From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98992+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98992+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613479; cv=none; d=zohomail.com; s=zohoarc; b=gb6DeEifX7B/sqt5WCmG5FkcHwzGYLENLvCigK+1ECt5y+m5UMyz99xHv1JZAPFfQAOmcJ6nA0FBBPsEP5dtwsStaIk3ZQacT0iSwJPe4//4tMFA4lU8WbMZupRgIVcOp9sKbRc8Le5GJQ7BxVd9MdiNRl2oFnbYqzC+STg8bx0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613479; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=5wxeHwKvbX49Kvefa65IOm2zr/19qMRvWuK4jQACQ+U=; b=nxfuHaKxNcX/MldJJ/qL+b15mUl+volJIyUvxG9PWObLv1Tw4RHJyROkO+Cix3J2gkR3bxhS/3U5SMJ6EVEYW7MkHRbUP+9xPq4k1hZzWNdHvvaSZvOHePTJ7B0z7l5IlrKQcOgQsZFlMkpH957pQZp6idPLhs4CCz/d4i69Ogg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98992+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 167461347934569.02083539079092; Tue, 24 Jan 2023 18:24:39 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id lbLrYY1788612xR91zXVSIWG; Tue, 24 Jan 2023 18:24:39 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36048.1674613475961755380 for ; Tue, 24 Jan 2023 18:24:38 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128784" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128784" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:38 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844191" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844191" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:35 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 1/9] OvmfPkg: Add Tdx measurement data structure in WorkArea Date: Wed, 25 Jan 2023 10:23:51 +0800 Message-Id: <20230125022359.1645-2-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: 1sODTIfehJ5kZ2G0fPrj7n0Qx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613479; bh=mG1W8n8eW6jY0+9w2AMTpMhN3X0pxfEzcwW1yvWcK1A=; h=Cc:Date:From:Reply-To:Subject:To; b=hjCEvHt0HT4m+SjnSMYtmPPljGPtpZPZEwdP9ZxLWXbt0Kjw5ya70ERh/sQ4gHKnWqM w89vBNb5IpbrNkxPDjUYvYPumKpj3M6n71I0hmfGYeir1vmpeLx4HuLQsAqt0Q0I37hGF xSbwgRXdXTiGvHsuKRuJBbAekmaUpMKGoJs= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613483252100002 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 From the perspective of security any external input should be measured and extended to some registers (TPM PCRs or TDX RTMR registers). There are below 2 external input in a Td guest: - TdHob - Configuration FV (CFV) TdHob contains the resource information passed from VMM, such as unaccepted memory region. CFV contains the configurations, such as secure boot variables. TdHob and CFV should be measured and extended to RTMRs before they're consumed. TdHob is consumed in the very early stage of boot process. At that moment the memory service is not ready. Cfv is consumed in PlatformPei to initialize the EmuVariableNvStore. To make the implementation simple and clean, these 2 external input are measured and extended to RTMRs in SEC phase. That is to say the tdx measurement is only supported in SEC phase. After the measurement the hash values are stored in WorkArea. Then after the Hob service is available, these 2 measurement values are retrieved and GuidHobs for these 2 tdx measurements are generated. This patch defines the structure of TDX_MEASUREMENTS_DATA in SEC_TDX_WORK_AREA to store above 2 tdx measurements. It can be extended to store more tdx measurements if needed in the future. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Acked-by: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/Include/WorkArea.h | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h index 6c3702b716f0..b1c7045ce18c 100644 --- a/OvmfPkg/Include/WorkArea.h +++ b/OvmfPkg/Include/WorkArea.h @@ -11,6 +11,7 @@ #define __OVMF_WORK_AREA_H__ =20 #include +#include =20 // // Confidential computing work area header definition. Any change @@ -64,13 +65,27 @@ typedef struct _SEV_WORK_AREA { SEC_SEV_ES_WORK_AREA SevEsWorkArea; } SEV_WORK_AREA; =20 +// +// Start of TDX Specific WorkArea definition +// + +#define TDX_MEASUREMENT_TDHOB_BITMASK 0x1 +#define TDX_MEASUREMENT_CFVIMG_BITMASK 0x2 + +typedef struct _TDX_MEASUREMENTS_DATA { + UINT32 MeasurementsBitmap; + UINT8 TdHobHashValue[SHA384_DIGEST_SIZE]; + UINT8 CfvImgHashValue[SHA384_DIGEST_SIZE]; +} TDX_MEASUREMENTS_DATA; + // // The TDX work area definition // typedef struct _SEC_TDX_WORK_AREA { - UINT32 PageTableReady; - UINT32 Gpaw; - UINT64 HobList; + UINT32 PageTableReady; + UINT32 Gpaw; + UINT64 HobList; + TDX_MEASUREMENTS_DATA TdxMeasurementsData; } SEC_TDX_WORK_AREA; =20 typedef struct _TDX_WORK_AREA { @@ -78,6 +93,10 @@ typedef struct _TDX_WORK_AREA { SEC_TDX_WORK_AREA SecTdxWorkArea; } TDX_WORK_AREA; =20 +// +// End of TDX Specific WorkArea definition +// + typedef union { CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER Header; SEV_WORK_AREA SevWorkArea; --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98992): https://edk2.groups.io/g/devel/message/98992 Mute This Topic: https://groups.io/mt/96513450/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98993+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98993+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613482; cv=none; d=zohomail.com; s=zohoarc; b=BpGDrhaeZu1HZUkFiETYHN9DLAfREi+0Dymw1UzHKzsYxiXUt5w/NeEbvng9TWVpasI9SGmx0FnGAIJ8vU7KfLDFN3yAIB3sCF/RlwmVa9gUIXwIck7Lk6ZoU+y/7wk6n4KDf1RofR7L37pTNxgrmzeeo/kFT7wXx19fwt5VMlo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613482; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=ksM5xHNF1hYG0bTlr22dlXi8bMoNplzUIHwTsxjL2WU=; b=FDf//H8g6Nwts8HJ7Yi5IogYz6krr/yEr/9j08U96srnAF6PF/8hEzzO7AdsAE2QZ346eDaYyBJE/U6TL21BIN8RliJzSXZ+uO5cjEtvNnov9hFZ6WbEAFSxmfwmDKUIBVGdhkFPyAgUGYbLlhxfmkMrZ/Ge4UhfW+EDvF+7VK8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98993+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613482835243.57274899851268; Tue, 24 Jan 2023 18:24:42 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id Tf9iYY1788612xAJHKFWyNJ0; Tue, 24 Jan 2023 18:24:42 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36048.1674613475961755380 for ; Tue, 24 Jan 2023 18:24:41 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128820" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128820" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:40 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844245" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844245" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:37 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 2/9] OvmfPkg/IntelTdx: Add TdxHelperLibNull Date: Wed, 25 Jan 2023 10:23:52 +0800 Message-Id: <20230125022359.1645-3-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: sF9KXUP2JqcwvcYDrX32G62Lx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613482; bh=H6CvIRQVwp0osLBUY3YDqFgY+NxZhawdRjAJkle4MOI=; h=Cc:Date:From:Reply-To:Subject:To; b=t4j8SlGV+fChWtssS1KtOO2Puceklcg09A9mg2GOVbsV62khhjv4LwkEyH5ehWUAGi8 83X7GpXGd5aCLUD2Uu4jJL9+QhNgb/j8N3txVUfWsOGvWYK1zXb0xk3nT1ySIM6O/BsJS mjihJwDyFQS6OA/E315q7V1CrhZH+MXinRk= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613483278100004 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 TdxHelperLib provides below helper functions for a td-guest. - TdxHelperProcessTdHob - TdxHelperMeasureTdHob - TdxHelperMeasureCfvImage - TdxHelperBuildGuidHobForTdxMeasurement TdxHelperLibNull is the NULL instance of TdxHelperLib. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Acked-by: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/Include/Library/TdxHelperLib.h | 70 ++++++++++++++++ .../TdxHelperLib/TdxHelperLibNull.inf | 32 ++++++++ OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c | 79 +++++++++++++++++++ OvmfPkg/OvmfPkg.dec | 4 + 4 files changed, 185 insertions(+) create mode 100644 OvmfPkg/Include/Library/TdxHelperLib.h create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c diff --git a/OvmfPkg/Include/Library/TdxHelperLib.h b/OvmfPkg/Include/Libra= ry/TdxHelperLib.h new file mode 100644 index 000000000000..199aade42f8e --- /dev/null +++ b/OvmfPkg/Include/Library/TdxHelperLib.h @@ -0,0 +1,70 @@ +/** @file + TdxHelperLib header file + + Copyright (c) 2021 - 2023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef TDX_HELPER_LIB_H +#define TDX_HELPER_LIB_H + +#include + +/** + In Tdx guest, some information need to be passed from host VMM to guest + firmware. For example, the memory resource, etc. These information are + prepared by host VMM and put in TdHob which is described in TdxMetadata. + TDVF processes the TdHob to accept memories. + + @retval EFI_SUCCESS Successfully process the TdHob + @retval Others Other error as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperProcessTdHob ( + VOID + ); + +/** + In Tdx guest, TdHob is passed from host VMM to guest firmware and it con= tains + the information of the memory resource. From the security perspective be= fore + it is consumed, it should be measured and extended. + * + * @retval EFI_SUCCESS Successfully measure the TdHob + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureTdHob ( + VOID + ); + +/** + * In Tdx guest, Configuration FV (CFV) is treated as external input becau= se it + * may contain the data provided by VMM. From the sucurity perspective Cfv= image + * should be measured before it is consumed. + * + * @retval EFI_SUCCESS Successfully measure the CFV image + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureCfvImage ( + VOID + ); + +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperBuildGuidHobForTdxMeasurement ( + VOID + ); + +#endif diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf b/OvmfPkg/I= ntelTdx/TdxHelperLib/TdxHelperLibNull.inf new file mode 100644 index 000000000000..27d07b3886cf --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf @@ -0,0 +1,32 @@ +## @file +# TdxHelperLib NULL instance +# +# Copyright (c) 2021 - 2023, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D TdxHelperLibNull + FILE_GUID =3D 853603b2-53ea-463d-93e6-35d09a79e358 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D TdxHelperLib + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D X64 +# + +[Sources] + TdxHelperNull.c + +[Packages] + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + +[LibraryClasses] + BaseLib diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c b/OvmfPkg/IntelT= dx/TdxHelperLib/TdxHelperNull.c new file mode 100644 index 000000000000..a2125190d6aa --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c @@ -0,0 +1,79 @@ +/** @file + NULL instance of TdxHelperLib + + Copyright (c) 2022 - 2023, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +/** + In Tdx guest, some information need to be passed from host VMM to guest + firmware. For example, the memory resource, etc. These information are + prepared by host VMM and put in TdHob which is described in TdxMetadata. + TDVF processes the TdHob to accept memories. + + @retval EFI_SUCCESS Successfully process the TdHob + @retval Others Other error as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperProcessTdHob ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + In Tdx guest, TdHob is passed from host VMM to guest firmware and it con= tains + the information of the memory resource. From the security perspective be= fore + it is consumed, it should be measured and extended. + * + * @retval EFI_SUCCESS Successfully measure the TdHob + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureTdHob ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + * In Tdx guest, Configuration FV (CFV) is treated as external input becau= se it + * may contain the data provided by VMM. From the sucurity perspective Cfv= image + * should be measured before it is consumed. + * + * @retval EFI_SUCCESS Successfully measure the CFV image + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureCfvImage ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperBuildGuidHobForTdxMeasurement ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 1b521f2604ff..f30225d7656d 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -98,6 +98,10 @@ # SerializeVariablesLib|Include/Library/SerializeVariablesLib.h =20 + ## @libraryclass TdxHelper + # + TdxHelperLib|Include/Library/TdxHelperLib.h + ## @libraryclass Declares utility functions for virtio device drivers. VirtioLib|Include/Library/VirtioLib.h =20 --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98993): https://edk2.groups.io/g/devel/message/98993 Mute This Topic: https://groups.io/mt/96513451/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98994+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98994+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613484; cv=none; d=zohomail.com; s=zohoarc; b=SgcmBAGdZc4iHBBFUa5J4/0WeL1hX0iB7TxmsrI362+o5Jo55ee/voiiNQ1ZHOGYpQWj3ra0elWMR53fms0hIT2oRTAkFSDDI0nUNIVvEnTcVxrC/8XObAxmp1+se669deINuw9bnZCEKHL7+DHcqHKCfB5S+TuSpWIfxchF4Xg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613484; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=lG8/kPgzlFlART2+OHJhmBeUxSHZvUz5Jyzp8LFdXM4=; b=YHYltYDc9GcHyHGwnZa2xWFAnDtX37v1ZohhrzFXULewbQQMpRwZUFPWSO/vf19NN9ZZGIjCdlmuLU5mEvOYKx+cnNyKv3eHqFnUW7CKdp846abbtUlAJyirkk6UqiUy+yTSKOwMzVC//xEyI7kfp2Y9+QWiv5Ejui+q4G1p8Yg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98994+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613484779634.9165379549016; Tue, 24 Jan 2023 18:24:44 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id QyjKYY1788612xBQUegwhUxr; Tue, 24 Jan 2023 18:24:44 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36048.1674613475961755380 for ; Tue, 24 Jan 2023 18:24:43 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128832" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128832" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:42 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844288" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844288" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:40 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 3/9] OvmfPkg/IntelTdx: Add SecTdxHelperLib Date: Wed, 25 Jan 2023 10:23:53 +0800 Message-Id: <20230125022359.1645-4-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: LX3uu7GaEj9xDmdxL7X3t9JWx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613484; bh=9FVzpqCwvklVUF7m/cMRSdXNqXu0wDQ7n0i5XXZfAOk=; h=Cc:Date:From:Reply-To:Subject:To; b=iImWNNfOKcpi8/KeWVeYZfL3ne+JMR68Fqep4Cro66PcQyZ+ZEcx5p4XwBsKyV8s9pc p2pWVTvvi4Z6M1nIefP0RznZtMpDZppN/Zv6qkg3eOK9K1iV7KdlIDOdMOefAQ4qSFnB3 a2uBLY8Rx2ePTY8PY03XrDiPlsBrz/aJtRM= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613485315100010 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 TdxHelperLib provides below helper functions for a td-guest. - TdxHelperProcessTdHob - TdxHelperMeasureTdHob - TdxHelperMeasureCfvImage - TdxHelperBuildGuidHobForTdxMeasurement SecTdxHelperLib is the SEC instance of TdxHelperLib. It implements 4 functions for tdx in SEC phase: - TdxHelperProcessTdHob consumes TdHob to accept un-accepted memories. Before the TdHob is consumed, it is first validated. - TdxHelperMeasureTdHob measure/extend TdHob and store the measurement value in workarea. - TdxHelperMeasureCfvImage measure/extend the Configuration FV image and store the measurement value in workarea. - TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for tdx measurement. This patch implements TdxHelperMeasureTdHob and TdxHelperMeasureCfvImage. TdxHelperProcessTdHob and TdxHelperBuildGuidHobForTdxMeasurement will be implemented in the following patches. Because these 2 functions are to be moved from other files, such as PlatformInitLib/IntelTdx.c. