From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min Xu, Jiewen Yao, Jian J Wang, Gerd Hoffmann
Subject: [edk2-devel] [PATCH 1/8] Security: Add HashLibBaseCryptoRouterTdx
Date: Wed, 2 Mar 2022 08:28:00 +0800
Message-Id: <20220302002807.982-2-min.m.xu@intel.com>
In-Reply-To: <20220302002807.982-1-min.m.xu@intel.com>
References: <20220302002807.982-1-min.m.xu@intel.com>

RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853

This library provides hash service by registered hash handler in Td guest. It redirects hash request to each individual hash handler (currently only SHA384 is supported). After that the hash value is extended to Td RTMR registers which is similar to TPM PCRs.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Gerd Hoffmann
Signed-off-by: Min Xu
---
 .../HashLibBaseCryptoRouterTdx.c | 214 ++++++++++++++++++
 .../HashLibBaseCryptoRouterTdx.inf | 41 ++++
 SecurityPkg/SecurityPkg.dsc | 10 +
 3 files changed, 265 insertions(+)
 create mode 100644 SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.c
 create mode 100644 SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerTdx.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerTdx.c new file mode 100644 index 000000000000..77e2a14c19be --- /dev/null +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTd= x.c @@ -0,0 +1,214 @@ +/** @file + This library is BaseCrypto router for Tdx. + +Copyright (c) 2021 - 2022, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "HashLibBaseCryptoRouterCommon.h" + +// +// Currently TDX supports SHA384. +// +#define TDX_HASH_COUNT 1 +HASH_INTERFACE mHashInterface[TDX_HASH_COUNT] =3D { + { + { 0 }, NULL, NULL, NULL + } +}; + +UINTN mHashInterfaceCount =3D 0; +HASH_HANDLE mHashCtx[TDX_HASH_COUNT] =3D { 0 }; + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle return= ed. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +EFI_STATUS +EFIAPI +HashStart ( + OUT HASH_HANDLE *HashHandle + ) +{ + HASH_HANDLE *HashCtx; + + if (mHashInterfaceCount =3D=3D 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + HashCtx =3D mHashCtx; + mHashInterface[0].HashInit (&HashCtx[0]); + + *HashHandle =3D (HASH_HANDLE)HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +EFI_STATUS +EFIAPI +HashUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + HASH_HANDLE *HashCtx; + + if (mHashInterfaceCount =3D=3D 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + mHashInterface[0].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); + + return EFI_SUCCESS; +} + +/** + Hash sequence complete and extend to PCR. + + @param HashHandle Hash handle. + @param PcrIndex PCR to be extended. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash sequence complete and DigestList is returne= d. 
+**/ +EFI_STATUS +EFIAPI +HashCompleteAndExtend ( + IN HASH_HANDLE HashHandle, + IN TPMI_DH_PCR PcrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT TPML_DIGEST_VALUES *DigestList + ) +{ + TPML_DIGEST_VALUES Digest; + HASH_HANDLE *HashCtx; + EFI_STATUS Status; + + if (mHashInterfaceCount =3D=3D 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + ZeroMem (DigestList, sizeof (*DigestList)); + + mHashInterface[0].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); + mHashInterface[0].HashFinal (HashCtx[0], &Digest); + Tpm2SetHashToDigestList (DigestList, &Digest); + + ASSERT (DigestList->count =3D=3D 1 && DigestList->digests[0].hashAlg =3D= =3D TPM_ALG_SHA384); + + Status =3D TdExtendRtmr ( + (UINT32 *)DigestList->digests[0].digest.sha384, + SHA384_DIGEST_SIZE, + (UINT8)PcrIndex + ); + + ASSERT (!EFI_ERROR (Status)); + return Status; +} + +/** + Hash data and extend to RTMR. + + @param PcrIndex PCR to be extended. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash data and DigestList is returned. +**/ +EFI_STATUS +EFIAPI +HashAndExtend ( + IN TPMI_DH_PCR PcrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT TPML_DIGEST_VALUES *DigestList + ) +{ + HASH_HANDLE HashHandle; + EFI_STATUS Status; + + if (mHashInterfaceCount =3D=3D 0) { + ASSERT (FALSE); + return EFI_UNSUPPORTED; + } + + ASSERT (TdIsEnabled ()); + + HashStart (&HashHandle); + HashUpdate (HashHandle, DataToHash, DataToHashLen); + Status =3D HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestL= ist); + + return Status; +} + +/** + This service register Hash. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfu= lly. + @retval EFI_UNSUPPORTED System does not support register this inter= face. + @retval EFI_ALREADY_STARTED System already register this interface. 
+**/ +EFI_STATUS +EFIAPI +RegisterHashInterfaceLib ( + IN HASH_INTERFACE *HashInterface + ) +{ + UINT32 HashMask; + + ASSERT (TdIsEnabled ()); + + // + // Check allow + // + HashMask =3D Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid); + ASSERT (HashMask =3D=3D HASH_ALG_SHA384); + + if (HashMask !=3D HASH_ALG_SHA384) { + return EFI_UNSUPPORTED; + } + + if (mHashInterfaceCount >=3D ARRAY_SIZE (mHashInterface)) { + ASSERT (FALSE); + return EFI_OUT_OF_RESOURCES; + } + + CopyMem (&mHashInterface[mHashInterfaceCount], HashInterface, sizeof (*H= ashInterface)); + mHashInterfaceCount++; + + return EFI_SUCCESS; +} diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerTdx.inf b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCrypt= oRouterTdx.inf new file mode 100644 index 000000000000..f6b1353d0041 --- /dev/null +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTd= x.inf @@ -0,0 +1,41 @@ +## @file +# Provides hash service by registered hash handler in Tdx. +# +# This library is BaseCrypto router. It will redirect hash request to eac= h individual +# hash handler registered. Currently only SHA384 is supported in this rou= ter. +# +# Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D HashLibBaseCryptoRouterTdx + MODULE_UNI_FILE =3D HashLibBaseCryptoRouter.uni + FILE_GUID =3D 77F6EA3E-1ABA-4467-A447-926E8CEB2D13 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D HashLib|SEC DXE_DRIVER + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D X64 +# + +[Sources] + HashLibBaseCryptoRouterCommon.h + HashLibBaseCryptoRouterCommon.c + HashLibBaseCryptoRouterTdx.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + PcdLib + TdxLib diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 73a93c2285b1..b23701ad124e 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -72,6 +72,7 @@ MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf + TdxLib|MdePkg/Library/TdxLib/TdxLib.inf =20 [LibraryClasses.ARM, LibraryClasses.AARCH64] # @@ -92,6 +93,12 @@ [LibraryClasses.RISCV64] RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf =20 +[LibraryClasses.X64.SEC] + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRou= terTdx.inf + +[LibraryClasses.X64.DXE_DRIVER] + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRou= terTdx.inf + [LibraryClasses.common.PEIM] PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf 
@@ -283,6 +290,9 @@ # SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf =20 +[Components.X64] + SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.i= nf + [Components.IA32, Components.X64] SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf =20 --=20 2.29.2.windows.2
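
Review bot: In HashLibBaseCryptoRouterTdx.c, HashCompleteAndExtend passes (UINT8)PcrIndex straight to TdExtendRtmr: the TPMI_DH_PCR value is truncated by the cast, and this file contains no range check or PCR-to-RTMR mapping, while the function header still documents the parameter as "PCR to be extended". Validate the index before the call and return an error for values that are out of range, or document that callers must pass an RTMR index. Separately, RegisterHashInterfaceLib has ASSERT (HashMask == HASH_ALG_SHA384) immediately before the if that returns EFI_UNSUPPORTED, so in a build with asserts enabled a non-SHA384 handler trips the assert instead of being declined; drop the ASSERT and keep the return. The function headers also list return codes that no path produces (EFI_OUT_OF_RESOURCES for HashStart, EFI_ALREADY_STARTED for RegisterHashInterfaceLib).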
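
Review bot: In HashLibBaseCryptoRouterTdx.inf, [LibraryClasses] lists PcdLib, but the INF declares no [Pcd] section and the new HashLibBaseCryptoRouterTdx.c reads no PCD, so the dependency looks unused. Remove it, or if HashLibBaseCryptoRouterCommon.c needs a PCD, declare that PCD in this INF. The copyright line here says 2020 - 2021 while the .c file added in the same patch says 2021 - 2022; make them consistent.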
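
Review bot: In SecurityPkg.dsc, the new [LibraryClasses.X64.SEC] and [LibraryClasses.X64.DXE_DRIVER] sections map HashLib to HashLibBaseCryptoRouterTdx.inf for every X64 SEC and DXE_DRIVER module built from this DSC, not only for TDX components. That instance asserts TdIsEnabled () and accepts only SHA384, so any other X64 driver that resolves HashLib through these sections would get it. Scope the mapping with a per-component <LibraryClasses> override on the modules that need it, and check whether the TdxLib line added in the first hunk belongs in an X64-only section as well.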