Enable Tdx measurement in OvmfPkgX64 #3993
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 From the perspective of security any external input should be measured and extended to some registers (TPM PCRs or TDX RTMR registers). There are below 2 external input in a Td guest: - TdHob - Configuration FV (CFV) TdHob contains the resource information passed from VMM, such as unaccepted memory region. CFV contains the configurations, such as secure boot variables. TdHob and CFV should be measured and extended to RTMRs before they're consumed. TdHob is consumed in the very early stage of boot process. At that moment the memory service is not ready. Cfv is consumed in PlatformPei to initialize the EmuVariableNvStore. To make the implementation simple and clean, these 2 external input are measured and extended to RTMRs in SEC phase. That is to say the tdx measurement is only supported in SEC phase. After the measurement the hash values are stored in WorkArea. Then after the Hob service is available, these 2 measurement values are retrieved and GuidHobs for these 2 tdx measurements are generated. This patch defines the structure of TDX_MEASUREMENTS_DATA in SEC_TDX_WORK_AREA to store above 2 tdx measurements. It can be extended to store more tdx measurements if needed in the future. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdxHelperLib provides below helper functions for a td-guest. - TdxHelperProcessTdHob - TdxHelperMeasureTdHob - TdxHelperMeasureCfvImage - TdxHelperBuildGuidHobForTdxMeasurement TdxHelperLibNull is the NULL instance of TdxHelperLib. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdxHelperLib provides below helper functions for a td-guest. - TdxHelperProcessTdHob - TdxHelperMeasureTdHob - TdxHelperMeasureCfvImage - TdxHelperBuildGuidHobForTdxMeasurement SecTdxHelperLib is the SEC instance of TdxHelperLib. It implements 4 functions for tdx in SEC phase: - TdxHelperProcessTdHob consumes TdHob to accept un-accepted memories. Before the TdHob is consumed, it is first validated. - TdxHelperMeasureTdHob measure/extend TdHob and store the measurement value in workarea. - TdxHelperMeasureCfvImage measure/extend the Configuration FV image and store the measurement value in workarea. - TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for tdx measurement. This patch implements the stubs of the functions. The actual implementations are in the following patches. Because they are moved from other files. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
…TERS2 BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 FV_HANDOFF_TABLE_POINTERS2 once was defined in IntelTdx.c. Its structure is same as PLATFORM_FIRMWARE_BLOB2_STRUCT which is defined in Library/TcgEventLogRecordLib.h. So this patch reuse the define of PLATFORM_FIRMWARE_BLOB2_STRUCT as FV_HANDOFF_TABLE_POINTERS2. Furthermore FV_HANDOFF_TABLE_POINTERS2 is renamed as CFV_HANDOFF_TABLE_POINTERS2 so that the name is more meaningful. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 MeasureHobList once was implemented in PeilessStartupLib and it does measurement and logging for TdHob in one go, using TpmMeasureAndLogData(). But it doesn't work in SEC. This patch splits MeasureHobList into 2 functions and implement them in SecTdxHelperLib. - TdxHelperMeasureTdHob - TdxHelperBuildGuidHobForTdxMeasurement TdxHelperMeasureTdHob measures the TdHob and stores the hash value in WorkArea. TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for the measurement based on the hash value in WorkArea. After these 2 functions are introduced, PeilessStartupLib should also be updated: - Call these 2 functions instead of the MeasureHobList - Delete the duplicated codes in PeilessStartupLib Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 MeasureFvImage once was implemented in PeilessStartupLib and it does measurement and logging for Configuration FV (Cfv) image in one go, using TpmMeasureAndLogData(). But it doesn't work in SEC. This patch splits MeasureFvImage into 2 functions and implement them in SecTdxHelperLib. - TdxHelperMeasureCfvImage - TdxHelperBuildGuidHobForTdxMeasurement TdxHelperMeasureCfvImage measures the Cfv image and stores the hash value in WorkArea. TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for the measurement based on the hash value in WorkArea. After these 2 functions are introduced, PeilessStartupLib should also be updated: - Call these 