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Signed-off-by: Min Xu --- OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c | 221 ++++++++++++++++++ .../IntelTdx/TdxHelperLib/SecTdxHelperLib.inf | 52 +++++ 2 files changed, 273 insertions(+) create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c b/OvmfPkg/IntelTd= x/TdxHelperLib/SecTdxHelper.c new file mode 100644 index 000000000000..2cb12bd9c7e1 --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c @@ -0,0 +1,221 @@ +/** @file + TdxHelper Functions which are used in SEC phase + + Copyright (c) 2022 - 2023, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + In Tdx guest, some information need to be passed from host VMM to guest + firmware. For example, the memory resource, etc. These information are + prepared by host VMM and put in TdHob which is described in TdxMetadata. + TDVF processes the TdHob to accept memories. + + @retval EFI_SUCCESS Successfully process the TdHob + @retval Others Other error as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperProcessTdHob ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +// +// SHA512_CTX is defined in and its size is 216 bytes. +// It can be built successfully with GCC5 compiler but failed with VS2019. +// The error code showed in VS2019 is that "openssl/sha.h" cannot be found. +// To overcome this error SHA512_CTX_SIZE is defined. +// +#define SHA512_CTX_SIZ 216 + +/** + * Calculate the sha384 of input Data and extend it to RTMR register. + * + * @param RtmrIndex Index of the RTMR register + * @param DataToHash Data to be hashed + * @param DataToHashLen Length of the data + * @param Digest Hash value of the input data + * @param DigestLen Length of the hash value + * + * @retval EFI_SUCCESS Successfully hash and extend to RTMR + * @retval Others Other errors as indicated + */ +STATIC +EFI_STATUS +HashAndExtendToRtmr ( + IN UINT32 RtmrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT UINT8 *Digest, + IN UINTN DigestLen + ) +{ + EFI_STATUS Status; + UINT8 Sha384Ctx[SHA512_CTX_SIZ]; + + if ((DataToHash =3D=3D NULL) || (DataToHashLen =3D=3D 0)) { + return EFI_INVALID_PARAMETER; + } + + if ((Digest =3D=3D NULL) || (DigestLen !=3D SHA384_DIGEST_SIZE)) { + return EFI_INVALID_PARAMETER; + } + + // + // Calculate the sha384 of the data + // + Sha384Init (Sha384Ctx); + Sha384Update (Sha384Ctx, DataToHash, DataToHashLen); + Sha384Final (Sha384Ctx, Digest); + + // + // Extend to RTMR + // + Status =3D TdExtendRtmr ( + (UINT32 *)Digest, + SHA384_DIGEST_SIZE, + (UINT8)RtmrIndex + ); + + ASSERT (!EFI_ERROR (Status)); + return Status; +} + +/** + In Tdx guest, TdHob is passed from host VMM to guest firmware and it con= tains + the information of the memory resource. From the security perspective be= fore + it is consumed, it should be measured and extended. + * + * @retval EFI_SUCCESS Successfully measure the TdHob + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureTdHob ( + VOID + ) +{ + EFI_PEI_HOB_POINTERS Hob; + EFI_STATUS Status; + UINT8 Digest[SHA384_DIGEST_SIZE]; + OVMF_WORK_AREA *WorkArea; + VOID *TdHob; + + TdHob =3D (VOID *)(UINTN)FixedPcdGet32 (PcdOvmfSecGhcbBase); + Hob.Raw =3D (UINT8 *)TdHob; + + // + // Walk thru the TdHob list until end of list. + // + while (!END_OF_HOB_LIST (Hob)) { + Hob.Raw =3D GET_NEXT_HOB (Hob); + } + + Status =3D HashAndExtendToRtmr ( + 0, + (UINT8 *)TdHob, + (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)TdHob), + Digest, + SHA384_DIGEST_SIZE + ); + + if (EFI_ERROR (Status)) { + return Status; + } + + // + // This function is called in SEC phase and at that moment the Hob servi= ce + // is not available. So the TdHob measurement value is stored in workare= a. + // + WorkArea =3D (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + if (WorkArea =3D=3D NULL) { + return EFI_DEVICE_ERROR; + } + + WorkArea->TdxWorkArea.SecTdxWorkArea.TdxMeasurementsData.MeasurementsBit= map |=3D TDX_MEASUREMENT_TDHOB_BITMASK; + CopyMem (WorkArea->TdxWorkArea.SecTdxWorkArea.TdxMeasurementsData.TdHobH= ashValue, Digest, SHA384_DIGEST_SIZE); + + return EFI_SUCCESS; +} + +/** + * In Tdx guest, Configuration FV (CFV) is treated as external input becau= se it + * may contain the data provided by VMM. From the sucurity perspective Cfv= image + * should be measured before it is consumed. + * + * @retval EFI_SUCCESS Successfully measure the CFV image + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureCfvImage ( + VOID + ) +{ + EFI_STATUS Status; + UINT8 Digest[SHA384_DIGEST_SIZE]; + OVMF_WORK_AREA *WorkArea; + + Status =3D HashAndExtendToRtmr ( + 0, + (UINT8 *)(UINTN)PcdGet32 (PcdOvmfFlashNvStorageVariableBase), + (UINT64)PcdGet32 (PcdCfvRawDataSize), + Digest, + SHA384_DIGEST_SIZE + ); + + if (EFI_ERROR (Status)) { + return Status; + } + + // + // This function is called in SEC phase and at that moment the Hob servi= ce + // is not available. So CfvImage measurement value is stored in workarea. + // + WorkArea =3D (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + if (WorkArea =3D=3D NULL) { + return EFI_DEVICE_ERROR; + } + + WorkArea->TdxWorkArea.SecTdxWorkArea.TdxMeasurementsData.MeasurementsBit= map |=3D TDX_MEASUREMENT_CFVIMG_BITMASK; + CopyMem (WorkArea->TdxWorkArea.SecTdxWorkArea.TdxMeasurementsData.CfvImg= HashValue, Digest, SHA384_DIGEST_SIZE); + + return EFI_SUCCESS; +} + +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperBuildGuidHobForTdxMeasurement ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf b/OvmfPkg/In= telTdx/TdxHelperLib/SecTdxHelperLib.inf new file mode 100644 index 000000000000..3c6b96f7759a --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf @@ -0,0 +1,52 @@ +## @file +# TdxHelperLib SEC instance +# +# This module provides Tdx helper functions in SEC phase. +# Copyright (c) 2021 - 2023, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecTdxHelperLib + FILE_GUID =3D ba69ac6b-0c59-4472-899d-b684590ec1e9 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D TdxHelperLib|SEC + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D X64 +# + +[Sources] + SecTdxHelper.c + +[Packages] + CryptoPkg/CryptoPkg.dec + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseCryptLib + DebugLib + HobLib + PcdLib + TdxMailboxLib + TdxLib + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase + gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataSize + +[Guids] + gCcEventEntryHobGuid --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98994): https://edk2.groups.io/g/devel/message/98994 Mute This Topic: https://groups.io/mt/96513452/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98995+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98995+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613486; cv=none; d=zohomail.com; s=zohoarc; b=D42Up5nA2i1MkM53syilTlAXmPT3NobGcVgRgJV91/S4yIAta7XmmLkcMukO6ngeZvwRbFHBUJTBj51iQeOvUjp4O5ziL231UzE1K6l+KX+aJYAdoCtE9a94hCL0EBDX/j4D2BqxrltjdcTuF+QnkgBU+5Vy5FaUw9WpW+HSqSY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613486; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=OrO85JQV00aIezI/8yiIdnmEbeyF5mzLc6h58OgNlhA=; b=NOxv9CWvXKOMTlPSGhWsmahiGZGFqbgpRr79ATW5yg5ABI4Zrc5hgPqKa+oMkEfYQlh9DttcuRZvJPSY9lYoOdI2oguCyUPTPYKZQXA198zIBTPttmet2IVFa+I46LFKDvwv1TYdHUE4YbtBTq/k4dq6A8oIqO15oQWs2lsTUJs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98995+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613486808993.2543695058355; Tue, 24 Jan 2023 18:24:46 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id rWRsYY1788612xq3QtAt4DsL; Tue, 24 Jan 2023 18:24:46 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36048.1674613475961755380 for ; Tue, 24 Jan 2023 18:24:45 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128857" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128857" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:45 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844334" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844334" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:42 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 4/9] OvmfPkg/IntelTdx: Update tdx measurement in SEC phase Date: Wed, 25 Jan 2023 10:23:54 +0800 Message-Id: <20230125022359.1645-5-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: QxIgTUp0cDuj2koWdu1B0uxox1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613486; bh=FjSMGWKpeW+rheyTZVbEYgfcxRRjtzl2nsJmkWOFA3o=; h=Cc:Date:From:Reply-To:Subject:To; b=TB7wWVF4xP2azGSLSy47ypDDvdMEp7xJhpU154ZcRxCw1HdWGItpkmRJ2kuvZ86XasP Tj1lQwmuxFhiRfH+QleBRjOtnxpSr0jOIHuJb/m/cs+vbpkN/pkMmry26IpFqlUiKjdNc 0VzCV3lwVlCrlpEg9eHMgixmPd8asWt35kA= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613487341100014 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 After TdxHelperLib is instroduced, the SecMain.c in IntelTdx is updated with the new functions provided by TdxHelperLib. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Acked-by: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 + OvmfPkg/IntelTdx/Sec/SecMain.c | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX6= 4.dsc index 0f1e970fbbb3..920f1c6080d4 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -549,6 +549,7 @@ NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompre= ssLib.inf TpmMeasurementLib|SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMea= surementLibTdx.inf + NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c index ab01ec9ab19c..ccb217b709a0 100644 --- a/OvmfPkg/IntelTdx/Sec/SecMain.c +++ b/OvmfPkg/IntelTdx/Sec/SecMain.c @@ -24,7 +24,7 @@ #include #include #include -#include +#include #include #include =20 @@ -62,12 +62,25 @@ SecCoreStartupWithStack ( volatile UINT8 *Table; =20 if (CcProbe () =3D=3D CcGuestTypeIntelTdx) { + // + // From the security perspective all the external input should be meas= ured before + // it is consumed. TdHob and Configuration FV (Cfv) image are passed f= rom VMM + // and should be measured here. + // + if (EFI_ERROR (TdxHelperMeasureTdHob ())) { + CpuDeadLoop (); + } + + if (EFI_ERROR (TdxHelperMeasureCfvImage ())) { + CpuDeadLoop (); + } + // // For Td guests, the memory map info is in TdHobLib. It should be pro= cessed // first so that the memory is accepted. Otherwise access to the unacc= epted // memory will trigger tripple fault. // - if (ProcessTdxHobList () !=3D EFI_SUCCESS) { + if (TdxHelperProcessTdHob () !=3D EFI_SUCCESS) { CpuDeadLoop (); } } --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98995): https://edk2.groups.io/g/devel/message/98995 Mute This Topic: https://groups.io/mt/96513454/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98996+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98996+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613490; cv=none; d=zohomail.com; s=zohoarc; b=c6nG6w5h8EfBwTt48+tFoujlRG3JtG/wffJ2Bc1ERfrcEGsphjjaWpxeiyaqygpMCnkMu1liRFa+IAZp3uBfGVbqLJx6nE1SCozQlVjZYhEPVKNscuKamPtN70NDa/nLmzYbG/xz0n8N9rj3Jt7Z7y/9AQ+t9m8MAl/i1M/bewU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613490; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=My2MK33L1/H4m/GwfBxqexwoedV9TEeGQNq8fT0WRG0=; b=DQFBC2dUV2Ez5bSkC/jh7/oBKnSgmPE3HRmaP3DyWJDEG075tE9cxoJEasP7hURY4YpAF+Ph88XD4tTII9inV8itKfDgjRAI7TL6u31WZKwUpuF/AGZ4Qk/IqSrpLQaozMWdtIAmwU5MPWWvol3J5AlE1FBFO9eh38NUGIbil6I= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98996+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613490085289.18496617941116; Tue, 24 Jan 2023 18:24:50 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id Gl9UYY1788612xp2LPKqnSel; Tue, 24 Jan 2023 18:24:49 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36048.1674613475961755380 for ; Tue, 24 Jan 2023 18:24:49 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128886" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128886" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:47 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844381" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844381" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:45 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 5/9] OvmfPkg/TdxHelperLib: Implement TdxHelperBuildGuidHobForTdxMeasurement Date: Wed, 25 Jan 2023 10:23:55 +0800 Message-Id: <20230125022359.1645-6-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: HT4LhdXWMYPnFT2o32Zj9mqEx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613489; bh=I+BgouIE95qClgee9UvkGQIFm0P6DisbcQ6G64ZAY1s=; h=Cc:Date:From:Reply-To:Subject:To; b=QvszwdCHw4pB3bLckDixdTMWPnUe3yhh7GNgS9Rv0FJVmNJ/K/RfSSCydscQ1SnghLA 46pVXYKThCEMJNKq/jZZ2ZJxvBS5u/13Eiy7L0URDNd4PysGhi5Z3EzRDTVgkwaArg+SE jmDr6+thN7MnN/1lHkBoadQdHGouf355RGE= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613491333100001 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for tdx-measurement which is measured in SEC phase. The implementation is movded from PeilessStartupLib/IntelTdx.c. After TdxHelperBuildGuidHobForTdxMeasurement is implemented PeilessStartup is updated as well. It calls TdxHelperBuildGuidHobForTdxMeasurement to build the GuidHob for Tdx measurement. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Signed-off-by: Min Xu --- OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 - OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c | 16 ++ .../IntelTdx/TdxHelperLib/SecTdxHelperLib.inf | 1 + .../IntelTdx/TdxHelperLib/TdxMeasurementHob.c | 262 ++++++++++++++++++ OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 196 ------------- .../PeilessStartupLib/PeilessStartup.c | 16 +- .../PeilessStartupInternal.h | 36 --- .../PeilessStartupLib/PeilessStartupLib.inf | 3 - 8 files changed, 282 insertions(+), 251 deletions(-) create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c delete mode 100644 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX6= 4.dsc index 920f1c6080d4..41de2e942817 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -548,11 +548,8 @@ OvmfPkg/IntelTdx/Sec/SecMain.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompre= ssLib.inf - TpmMeasurementLib|SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMea= surementLibTdx.inf NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf - HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf - NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf } =20 # diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c b/OvmfPkg/IntelTd= x/TdxHelperLib/SecTdxHelper.c index 2cb12bd9c7e1..c87693bcd700 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c @@ -23,6 +23,18 @@ #include #include =20 +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +InternalBuildGuidHobForTdxMeasurement ( + VOID + ); + /** In Tdx guest, some information need to be passed from host VMM to guest firmware. For example, the memory resource, etc. These information are @@ -217,5 +229,9 @@ TdxHelperBuildGuidHobForTdxMeasurement ( VOID ) { + #ifdef TDX_PEI_LESS_BOOT + return InternalBuildGuidHobForTdxMeasurement (); + #else return EFI_UNSUPPORTED; + #endif } diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf b/OvmfPkg/In= telTdx/TdxHelperLib/SecTdxHelperLib.inf index 3c6b96f7759a..d17b84c01f20 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf @@ -24,6 +24,7 @@ =20 [Sources] SecTdxHelper.c + TdxMeasurementHob.c =20 [Packages] CryptoPkg/CryptoPkg.dec diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c b/OvmfPkg/In= telTdx/TdxHelperLib/TdxMeasurementHob.c new file mode 100644 index 000000000000..f917ed1f8356 --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c @@ -0,0 +1,262 @@ +/** @file + Build GuidHob for tdx measurement. + + Copyright (c) 2022 - 2023, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#pragma pack(1) + +#define HANDOFF_TABLE_DESC "TdxTable" +typedef struct { + UINT8 TableDescriptionSize; + UINT8 TableDescription[sizeof (HANDOFF_TABLE_DESC)]; + UINT64 NumberOfTables; + EFI_CONFIGURATION_TABLE TableEntry[1]; +} TDX_HANDOFF_TABLE_POINTERS2; + +#pragma pack() + +#define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)" +typedef PLATFORM_FIRMWARE_BLOB2_STRUCT CFV_HANDOFF_TABLE_POINTERS2; + +/** + * Build GuidHob for Tdx measurement. + * + * Tdx measurement includes the measurement of TdHob and CFV. They're meas= ured + * and extended to RTMR registers in SEC phase. Because at that moment the= Hob + * service are not available. So the values of the measurement are saved in + * workarea and will be built into GuidHob after the Hob service is ready. + * + * @param RtmrIndex RTMR index + * @param EventType Event type + * @param EventData Event data + * @param EventSize Size of event data + * @param HashValue Hash value + * @param HashSize Size of hash + * + * @retval EFI_SUCCESS Successfully build the GuidHobs + * @retval Others Other error as indicated + */ +STATIC +EFI_STATUS +BuildTdxMeasurementGuidHob ( + UINT32 RtmrIndex, + UINT32 EventType, + UINT8 *EventData, + UINT32 EventSize, + UINT8 *HashValue, + UINT32 HashSize + ) +{ + VOID *EventHobData; + UINT8 *Ptr; + TPML_DIGEST_VALUES *TdxDigest; + + if (HashSize !=3D SHA384_DIGEST_SIZE) { + return EFI_INVALID_PARAMETER; + } + + #define TDX_DIGEST_VALUE_LEN (sizeof (UINT32) + sizeof (TPMI_ALG_HASH) = + SHA384_DIGEST_SIZE) + + EventHobData =3D BuildGuidHob ( + &gCcEventEntryHobGuid, + sizeof (TCG_PCRINDEX) + sizeof (TCG_EVENTTYPE) + + TDX_DIGEST_VALUE_LEN + + sizeof (UINT32) + EventSize + ); + + if (EventHobData =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Ptr =3D (UINT8 *)EventHobData; + + // + // There are 2 types of measurement registers in TDX: MRTD and RTMR[0-3]. + // According to UEFI Spec 2.10 Section 38.4.1, RTMR[0-3] is mapped to Mr= Index[1-4]. + // So RtmrIndex must be increased by 1 before the event log is created. + // + RtmrIndex++; + CopyMem (Ptr, &RtmrIndex, sizeof (UINT32)); + Ptr +=3D sizeof (UINT32); + + CopyMem (Ptr, &EventType, sizeof (TCG_EVENTTYPE)); + Ptr +=3D sizeof (TCG_EVENTTYPE); + + TdxDigest =3D (TPML_DIGEST_VALUES *)Ptr; + TdxDigest->count =3D 1; + TdxDigest->digests[0].hashAlg =3D TPM_ALG_SHA384; + CopyMem ( + TdxDigest->digests[0].digest.sha384, + HashValue, + SHA384_DIGEST_SIZE + ); + Ptr +=3D TDX_DIGEST_VALUE_LEN; + + CopyMem (Ptr, &EventSize, sizeof (UINT32)); + Ptr +=3D sizeof (UINT32); + + CopyMem (Ptr, (VOID *)EventData, EventSize); + Ptr +=3D EventSize; + + return EFI_SUCCESS; +} + +/** + Get the FvName from the FV header. + Causion: The FV is untrusted input. + @param[in] FvBase Base address of FV image. + @param[in] FvLength Length of FV image. + @return FvName pointer + @retval NULL FvName is NOT found +**/ +STATIC +VOID * +GetFvName ( + IN EFI_PHYSICAL_ADDRESS FvBase, + IN UINT64 FvLength + ) +{ + EFI_FIRMWARE_VOLUME_HEADER *FvHeader; + EFI_FIRMWARE_VOLUME_EXT_HEADER *FvExtHeader; + + if (FvBase >=3D MAX_ADDRESS) { + return NULL; + } + + if (FvLength >=3D MAX_ADDRESS - FvBase) { + return NULL; + } + + if (FvLength < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) { + return NULL; + } + + FvHeader =3D (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvBase; + if (FvHeader->ExtHeaderOffset < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) { + return NULL; + } + + if (FvHeader->ExtHeaderOffset + sizeof (EFI_FIRMWARE_VOLUME_EXT_HEADER) = > FvLength) { + return NULL; + } + + FvExtHeader =3D (EFI_FIRMWARE_VOLUME_EXT_HEADER *)(UINTN)(FvBase + FvHea= der->ExtHeaderOffset); + + return &FvExtHeader->FvName; +} + +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +InternalBuildGuidHobForTdxMeasurement ( + VOID + ) +{ + EFI_STATUS Status; + OVMF_WORK_AREA *WorkArea; + VOID *TdHobList; + TDX_HANDOFF_TABLE_POINTERS2 HandoffTables; + VOID *FvName; + CFV_HANDOFF_TABLE_POINTERS2 FvBlob2; + EFI_PHYSICAL_ADDRESS FvBase; + UINT64 FvLength; + UINT8 *HashValue; + + if (!TdIsEnabled ()) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + WorkArea =3D (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + if (WorkArea =3D=3D NULL) { + return EFI_ABORTED; + } + + Status =3D EFI_SUCCESS; + + // + // Build the GuidHob for TdHob measurement + // + TdHobList =3D (VOID *)(UINTN)FixedPcdGet32 (PcdOvmfSecGhcbBase); + if (WorkArea->TdxWorkArea.SecTdxWorkArea.TdxMeasurementsData.Measurement= sBitmap & TDX_MEASUREMENT_TDHOB_BITMASK) { + HashValue =3D WorkArea->TdxWorkArea.SecTdxWor= kArea.TdxMeasurementsData.TdHobHashValue; + HandoffTables.TableDescriptionSize =3D sizeof (HandoffTables.TableDesc= ription); + CopyMem (HandoffTables.TableDescription, HANDOFF_TABLE_DESC, sizeof (H= andoffTables.TableDescription)); + HandoffTables.NumberOfTables =3D 1; + CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgToke= nSpaceGuid); + HandoffTables.TableEntry[0].VendorTable =3D TdHobList; + + Status =3D BuildTdxMeasurementGuidHob ( + 0, // RtmrIndex + EV_EFI_HANDOFF_TABLES2, // EventType + (UINT8 *)(UINTN)&HandoffTables, // EventData + sizeof (HandoffTables), // EventSize + HashValue, // HashValue + SHA384_DIGEST_SIZE // HashSize + ); + } + + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + return Status; + } + + // + // Build the GuidHob for Cfv measurement + // + if (WorkArea->TdxWorkArea.SecTdxWorkArea.TdxMeasurementsData.Measurement= sBitmap & TDX_MEASUREMENT_CFVIMG_BITMASK) { + HashValue =3D WorkArea->TdxWorkArea.SecTdxWorkArea.T= dxMeasurementsData.CfvImgHashValue; + FvBase =3D (UINT64)PcdGet32 (PcdOvmfFlashNvStorag= eVariableBase); + FvLength =3D (UINT64)PcdGet32 (PcdCfvRawDataSize); + FvBlob2.BlobDescriptionSize =3D sizeof (FvBlob2.BlobDescription); + CopyMem (FvBlob2.BlobDescription, FV_HANDOFF_TABLE_DESC, sizeof (FvBlo= b2.BlobDescription)); + FvName =3D GetFvName (FvBase, FvLength); + if (FvName !=3D NULL) { + AsciiSPrint ((CHAR8 *)FvBlob2.BlobDescription, sizeof (FvBlob2.BlobD= escription), "Fv(%g)", FvName); + } + + FvBlob2.BlobBase =3D FvBase; + FvBlob2.BlobLength =3D FvLength; + + Status =3D BuildTdxMeasurementGuidHob ( + 0, // RtmrIndex + EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType + (VOID *)&FvBlob2, // EventData + sizeof (FvBlob2), // EventSize + HashValue, // HashValue + SHA384_DIGEST_SIZE // HashSize + ); + } + + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + return Status; + } + + return EFI_SUCCESS; +} diff --git a/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c b/OvmfPkg/Library= /PeilessStartupLib/IntelTdx.c deleted file mode 100644 index 216c413caad5..000000000000 --- a/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c +++ /dev/null @@ -1,196 +0,0 @@ -/** @file - Copyright (c) 2022, Intel Corporation. All rights reserved.
- SPDX-License-Identifier: BSD-2-Clause-Patent -**/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "PeilessStartupInternal.h" - -#pragma pack(1) - -#define HANDOFF_TABLE_DESC "TdxTable" -typedef struct { - UINT8 TableDescriptionSize; - UINT8 TableDescription[sizeof (HANDOFF_TABLE_DESC)]; - UINT64 NumberOfTables; - EFI_CONFIGURATION_TABLE TableEntry[1]; -} TDX_HANDOFF_TABLE_POINTERS2; - -#define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)" -typedef struct { - UINT8 BlobDescriptionSize; - UINT8 BlobDescription[sizeof (FV_HANDOFF_TABLE_DESC)]; - EFI_PHYSICAL_ADDRESS BlobBase; - UINT64 BlobLength; -} FV_HANDOFF_TABLE_POINTERS2; - -#pragma pack() - -/** - Measure the Hoblist passed from the VMM. - - @param[in] VmmHobList The Hoblist pass the firmware - - @retval EFI_SUCCESS Fv image is measured successfully - or it has been already measured. - @retval Others Other errors as indicated -**/ -EFI_STATUS -EFIAPI -MeasureHobList ( - IN CONST VOID *VmmHobList - ) -{ - EFI_PEI_HOB_POINTERS Hob; - TDX_HANDOFF_TABLE_POINTERS2 HandoffTables; - EFI_STATUS Status; - - if (!TdIsEnabled ()) { - ASSERT (FALSE); - return EFI_UNSUPPORTED; - } - - Hob.Raw =3D (UINT8 *)VmmHobList; - - // - // Parse the HOB list until end of list. - // - while (!END_OF_HOB_LIST (Hob)) { - Hob.Raw =3D GET_NEXT_HOB (Hob); - } - - // - // Init the log event for HOB measurement - // - - HandoffTables.TableDescriptionSize =3D sizeof (HandoffTables.TableDescri= ption); - CopyMem (HandoffTables.TableDescription, HANDOFF_TABLE_DESC, sizeof (Han= doffTables.TableDescription)); - HandoffTables.NumberOfTables =3D 1; - CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgTokenS= paceGuid); - HandoffTables.TableEntry[0].VendorTable =3D (VOID *)VmmHobList; - - Status =3D TpmMeasureAndLogData ( - 1, // PCRIndex - EV_EFI_HANDOFF_TABLES2, // EventType - (VOID *)&HandoffTables, // EventData - sizeof (HandoffTables), // EventSize - (UINT8 *)(UINTN)VmmHobList, // HashData - (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)VmmHobList) // HashDataLen - ); - - if (EFI_ERROR (Status)) { - ASSERT (FALSE); - } - - return Status; -} - -/** - Get the FvName from the FV header. - - Causion: The FV is untrusted input. - - @param[in] FvBase Base address of FV image. - @param[in] FvLength Length of FV image. - - @return FvName pointer - @retval NULL FvName is NOT found -**/ -VOID * -GetFvName ( - IN EFI_PHYSICAL_ADDRESS FvBase, - IN UINT64 FvLength - ) -{ - EFI_FIRMWARE_VOLUME_HEADER *FvHeader; - EFI_FIRMWARE_VOLUME_EXT_HEADER *FvExtHeader; - - if (FvBase >=3D MAX_ADDRESS) { - return NULL; - } - - if (FvLength >=3D MAX_ADDRESS - FvBase) { - return NULL; - } - - if (FvLength < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) { - return NULL; - } - - FvHeader =3D (EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)FvBase; - if (FvHeader->ExtHeaderOffset < sizeof (EFI_FIRMWARE_VOLUME_HEADER)) { - return NULL; - } - - if (FvHeader->ExtHeaderOffset + sizeof (EFI_FIRMWARE_VOLUME_EXT_HEADER) = > FvLength) { - return NULL; - } - - FvExtHeader =3D (EFI_FIRMWARE_VOLUME_EXT_HEADER *)(UINTN)(FvBase + FvHea= der->ExtHeaderOffset); - - return &FvExtHeader->FvName; -} - -/** - Measure FV image. - - @param[in] FvBase Base address of FV image. - @param[in] FvLength Length of FV image. - @param[in] PcrIndex Index of PCR - - @retval EFI_SUCCESS Fv image is measured successfully - or it has been already measured. - @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event. - @retval EFI_DEVICE_ERROR The command was unsuccessful. - -**/ -EFI_STATUS -EFIAPI -MeasureFvImage ( - IN EFI_PHYSICAL_ADDRESS FvBase, - IN UINT64 FvLength, - IN UINT8 PcrIndex - ) -{ - EFI_STATUS Status; - FV_HANDOFF_TABLE_POINTERS2 FvBlob2; - VOID *FvName; - - // - // Init the log event for FV measurement - // - FvBlob2.BlobDescriptionSize =3D sizeof (FvBlob2.BlobDescription); - CopyMem (FvBlob2.BlobDescription, FV_HANDOFF_TABLE_DESC, sizeof (FvBlob2= .BlobDescription)); - FvName =3D GetFvName (FvBase, FvLength); - if (FvName !