMeasurementLibTdx Min Xu
2022-06-05 1:02 ` [PATCH 1/3] Security: Add SecTpmMeasurementLibTdx Min Xu
2022-06-05 1:02 ` [PATCH 2/3] OvmfPkg: Implement MeasureHobList/MeasureFvImage Min Xu
@ 2022-06-05 1:02 ` Min Xu
2022-06-05 2:09 ` [PATCH 0/3] Introduce SecTpmMeasurementLibTdx Yao, Jiewen
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Min Xu @ 2022-06-05 1:02 UTC (permalink / raw)
To: devel; +Cc: Min M Xu, Gerd Hoffmann, Jiewen Yao
From: Min M Xu <min.m.xu@intel.com>
The feature of SecMeasurementLibTdx is replaced by SecTpmMeasurementLibTdx
(which is in SecurityPkg). So SecMeasurementLibTdx is deleted.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
---
OvmfPkg/Include/Library/SecMeasurementLib.h | 46 ---
.../SecMeasurementLib/SecMeasurementLibTdx.c | 340 ------------------
.../SecMeasurementLibTdx.inf | 30 --
OvmfPkg/OvmfPkg.dec | 4 -
4 files changed, 420 deletions(-)
delete mode 100644 OvmfPkg/Include/Library/SecMeasurementLib.h
delete mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c
delete mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf
diff --git a/OvmfPkg/Include/Library/SecMeasurementLib.h b/OvmfPkg/Include/Library/SecMeasurementLib.h
deleted file mode 100644
index ca7a7dc3a9b2..000000000000
--- a/OvmfPkg/Include/Library/SecMeasurementLib.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/** @file
-
- Copyright (c) 2021, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef SEC_MEASUREMENT_LIB_H_
-#define SEC_MEASUREMENT_LIB_H_
-
-/**
- Measure the Hoblist passed from the VMM.
-
- @param[in] VmmHobList The Hoblist pass the firmware
-
- @retval EFI_SUCCESS Fv image is measured successfully
- or it has been already measured.
- @retval Others Other errors as indicated
-**/
-EFI_STATUS
-EFIAPI
-MeasureHobList (
- IN CONST VOID *VmmHobList
- );
-
-/**
- Measure FV image.
-
- @param[in] FvBase Base address of FV image.
- @param[in] FvLength Length of FV image.
- @param[in] PcrIndex Index of PCR
-
- @retval EFI_SUCCESS Fv image is measured successfully
- or it has been already measured.
- @retval Others Other errors as indicated
-**/
-EFI_STATUS
-EFIAPI
-MeasureFvImage (
- IN EFI_PHYSICAL_ADDRESS FvBase,
- IN UINT64 FvLength,
- IN UINT8 PcrIndex
- );
-
-#endif
diff --git a/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c b/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c
deleted file mode 100644
index 274fda1e563e..000000000000
--- a/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c
+++ /dev/null
@@ -1,340 +0,0 @@
-/** @file
-*
-* Copyright (c) 2021, Intel Corporation. All rights reserved.<BR>
-* SPDX-License-Identifier: BSD-2-Clause-Patent
-*
-**/
-
-#include <PiPei.h>
-#include <Guid/CcEventHob.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/DebugLib.h>
-#include <Library/HashLib.h>
-#include <Library/HobLib.h>
-#include <Library/PrintLib.h>
-#include <IndustryStandard/Tpm20.h>
-#include <Protocol/CcMeasurement.h>
-#include <Library/SecMeasurementLib.h>
-
-#pragma pack(1)
-
-typedef struct {
- UINT32 count;
- TPMI_ALG_HASH hashAlg;
- BYTE sha384[SHA384_DIGEST_SIZE];
-} TDX_DIGEST_VALUE;
-
-#define HANDOFF_TABLE_DESC "TdxTable"
-typedef struct {
- UINT8 TableDescriptionSize;
- UINT8 TableDescription[sizeof (HANDOFF_TABLE_DESC)];
- UINT64 NumberOfTables;
- EFI_CONFIGURATION_TABLE TableEntry[1];
-} TDX_HANDOFF_TABLE_POINTERS2;
-
-#define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)"
-typedef struct {
- UINT8 BlobDescriptionSize;
- UINT8 BlobDescription[sizeof (FV_HANDOFF_TABLE_DESC)];
- EFI_PHYSICAL_ADDRESS BlobBase;
- UINT64 BlobLength;
-} FV_HANDOFF_TABLE_POINTERS2;
-
-#pragma pack()
-
-#define INVALID_PCR2MR_INDEX 0xFF
-
-/**
- RTMR[0] => PCR[1,7]
- RTMR[1] => PCR[2,3,4,5]
- RTMR[2] => PCR[8~15]
- RTMR[3] => NA
- Note:
- PCR[0] is mapped to MRTD and should not appear here.
- PCR[6] is reserved for OEM. It is not used.
-**/
-UINT8
-GetMappedRtmrIndex (
- UINT32 PCRIndex
- )
-{
- UINT8 RtmrIndex;
-
- if ((PCRIndex == 6) || (PCRIndex == 0) || (PCRIndex > 15)) {
- DEBUG ((DEBUG_ERROR, "Invalid PCRIndex(%d) map to MR Index.\n", PCRIndex));
- ASSERT (FALSE);
- return INVALID_PCR2MR_INDEX;
- }
-
- RtmrIndex = 0;
- if ((PCRIndex == 1) || (PCRIndex == 7)) {
- RtmrIndex = 0;
- } else if ((PCRIndex >= 2) && (PCRIndex < 6)) {
- RtmrIndex = 1;
- } else if ((PCRIndex >= 8) && (PCRIndex <= 15)) {
- RtmrIndex = 2;
- }
-
- return RtmrIndex;
-}
-
-/**
- Tpm measure and log data, and extend the measurement result into a specific PCR.
-
- @param[in] PcrIndex PCR Index.
- @param[in] EventType Event type.
- @param[in] EventLog Measurement event log.
- @param[in] LogLen Event log length in bytes.
- @param[in] HashData The start of the data buffer to be hashed, extended.
- @param[in] HashDataLen The length, in bytes, of the buffer referenced by HashData
- @retval EFI_SUCCESS Operation completed successfully.
- @retval EFI_UNSUPPORTED TPM device not available.
- @retval EFI_OUT_OF_RESOURCES Out of memory.
- @retval EFI_DEVICE_ERROR The operation was unsuccessful.
-**/
-EFI_STATUS
-EFIAPI
-TdxMeasureAndLogData (
- IN UINT32 PcrIndex,
- IN UINT32 EventType,
- IN VOID *EventLog,
- IN UINT32 LogLen,
- IN VOID *HashData,
- IN UINT64 HashDataLen
- )
-{
- EFI_STATUS Status;
- UINT32 RtmrIndex;
- VOID *EventHobData;
- TCG_PCR_EVENT2 *TcgPcrEvent2;
- UINT8 *DigestBuffer;
- TDX_DIGEST_VALUE *TdxDigest;
- TPML_DIGEST_VALUES DigestList;
- UINT8 *Ptr;
-
- RtmrIndex = GetMappedRtmrIndex (PcrIndex);
- if (RtmrIndex == INVALID_PCR2MR_INDEX) {
- return EFI_INVALID_PARAMETER;
- }
-
- DEBUG ((DEBUG_INFO, "Creating TdTcg2PcrEvent PCR[%d]/RTMR[%d] EventType 0x%x\n", PcrIndex, RtmrIndex, EventType));
-
- Status = HashAndExtend (
- RtmrIndex,
- (VOID *)HashData,
- HashDataLen,
- &DigestList
- );
-
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_INFO, "Failed to HashAndExtend. %r\n", Status));
- return Status;
- }
-
- //
- // Use TDX_DIGEST_VALUE in the GUID HOB DataLength calculation
- // to reserve enough buffer to hold TPML_DIGEST_VALUES compact binary
- // which is limited to a SHA384 digest list
- //
- EventHobData = BuildGuidHob (
- &gCcEventEntryHobGuid,
- sizeof (TcgPcrEvent2->PCRIndex) + sizeof (TcgPcrEvent2->EventType) +
- sizeof (TDX_DIGEST_VALUE) +
- sizeof (TcgPcrEvent2->EventSize) + LogLen
- );
-
- if (EventHobData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- Ptr = (UINT8 *)EventHobData;
- //
- // Initialize PcrEvent data now
- //
- RtmrIndex++;
- CopyMem (Ptr, &RtmrIndex, sizeof (UINT32));
- Ptr += sizeof (UINT32);
- CopyMem (Ptr, &EventType, sizeof (TCG_EVENTTYPE));
- Ptr += sizeof (TCG_EVENTTYPE);
-
- DigestBuffer = Ptr;
-
- TdxDigest = (TDX_DIGEST_VALUE *)DigestBuffer;
- TdxDigest->count = 1;
- TdxDigest->hashAlg = TPM_ALG_SHA384;
- CopyMem (
- TdxDigest->sha384,
- DigestList.digests[0].digest.sha384,
- SHA384_DIGEST_SIZE
- );
-
- Ptr += sizeof (TDX_DIGEST_VALUE);
-
- CopyMem (Ptr, &LogLen, sizeof (UINT32));
- Ptr += sizeof (UINT32);
- CopyMem (Ptr, EventLog, LogLen);
- Ptr += LogLen;
-
- Status = EFI_SUCCESS;
- return Status;
-}
-
-/**
- Measure the Hoblist passed from the VMM.
-
- @param[in] VmmHobList The Hoblist pass the firmware
-
- @retval EFI_SUCCESS Fv image is measured successfully
- or it has been already measured.
- @retval Others Other errors as indicated
-**/
-EFI_STATUS
-EFIAPI
-MeasureHobList (
- IN CONST VOID *VmmHobList
- )
-{
- EFI_PEI_HOB_POINTERS Hob;
- TDX_HANDOFF_TABLE_POINTERS2 HandoffTables;
- EFI_STATUS Status;
-
- if (!TdIsEnabled ()) {
- ASSERT (FALSE);
- return EFI_UNSUPPORTED;
- }
-
- Hob.Raw = (UINT8 *)VmmHobList;
-
- //
- // Parse the HOB list until end of list.
- //
- while (!END_OF_HOB_LIST (Hob)) {
- Hob.Raw = GET_NEXT_HOB (Hob);
- }
-
- //
- // Init the log event for HOB measurement
- //
-
- HandoffTables.TableDescriptionSize = sizeof (HandoffTables.TableDescription);
- CopyMem (HandoffTables.TableDescription, HANDOFF_TABLE_DESC, sizeof (HandoffTables.TableDescription));
- HandoffTables.NumberOfTables = 1;
- CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgTokenSpaceGuid);
- HandoffTables.TableEntry[0].VendorTable = (VOID *)VmmHobList;
-
- Status = TdxMeasureAndLogData (
- 1, // PCRIndex
- EV_EFI_HANDOFF_TABLES2, // EventType
- (VOID *)&HandoffTables, // EventData
- sizeof (HandoffTables), // EventSize
- (UINT8 *)(UINTN)VmmHobList, // HashData
- (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)VmmHobList) // HashDataLen
- );
-
- if (EFI_ERROR (Status)) {
- ASSERT (FALSE);
- }
-
- return Status;
-}
-
-/**
- Get the FvName from the FV header.
-
- Causion: The FV is untrusted input.
-
- @param[in] FvBase Base address of FV image.
- @param[in] FvLength Length of FV image.
-
- @return FvName pointer
- @retval NULL FvName is NOT found
-**/
-VOID *
-GetFvName (
- IN EFI_PHYSICAL_ADDRESS FvBase,
- IN UINT64 FvLength
- )
-{
- EFI_FIRMWARE_VOLUME_HEADER *FvHeader;
- EFI_FIRMWARE_VOLUME_EXT_HEADER *FvExtHeader;
-
- if (FvBase >= MAX_ADDRESS) {
- return NULL;
- }
-
- if (FvLength >= MAX_ADDRESS - FvBase) {
- return NULL;
- }
-
- if (FvLength < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) {
- return NULL;
- }
-
- FvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvBase;
- if (FvHeader->ExtHeaderOffset < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) {
- return NULL;
- }
-
- if (FvHeader->ExtHeaderOffset + sizeof (EFI_FIRMWARE_VOLUME_EXT_HEADER) > FvLength) {
- return NULL;
- }
-
- FvExtHeader = (EFI_FIRMWARE_VOLUME_EXT_HEADER *)(UINTN)(FvBase + FvHeader->ExtHeaderOffset);
-
- return &FvExtHeader->FvName;
-}
-
-/**
- Measure FV image.
-
- @param[in] FvBase Base address of FV image.
- @param[in] FvLength Length of FV image.
- @param[in] PcrIndex Index of PCR
-
- @retval EFI_SUCCESS Fv image is measured successfully
- or it has been already measured.
- @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event.
- @retval EFI_DEVICE_ERROR The command was unsuccessful.
-
-**/
-EFI_STATUS
-EFIAPI
-MeasureFvImage (
- IN EFI_PHYSICAL_ADDRESS FvBase,
- IN UINT64 FvLength,
- IN UINT8 PcrIndex
- )
-{
- EFI_STATUS Status;
- FV_HANDOFF_TABLE_POINTERS2 FvBlob2;
- VOID *FvName;
-
- //
- // Init the log event for FV measurement
- //
- FvBlob2.BlobDescriptionSize = sizeof (FvBlob2.BlobDescription);
- CopyMem (FvBlob2.BlobDescription, FV_HANDOFF_TABLE_DESC, sizeof (FvBlob2.BlobDescription));
- FvName = GetFvName (FvBase, FvLength);
- if (FvName != NULL) {
- AsciiSPrint ((CHAR8 *)FvBlob2.BlobDescription, sizeof (FvBlob2.BlobDescription), "Fv(%g)", FvName);
- }
-
- FvBlob2.BlobBase = FvBase;
- FvBlob2.BlobLength = FvLength;
-
- Status = TdxMeasureAndLogData (
- 1, // PCRIndex
- EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType
- (VOID *)&FvBlob2, // EventData
- sizeof (FvBlob2), // EventSize
- (UINT8 *)(UINTN)FvBase, // HashData
- (UINTN)(FvLength) // HashDataLen
- );
-
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "The FV which failed to be measured starts at: 0x%x\n", FvBase));
- ASSERT (FALSE);
- }
-
- return Status;
-}
diff --git a/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf b/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf
deleted file mode 100644
index 6215df5af8fc..000000000000
--- a/OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf
+++ /dev/null
@@ -1,30 +0,0 @@
-#/** @file
-#
-# Copyright (c) 2021, Intel Corporation. All rights reserved.<BR>
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-#**/
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = SecMeasurementLibTdx
- FILE_GUID = 3e3fc69d-e834-40e9-96ed-e1e721f41883
- MODULE_TYPE = BASE
- VERSION_STRING = 1.0
- LIBRARY_CLASS = SecMeasurementLib
-
-[Sources]
- SecMeasurementLibTdx.c
-
-[Packages]
- MdePkg/MdePkg.dec
- OvmfPkg/OvmfPkg.dec
- CryptoPkg/CryptoPkg.dec
- SecurityPkg/SecurityPkg.dec
-
-[Guids]
- gCcEventEntryHobGuid
- gUefiOvmfPkgTokenSpaceGuid
-
-[LibraryClasses]
- HashLib
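Review bot: The [Guids] and [LibraryClasses] sections at the end of this INF declared the dependency on gCcEventEntryHobGuid and HashLib for the measurement code. The diffstat lists PeilessStartupLib.inf as a two-line change only, so please confirm that the INF of whichever module now does the hashing and builds the event HOB declares both itself rather than relying on another module to pull them in.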
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 5fe487f82d1a..7b114a5e63b2 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -125,10 +125,6 @@
#
PeilessStartupLib|Include/Library/PeilessStartupLib.h
- ## @libraryclass SecMeasurementLib
- #
- SecMeasurementLib|Include/Library/SecMeasurementLib.h
-
[Guids]
gUefiOvmfPkgTokenSpaceGuid = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}}
gEfiXenInfoGuid = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}}
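Review bot: Dropping the SecMeasurementLib class from OvmfPkg.dec breaks any platform DSC that still carries a `SecMeasurementLib|...` mapping, and the diffstat shows only OvmfPkg/IntelTdx/IntelTdxX64.dsc being updated. Please say in the commit message that the library class is removed outright, and confirm with a tree-wide grep that no other DSC or INF names SecMeasurementLib or includes Library/SecMeasurementLib.h.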
--
2.29.2.windows.2
* Re: [PATCH 0/3] Introduce SecTpmMeasurementLibTdx
2022-06-05 1:02 [PATCH 0/3] Introduce SecTpmMeasurementLibTdx Min Xu
` (2 preceding siblings ...)
2022-06-05 1:02 ` [PATCH 3/3] OvmfPkg: Delete SecMeasurementLibTdx Min Xu
@ 2022-06-05 2:09 ` Yao, Jiewen
2022-06-07 10:34 ` Gerd Hoffmann
[not found] ` <16F5977C8286B4B6.24312@groups.io>
5 siblings, 0 replies; 8+ messages in thread
From: Yao, Jiewen @ 2022-06-05 2:09 UTC (permalink / raw)
To: Xu, Min M, devel@edk2.groups.io
Cc: Wang, Jian J, Aktas, Erdem, James Bottomley, Tom Lendacky,
Gerd Hoffmann
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* Re: [PATCH 0/3] Introduce SecTpmMeasurementLibTdx
2022-06-05 1:02 [PATCH 0/3] Introduce SecTpmMeasurementLibTdx Min Xu
` (3 preceding siblings ...)
2022-06-05 2:09 ` [PATCH 0/3] Introduce SecTpmMeasurementLibTdx Yao, Jiewen
@ 2022-06-07 10:34 ` Gerd Hoffmann
2022-06-07 11:37 ` Yao, Jiewen
[not found] ` <16F5977C8286B4B6.24312@groups.io>
5 siblings, 1 reply; 8+ messages in thread
From: Gerd Hoffmann @ 2022-06-07 10:34 UTC (permalink / raw)
To: Min Xu
Cc: devel, Jiewen Yao, Jian J Wang, Erdem Aktas, James Bottomley,
Tom Lendacky
On Sun, Jun 05, 2022 at 09:02:45AM +0800, Min Xu wrote:
> SecTpmMeasurementLibTdx is an instance of TpmMeasurement lib in SEC phase.
> It provides RTMR based measurement functions for Intel Tdx guest.
>
> Commit a708536dce introduces SecMeasurementLibTdx which provides the same
> functions. But it is not an instance of TpmMeasurementLib.
> We have updated DxeTpmMeasurementLib (which is an instance of
> TpmMeasurementLib) to support RTMR based measurement. To make the design
> consistent, SecTpmMeasurementLibTdx is introduced. After that
> SecMeasurementLibTdx is removed.
So, what is the difference? Just make the calling convention compatible
with TpmMeasurementLib?
take care,
Gerd
* Re: [edk2-devel] [PATCH 0/3] Introduce SecTpmMeasurementLibTdx
[not found] ` <16F5977C8286B4B6.24312@groups.io>
@ 2022-06-07 11:33 ` Yao, Jiewen
0 siblings, 0 replies; 8+ messages in thread
From: Yao, Jiewen @ 2022-06-07 11:33 UTC (permalink / raw)
To: devel@edk2.groups.io, Yao, Jiewen, Xu, Min M
Cc: Wang, Jian J, Aktas, Erdem, James Bottomley, Tom Lendacky,
Gerd Hoffmann
Merged https://github.com/tianocore/edk2/pull/2951
* Re: [PATCH 0/3] Introduce SecTpmMeasurementLibTdx
2022-06-07 10:34 ` Gerd Hoffmann
@ 2022-06-07 11:37 ` Yao, Jiewen
0 siblings, 0 replies; 8+ messages in thread
From: Yao, Jiewen @ 2022-06-07 11:37 UTC (permalink / raw)
To: Gerd Hoffmann, Xu, Min M
Cc: devel@edk2.groups.io, Wang, Jian J, Aktas, Erdem, James Bottomley,
Tom Lendacky
The previous patch created a new instance SecTpmMeasurementLibTdx, which is not the best idea.
If we can use the existing instance, there is no need to create a new one. Just create a new instance.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Tuesday, June 7, 2022 6:35 PM
> To: Xu, Min M <min.m.xu@intel.com>
> Cc: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Aktas, Erdem <erdemaktas@google.com>; James
> Bottomley <jejb@linux.ibm.com>; Tom Lendacky <thomas.lendacky@amd.com>
> Subject: Re: [PATCH 0/3] Introduce SecTpmMeasurementLibTdx
>
> On Sun, Jun 05, 2022 at 09:02:45AM +0800, Min Xu wrote:
> > SecTpmMeasurementLibTdx is an instance of TpmMeasurement lib in SEC
> phase.
> > It provides RTMR based measurement functions for Intel Tdx guest.
> >
> > Commit a708536dce introduces SecMeasurementLibTdx which provides the
> same
> > functions. But it is not an instance of TpmMeasurementLib.
> > We have updated DxeTpmMeasurementLib (which is an instance of
> > TpmMeasurementLib) to support RTMR based measurement. To make the
> design
> > consistent, SecTpmMeasurementLibTdx is introduced. After that
> > SecMeasurementLibTdx is removed.
>
> So, what is the difference? Just make the calling convention compatible
> with TpmMeasurementLib?
>
> take care,
> Gerd