2 functions instead of the MeasureFvImage - Delete the duplicated codes in PeilessStartupLib Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 ProcessHobList once was implemented in PlatformInitLib and it walks thru TdHob list and accept un-accepted memories. This patch moves the codes to SecTdxHelperLib and rename ProcessHobList as TdxHelperProcessTdHob After TdxHelperProcessTdHob is introduced, below changes are applied: - Call TdxHelperProcessTdHob instead of ProcessHobList in SecMain.c (in both OvmfPkgX64/Sec and IntelTdx/Sec). - Delete the duplicated codes in PlatformInitLib Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdHob and Configuration FV (Cfv) are external inputs from VMM. From the security perspective, they should be measured before they're consumed. This patch measures TdHob and Cfv and stores the measurement values in WorkArea. After TdHob and Configuration FV (Cfv) are measured in SecMain, the same measurements in PeilessStartupLib are deleted. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]> Acked-by: Gerd Hoffmann <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdxHelperLib provides below helper functions for a td-guest. - TdxHelperProcessTdHob - TdxHelperMeasureTdHob - TdxHelperMeasureCfvImage - TdxHelperBuildGuidHobForTdxMeasurement PeiTdxHelperLib is the PEI instance of TdxHelperLib. It implements 1 function for tdx in PEI phase. Other functions are not supported in PEI phase. - TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for tdx measurement in PEI phase. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdHob and Configuration FV (Cfv) are external inputs from VMM. From the security perspective, they should be measured before they're consumed. This patch measures TdHob and Cfv and stores the measurement values in WorkArea. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdxHelperBuildGuidHobForTdxMeasurement is called in PlatformPei to build GuidHob for Tdx measurement. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 This patch enables Tdx measurement in OvmfPkgX64 with below changes: 1) CC_MEASUREMENT_ENABLE is introduced in OvmfPkgX64.dsc. This flag indicates if Intel TDX measurement is enabled in OvmfPkgX64. Its default value is FALSE. 2) Include TdTcg2Dxe in OvmfPkgX64 so that CC_MEASUREMENT_PROTOCOL is installed in a Td-guest. TdTcg2Dxe is controlled by TDX_MEASUREMENT_ENABLE because it is only valid when Intel TDX measurement is enabled. 3) OvmfTpmLibs.dsc.inc and OvmfTpmSecurityStub.dsc.inc are updated because DxeTpm2MeasureBootLib.inf and DxeTpmMeasurementLib.inf should be included to support CC_MEASUREMENT_PROTOCOL. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Acked-by: Gerd Hoffmann <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Signed-off-by: Min Xu <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
Tdx measurement (RTMR based measurement) is enabled in OvmfPkg/IntelTdx.
This patch-set enables the feature in OvmfPkgX64 as well.
Patch #1:
Introduce TDX_MEASUREMETNS_DATA in SEC_TDX_WORK_AREA. That is because
the RTMR measurement of TdHob and Configuration FV (CFV) are executed
in very early stage of boot process. At that time the memory service is
not ready and the measurement values have to be stored in OvmfWorkArea.
Patch #2:
Introduce TdxHelperLibNull which is the NULL instance of TdxHelperLib.
Patch #3:
Introduce SecTdxHelperLib which is the instance of TdxHelperLib for SEC
Phase. This patch adds the stubs of TdxHelperLib functions. The actual
implementation are in the following patches.
Patch #4:
Re-use the data struct of PLATFORM_FIRMWARE_BLOB2_STRUCT for
FV_HANDOFF_TABLE_POINTERS2.
Patch #5-7:
These 3 patches move the functions ( which were implemented in
PeilessStartupLib and PlatformInitLib ) to TdxHelperLib. So that they
can be called in both OvmfPkgX64 and IntelTdxX64.
Patch #8:
Do tdx measurement in SecMain in IntelTdxX64 and delete the duplicated
code in PeilessStartupLib.
Patch #9-12:
These 4 patches are the changes for OvmfPkgX64 to enable Tdx
measurement.
Code: https://github.com/mxu9/edk2/tree/TdxMeasurementInOvmfX64.v6
v6 changes:
the name is more accurate.
v5 changes:
to simplify testing. https://edk2.groups.io/g/devel/message/99209
v4 changes:
TdxHelperBuildGuidHobForTdxMeasurement is split into 4 patches (5-8).
need to allocate memory in SEC phase.
v3 changes:
Library/TcgEventLogRecordLib.h.
introduced for Tdx-measurement.