=3D NULL) { - AsciiSPrint ((CHAR8 *)FvBlob2.BlobDescription, sizeof (FvBlob2.BlobDes= cription), "Fv(%g)", FvName); - } - - FvBlob2.BlobBase =3D FvBase; - FvBlob2.BlobLength =3D FvLength; - - Status =3D TpmMeasureAndLogData ( - 1, // PCRIndex - EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType - (VOID *)&FvBlob2, // EventData - sizeof (FvBlob2), // EventSize - (UINT8 *)(UINTN)FvBase, // HashData - (UINTN)(FvLength) // HashDataLen - ); - - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "The FV which failed to be measured starts at: 0x= %x\n", FvBase)); - ASSERT (FALSE); - } - - return Status; -} diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c b/OvmfPkg/L= ibrary/PeilessStartupLib/PeilessStartup.c index 928120d183ba..164aa2d61911 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -139,13 +140,11 @@ PeilessStartup ( UINT32 DxeCodeSize; TD_RETURN_DATA TdReturnData; VOID *VmmHobList; - UINT8 *CfvBase; =20 Status =3D EFI_SUCCESS; BootFv =3D NULL; VmmHobList =3D NULL; SecCoreData =3D (EFI_SEC_PEI_HAND_OFF *)Context; - CfvBase =3D (UINT8 *)(UINTN)FixedPcdGet32 (PcdCfvBase); =20 ZeroMem (&PlatformInfoHob, sizeof (PlatformInfoHob)); =20 @@ -177,18 +176,9 @@ PeilessStartup ( =20 if (TdIsEnabled ()) { // - // Measure HobList + // Build GuidHob for the tdx measurements which were done in SEC phase. // - Status =3D MeasureHobList (VmmHobList); - if (EFI_ERROR (Status)) { - ASSERT (FALSE); - CpuDeadLoop (); - } - - // - // Measure Tdx CFV - // - Status =3D MeasureFvImage ((EFI_PHYSICAL_ADDRESS)(UINTN)CfvBase, Fixed= PcdGet32 (PcdCfvRawDataSize), 1); + Status =3D TdxHelperBuildGuidHobForTdxMeasurement (); if (EFI_ERROR (Status)) { ASSERT (FALSE); CpuDeadLoop (); diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h b/O= vmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h index f56bc3578e5e..158196271962 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h @@ -58,40 +58,4 @@ EFIAPI ConstructSecHobList ( ); =20 -/** - Measure the Hoblist passed from the VMM. - - @param[in] VmmHobList The Hoblist pass the firmware - - @retval EFI_SUCCESS Fv image is measured successfully - or it has been already measured. - @retval Others Other errors as indicated -**/ -EFI_STATUS -EFIAPI -MeasureHobList ( - IN CONST VOID *VmmHobList - ); - -/** - Measure FV image. - - @param[in] FvBase Base address of FV image. - @param[in] FvLength Length of FV image. - @param[in] PcrIndex Index of PCR - - @retval EFI_SUCCESS Fv image is measured successfully - or it has been already measured. - @retval EFI_OUT_OF_RESOURCES No enough memory to log the new event. - @retval EFI_DEVICE_ERROR The command was unsuccessful. - -**/ -EFI_STATUS -EFIAPI -MeasureFvImage ( - IN EFI_PHYSICAL_ADDRESS FvBase, - IN UINT64 FvLength, - IN UINT8 PcrIndex - ); - #endif diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf b/Ovmf= Pkg/Library/PeilessStartupLib/PeilessStartupLib.inf index 5c6eb1597bea..5682f0697cfd 100644 --- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf +++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf @@ -29,7 +29,6 @@ PeilessStartup.c Hob.c DxeLoad.c - IntelTdx.c X64/VirtualMemory.c =20 [Packages] @@ -57,8 +56,6 @@ PrePiLib QemuFwCfgLib PlatformInitLib - HashLib - TpmMeasurementLib =20 [Guids] gEfiHobMemoryAllocModuleGuid --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98996): https://edk2.groups.io/g/devel/message/98996 Mute This Topic: https://groups.io/mt/96513455/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98997+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98997+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613517; cv=none; d=zohomail.com; s=zohoarc; b=YTiGNSHKRUI0v3OoBu2bF34M2bIXuVZxq7fb6/4OSUrUQcewxBMp4SBoH/gYQU0wA3WjjURIhpcIlbHErPbXJF+6T3Cz+ljvNghWzVgyg5X5PiCETv7bSLhJ9pJ2txpA9lBFzpMdoU0PFn4k+eRSa4V789+yu0eHpoMC6LguFcU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613517; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=60HfxpNc5cbOsBoZyv/UjTda3xq+X9ocTN0eoXRHZqQ=; b=RLgE6HCJbNSPtEnqB/hxaJ7enjG9Ma/2dR86OVWePM5hlS321K5b2QQrPMfNWyDgBTXnILD3ABvc9hv+DgVly1y5HWLkTf0uNg3gXGsh/sCD+q2A4Wyqh9F3g8LeuwiJoDrF3FaSVmWulaq0mE2aBCGszW5v//Rm2qB9T4Irlxw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98997+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613517054488.9354834675112; Tue, 24 Jan 2023 18:25:17 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id eB3VYY1788612xXBPmjapPP7; Tue, 24 Jan 2023 18:25:16 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36062.1674613516015515685 for ; Tue, 24 Jan 2023 18:25:16 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128895" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128895" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:49 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844430" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844430" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:47 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 6/9] OvmfPkg: Enable Tdx measurement in OvmfPkgX64 Date: Wed, 25 Jan 2023 10:23:56 +0800 Message-Id: <20230125022359.1645-7-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: PAdyynqiqfFKYFrumFAXjh56x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613516; bh=glR2FDlkkM95so0dMhPXWOf0n0XHv0NAT3ieJE6Vtn8=; h=Cc:Date:From:Reply-To:Subject:To; b=UcS4LKDtQPaQdnFxYEwtteVs28ast3fA7w1P5W0LzIK0vTU3xuySGfgFG7A+C1HMXsJ wuc2Y1XQ5ZiktuILIE2bGj9nvStjfvjLx/HWPAuMZwPKA/RRMr8gla5KY5qeyHEJytPxL V+VgjNXb8U9HP7JDKiBlS/NjySm2jmKT35U= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613517759100002 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 This patch enables Tdx measurement in OvmfPkgX64 with below changes: 1) TDX_MEASUREMENT_ENABLE is introduced in OvmfPkgX64.dsc. This flag indicates if Intel TDX measurement is enabled in OvmfPkgX64. Its default value is FALSE. 2) Update SecMain.c with the functions provided by TdxHelperLib 3) Include TdTcg2Dxe in OvmfPkgX64 so that CC_MEASUREMENT_PROTOCOL is installed in a Td-guest. TdTcg2Dxe is controlled by TDX_MEASUREMENT_ENABLE because it is only valid when Intel TDX measurement is enabled. 3) OvmfTpmLibs.dsc.inc and OvmfTpmSecurityStub.dsc.inc are updated because DxeTpm2MeasureBootLib.inf and DxeTpmMeasurementLib.inf should be included to support CC_MEASUREMENT_PROTOCOL. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Acked-by: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc | 10 +++++++++- OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc | 8 ++++++++ OvmfPkg/OvmfPkgX64.dsc | 15 ++++++++++++++- OvmfPkg/OvmfPkgX64.fdf | 7 +++++++ OvmfPkg/Sec/SecMain.c | 17 +++++++++++++++-- 5 files changed, 53 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc b/OvmfPkg/Include/Dsc/= OvmfTpmLibs.dsc.inc index cd1a899d68f7..680f1b398592 100644 --- a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc +++ b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc @@ -10,9 +10,17 @@ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeT= cg2PhysicalPresenceLib.inf Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibN= ull.inf - TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf !else Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeT= cg2PhysicalPresenceLib.inf +!endif + +!if $(TPM2_ENABLE) =3D=3D TRUE || $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE + # + # DxeTpmMeasurementLib supports measurement functions for both TPM and C= onfidential Computing. + # It should be controlled by TPM2_ENABLE and TDX_MEASUREMENT_ENABLE. + # + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf +!else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf !endif =20 diff --git a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/Incl= ude/Dsc/OvmfTpmSecurityStub.dsc.inc index e9ab2fca7bc7..f3db62397aff 100644 --- a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc +++ b/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc @@ -6,5 +6,13 @@ !if $(TPM1_ENABLE) =3D=3D TRUE NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.i= nf !endif +!endif + +!if $(TPM2_ENABLE) =3D=3D TRUE || $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE + # + # DxeTpm2MeasureBootLib provides security service of TPM2 measure bo= ot and + # Confidential Computing (CC) measure boot. It should be controlled = by + # TPM2_ENABLE and TDX_MEASUREMENT_ENABLE + # NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib= .inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 3f970a79a08a..839535d56bab 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -32,6 +32,7 @@ DEFINE SECURE_BOOT_ENABLE =3D FALSE DEFINE SMM_REQUIRE =3D FALSE DEFINE SOURCE_DEBUG_ENABLE =3D FALSE + DEFINE TDX_MEASUREMENT_ENABLE =3D FALSE =20 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc =20 @@ -724,7 +725,8 @@ OvmfPkg/Sec/SecMain.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompre= ssLib.inf - NULL|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf + NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf } =20 # @@ -1100,6 +1102,17 @@ } !endif =20 + # + # Cc Measurement Protocol for Td guest + # +!if $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE + SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf { + + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf + } +!endif + # # TPM support # diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 8c02dfe11e37..b4f11ee40a34 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -402,6 +402,13 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/Faul= tTolerantWriteDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif =20 +# +# EFI_CC_MEASUREMENT_PROTOCOL +# +!if $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE +INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf +!endif + # # TPM support # diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 1167d22a68cc..4bb3b641701e 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -29,7 +29,7 @@ #include #include #include -#include +#include #include #include "AmdSev.h" =20 @@ -760,12 +760,25 @@ SecCoreStartupWithStack ( =20 #if defined (TDX_GUEST_SUPPORTED) if (CcProbe () =3D=3D CcGuestTypeIntelTdx) { + // + // From the security perspective all the external input should be meas= ured before + // it is consumed. TdHob and Configuration FV (Cfv) image are passed f= rom VMM + // and should be measured here. + // + if (EFI_ERROR (TdxHelperMeasureTdHob ())) { + CpuDeadLoop (); + } + + if (EFI_ERROR (TdxHelperMeasureCfvImage ())) { + CpuDeadLoop (); + } + // // For Td guests, the memory map info is in TdHobLib. It should be pro= cessed // first so that the memory is accepted. Otherwise access to the unacc= epted // memory will trigger tripple fault. // - if (ProcessTdxHobList () !=3D EFI_SUCCESS) { + if (TdxHelperProcessTdHob () !=3D EFI_SUCCESS) { CpuDeadLoop (); } } --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98997): https://edk2.groups.io/g/devel/message/98997 Mute This Topic: https://groups.io/mt/96513459/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98998+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98998+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613518; cv=none; d=zohomail.com; s=zohoarc; b=dnU+zcXsP8/nd50Q1iHZmpX2VWL60xgWTeqU4qpx7lr0T1RUSEvMx6fjIYUt39FZNAIuG9GWXg51TYIHAiSlFDZ8L7Q/M0Z05038FFv9nm8N9y2RwUnVWymptzig7mW6ABhaaXpDX5r2TYUz8EEyMaN52nzlqQMlGmBm8vdO5WU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613518; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=Z47qao+LmFWkLwbe3k8eyxgYYQXWmo8Wc0JKY0eygys=; b=JA8HqD9LS54wZmauggayrmVs9fWbHCdDEb3lNHWTZaCw9yIqsFh3oxpE/jhQsebAxWoqqpB2NUaI2QMOFG/3s2TbzRPyHfQaRYWXfIa7UudqIwEZ141nk9IgCd6qk6t6EBab5v6rT3OeiAjhUtuE92r+wdXX1jEzDA9L6YeE76s= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98998+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613518039734.3332356974657; Tue, 24 Jan 2023 18:25:18 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id HcaGYY1788612xMIHbI4dD5m; Tue, 24 Jan 2023 18:25:17 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36062.1674613516015515685 for ; Tue, 24 Jan 2023 18:25:16 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128906" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128906" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:52 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844461" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844461" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:50 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 7/9] OvmfPkg/IntelTdx: Add PeiTdxHelperLib Date: Wed, 25 Jan 2023 10:23:57 +0800 Message-Id: <20230125022359.1645-8-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: uX2Jw6d8uwqn8m5J6HTLFzMvx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613517; bh=TWbd6J8zcTeaL4ALtSq1a2v82bIYoTMa4OgCWa0sKtI=; h=Cc:Date:From:Reply-To:Subject:To; b=wNtlCpciiiRnZz5jH2EXbWgws1EfbC1vZGuNo5V1/r1XuSqbgqLehgqwInf598FohQ9 MUdic4E2qpF1iPXmDYC9rAtQvIAownEoaBpFtxBl2aqWwIUoosCk2Xpg/cqi3yXr0VBfG QYR2hrqZxIfV6x1C1LsKvrAIU9nfcCT2JwY= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613519454100006 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 TdxHelperLib provides below helper functions for a td-guest. - TdxHelperProcessTdHob - TdxHelperMeasureTdHob - TdxHelperMeasureCfvImage - TdxHelperBuildGuidHobForTdxMeasurement PeiTdxHelperLib is the PEI instance of TdxHelperLib. It implements 1 function for tdx in PEI phase. Other functions are not supported in PEI phase. - TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for tdx measurement in PEI phase. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Acked-by: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c | 91 +++++++++++++++++++ .../IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf | 48 ++++++++++ 2 files changed, 139 insertions(+) create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c b/OvmfPkg/IntelTd= x/TdxHelperLib/PeiTdxHelper.c new file mode 100644 index 000000000000..91ab53ed14ad --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c @@ -0,0 +1,91 @@ +/** @file + TdxHelper Functions which are used in PEI phase + + Copyright (c) 2022 - 2023, Intel Corporation. