From: Dov Murik
To: devel@edk2.groups.io
Cc: Dov Murik, Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Laszlo Ersek, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky
Subject: [edk2-devel] [PATCH v1 5/8] OvmfPkg/AmdSev: Add library to find encrypted hashes for the FwCfg device
Date: Tue, 25 May 2021 05:31:13 +0000
Message-Id: <20210525053116.1533673-6-dovmurik@linux.ibm.com>
In-Reply-To: <20210525053116.1533673-1-dovmurik@linux.ibm.com>
References: <20210525053116.1533673-1-dovmurik@linux.ibm.com>

From: James Bottomley

The library finds and checks out the encrypted page from the memfd and installs a finder routine for GUID described hashes if it checks out OK.

Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Signed-off-by: James Bottomley
Signed-off-by: Dov Murik --- OvmfPkg/OvmfPkg.dec | 4 + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 + OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.inf | 34 ++++++ OvmfPkg/AmdSev/Include/Library/SevHashFinderLib.h | 47 ++++++++ OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.c | 126 +++++++= +++++++++++++ 5 files changed, 212 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 7cd29a60a436..36f0a2cb4cf9 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -18,8 +18,12 @@ [Defines] [Includes] Include Csm/Include + AmdSev/Include =20 [LibraryClasses] + ## @libraryclass Functions for extracting Sev Hashes from the MEMFD + SevHashFinderLib|AmdSev/Include/Library/SevHashFinderLib.h + ## @libraryclass Access bhyve's firmware control interface. BhyveFwCtlLib|Include/Library/BhyveFwCtlLib.h =20 diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index f820e81fad27..b4484ca07614 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -118,6 +118,7 @@ [SkuIds] !include MdePkg/MdeLibs.dsc.inc =20 [LibraryClasses] + SevHashFinderLib|OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLi= b.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseAcpiTimerLib.inf ResetSystemLib|OvmfPkg/Library/ResetSystemLib/BaseResetSystemLib.inf diff --git a/OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.inf b= /OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.inf new file mode 100644 index 000000000000..79ebf51baed0 --- /dev/null +++ b/OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.inf 
@@ -0,0 +1,34 @@ +## @file +# Provides the Secure Verification services for AMD SEV firmware config +# +# Copyright (C) 2021 James Bottomley, IBM Corporation. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SevHashFinderLib + FILE_GUID =3D d8ef4e22-991a-4134-b285-1d970cfe2ca6 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D SevHashFinderLib + CONSTRUCTOR =3D SevHashFinderLibConstructor + +[Sources] + SevHashFinderLib.c + +[Packages] + CryptoPkg/CryptoPkg.dec + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + +[LibraryClasses] + BaseCryptLib + BaseMemoryLib + PcdLib + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize diff --git a/OvmfPkg/AmdSev/Include/Library/SevHashFinderLib.h b/OvmfPkg/Am= dSev/Include/Library/SevHashFinderLib.h new file mode 100644 index 000000000000..79d5039a649b --- /dev/null +++ b/OvmfPkg/AmdSev/Include/Library/SevHashFinderLib.h 
@@ -0,0 +1,47 @@ +/** @file + Validate a hash against that in the Sev Hash table + + Copyright (C) 2021 James Bottomley, IBM Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef __SEV_HASH_FINDER_LIB_H__ +#define __SEV_HASH_FINDER_LIB_H__ + +/** + The Sev Hash table must be in encrypted memory and has the table + and its entries described by + + |UINT16 | + + With the whole table GUID being 9438d606-4f22-4cc9-b479-a793d411fd21 + + The current possible table entries are for the kernel, the initrd + and the cmdline: + + 4de79437-abd2-427f-b835-d5b172d2045b kernel + 44baf731-3a2f-4bd7-9af1-41e29169781d initrd + 97d02dd8-bd20-4c94-aa78-e7714d36ab2a cmdline + + The size of the entry is used to identify the hash, but the + expectation is that it will be 32 bytes of SHA-256. +**/ + +#define SEV_HASH_TABLE_GUID \ + (GUID) { 0x9438d606, 0x4f22, 0x4cc9, { 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x1= 1, 0xfd, 0x21 } } +#define SEV_KERNEL_HASH_GUID \ + (GUID) { 0x4de79437, 0xabd2, 0x427f, { 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd= 2, 0x04, 0x5b } } +#define SEV_INITRD_HASH_GUID \ + (GUID) { 0x44baf731, 0x3a2f, 0x4bd7, { 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x6= 9, 0x78, 0x1d } } +#define SEV_CMDLINE_HASH_GUID \ + (GUID) { 0x97d02dd8, 0xbd20, 0x4c94, { 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x3= 6, 0xab, 0x2a } } + +EFI_STATUS +EFIAPI +ValidateHashEntry ( + IN CONST GUID *Guid, + IN CONST VOID *Buf, + UINT32 BufSize +); + +#endif diff --git a/OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.c b/O= vmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.c new file mode 100644 index 000000000000..9cb999ae8cad --- /dev/null +++ b/OvmfPkg/AmdSev/Library/SevHashFinderLib/SevHashFinderLib.c 
@@ -0,0 +1,126 @@ +/** @file + SEV Hash finder library to locate the SEV encrypted hash table + + Copyright (C) 2021 James Bottomley, IBM Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include +#include +#include +#include + +#pragma pack (1) +typedef struct { + GUID Guid; + UINT16 Len; + UINT8 Data[]; +} HASH_TABLE; +#pragma pack () + +STATIC HASH_TABLE *mHashTable; +STATIC UINT16 mHashTableSize; + +EFI_STATUS +EFIAPI +ValidateHashEntry ( + IN CONST GUID *Guid, + IN CONST VOID *Buf, + UINT32 BufSize + ) +{ + INT32 Len; + HASH_TABLE *Entry; + UINT8 Hash[SHA256_DIGEST_SIZE]; + + if (mHashTable =3D=3D NULL || mHashTableSize =3D=3D 0) { + DEBUG ((DEBUG_ERROR, + "%a: Verifier Called but no hash table discoverd in MEMFD\n", + __FUNCTION__)); + return EFI_ACCESS_DENIED; + } + + Sha256HashAll (Buf, BufSize, Hash); + + for (Entry =3D mHashTable, Len =3D 0; + Len < (INT32)mHashTableSize; + Len +=3D Entry->Len, + Entry =3D (HASH_TABLE *)((UINT8 *)Entry + Entry->Len)) { + UINTN EntrySize; + EFI_STATUS Status; + + if (!CompareGuid (&Entry->Guid, Guid)) { + continue; + } + + DEBUG ((DEBUG_INFO, "%a: Found GUID %g in table\n", __FUNCTION__, Guid= )); + + // + // Verify that the buffer's hash is identical to the hash table entry + // + EntrySize =3D Entry->Len - sizeof (Entry->Guid) - sizeof (Entry->Len); + if (EntrySize !=3D SHA256_DIGEST_SIZE) { + DEBUG ((DEBUG_ERROR, "%a: Hash has the wrong size %d !=3D %d\n", + __FUNCTION__, EntrySize, SHA256_DIGEST_SIZE)); + return EFI_ACCESS_DENIED; + } + if (CompareMem (Entry->Data, Hash, EntrySize) =3D=3D 0) { + Status =3D EFI_SUCCESS; + DEBUG ((DEBUG_INFO, "%a: Hash Comparison succeeded\n", __FUNCTION__)= ); + } else { + Status =3D EFI_ACCESS_DENIED; + DEBUG ((DEBUG_ERROR, "%a: Hash Comparison Failed\n", __FUNCTION__)); + } + return Status; + } + DEBUG ((DEBUG_ERROR, "%a: Hash GUID %g not found in table\n", __FUNCTION= __, + Guid)); + return EFI_ACCESS_DENIED; +} + +/** + Register security measurement 
handler. + + This function always returns success, even if the table + can't be found. It only returns errors if an actual use + is made of the non-existent table because that indicates it + should have been present. + + @param ImageHandle ImageHandle of the loaded driver. + @param SystemTable Pointer to the EFI System Table. + + @retval EFI_SUCCESS The verifier tables were set up correctly +**/ +EFI_STATUS +EFIAPI +SevHashFinderLibConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + HASH_TABLE *Ptr =3D (void *)FixedPcdGet64 (PcdQemuHashTableBase); + UINT32 Size =3D FixedPcdGet32 (PcdQemuHashTableSize); + + mHashTable =3D NULL; + mHashTableSize =3D 0; + + if (Ptr =3D=3D NULL || Size =3D=3D 0) { + return EFI_SUCCESS; + } + + if (!CompareGuid (&Ptr->Guid, &SEV_HASH_TABLE_GUID)) { + return EFI_SUCCESS; + } + + DEBUG ((DEBUG_INFO, "%a: found Injected Hash in secure location\n", + __FUNCTION__)); + + mHashTable =3D (HASH_TABLE *)Ptr->Data; + mHashTableSize =3D Ptr->Len - sizeof (Ptr->Guid) - sizeof (Ptr->Len); + + DEBUG ((DEBUG_INFO, "%a: Ptr=3D%p, Size=3D%d\n", __FUNCTION__, mHashTabl= e, + mHashTableSize)); + + return EFI_SUCCESS; +} --=20 2.25.1

View/Reply Online (#75573): https://edk2.groups.io/g/devel/message/75573
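Review bot: The `+ AmdSev/Include` line in the OvmfPkg.dec `[Includes]` hunk turns a platform-specific subdirectory into a package-wide include path, so every OvmfPkg consumer now sees the AmdSev headers; the existing convention in this .dec is that library-class headers live under the package `Include/Library/` directory (compare the `BhyveFwCtlLib|Include/Library/BhyveFwCtlLib.h` line right below), so moving the header to `OvmfPkg/Include/Library/SevHashFinderLib.h` and declaring it as `SevHashFinderLib|Include/Library/SevHashFinderLib.h` would leave `[Includes]` unchanged. Minor: the new `## @libraryclass` entry is inserted above BhyveFwCtlLib; keeping the block alphabetical would put SevHashFinderLib after it.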
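Review bot: `LIBRARY_CLASS = SevHashFinderLib` in the .inf `[Defines]` hunk carries no supported-module-type list, yet `SevHashFinderLibConstructor` uses the DXE-style `(ImageHandle, SystemTable)` constructor arguments and the module type is `DXE_DRIVER`; writing `LIBRARY_CLASS = SevHashFinderLib|DXE_DRIVER` (adding whichever other DXE-phase types the series needs) lets the build system reject linking the library into a SEC or PEI module, where that constructor contract does not hold.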
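Review bot: The SevHashFinderLib.h hunk's comment says "the expectation is that it will be 32 bytes of SHA-256", but the .c file rejects every other entry size with `EFI_ACCESS_DENIED`, so the header should state SHA-256 (SHA256_DIGEST_SIZE) as a requirement rather than an expectation, since callers reading only the header would otherwise assume other hash sizes are tolerated. Minor: each `SEV_*_HASH_GUID` macro expands to a `(GUID) { ... }` compound literal, so `&SEV_HASH_TABLE_GUID` in the .c takes the address of a fresh temporary at each use; defining the GUIDs once as `STATIC CONST GUID` objects (or in the .dec `[Guids]` section) is the usual edk2 form and lets them be referenced by name.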
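Review bot: Both functions in the SevHashFinderLib.c hunk walk the table using lengths read from memory without validating them. In `ValidateHashEntry` the `for` loop advances with `Len += Entry->Len` and only checks `Len < (INT32)mHashTableSize` before dereferencing the next entry, so an entry with `Len` of 0 never terminates and an entry whose `Len` extends past `mHashTableSize` is read beyond the table; in the constructor `mHashTableSize = Ptr->Len - sizeof (Ptr->Guid) - sizeof (Ptr->Len)` is computed without checking that `Ptr->Len` is at least that header size and no larger than `Size` (PcdQemuHashTableSize), which is otherwise unused apart from the zero test. Suggest a check at the top of the loop body such as `if (Entry->Len < sizeof (GUID) + sizeof (UINT16) || Len + Entry->Len > mHashTableSize) { return EFI_ACCESS_DENIED; }` and the matching header/size check in the constructor before the table is accepted. The header says the table lives in encrypted memory, so this guards against a malformed table rather than an untrusted one, but a hang or over-read inside the verifier is still the wrong failure mode. Minor: `(void *)` should be `(VOID *)`; PrintLib's `%d` is int-sized unless the `L` modifier is given, so the UINTN `EntrySize` should be cast to UINT32 or printed with `%Lu`; "discoverd" in the DEBUG string.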