Patch#3 implements TdxHelperMeasureTdHob and TdxHelperMeasureCfvImage.
Patch#9 implements TdxHelperProcessTdHob. This is to make the patches
more reviewable. The duplicated codes of TdxHelperProcessTdHob are
deleted in Patch#9 as well.
of PeilessStartupLib are in one patch (OVMF doesn't respect -acpitable QEMU parameter #5). Because the implmentation
of TdxHelperBuildGuidHobForTdxMeasurement was once in PeilessStartupLib.
v2 changes:
more reviewable.
OvmfPkgX64 is supported in SEC phase.
Cc: Erdem Aktas [email protected]
Cc: James Bottomley [email protected]
Cc: Jiewen Yao [email protected]
Cc: Gerd Hoffmann [email protected]
Cc: Tom Lendacky [email protected]
Cc: Michael Roth [email protected]
Signed-off-by: Min Xu [email protected]
Min M Xu (12):
OvmfPkg: Add Tdx measurement data structure in WorkArea
OvmfPkg/IntelTdx: Add TdxHelperLibNull
OvmfPkg/IntelTdx: Add SecTdxHelperLib
OvmfPkg/PeilessStartupLib: Update the define of
FV_HANDOFF_TABLE_POINTERS2
OvmfPkg: Refactor MeasureHobList
OvmfPkg: Refactor MeaureFvImage
OvmfPkg: Refactor ProcessHobList
OvmfPkg/IntelTdx: Measure TdHob and Configuration FV in SecMain
OvmfPkg/IntelTdx: Add PeiTdxHelperLib
OvmfPkg/OvmfPkgX64: Measure TdHob and Configuration FV in SecMain
OvmfPkg/PlatformPei: Build GuidHob for Tdx measurement
OvmfPkg: Support Tdx measurement in OvmfPkgX64
OvmfPkg/AmdSev/AmdSevX64.dsc | 5 +-
OvmfPkg/CloudHv/CloudHvX64.dsc | 5 +-
OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc | 10 +-
.../Include/Dsc/OvmfTpmSecurityStub.dsc.inc | 8 +
OvmfPkg/Include/Library/PlatformInitLib.h | 17 -
OvmfPkg/Include/Library/TdxHelperLib.h | 70 ++
OvmfPkg/Include/WorkArea.h | 25 +-
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 4 +-
OvmfPkg/IntelTdx/Sec/SecMain.c | 17 +-
OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c | 91 +++
.../IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf | 48 ++
.../TdxHelperLib/SecTdxHelper.c} | 304 +++----
.../IntelTdx/TdxHelperLib/SecTdxHelperLib.inf | 53 ++
.../TdxHelperLib/TdxHelperLibNull.inf | 32 +
OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c | 79 ++
.../IntelTdx/TdxHelperLib/TdxMeasurementHob.c | 259 ++++++
OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 196 -----
.../PeilessStartupLib/PeilessStartup.c | 16 +-
.../PeilessStartupInternal.h | 36 -
.../PeilessStartupLib/PeilessStartupLib.inf | 6 -
OvmfPkg/Library/PlatformInitLib/IntelTdx.c | 768 ------------------
.../Library/PlatformInitLib/IntelTdxNull.c | 20 -
.../PlatformInitLib/PlatformInitLib.inf | 1 -
OvmfPkg/Microvm/MicrovmX64.dsc | 5 +-
OvmfPkg/OvmfPkg.dec | 4 +
OvmfPkg/OvmfPkgX64.dsc | 20 +-
OvmfPkg/OvmfPkgX64.fdf | 7 +
OvmfPkg/PlatformPei/IntelTdx.c | 3 +
OvmfPkg/Sec/SecMain.c | 17 +-
29 files changed, 915 insertions(+), 1211 deletions(-)
create mode 100644 OvmfPkg/Include/Library/TdxHelperLib.h
create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c
create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf
copy OvmfPkg/{Library/PlatformInitLib/IntelTdx.c => IntelTdx/TdxHelperLib/SecTdxHelper.c} (80%)
create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf
create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c
create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c
delete mode 100644 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c