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +InternalBuildGuidHobForTdxMeasurement ( + VOID + ); + +/** + In Tdx guest, some information need to be passed from host VMM to guest + firmware. For example, the memory resource, etc. These information are + prepared by host VMM and put in TdHob which is described in TdxMetadata. + TDVF processes the TdHob to accept memories. + + @retval EFI_SUCCESS Successfully process the TdHob + @retval Others Other error as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperProcessTdHob ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + In Tdx guest, TdHob is passed from host VMM to guest firmware and it con= tains + the information of the memory resource. From the security perspective be= fore + it is consumed, it should be measured and extended. + * + * @retval EFI_SUCCESS Successfully measure the TdHob + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureTdHob ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + * In Tdx guest, Configuration FV (CFV) is treated as external input becau= se it + * may contain the data provided by VMM. From the sucurity perspective Cfv= image + * should be measured before it is consumed. + * + * @retval EFI_SUCCESS Successfully measure the CFV image + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureCfvImage ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperBuildGuidHobForTdxMeasurement ( + VOID + ) +{ + return InternalBuildGuidHobForTdxMeasurement (); +} diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf b/OvmfPkg/In= telTdx/TdxHelperLib/PeiTdxHelperLib.inf new file mode 100644 index 000000000000..ad3b6c1da62b --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf @@ -0,0 +1,48 @@ +## @file +# TdxHelperLib PEI instance +# +# This module provides Tdx helper functions in PEI phase. +# Copyright (c) 2021 - 2023, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D PeiTdxHelperLib + FILE_GUID =3D 4d22289d-3bde-4501-a737-7719f3215065 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D TdxHelperLib|PEIM + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D X64 +# + +[Sources] + PeiTdxHelper.c + TdxMeasurementHob.c + +[Packages] + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + HobLib + PcdLib + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase + gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataSize + +[Guids] + gCcEventEntryHobGuid --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98998): https://edk2.groups.io/g/devel/message/98998 Mute This Topic: https://groups.io/mt/96513461/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+99000+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+99000+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613519; cv=none; d=zohomail.com; s=zohoarc; b=KY5LxS16bdzDYkHgpFMZ28MfqVWpOBOwzrfmESR5Nl7YGJTwFc1zXS8Km69asfCtiAWs7wxjzvy5KiwDH/QkDY6O37XzHetMQXIJWnvbyJLGNkgv5dKB35diZgh6nazz4WX7GgC3WNUZeK3GrAG1J7c2ZN+uZQVpLgdtZ5C8gC4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613519; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=D5haIrszlUSc68hkLwBUGWbIzKcQ1aR/qqCNAdhgo1w=; b=madVsV4B5t6MitqAoIBGU9IcbBsjnPOPhLaDXffT6pftJsR9pUzPjdErbx/F48B9jQMZ49wjdvIiQqJQXyD3QAuUwKbyG9tdXB6TQq4tE/7TaTHCXcfHAfVG00modngB5+sltPFryfk4p4uoOd2TYSqjwk71AuBWDD50vtLez7o= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+99000+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613519137615.9257253825235; Tue, 24 Jan 2023 18:25:19 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id CqTQYY1788612xytTqX85TB8; Tue, 24 Jan 2023 18:25:18 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36062.1674613516015515685 for ; Tue, 24 Jan 2023 18:25:18 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128912" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128912" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:54 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844491" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844491" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:52 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 8/9] OvmfPkg/PlatformPei: Build GuidHob for Tdx measurement Date: Wed, 25 Jan 2023 10:23:58 +0800 Message-Id: <20230125022359.1645-9-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: ZxSTN2Q9pcw3IP8H1uBxQ1tTx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613518; bh=34K/23VxAoeYkg/FwXUigKchrl7M9SBzMO2liLVX0DQ=; h=Cc:Date:From:Reply-To:Subject:To; b=mTCNjMSM9U2ji90mtxn0DWPVya3ifZ762lbQZdUJTqMZrsarU9AhbUwSRcswC2N/NOq aQRz3x7GVpZpx26xwWjbgHg+oZbsXfb+Geb/B0V14SxfpeQ2Wc33C9jsDQoQlRQrdLQKQ BfCkNakBPKxhvk1HCdea8oGX+gRlrTwBHHo= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613519422100005 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 TdxHelperBuildGuidHobForTdxMeasurement is called in PlatformPei to build GuidHob for Tdx measurement. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Acked-by: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- OvmfPkg/CloudHv/CloudHvX64.dsc | 5 ++++- OvmfPkg/Microvm/MicrovmX64.dsc | 5 ++++- OvmfPkg/OvmfPkgX64.dsc | 5 ++++- OvmfPkg/PlatformPei/IntelTdx.c | 3 +++ 5 files changed, 19 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 36100f5fdc11..1cebd6b4bcc2 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -570,7 +570,10 @@ } MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf =20 - OvmfPkg/PlatformPei/PlatformPei.inf + OvmfPkg/PlatformPei/PlatformPei.inf { + + NULL|OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf + } UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf UefiCpuPkg/CpuMpPei/CpuMpPei.inf OvmfPkg/AmdSev/SecretPei/SecretPei.inf diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index 7326417eab62..fc5e73158a71 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -678,7 +678,10 @@ } MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf =20 - OvmfPkg/PlatformPei/PlatformPei.inf + OvmfPkg/PlatformPei/PlatformPei.inf { + + NULL|OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf + } UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf { !if $(SMM_REQUIRE) =3D=3D TRUE diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 2d53b5c2950d..1161e1f39bf2 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -679,7 +679,10 @@ } MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf =20 - OvmfPkg/PlatformPei/PlatformPei.inf + OvmfPkg/PlatformPei/PlatformPei.inf { + + NULL|OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf + } UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf UefiCpuPkg/CpuMpPei/CpuMpPei.inf =20 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 839535d56bab..2cbb578926f9 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -747,7 +747,10 @@ } MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf =20 - OvmfPkg/PlatformPei/PlatformPei.inf + OvmfPkg/PlatformPei/PlatformPei.inf { + + NULL|OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf + } UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf { !if $(SMM_REQUIRE) =3D=3D TRUE diff --git a/OvmfPkg/PlatformPei/IntelTdx.c b/OvmfPkg/PlatformPei/IntelTdx.c index 3c1ddbfafd80..3d625cabd844 100644 --- a/OvmfPkg/PlatformPei/IntelTdx.c +++ b/OvmfPkg/PlatformPei/IntelTdx.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include @@ -39,6 +40,8 @@ IntelTdxInitialize ( return; } =20 + TdxHelperBuildGuidHobForTdxMeasurement (); + PcdStatus =3D PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrIntelT= dx); ASSERT_RETURN_ERROR (PcdStatus); =20 --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#99000): https://edk2.groups.io/g/devel/message/99000 Mute This Topic: https://groups.io/mt/96513463/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun May 19 15:20:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98999+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98999+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1674613523; cv=none; d=zohomail.com; s=zohoarc; b=GGpSmas2Xw+Vxp3F/6MfaKX8VrkWHTaiFM5Lpe9Ym4+cXt4Zcy5CLZ1BSUCswyVZAbzjz9zPILSHvM792o+eAKTkfHRXqn45lWIS8DLwqMDLO4BwQ88t2dHS5EfgD2ABSVWLF/HZiZfIwtWg9YVZEVBlPcD7yv4DXIpHjCeqKao= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1674613523; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=yWjBYrjrxWdR4xBwLfKmmrlGuC7zzoyDNCAIk4zHMSc=; b=ELFi9mDZsKmCOOvAS4+kYk60zRFHERS/s4eo10SaSct5lC4WHcjq0TXI526K9qYKvrkHgvIdPwUUsVW7zJdmr/Mt0U1xIKxkZCQyN0OnbMv4n4IMYAh+Q8L7LCkeK2TOuKBhhKE7Il0f84HV7kyz1f1ajG+Wne5iLGVZ3dbOM70= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98999+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674613523985826.9520580735548; Tue, 24 Jan 2023 18:25:23 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id SCcPYY1788612xrBhHtR94bK; Tue, 24 Jan 2023 18:25:23 -0800 X-Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web11.36062.1674613516015515685 for ; Tue, 24 Jan 2023 18:25:18 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="306128919" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="306128919" X-Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:57 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10600"; a="804844497" X-IronPort-AV: E=Sophos;i="5.97,244,1669104000"; d="scan'208";a="804844497" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.254.209.204]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2023 18:24:54 -0800 From: "Min Xu" To: devel@edk2.groups.io Cc: Min M Xu , Erdem Aktas , James Bottomley , Jiewen Yao , Gerd Hoffmann , Tom Lendacky , Michael Roth Subject: [edk2-devel] [PATCH V3 9/9] OvmfPkg/TdxHelperLib: Implement TdxHelperProcessTdHob Date: Wed, 25 Jan 2023 10:23:59 +0800 Message-Id: <20230125022359.1645-10-min.m.xu@intel.com> In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com> References: <20230125022359.1645-1-min.m.xu@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: RdC6rR7Y5uAi5JCz4bqxLjSvx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674613523; bh=XI12g9NFY9UhRXyM2zApaVWyio5OEAC3lbBKEidc4Sg=; h=Cc:Date:From:Reply-To:Subject:To; b=ZwlDFVM8e4F2U8P4XNY8kEzwXg6dgXP0JfVhOaxgGELxzc33Yl/AF+FPJD7oW8M1T2h 8ZyM4gsS4x3KmP4tknxrA0Nya7b997lnJWKb5BBLVUVrbobcoyKH/odPy4Puhaf2XGX5W B3wgZSBb3iULU5MqX4AYINCUGYenkiIehFE= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674613525504100001 Content-Type: text/plain; charset="utf-8" From: Min M Xu BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243 The implementation of TdxHelperProcessTdHob is moved from PlatformInitLib/IntelTdx.c. Its counterpart in PlatformInitLib is ProcessTdxHobList. After it is implemented, the duplicated codes in PlatformInitLib are deleted. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Gerd Hoffmann Cc: Tom Lendacky Cc: Michael Roth Signed-off-by: Min Xu Acked-by: Gerd Hoffmann --- OvmfPkg/Include/Library/PlatformInitLib.h | 17 - OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c | 754 ++++++++++++++++- OvmfPkg/Library/PlatformInitLib/IntelTdx.c | 768 ------------------ .../Library/PlatformInitLib/IntelTdxNull.c | 20 - .../PlatformInitLib/PlatformInitLib.inf | 1 - 5 files changed, 753 insertions(+), 807 deletions(-) diff --git a/OvmfPkg/Include/Library/PlatformInitLib.h b/OvmfPkg/Include/Li= brary/PlatformInitLib.h index 051b31191194..57b18b94d9b8 100644 --- a/OvmfPkg/Include/Library/PlatformInitLib.h +++ b/OvmfPkg/Include/Library/PlatformInitLib.h @@ -210,23 +210,6 @@ PlatformMaxCpuCountInitialization ( IN OUT EFI_HOB_PLATFORM_INFO *PlatformInfoHob ); =20 -/** - In Tdx guest, some information need to be passed from host VMM to guest - firmware. For example, the memory resource, etc. These information are - prepared by host VMM and put in HobList which is described in TdxMetadat= a. - - Information in HobList is treated as external input. From the security - perspective before it is consumed, it should be validated. - - @retval EFI_SUCCESS Successfully process the hoblist - @retval Others Other error as indicated -**/ -EFI_STATUS -EFIAPI -ProcessTdxHobList ( - VOID - ); - /** In Tdx guest, the system memory is passed in TdHob by host VMM. So the major task of PlatformTdxPublishRamRegions is to walk thru the diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c b/OvmfPkg/IntelTd= x/TdxHelperLib/SecTdxHelper.c index c87693bcd700..82242d37d1ed 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c @@ -18,11 +18,20 @@ #include #include #include +#include +#include #include #include #include #include =20 +#define ALIGNED_2MB_MASK 0x1fffff +#define MEGABYTE_SHIFT 20 + +#define ACCEPT_CHUNK_SIZE SIZE_32MB +#define AP_STACK_SIZE SIZE_16KB +#define APS_STACK_SIZE(CpusNum) (ALIGN_VALUE(CpusNum*AP_STACK_SIZE, SIZE_= 2MB)) + /** Build the GuidHob for tdx measurements which were done in SEC phase. The measurement values are stored in WorkArea. @@ -35,6 +44,720 @@ InternalBuildGuidHobForTdxMeasurement ( VOID ); =20 +/** + This function will be called to accept pages. Only BSP accepts pages. + + TDCALL(ACCEPT_PAGE) supports the accept page size of 4k and 2M. To + simplify the implementation, the Memory to be accpeted is splitted + into 3 parts: + ----------------- <-- StartAddress1 (not 2M aligned) + | part 1 | Length1 < 2M + |---------------| <-- StartAddress2 (2M aligned) + | | Length2 =3D Integer multiples of 2M + | part 2 | + | | + |---------------| <-- StartAddress3 + | part 3 | Length3 < 2M + |---------------| + + @param[in] PhysicalAddress Start physical adress + @param[in] PhysicalEnd End physical address + + @retval EFI_SUCCESS Accept memory successfully + @retval Others Other errors as indicated +**/ +STATIC +EFI_STATUS +EFIAPI +BspAcceptMemoryResourceRange ( + IN EFI_PHYSICAL_ADDRESS PhysicalAddress, + IN EFI_PHYSICAL_ADDRESS PhysicalEnd + ) +{ + EFI_STATUS Status; + UINT32 AcceptPageSize; + UINT64 StartAddress1; + UINT64 StartAddress2; + UINT64 StartAddress3; + UINT64 TotalLength; + UINT64 Length1; + UINT64 Length2; + UINT64 Length3; + UINT64 Pages; + + AcceptPageSize =3D FixedPcdGet32 (PcdTdxAcceptPageSize); + TotalLength =3D PhysicalEnd - PhysicalAddress; + StartAddress1 =3D 0; + StartAddress2 =3D 0; + StartAddress3 =3D 0; + Length1 =3D 0; + Length2 =3D 0; + Length3 =3D 0; + + if (TotalLength =3D=3D 0) { + return EFI_SUCCESS; + } + + if (ALIGN_VALUE (PhysicalAddress, SIZE_2MB) !=3D PhysicalAddress) { + StartAddress1 =3D PhysicalAddress; + Length1 =3D ALIGN_VALUE (PhysicalAddress, SIZE_2MB) - PhysicalAd= dress; + if (Length1 >=3D TotalLength) { + Length1 =3D TotalLength; + } + + PhysicalAddress +=3D Length1; + TotalLength -=3D Length1; + } + + if (TotalLength > SIZE_2MB) { + StartAddress2 =3D PhysicalAddress; + Length2 =3D TotalLength & ~(UINT64)ALIGNED_2MB_MASK; + PhysicalAddress +=3D Length2; + TotalLength -=3D Length2; + } + + if (TotalLength) { + StartAddress3 =3D PhysicalAddress; + Length3 =3D TotalLength; + } + + Status =3D EFI_SUCCESS; + if (Length1 > 0) { + Pages =3D Length1 / SIZE_4KB; + Status =3D TdAcceptPages (StartAddress1, Pages, SIZE_4KB); + if (EFI_ERROR (Status)) { + return Status; + } + } + + if (Length2 > 0) { + Pages =3D Length2 / AcceptPageSize; + Status =3D TdAcceptPages (StartAddress2, Pages, AcceptPageSize); + if (EFI_ERROR (Status)) { + return Status; + } + } + + if (Length3 > 0) { + Pages =3D Length3 / SIZE_4KB; + Status =3D TdAcceptPages (StartAddress3, Pages, SIZE_4KB); + ASSERT (!EFI_ERROR (Status)); + if (EFI_ERROR (Status)) { + return Status; + } + } + + return Status; +} + +/** + * This function is called by BSP and APs to accept memory. + * Note: + * The input PhysicalStart/PhysicalEnd indicates the whole memory region + * to be accepted. BSP or AP only accepts one piece in the whole memory re= gion. + * + * @param CpuIndex vCPU index + * @param CpusNum Total vCPU number of a Tdx guest + * @param PhysicalStart Start address of a memory region which is to be = accepted + * @param PhysicalEnd End address of a memory region which is to be ac= cepted + * + * @retval EFI_SUCCESS Successfully accept the memory + * @retval Other Other errors as indicated + */ +STATIC +EFI_STATUS +EFIAPI +BspApAcceptMemoryResourceRange ( + UINT32 CpuIndex, + UINT32 CpusNum, + EFI_PHYSICAL_ADDRESS PhysicalStart, + EFI_PHYSICAL_ADDRESS PhysicalEnd + ) +{ + UINT64 Status; + UINT64 Pages; + UINT64 Stride; + UINT64 AcceptPageSize; + EFI_PHYSICAL_ADDRESS PhysicalAddress; + + AcceptPageSize =3D (UINT64)(UINTN)FixedPcdGet32 (PcdTdxAcceptPageSize); + + Status =3D EFI_SUCCESS; + Stride =3D (UINTN)CpusNum * ACCEPT_CHUNK_SIZE; + PhysicalAddress =3D PhysicalStart + ACCEPT_CHUNK_SIZE * (UINTN)CpuIndex; + + while (!EFI_ERROR (Status) && PhysicalAddress < PhysicalEnd) { + Pages =3D MIN (ACCEPT_CHUNK_SIZE, PhysicalEnd - PhysicalAddress) / Ac= ceptPageSize; + Status =3D TdAcceptPages (PhysicalAddress, Pages, (UINT32)(UINTN)Accep= tPageSize); + ASSERT (!EFI_ERROR (Status)); + PhysicalAddress +=3D Stride; + } + + return EFI_SUCCESS; +} + +/** + * This function is called by APs to accept memory. + * + * @param CpuIndex vCPU index of an AP + * @param PhysicalStart Start address of a memory region which is to be = accepted + * @param PhysicalEnd End address of a memory region which is to be ac= cepted + * + * @retval EFI_SUCCESS Successfully accept the memory + * @retval Others Other errors as indicated + */ +STATIC +EFI_STATUS +EFIAPI +ApAcceptMemoryResourceRange ( + UINT32 CpuIndex, + EFI_PHYSICAL_ADDRESS PhysicalStart, + EFI_PHYSICAL_ADDRESS PhysicalEnd + ) +{ + UINT64 Status; + TD_RETURN_DATA TdReturnData; + + Status =3D TdCall (TDCALL_TDINFO, 0, 0, 0, &TdReturnData); + if (Status !=3D TDX_EXIT_REASON_SUCCESS) { + ASSERT (FALSE); + return EFI_ABORTED; + } + + if ((CpuIndex =3D=3D 0) || (CpuIndex >=3D TdReturnData.TdInfo.NumVcpus))= { + ASSERT (FALSE); + return EFI_ABORTED; + } + + return BspApAcceptMemoryResourceRange (CpuIndex, TdReturnData.TdInfo.Num= Vcpus, PhysicalStart, PhysicalEnd); +} + +/** + * This function is called by BSP. It coordinates BSP/APs to accept memory= together. + * + * @param PhysicalStart Start address of a memory region which is to b= e accepted + * @param PhysicalEnd End address of a memory region which is to be = accepted + * @param APsStackAddress APs stack address + * @param CpusNum Total vCPU number of the Tdx guest + * + * @retval EFI_SUCCESS Successfully accept the memory + * @retval Others Other errors as indicated + */ +STATIC +EFI_STATUS +EFIAPI +MpAcceptMemoryResourceRange ( + IN EFI_PHYSICAL_ADDRESS PhysicalStart, + IN EFI_PHYSICAL_ADDRESS PhysicalEnd, + IN OUT EFI_PHYSICAL_ADDRESS APsStackAddress, + IN UINT32 CpusNum + ) +{ + UINT64 Length; + EFI_STATUS Status; + + Length =3D PhysicalEnd - PhysicalStart; + + DEBUG ((DEBUG_INFO, "MpAccept : 0x%llx - 0x%llx (0x%llx)\n", PhysicalSta= rt, PhysicalEnd, Length)); + + if (Length =3D=3D 0) { + return EFI_SUCCESS; + } + + // + // The start address is not 2M aligned. BSP first accept the part which = is not 2M aligned. + // + if (ALIGN_VALUE (PhysicalStart, SIZE_2MB) !=3D PhysicalStart) { + Length =3D MIN (ALIGN_VALUE (PhysicalStart, SIZE_2MB) - PhysicalStart,= Length); + Status =3D BspAcceptMemoryResourceRange (PhysicalStart, PhysicalStart = + Length); + ASSERT (Status =3D=3D EFI_SUCCESS); + + PhysicalStart +=3D Length; + Length =3D PhysicalEnd - PhysicalStart; + } + + if (Length =3D=3D 0) { + return EFI_SUCCESS; + } + + // + // BSP will accept the memory by itself if the memory is not big enough = compared with a chunk. + // + if (Length <=3D ACCEPT_CHUNK_SIZE) { + return BspAcceptMemoryResourceRange (PhysicalStart, PhysicalEnd); + } + + // + // Now APs are asked to accept the memory together. + // + MpSerializeStart (); + + MpSendWakeupCommand ( + MpProtectedModeWakeupCommandAcceptPages, + (UINT64)(UINTN)ApAcceptMemoryResourceRange, + PhysicalStart, + PhysicalEnd, + APsStackAddress, + AP_STACK_SIZE + ); + + // + // Now BSP does its job. + // + BspApAcceptMemoryResourceRange (0, CpusNum, PhysicalStart, PhysicalEnd); + + MpSerializeEnd (); + + return EFI_SUCCESS; +} + +/** + BSP accept a small piece of memory which will be used as APs stack. + + @param[in] VmmHobList The Hoblist pass the firmware + @param[in] APsStackSize APs stack size + @param[out] PhysicalAddressEnd The physical end address of accepted m= emory in phase-1 + + @retval EFI_SUCCESS Process the HobList successfully + @retval Others Other errors as indicated +**/ +STATIC +EFI_STATUS +EFIAPI +AcceptMemoryForAPsStack ( + IN CONST VOID *VmmHobList, + IN UINT32 APsStackSize, + OUT EFI_PHYSICAL_ADDRESS *PhysicalAddressEnd + ) +{ + EFI_STATUS Status; + EFI_PEI_HOB_POINTERS Hob; + EFI_PHYSICAL_ADDRESS PhysicalEnd; + EFI_PHYSICAL_ADDRESS PhysicalStart; + UINT64 ResourceLength; + BOOLEAN MemoryRegionFound; + + ASSERT (VmmHobList !=3D NULL); + + Status =3D EFI_SUCCESS; + Hob.Raw =3D (UINT8 *)VmmHobList; + MemoryRegionFound =3D FALSE; + + DEBUG ((DEBUG_INFO, "AcceptMemoryForAPsStack with APsStackSize=3D0x%x\n"= , APsStackSize)); + + // + // Parse the HOB list until end of list or matching type is found. + // + while (!END_OF_HOB_LIST (Hob) && !MemoryRegionFound) { + if (Hob.Header->HobType =3D=3D EFI_HOB_TYPE_RESOURCE_DESCRIPTOR) { + DEBUG ((DEBUG_INFO, "\nResourceType: 0x%x\n", Hob.ResourceDescriptor= ->ResourceType)); + + if (Hob.ResourceDescriptor->ResourceType =3D=3D BZ3937_EFI_RESOURCE_= MEMORY_UNACCEPTED) { + ResourceLength =3D Hob.ResourceDescriptor->ResourceLength; + PhysicalStart =3D Hob.ResourceDescriptor->PhysicalStart; + PhysicalEnd =3D PhysicalStart + ResourceLength; + + DEBUG ((DEBUG_INFO, "ResourceAttribute: 0x%x\n", Hob.ResourceDescr= iptor->ResourceAttribute)); + DEBUG ((DEBUG_INFO, "PhysicalStart: 0x%llx\n", PhysicalStart)); + DEBUG ((DEBUG_INFO, "ResourceLength: 0x%llx\n", ResourceLength)); + DEBUG ((DEBUG_INFO, "Owner: %g\n\n", &Hob.ResourceDescriptor->Owne= r)); + + if (ResourceLength >=3D APsStackSize) { + MemoryRegionFound =3D TRUE; + if (ResourceLength > ACCEPT_CHUNK_SIZE) { + PhysicalEnd =3D Hob.ResourceDescriptor->PhysicalStart + APsSta= ckSize; + } + } + + Status =3D BspAcceptMemoryResourceRange ( + Hob.ResourceDescriptor->PhysicalStart, + PhysicalEnd + ); + if (EFI_ERROR (Status)) { + break; + } + } + } + + Hob.Raw =3D GET_NEXT_HOB (Hob); + } + + ASSERT (MemoryRegionFound); + *PhysicalAddressEnd =3D PhysicalEnd; + + return Status; +} + +/** + BSP and APs work togeter to accept memory which is under the address of = 4G. + + @param[in] VmmHobList The Hoblist pass the firmware + @param[in] CpusNum Number of vCPUs + @param[in] APsStackStartAddres Start address of APs stack + @param[in] PhysicalAddressStart Start physical address which to be accep= ted + + @retval EFI_SUCCESS Process the HobList successfully + @retval Others Other errors as indicated +**/ +STATIC +EFI_STATUS +EFIAPI +AcceptMemory ( + IN CONST VOID *VmmHobList, + IN UINT32 CpusNum, + IN EFI_PHYSICAL_ADDRESS APsStackStartAddress, + IN EFI_PHYSICAL_ADDRESS PhysicalAddressStart + ) +{ + EFI_STATUS Status; + EFI_PEI_HOB_POINTERS Hob; + EFI_PHYSICAL_ADDRESS PhysicalStart; + EFI_PHYSICAL_ADDRESS PhysicalEnd; + EFI_PHYSICAL_ADDRESS AcceptMemoryEndAddress; + + Status =3D EFI_SUCCESS; + AcceptMemoryEndAddress =3D BASE_4GB; + + ASSERT (VmmHobList !=3D NULL); + Hob.Raw =3D (UINT8 *)VmmHobList; + + DEBUG ((DEBUG_INFO, "AcceptMemory under address of 4G\n")); + + // + // Parse the HOB list until end of list or matching type is found. + // + while (!END_OF_HOB_LIST (Hob)) { + if (Hob.Header->HobType =3D=3D EFI_HOB_TYPE_RESOURCE_DESCRIPTOR) { + if (Hob.ResourceDescriptor->ResourceType =3D=3D BZ3937_EFI_RESOURCE_= MEMORY_UNACCEPTED) { + PhysicalStart =3D Hob.ResourceDescriptor->PhysicalStart; + PhysicalEnd =3D PhysicalStart + Hob.ResourceDescriptor->Resource= Length; + + if (PhysicalEnd <=3D PhysicalAddressStart) { + // this memory region has been accepted. Skipped it. + Hob.Raw =3D GET_NEXT_HOB (Hob); + continue; + } + + if (PhysicalStart >=3D AcceptMemoryEndAddress) { + // this memory region is not to be accepted. And we're done. + break; + } + + if (PhysicalStart >=3D PhysicalAddressStart) { + // this memory region has not been acceted. + } else if ((PhysicalStart < PhysicalAddressStart) && (PhysicalEnd = > PhysicalAddressStart)) { + // part of the memory region has been accepted. + PhysicalStart =3D PhysicalAddressStart; + } + + // then compare the PhysicalEnd with AcceptMemoryEndAddress + if (PhysicalEnd >=3D AcceptMemoryEndAddress) { + PhysicalEnd =3D AcceptMemoryEndAddress; + } + + DEBUG ((DEBUG_INFO, "ResourceAttribute: 0x%x\n", Hob.ResourceDescr= iptor->ResourceAttribute)); + DEBUG ((DEBUG_INFO, "PhysicalStart: 0x%llx\n", Hob.ResourceDescrip= tor->PhysicalStart)); + DEBUG ((DEBUG_INFO, "ResourceLength: 0x%llx\n", Hob.ResourceDescri= ptor->ResourceLength)); + DEBUG ((DEBUG_INFO, "Owner: %g\n\n", &Hob.ResourceDescriptor->Owne= r)); + + // Now we're ready to accept memory [PhysicalStart, PhysicalEnd) + if (CpusNum =3D=3D 1) { + Status =3D BspAcceptMemoryResourceRange (PhysicalStart, Physical= End); + } else { + Status =3D MpAcceptMemoryResourceRange ( + PhysicalStart, + PhysicalEnd, + APsStackStartAddress, + CpusNum + ); + } + + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + break; + } + + if (PhysicalEnd =3D=3D AcceptMemoryEndAddress) { + break; + } + } + } + + Hob.Raw =3D GET_NEXT_HOB (Hob); + } + + return Status; +} + +/** + Check the value whether in the valid list. + + @param[in] Value A value + @param[in] ValidList A pointer to valid list + @param[in] ValidListLength Length of valid list + + @retval TRUE The value is in valid list. + @retval FALSE The value is not in valid list. + +**/ +STATIC +BOOLEAN +EFIAPI +IsInValidList ( + IN UINT32 Value, + IN UINT32 *ValidList, + IN UINT32 ValidListLength + ) +{ + UINT32 index; + + if (ValidList =3D=3D NULL) { + return FALSE; + } + + for (index =3D 0; index < ValidListLength; index++) { + if (ValidList[index] =3D=3D Value) { + return TRUE; + } + } + + return FALSE; +} + +/** + Check the integrity of VMM Hob List. + + @param[in] VmmHobList A pointer to Hob List + + @retval TRUE The Hob List is valid. + @retval FALSE The Hob List is invalid. + +**/ +STATIC +BOOLEAN +EFIAPI +ValidateHobList ( + IN CONST VOID *VmmHobList + ) +{ + EFI_PEI_HOB_POINTERS Hob; + UINT32 EFI_BOOT_MODE_LIST[] =3D { + BOOT_WITH_FULL_CONFIGURATION, + BOOT_WITH_MINIMAL_CONFIGURATION, + BOOT_ASSUMING_NO_CONFIGURATION_CHANGES, + BOOT_WITH_FULL_CONFIGURATION_PLUS_DIAGNOSTICS, + BOOT_WITH_DEFAULT_SETTINGS, + BOOT_ON_S4_RESUME, + BOOT_ON_S5_RESUME, + BOOT_WITH_MFG_MODE_SETTINGS, + BOOT_ON_S2_RESUME, + BOOT_ON_S3_RESUME, + BOOT_ON_FLASH_UPDATE, + BOOT_IN_RECOVERY_MODE + }; + + UINT32 EFI_RESOURCE_TYPE_LIST[] =3D { + EFI_RESOURCE_SYSTEM_MEMORY, + EFI_RESOURCE_MEMORY_MAPPED_IO, + EFI_RESOURCE_IO, + EFI_RESOURCE_FIRMWARE_DEVICE, + EFI_RESOURCE_MEMORY_MAPPED_IO_PORT, + EFI_RESOURCE_MEMORY_RESERVED, + EFI_RESOURCE_IO_RESERVED, + BZ3937_EFI_RESOURCE_MEMORY_UNACCEPTED + }; + + if (VmmHobList =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "HOB: HOB data pointer is NULL\n")); + return FALSE; + } + + Hob.Raw =3D (UINT8 *)VmmHobList; + + // + // Parse the HOB list until end of list or matching type is found. + // + while (!END_OF_HOB_LIST (Hob)) { + if (Hob.Header->Reserved !=3D (UINT32)0) { + DEBUG ((DEBUG_ERROR, "HOB: Hob header Reserved filed should be zero\= n")); + return FALSE; + } + + if (Hob.Header->HobLength =3D=3D 0) { + DEBUG ((DEBUG_ERROR, "HOB: Hob header LEANGTH should not be zero\n")= ); + return FALSE; + } + + switch (Hob.Header->HobType) { + case EFI_HOB_TYPE_HANDOFF: + if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_HANDOFF_INFO_TABLE)= ) { + DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_HANDOFF)); + return FALSE; + } + + if (IsInValidList (Hob.HandoffInformationTable->BootMode, EFI_BOOT= _MODE_LIST, ARRAY_SIZE (EFI_BOOT_MODE_LIST)) =3D=3D FALSE) { + DEBUG ((DEBUG_ERROR, "HOB: Unknow HandoffInformationTable BootMo= de type. Type: 0x%08x\n", Hob.HandoffInformationTable->BootMode)); + return FALSE; + } + + if ((Hob.HandoffInformationTable->EfiFreeMemoryTop % 4096) !=3D 0)= { + DEBUG ((DEBUG_ERROR, "HOB: HandoffInformationTable EfiFreeMemory= Top address must be 4-KB aligned to meet page restrictions of UEFI.\ + Address: 0x%016lx\n", Hob.HandoffInformatio= nTable->EfiFreeMemoryTop)); + return FALSE; + } + + break; + + case EFI_HOB_TYPE_RESOURCE_DESCRIPTOR: + if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_RESOURCE_DESCRIPTOR= )) { + DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_RESOURCE_DESCRIPTOR)); + return FALSE; + } + + if (IsInValidList (Hob.ResourceDescriptor->ResourceType, EFI_RESOU= RCE_TYPE_LIST, ARRAY_SIZE (EFI_RESOURCE_TYPE_LIST)) =3D=3D FALSE) { + DEBUG ((DEBUG_ERROR, "HOB: Unknow ResourceDescriptor ResourceTyp= e type. Type: 0x%08x\n", Hob.ResourceDescriptor->ResourceType)); + return FALSE; + } + + if ((Hob.ResourceDescriptor->ResourceAttribute & (~(EFI_RESOURCE_A= TTRIBUTE_PRESENT | + EFI_RESOURCE_A= TTRIBUTE_INITIALIZED | + EFI_RESOURCE_A= TTRIBUTE_TESTED | + EFI_RESOURCE_A= TTRIBUTE_READ_PROTECTED | + EFI_RESOURCE_A= TTRIBUTE_WRITE_PROTECTED | + EFI_RESOURCE_A= TTRIBUTE_EXECUTION_PROTECTED | + EFI_RESOURCE_A= TTRIBUTE_PERSISTENT | + EFI_RESOURCE_A= TTRIBUTE_SINGLE_BIT_ECC | + EFI_RESOURCE_A= TTRIBUTE_MULTIPLE_BIT_ECC | + EFI_RESOURCE_A= TTRIBUTE_ECC_RESERVED_1 | + EFI_RESOURCE_A= TTRIBUTE_ECC_RESERVED_2 | + EFI_RESOURCE_A= TTRIBUTE_UNCACHEABLE | + EFI_RESOURCE_A= TTRIBUTE_WRITE_COMBINEABLE | + EFI_RESOURCE_A= TTRIBUTE_WRITE_THROUGH_CACHEABLE | + EFI_RESOURCE_A= TTRIBUTE_WRITE_BACK_CACHEABLE | + EFI_RESOURCE_A= TTRIBUTE_16_BIT_IO | + EFI_RESOURCE_A= TTRIBUTE_32_BIT_IO | + EFI_RESOURCE_A= TTRIBUTE_64_BIT_IO | + EFI_RESOURCE_A= TTRIBUTE_UNCACHED_EXPORTED | + EFI_RESOURCE_A= TTRIBUTE_READ_PROTECTABLE | + EFI_RESOURCE_A= TTRIBUTE_WRITE_PROTECTABLE | + EFI_RESOURCE_A= TTRIBUTE_EXECUTION_PROTECTABLE | + EFI_RESOURCE_A= TTRIBUTE_PERSISTABLE | + EFI_RESOURCE_A= TTRIBUTE_READ_ONLY_PROTECTED | + EFI_RESOURCE_A= TTRIBUTE_READ_ONLY_PROTECTABLE | + EFI_RESOURCE_A= TTRIBUTE_MORE_RELIABLE))) !=3D 0) + { + DEBUG ((DEBUG_ERROR, "HOB: Unknow ResourceDescriptor ResourceAtt= ribute type. Type: 0x%08x\n", Hob.ResourceDescriptor->ResourceAttribute)); + return FALSE; + } + + break; + + // EFI_HOB_GUID_TYPE is variable length data, so skip check + case EFI_HOB_TYPE_GUID_EXTENSION: + break; + + case EFI_HOB_TYPE_FV: + if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_FIRMWARE_VOLUME)) { + DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_FV)); + return FALSE; + } + + break; + + case EFI_HOB_TYPE_FV2: + if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_FIRMWARE_VOLUME2)) { + DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_FV2)); + return FALSE; + } + + break; + + case EFI_HOB_TYPE_FV3: + if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_FIRMWARE_VOLUME3)) { + DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_FV3)); + return FALSE; + } + + break; + + case EFI_HOB_TYPE_CPU: + if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_CPU)) { + DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_CPU)); + return FALSE; + } + + for (UINT32 index =3D 0; index < 6; index++) { + if (Hob.Cpu->Reserved[index] !=3D 0) { + DEBUG ((DEBUG_ERROR, "HOB: Cpu Reserved field will always be s= et to zero.\n")); + return FALSE; + } + } + + break; + + default: + DEBUG ((DEBUG_ERROR, "HOB: Hob type is not know. Type: 0x%04x\n", = Hob.Header->HobType)); + return FALSE; + } + + // Get next HOB + Hob.Raw =3D (UINT8 *)(Hob.Raw + Hob.Header->HobLength); + } + + return TRUE; +} + +/** + Processing the incoming HobList for the TDX + + Firmware must parse list, and accept the pages of memory before their ca= n be + use by the guest. + + @param[in] VmmHobList The Hoblist pass the firmware + + @retval EFI_SUCCESS Process the HobList successfully + @retval Others Other errors as indicated + +**/ +STATIC +EFI_STATUS +EFIAPI +ProcessHobList ( + IN CONST VOID *VmmHobList + ) +{ + EFI_STATUS Status; + UINT32 CpusNum; + EFI_PHYSICAL_ADDRESS PhysicalEnd; + EFI_PHYSICAL_ADDRESS APsStackStartAddress; + + CpusNum =3D GetCpusNum (); + + // + // If there are mutli-vCPU in a TDX guest, accept memory is split into 2= phases. + // Phase-1 accepts a small piece of memory by BSP. This piece of memory + // is used to setup AP's stack. + // After that phase-2 accepts a big piece of memory by BSP/APs. + // + // TDVF supports 4K and 2M accept-page-size. The memory which can be acc= peted + // in 2M accept-page-size must be 2M aligned and multiple 2M. So we align + // APsStackSize to 2M size aligned. + // + if (CpusNum > 1) { + Status =3D AcceptMemoryForAPsStack (VmmHobList, APS_STACK_SIZE (CpusNu= m), &PhysicalEnd); + ASSERT (Status =3D=3D EFI_SUCCESS); + APsStackStartAddress =3D PhysicalEnd - APS_STACK_SIZE (CpusNum); + } else { + PhysicalEnd =3D 0; + APsStackStartAddress =3D 0; + } + + Status =3D AcceptMemory (VmmHobList, CpusNum, APsStackStartAddress, Phys= icalEnd); + ASSERT (Status =3D=3D EFI_SUCCESS); + + return Status; +} + /** In Tdx guest, some information need to be passed from host VMM to guest firmware. For example, the memory resource, etc. These information are @@ -50,7 +773,36 @@ TdxHelperProcessTdHob ( VOID ) { - return EFI_UNSUPPORTED; + EFI_STATUS Status; + VOID *TdHob; + TD_RETURN_DATA TdReturnData; + + TdHob =3D (VOID *)(UINTN)FixedPcdGet32 (PcdOvmfSecGhcbBase); + Status =3D TdCall (TDCALL_TDINFO, 0, 0, 0, &TdReturnData); + if (EFI_ERROR (Status)) { + return Status; + } + + DEBUG (( + DEBUG_INFO, + "Intel Tdx Started with (GPAW: %d, Cpus: %d)\n", + TdReturnData.TdInfo.Gpaw, + TdReturnData.TdInfo.NumVcpus + )); + + // + // Validate HobList + // + if (ValidateHobList (TdHob) =3D=3D FALSE) { + return EFI_INVALID_PARAMETER; + } + + // + // Process Hoblist to accept memory + // + Status =3D ProcessHobList (TdHob); + + return Status; } =20 // diff --git a/OvmfPkg/Library/PlatformInitLib/IntelTdx.c b/OvmfPkg/Library/P= latformInitLib/IntelTdx.c index 6cb63139cba0..ada8592ddd5a 100644 --- a/OvmfPkg/Library/PlatformInitLib/IntelTdx.c +++ b/OvmfPkg/Library/PlatformInitLib/IntelTdx.c @@ -16,779 +16,11 @@ #include #include #include -#include -#include #include -#include -#include -#include #include #include #include =20 -#define ALIGNED_2MB_MASK 0x1fffff -#define MEGABYTE_SHIFT 20 - -#define ACCEPT_CHUNK_SIZE SIZE_32MB -#define AP_STACK_SIZE SIZE_16KB -#define APS_STACK_SIZE(CpusNum) (ALIGN_VALUE(CpusNum*AP_STACK_SIZE, SIZE_= 2MB)) - -/** - This function will be called to accept pages. Only BSP accepts pages. - - TDCALL(ACCEPT_PAGE) supports the accept page size of 4k and 2M. To - simplify the implementation, the Memory to be accpeted is splitted - into 3 parts: - ----------------- <-- StartAddress1 (not 2M aligned) - | part 1 | Length1 < 2M - |---------------| <-- StartAddress2 (2M aligned) - | | Length2 =3D Integer multiples of 2M - | part 2 | - | | - |---------------| <-- StartAddress3 - | part 3 | Length3 < 2M - |---------------| - - @param[in] PhysicalAddress Start physical adress - @param[in] PhysicalEnd End physical address - - @retval EFI_SUCCESS Accept memory successfully - @retval Others Other errors as indicated -**/ -EFI_STATUS -EFIAPI -BspAcceptMemoryResourceRange ( - IN EFI_PHYSICAL_ADDRESS PhysicalAddress, - IN EFI_PHYSICAL_ADDRESS PhysicalEnd - ) -{ - EFI_STATUS Status; - UINT32 AcceptPageSize; - UINT64 StartAddress1; - UINT64 StartAddress2; - UINT64 StartAddress3; - UINT64 TotalLength; - UINT64 Length1; - UINT64 Length2; - UINT64 Length3; - UINT64 Pages; - - AcceptPageSize =3D FixedPcdGet32 (PcdTdxAcceptPageSize); - TotalLength =3D PhysicalEnd - PhysicalAddress; - StartAddress1 =3D 0; - StartAddress2 =3D 0; - StartAddress3 =3D 0; - Length1 =3D 0; - Length2 =3D 0; - Length3 =3D 0; - - if (TotalLength =3D=3D 0) { - return EFI_SUCCESS; - } - - if (ALIGN_VALUE (PhysicalAddress, SIZE_2MB) !=3D PhysicalAddress) { - StartAddress1 =3D PhysicalAddress; - Length1 =3D ALIGN_VALUE (PhysicalAddress, SIZE_2MB) - PhysicalAd= dress; - if (Length1 >=3D TotalLength) { - Length1 =3D TotalLength; - } - - PhysicalAddress +=3D Length1; - TotalLength -=3D Length1; - } - - if (TotalLength > SIZE_2MB) { - StartAddress2 =3D PhysicalAddress; - Length2 =3D TotalLength & ~(UINT64)ALIGNED_2MB_MASK; - PhysicalAddress +=3D Length2; - TotalLength -=3D Length2; - } - - if (TotalLength) { - StartAddress3 =3D PhysicalAddress; - Length3 =3D TotalLength; - } - - Status =3D EFI_SUCCESS; - if (Length1 > 0) { - Pages =3D Length1 / SIZE_4KB; - Status =3D TdAcceptPages (StartAddress1, Pages, SIZE_4KB); - if (EFI_ERROR (Status)) { - return Status; - } - } - - if (Length2 > 0) { - Pages =3D Length2 / AcceptPageSize; - Status =3D TdAcceptPages (StartAddress2, Pages, AcceptPageSize); - if (EFI_ERROR (Status)) { - return Status; - } - } - - if (Length3 > 0) { - Pages =3D Length3 / SIZE_4KB; - Status =3D TdAcceptPages (StartAddress3, Pages, SIZE_4KB); - ASSERT (!EFI_ERROR (Status)); - if (EFI_ERROR (Status)) { - return Status; - } - } - - return Status; -} - -/** - * This function is called by BSP and APs to accept memory. - * Note: - * The input PhysicalStart/PhysicalEnd indicates the whole memory region - * to be accepted. BSP or AP only accepts one piece in the whole memory re= gion. - * - * @param CpuIndex vCPU index - * @param CpusNum Total vCPU number of a Tdx guest - * @param PhysicalStart Start address of a memory region which is to be = accepted - * @param PhysicalEnd End address of a memory region which is to be ac= cepted - * - * @retval EFI_SUCCESS Successfully accept the memory - * @retval Other Other errors as indicated - */ -STATIC -EFI_STATUS -EFIAPI -BspApAcceptMemoryResourceRange ( - UINT32 CpuIndex, - UINT32 CpusNum, - EFI_PHYSICAL_ADDRESS PhysicalStart, - EFI_PHYSICAL_ADDRESS PhysicalEnd - ) -{ - UINT64 Status; - UINT64 Pages; - UINT64 Stride; - UINT64 AcceptPageSize; - EFI_PHYSICAL_ADDRESS PhysicalAddress; - - AcceptPageSize =3D (UINT64)(UINTN)FixedPcdGet32 (PcdTdxAcceptPageSize); - - Status =3D EFI_SUCCESS; - Stride =3D (UINTN)CpusNum * ACCEPT_CHUNK_SIZE; - PhysicalAddress =3D PhysicalStart + ACCEPT_CHUNK_SIZE * (UINTN)CpuIndex; - - while (!EFI_ERROR (Status) && PhysicalAddress < PhysicalEnd) { - Pages =3D MIN (ACCEPT_CHUNK_SIZE, PhysicalEnd - PhysicalAddress) / Ac= ceptPageSize; - Status =3D TdAcceptPages (PhysicalAddress, Pages, (UINT32)(UINTN)Accep= tPageSize); - ASSERT (!EFI_ERROR (Status)); - PhysicalAddress +=3D Stride; - } - - return EFI_SUCCESS; -} - -/** - * This function is called by APs to accept memory. - * - * @param CpuIndex vCPU index of an AP - * @param PhysicalStart Start address of a memory region which is to be = accepted - * @param PhysicalEnd End address of a memory region which is to be ac= cepted - * - * @retval EFI_SUCCESS Successfully accept the memory - * @retval Others Other errors as indicated - */ -STATIC -EFI_STATUS -EFIAPI -ApAcceptMemoryResourceRange ( - UINT32 CpuIndex, - EFI_PHYSICAL_ADDRESS PhysicalStart, - EFI_PHYSICAL_ADDRESS PhysicalEnd - ) -{ - UINT64 Status; - TD_RETURN_DATA TdReturnData; - - Status =3D TdCall (TDCALL_TDINFO, 0, 0, 0, &TdReturnData); - if (Status !=3D TDX_EXIT_REASON_SUCCESS) { - ASSERT (FALSE); - return EFI_ABORTED; - } - - if ((CpuIndex =3D=3D 0) || (CpuIndex >=3D TdReturnData.TdInfo.NumVcpus))= { - ASSERT (FALSE); - return EFI_ABORTED; - } - - return BspApAcceptMemoryResourceRange (CpuIndex, TdReturnData.TdInfo.Num= Vcpus, PhysicalStart, PhysicalEnd); -} - -/** - * This function is called by BSP. It coordinates BSP/APs to accept memory= together. - * - * @param PhysicalStart Start address of a memory region which is to b= e accepted - * @param PhysicalEnd End address of a memory region which is to be = accepted - * @param APsStackAddress APs stack address - * @param CpusNum Total vCPU number of the Tdx guest - * - * @retval EFI_SUCCESS Successfully accept the memory - * @retval Others Other errors as indicated - */ -EFI_STATUS -EFIAPI -MpAcceptMemoryResourceRange ( - IN EFI_PHYSICAL_ADDRESS PhysicalStart, - IN EFI_PHYSICAL_ADDRESS PhysicalEnd, - IN OUT EFI_PHYSICAL_ADDRESS APsStackAddress, - IN UINT32 CpusNum - ) -{ - UINT64 Length; - EFI_STATUS Status; - - Length =3D PhysicalEnd - PhysicalStart; - - DEBUG ((DEBUG_INFO, "MpAccept : 0x%llx - 0x%llx (0x%llx)\n", PhysicalSta= rt, PhysicalEnd, Length)); - - if (Length =3D=3D 0) { - return EFI_SUCCESS; - } - - // - // The start address is not 2M aligned. BSP first accept the part which = is not 2M aligned. - // - if (ALIGN_VALUE (PhysicalStart, SIZE_2MB) !=3D PhysicalStart) { - Length =3D MIN (ALIGN_VALUE (PhysicalStart, SIZE_2MB) - PhysicalStart,= Length); - Status =3D BspAcceptMemoryResourceRange (PhysicalStart, PhysicalStart = + Length); - ASSERT (Status =3D=3D EFI_SUCCESS); - - PhysicalStart +=3D Length; - Length =3D PhysicalEnd - PhysicalStart; - } - - if (Length =3D=3D 0) { - return EFI_SUCCESS; - } - - // - // BSP will accept the memory by itself if the memory is not big enough = compared with a chunk. - // - if (Length <=3D ACCEPT_CHUNK_SIZE) { - return BspAcceptMemoryResourceRange (PhysicalStart, PhysicalEnd); - } - - // - // Now APs are asked to accept the memory together. - // - MpSerializeStart (); - - MpSendWakeupCommand ( - MpProtectedModeWakeupCommandAcceptPages, - (UINT64)(UINTN)ApAcceptMemoryResourceRange, - PhysicalStart, - PhysicalEnd, - APsStackAddress, - AP_STACK_SIZE - ); - - // - // Now BSP does its job. - // - BspApAcceptMemoryResourceRange (0, CpusNum, PhysicalStart, PhysicalEnd); - - MpSerializeEnd (); - - return EFI_SUCCESS; -} - -/** - BSP accept a small piece of memory which will be used as APs stack. - - @param[in] VmmHobList The Hoblist pass the firmware - @param[in] APsStackSize APs stack size - @param[out] PhysicalAddressEnd The physical end address of accepted m= emory in phase-1 - - @retval EFI_SUCCESS Process the HobList successfully - @retval Others Other errors as indicated -**/ -EFI_STATUS -EFIAPI -AcceptMemoryForAPsStack ( - IN CONST VOID *VmmHobList, - IN UINT32 APsStackSize, - OUT EFI_PHYSICAL_ADDRESS *PhysicalAddressEnd - ) -{ - EFI_STATUS Status; - EFI_PEI_HOB_POINTERS Hob; - EFI_PHYSICAL_ADDRESS PhysicalEnd; - EFI_PHYSICAL_ADDRESS PhysicalStart; - UINT64 ResourceLength; - BOOLEAN MemoryRegionFound; - - ASSERT (VmmHobList !=3D NULL); - - Status =3D EFI_SUCCESS; - Hob.Raw =3D (UINT8 *)VmmHobList; - MemoryRegionFound =3D FALSE; - - DEBUG ((DEBUG_INFO, "AcceptMemoryForAPsStack with APsStackSize=3D0x%x\n"= , APsStackSize)); - - // - // Parse the HOB list until end of list or matching type is found. - // - while (!END_OF_HOB_LIST (Hob) && !MemoryRegionFound) { - if (Hob.Header->HobType =3D=3D EFI_HOB_TYPE_RESOURCE_DESCRIPTOR) { - DEBUG ((DEBUG_INFO, "\nResourceType: 0x%x\n", Hob.ResourceDescriptor= ->ResourceType)); - - if (Hob.ResourceDescriptor->ResourceType =3D=3D BZ3937_EFI_RESOURCE_= MEMORY_UNACCEPTED) { - ResourceLength =3D Hob.ResourceDescriptor->ResourceLength; - PhysicalStart =3D Hob.ResourceDescriptor->PhysicalStart; - PhysicalEnd =3D PhysicalStart + ResourceLength; - - DEBUG ((DEBUG_INFO, "ResourceAttribute: 0x%x\n", Hob.ResourceDescr= iptor->ResourceAttribute)); - DEBUG ((DEBUG_INFO, "PhysicalStart: 0x%llx\n", PhysicalStart)); - DEBUG ((DEBUG_INFO, "ResourceLength: 0x%llx\n", ResourceLength)); - DEBUG ((DEBUG_INFO, "Owner: %g\n\n", &Hob.ResourceDescriptor->Owne= r)); - - if (ResourceLength >=3D APsStackSize) { - MemoryRegionFound =3D TRUE; - if (ResourceLength > ACCEPT_CHUNK_SIZE) { - PhysicalEnd =3D Hob.ResourceDescriptor->PhysicalStart + APsSta= ckSize; - } - } - - Status =3D BspAcceptMemoryResourceRange ( - Hob.ResourceDescriptor->PhysicalStart, - PhysicalEnd - ); - if (EFI_ERROR (Status)) { - break; - } - } - } - - Hob.Raw =3D GET_NEXT_HOB (Hob); - } - - ASSERT (MemoryRegionFound); - *PhysicalAddressEnd =3D PhysicalEnd; - - return Status; -} - -/** - BSP and APs work togeter to accept memory which is under the address of = 4G. - - @param[in] VmmHobList The Hoblist pass the firmware - @param[in] CpusNum Number of vCPUs - @param[in] APsStackStartAddres Start address of APs stack - @param[in] PhysicalAddressStart Start physical address which to be accep= ted - - @retval EFI_SUCCESS Process the HobList successfully - @retval Others Other errors as indicated -**/ -EFI_STATUS -EFIAPI -AcceptMemory ( - IN CONST VOID *VmmHobList, - IN UINT32 CpusNum, - IN EFI_PHYSICAL_ADDRESS APsStackStartAddress, - IN EFI_PHYSICAL_ADDRESS PhysicalAddressStart - ) -{ - EFI_STATUS Status; - EFI_PEI_HOB_POINTERS Hob; - EFI_PHYSICAL_ADDRESS PhysicalStart; - EFI_PHYSICAL_ADDRESS PhysicalEnd; - EFI_PHYSICAL_ADDRESS AcceptMemoryEndAddress; - - Status =3D EFI_SUCCESS; - AcceptMemoryEndAddress =3D BASE_4GB; - - ASSERT (VmmHobList !=3D NULL); - Hob.Raw =3D (UINT8 *)VmmHobList; - - DEBUG ((DEBUG_INFO, "AcceptMemory under address of 4G\n")); - - // - // Parse the HOB list until end of list or matching type is found. - // - while (!END_OF_HOB_LIST (Hob)) { - if (Hob.Header->HobType =3D=3D EFI_HOB_TYPE_RESOURCE_DESCRIPTOR) { - if (Hob.ResourceDescriptor->ResourceType =3D=3D BZ3937_EFI_RESOURCE_= MEMORY_UNACCEPTED) { - PhysicalStart =3D Hob.ResourceDescriptor->PhysicalStart; - PhysicalEnd =3D PhysicalStart + Hob.ResourceDescriptor->Resource= Length; - - if (PhysicalEnd <=3D PhysicalAddressStart) { - // this memory region has been accepted. Skipped it. - Hob.Raw =3D GET_NEXT_HOB (Hob); - continue; - } - - if (PhysicalStart >=3D AcceptMemoryEndAddress) { - // this memory region is not to be accepted. And we're done. - break; - } - - if (PhysicalStart >=3D PhysicalAddressStart) { - // this memory region has not been acceted. - } else if ((PhysicalStart < PhysicalAddressStart) && (PhysicalEnd = > PhysicalAddressStart)) { - // part of the memory region has been accepted. - PhysicalStart =3D PhysicalAddressStart; - } - - // then compare the PhysicalEnd with AcceptMemoryEndAddress - if (PhysicalEnd >=3D AcceptMemoryEndAddress) { - PhysicalEnd =3D AcceptMemoryEndAddress; - } - - DEBUG ((DEBUG_INFO, "ResourceAttribute: 0x%x\n", Hob.ResourceDescr= iptor->ResourceAttribute)); - DEBUG ((DEBUG_INFO, "PhysicalStart: 0x%llx\n", Hob.ResourceDescrip= tor->PhysicalStart)); - DEBUG ((DEBUG_INFO, "ResourceLength: 0x%llx\n", Hob.ResourceDescri= ptor->ResourceLength)); - DEBUG ((DEBUG_INFO, "Owner: %g\n\n", &Hob.ResourceDescriptor->Owne= r)); - - // Now we're ready to accept memory [PhysicalStart, PhysicalEnd) - if (CpusNum =3D=3D 1) { - Status =3D BspAcceptMemoryResourceRange (PhysicalStart, Physical= End); - } else { - Status =3D MpAcceptMemoryResourceRange ( - PhysicalStart, - PhysicalEnd, - APsStackStartAddress, - CpusNum - ); - } - - if (EFI_ERROR (Status)) { - ASSERT (FALSE); - break; - } - - if (PhysicalEnd =3D=3D AcceptMemoryEndAddress) { - break; - } - } - } - - Hob.Raw =3D GET_NEXT_HOB (Hob); - } - - return Status; -} - -/** - Check the value whether in the valid list. - - @param[in] Value A value - @param[in] ValidList A pointer to valid list - @param[in] ValidListLength Length of valid list - - @retval TRUE The value is in valid list. - @retval FALSE The value is not in valid list. - -**/ -BOOLEAN -EFIAPI -IsInValidList ( - IN UINT32 Value, - IN UINT32 *ValidList, - IN UINT32 ValidListLength - ) -{ - UINT32 index; - - if (ValidList =3D=3D NULL) { - return FALSE; - } - - for (index =3D 0; index < ValidListLength; index++) { - if (ValidList[index] =3D=3D Value) { - return TRUE; - } - } - - return FALSE; -} - -/** - Check the integrity of VMM Hob List. - - @param[in] VmmHobList A pointer to Hob List - - @retval TRUE The Hob List is valid. - @retval FALSE The Hob List is invalid. - -**/ -BOOLEAN -EFIAPI -ValidateHobList ( - IN CONST VOID *VmmHobList - ) -{ - EFI_PEI_HOB_POINTERS Hob; - UINT32 EFI_BOOT_MODE_LIST[] =3D { - BOOT_WITH_FULL_CONFIGURATION, - BOOT_WITH_MINIMAL_CONFIGURATION, - BOOT_ASSUMING_NO_CONFIGURATION_CHANGES, - BOOT_WITH_FULL_CONFIGURATION_PLUS_DIAGNOSTICS, - BOOT_WITH_DEFAULT_SETTINGS, - BOOT_ON_S4_RESUME, - BOOT_ON_S5_RESUME, - BOOT_WITH_MFG_MODE_SETTINGS, - BOOT_ON_S2_RESUME, - BOOT_ON_S3_RESUME, - BOOT_ON_FLASH_UPDATE, - BOOT_IN_RECOVERY_MODE - }; - - UINT32 EFI_RESOURCE_TYPE_LIST[] =3D { - EFI_RESOURCE_SYSTEM_MEMORY, - EFI_RESOURCE_MEMORY_MAPPED_IO, - EFI_RESOURCE_IO, - EFI_RESOURCE_FIRMWARE_DEVICE, - EFI_RESOURCE_MEMORY_MAPPED_IO_PORT, - EFI_RESOURCE_MEMORY_RESERVED, - EFI_RESOURCE_IO_RESERVED, - BZ3937_EFI_RESOURCE_MEMORY_UNACCEPTED - }; - - if (VmmHobList =3D=3D NULL) { - DEBUG ((DEBUG_ERROR, "HOB: HOB data pointer is NULL\n")); - return FALSE; - } - - Hob.Raw =3D (UINT8 *)VmmHobList; - - // - // Parse the HOB list until end of list or matching type is found. - // - while (!END_OF_HOB_LIST (Hob)) { - if (Hob.Header->Reserved !=3D (UINT32)0) { - DEBUG ((DEBUG_ERROR, "HOB: Hob header Reserved filed should be zero\= n")); - return FALSE; - } - - if (Hob.Header->HobLength =3D=3D 0) { - DEBUG ((DEBUG_ERROR, "HOB: Hob header LEANGTH should not be zero\n")= ); - return FALSE; - } - - switch (Hob.Header->HobType) { - case EFI_HOB_TYPE_HANDOFF: - if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_HANDOFF_INFO_TABLE)= ) { - DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_HANDOFF)); - return FALSE; - } - - if (IsInValidList (Hob.HandoffInformationTable->BootMode, EFI_BOOT= _MODE_LIST, ARRAY_SIZE (EFI_BOOT_MODE_LIST)) =3D=3D FALSE) { - DEBUG ((DEBUG_ERROR, "HOB: Unknow HandoffInformationTable BootMo= de type. Type: 0x%08x\n", Hob.HandoffInformationTable->BootMode)); - return FALSE; - } - - if ((Hob.HandoffInformationTable->EfiFreeMemoryTop % 4096) !=3D 0)= { - DEBUG ((DEBUG_ERROR, "HOB: HandoffInformationTable EfiFreeMemory= Top address must be 4-KB aligned to meet page restrictions of UEFI.\ - Address: 0x%016lx\n", Hob.HandoffInformatio= nTable->EfiFreeMemoryTop)); - return FALSE; - } - - break; - - case EFI_HOB_TYPE_RESOURCE_DESCRIPTOR: - if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_RESOURCE_DESCRIPTOR= )) { - DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_RESOURCE_DESCRIPTOR)); - return FALSE; - } - - if (IsInValidList (Hob.ResourceDescriptor->ResourceType, EFI_RESOU= RCE_TYPE_LIST, ARRAY_SIZE (EFI_RESOURCE_TYPE_LIST)) =3D=3D FALSE) { - DEBUG ((DEBUG_ERROR, "HOB: Unknow ResourceDescriptor ResourceTyp= e type. Type: 0x%08x\n", Hob.ResourceDescriptor->ResourceType)); - return FALSE; - } - - if ((Hob.ResourceDescriptor->ResourceAttribute & (~(EFI_RESOURCE_A= TTRIBUTE_PRESENT | - EFI_RESOURCE_A= TTRIBUTE_INITIALIZED | - EFI_RESOURCE_A= TTRIBUTE_TESTED | - EFI_RESOURCE_A= TTRIBUTE_READ_PROTECTED | - EFI_RESOURCE_A= TTRIBUTE_WRITE_PROTECTED | - EFI_RESOURCE_A= TTRIBUTE_EXECUTION_PROTECTED | - EFI_RESOURCE_A= TTRIBUTE_PERSISTENT | - EFI_RESOURCE_A= TTRIBUTE_SINGLE_BIT_ECC | - EFI_RESOURCE_A= TTRIBUTE_MULTIPLE_BIT_ECC | - EFI_RESOURCE_A= TTRIBUTE_ECC_RESERVED_1 | - EFI_RESOURCE_A= TTRIBUTE_ECC_RESERVED_2 | - EFI_RESOURCE_A= TTRIBUTE_UNCACHEABLE | - EFI_RESOURCE_A= TTRIBUTE_WRITE_COMBINEABLE | - EFI_RESOURCE_A= TTRIBUTE_WRITE_THROUGH_CACHEABLE | - EFI_RESOURCE_A= TTRIBUTE_WRITE_BACK_CACHEABLE | - EFI_RESOURCE_A= TTRIBUTE_16_BIT_IO | - EFI_RESOURCE_A= TTRIBUTE_32_BIT_IO | - EFI_RESOURCE_A= TTRIBUTE_64_BIT_IO | - EFI_RESOURCE_A= TTRIBUTE_UNCACHED_EXPORTED | - EFI_RESOURCE_A= TTRIBUTE_READ_PROTECTABLE | - EFI_RESOURCE_A= TTRIBUTE_WRITE_PROTECTABLE | - EFI_RESOURCE_A= TTRIBUTE_EXECUTION_PROTECTABLE | - EFI_RESOURCE_A= TTRIBUTE_PERSISTABLE | - EFI_RESOURCE_A= TTRIBUTE_READ_ONLY_PROTECTED | - EFI_RESOURCE_A= TTRIBUTE_READ_ONLY_PROTECTABLE | - EFI_RESOURCE_A= TTRIBUTE_MORE_RELIABLE))) !=3D 0) - { - DEBUG ((DEBUG_ERROR, "HOB: Unknow ResourceDescriptor ResourceAtt= ribute type. Type: 0x%08x\n", Hob.ResourceDescriptor->ResourceAttribute)); - return FALSE; - } - - break; - - // EFI_HOB_GUID_TYPE is variable length data, so skip check - case EFI_HOB_TYPE_GUID_EXTENSION: - break; - - case EFI_HOB_TYPE_FV: - if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_FIRMWARE_VOLUME)) { - DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_FV)); - return FALSE; - } - - break; - - case EFI_HOB_TYPE_FV2: - if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_FIRMWARE_VOLUME2)) { - DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_FV2)); - return FALSE; - } - - break; - - case EFI_HOB_TYPE_FV3: - if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_FIRMWARE_VOLUME3)) { - DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_FV3)); - return FALSE; - } - - break; - - case EFI_HOB_TYPE_CPU: - if (Hob.Header->HobLength !=3D sizeof (EFI_HOB_CPU)) { - DEBUG ((DEBUG_ERROR, "HOB: Hob length is not equal corresponding= hob structure. Type: 0x%04x\n", EFI_HOB_TYPE_CPU)); - return FALSE; - } - - for (UINT32 index =3D 0; index < 6; index++) { - if (Hob.Cpu->Reserved[index] !=3D 0) { - DEBUG ((DEBUG_ERROR, "HOB: Cpu Reserved field will always be s= et to zero.\n")); - return FALSE; - } - } - - break; - - default: - DEBUG ((DEBUG_ERROR, "HOB: Hob type is not know. Type: 0x%04x\n", = Hob.Header->HobType)); - return FALSE; - } - - // Get next HOB - Hob.Raw =3D (UINT8 *)(Hob.Raw + Hob.Header->HobLength); - } - - return TRUE; -} - -/** - Processing the incoming HobList for the TDX - - Firmware must parse list, and accept the pages of memory before their ca= n be - use by the guest. - - @param[in] VmmHobList The Hoblist pass the firmware - - @retval EFI_SUCCESS Process the HobList successfully - @retval Others Other errors as indicated - -**/ -EFI_STATUS -EFIAPI -ProcessHobList ( - IN CONST VOID *VmmHobList - ) -{ - EFI_STATUS Status; - UINT32 CpusNum; - EFI_PHYSICAL_ADDRESS PhysicalEnd; - EFI_PHYSICAL_ADDRESS APsStackStartAddress; - - CpusNum =3D GetCpusNum (); - - // - // If there are mutli-vCPU in a TDX guest, accept memory is split into 2= phases. - // Phase-1 accepts a small piece of memory by BSP. This piece of memory - // is used to setup AP's stack. - // After that phase-2 accepts a big piece of memory by BSP/APs. - // - // TDVF supports 4K and 2M accept-page-size. The memory which can be acc= peted - // in 2M accept-page-size must be 2M aligned and multiple 2M. So we align - // APsStackSize to 2M size aligned. - // - if (CpusNum > 1) { - Status =3D AcceptMemoryForAPsStack (VmmHobList, APS_STACK_SIZE (CpusNu= m), &PhysicalEnd); - ASSERT (Status =3D=3D EFI_SUCCESS); - APsStackStartAddress =3D PhysicalEnd - APS_STACK_SIZE (CpusNum); - } else { - PhysicalEnd =3D 0; - APsStackStartAddress =3D 0; - } - - Status =3D AcceptMemory (VmmHobList, CpusNum, APsStackStartAddress, Phys= icalEnd); - ASSERT (Status =3D=3D EFI_SUCCESS); - - return Status; -} - -/** - In Tdx guest, some information need to be passed from host VMM to guest - firmware. For example, the memory resource, etc. These information are - prepared by host VMM and put in HobList which is described in TdxMetadat= a. - - Information in HobList is treated as external input. From the security - perspective before it is consumed, it should be validated. - - @retval EFI_SUCCESS Successfully process the hoblist - @retval Others Other error as indicated -**/ -EFI_STATUS -EFIAPI -ProcessTdxHobList ( - VOID - ) -{ - EFI_STATUS Status; - VOID *TdHob; - TD_RETURN_DATA TdReturnData; - - TdHob =3D (VOID *)(UINTN)FixedPcdGet32 (PcdOvmfSecGhcbBase); - Status =3D TdCall (TDCALL_TDINFO, 0, 0, 0, &TdReturnData); - if (EFI_ERROR (Status)) { - return Status; - } - - DEBUG (( - DEBUG_INFO, - "Intel Tdx Started with (GPAW: %d, Cpus: %d)\n", - TdReturnData.TdInfo.Gpaw, - TdReturnData.TdInfo.NumVcpus - )); - - // - // Validate HobList - // - if (ValidateHobList (TdHob) =3D=3D FALSE) { - return EFI_INVALID_PARAMETER; - } - - // - // Process Hoblist to accept memory - // - Status =3D ProcessHobList (TdHob); - - return Status; -} - /** * Build ResourceDescriptorHob for the unaccepted memory region. * This memory region may be splitted into 2 parts because of lazy accept. diff --git a/OvmfPkg/Library/PlatformInitLib/IntelTdxNull.c b/OvmfPkg/Libra= ry/PlatformInitLib/IntelTdxNull.c index 3ebe582af8de..7a7c2fb1f6f5 100644 --- a/OvmfPkg/Library/PlatformInitLib/IntelTdxNull.c +++ b/OvmfPkg/Library/PlatformInitLib/IntelTdxNull.c @@ -9,26 +9,6 @@ =20 #include =20 -/** - In Tdx guest, some information need to be passed from host VMM to guest - firmware. For example, the memory resource, etc. These information are - prepared by host VMM and put in HobList which is described in TdxMetadat= a. - - Information in HobList is treated as external input. From the security - perspective before it is consumed, it should be validated. - - @retval EFI_SUCCESS Successfully process the hoblist - @retval Others Other error as indicated -**/ -EFI_STATUS -EFIAPI -ProcessTdxHobList ( - VOID - ) -{ - return EFI_UNSUPPORTED; -} - /** In Tdx guest, the system memory is passed in TdHob by host VMM. So the major task of PlatformTdxPublishRamRegions is to walk thru the diff --git a/OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf b/OvmfPkg/= Library/PlatformInitLib/PlatformInitLib.inf index 140216979a54..86a82ad3e084 100644 --- a/OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf +++ b/OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf @@ -52,7 +52,6 @@ PcdLib PciLib PeiHardwareInfoLib - TdxMailboxLib =20 [LibraryClasses.X64] TdxLib --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98999): https://edk2.groups.io/g/devel/message/98999 Mute This Topic: https://groups.io/mt/96513462/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-