From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min M Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Gerd Hoffmann, Tom Lendacky, Michael Roth
Subject: [edk2-devel] [PATCH V3 6/9] OvmfPkg: Enable Tdx measurement in OvmfPkgX64
Date: Wed, 25 Jan 2023 10:23:56 +0800
Message-Id: <20230125022359.1645-7-min.m.xu@intel.com>
In-Reply-To: <20230125022359.1645-1-min.m.xu@intel.com>
References: <20230125022359.1645-1-min.m.xu@intel.com>
From: Min M Xu

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243

This patch enables Tdx measurement in OvmfPkgX64 with the changes below:

1) TDX_MEASUREMENT_ENABLE is introduced in OvmfPkgX64.dsc. This flag indicates if Intel TDX measurement is enabled in OvmfPkgX64. Its default value is FALSE.
2) Update SecMain.c with the functions provided by TdxHelperLib.
3) Include TdTcg2Dxe in OvmfPkgX64 so that CC_MEASUREMENT_PROTOCOL is installed in a Td-guest. TdTcg2Dxe is controlled by TDX_MEASUREMENT_ENABLE because it is only valid when Intel TDX measurement is enabled.
4) OvmfTpmLibs.dsc.inc and OvmfTpmSecurityStub.dsc.inc are updated because DxeTpm2MeasureBootLib.inf and DxeTpmMeasurementLib.inf should be included to support CC_MEASUREMENT_PROTOCOL.

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Tom Lendacky
Cc: Michael Roth
Acked-by: Gerd Hoffmann
Signed-off-by: Min Xu
---
 OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc         | 10 +++++++++-
 OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc |  8 ++++++++
 OvmfPkg/OvmfPkgX64.dsc                          | 15 ++++++++++++++-
 OvmfPkg/OvmfPkgX64.fdf                          |  7 +++++++
 OvmfPkg/Sec/SecMain.c                           | 17 +++++++++++++++--
 5 files changed, 53 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc b/OvmfPkg/Include/Dsc/= OvmfTpmLibs.dsc.inc index cd1a899d68f7..680f1b398592 100644 --- a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc +++ b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
@@ -10,9 +10,17 @@ Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeT= cg2PhysicalPresenceLib.inf Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibN= ull.inf - TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf !else Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeT= cg2PhysicalPresenceLib.inf +!endif + +!if $(TPM2_ENABLE) =3D=3D TRUE || $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE + # + # DxeTpmMeasurementLib supports measurement functions for both TPM and C= onfidential Computing. + # It should be controlled by TPM2_ENABLE and TDX_MEASUREMENT_ENABLE. + # + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf +!else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf !endif =20 diff --git a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/Incl= ude/Dsc/OvmfTpmSecurityStub.dsc.inc index e9ab2fca7bc7..f3db62397aff 100644 --- a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc +++ b/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc @@ -6,5 +6,13 @@ !if $(TPM1_ENABLE) =3D=3D TRUE NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.i= nf !endif +!endif + +!if $(TPM2_ENABLE) =3D=3D TRUE || $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE + # + # DxeTpm2MeasureBootLib provides security service of TPM2 measure bo= ot and + # Confidential Computing (CC) measure boot. It should be controlled = by + # TPM2_ENABLE and TDX_MEASUREMENT_ENABLE + # NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib= .inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 3f970a79a08a..839535d56bab 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc 
@@ -32,6 +32,7 @@ DEFINE SECURE_BOOT_ENABLE =3D FALSE DEFINE SMM_REQUIRE =3D FALSE DEFINE SOURCE_DEBUG_ENABLE =3D FALSE + DEFINE TDX_MEASUREMENT_ENABLE =3D FALSE =20 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc =20 @@ -724,7 +725,8 @@ OvmfPkg/Sec/SecMain.inf { NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompre= ssLib.inf - NULL|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf + NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf } =20 # @@ -1100,6 +1102,17 @@ } !endif =20 + # + # Cc Measurement Protocol for Td guest + # +!if $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE + SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf { + + HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf + NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384= .inf + } +!endif + # # TPM support # diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 8c02dfe11e37..b4f11ee40a34 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -402,6 +402,13 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/Faul= tTolerantWriteDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !endif =20 +# +# EFI_CC_MEASUREMENT_PROTOCOL +# +!if $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE +INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf +!endif + # # TPM support # diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 1167d22a68cc..4bb3b641701e 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -29,7 +29,7 @@ #include #include #include -#include +#include #include #include "AmdSev.h" =20 
@@ -760,12 +760,25 @@ SecCoreStartupWithStack ( =20 #if defined (TDX_GUEST_SUPPORTED) if (CcProbe () =3D=3D CcGuestTypeIntelTdx) { + // + // From the security perspective all the external input should be meas= ured before + // it is consumed. TdHob and Configuration FV (Cfv) image are passed f= rom VMM + // and should be measured here. + // + if (EFI_ERROR (TdxHelperMeasureTdHob ())) { + CpuDeadLoop (); + } + + if (EFI_ERROR (TdxHelperMeasureCfvImage ())) { + CpuDeadLoop (); + } + // // For Td guests, the memory map info is in TdHobLib. It should be pro= cessed // first so that the memory is accepted. Otherwise access to the unacc= epted // memory will trigger tripple fault. // - if (ProcessTdxHobList () !=3D EFI_SUCCESS) { + if (TdxHelperProcessTdHob () !=3D EFI_SUCCESS) { CpuDeadLoop (); } } --=20 2.29.2.windows.2
View/Reply Online (#98997): https://edk2.groups.io/g/devel/message/98997
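Review bot: In the OvmfTpmLibs.dsc.inc hunk, the new `!if $(TPM2_ENABLE) == TRUE || $(TDX_MEASUREMENT_ENABLE) == TRUE` block sits in a shared Include/Dsc file, but this patch only adds `DEFINE TDX_MEASUREMENT_ENABLE = FALSE` to OvmfPkgX64.dsc; if any other platform DSC includes this file, it needs the same DEFINE (or the include should supply a default) so the macro is never evaluated undefined. The comment above the library says it "should be controlled by TPM2_ENABLE and TDX_MEASUREMENT_ENABLE" while the expression is an OR; "TPM2_ENABLE or TDX_MEASUREMENT_ENABLE" would match what the condition does.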
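Review bot: Same wording point for the OvmfTpmSecurityStub.dsc.inc hunk: the condition is `TPM2_ENABLE || TDX_MEASUREMENT_ENABLE`, so the comment should say "or" rather than "and". It is also worth stating, in the comment or the commit message, that with TDX_MEASUREMENT_ENABLE set and TPM2_ENABLE clear, DxeTpm2MeasureBootLib is now linked into the security stub without a TPM2 stack, so it has to tolerate the absence of the TCG2 protocol and rely on the CC measurement path the comment mentions.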
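Review bot: In the OvmfPkgX64.dsc SecMain.inf hunk, `NULL|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf` is dropped and `NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf` plus `BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf` are added unconditionally, unlike the TdTcg2Dxe entry further down, which is wrapped in `!if $(TDX_MEASUREMENT_ENABLE) == TRUE`. Either gate the SEC-phase libraries the same way or say in the commit message that the helper and SecCryptLib are always linked into SecMain and only the DXE side is controlled by the flag. The removal of PlatformInitLib is not mentioned in the commit message at all and deserves a sentence.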
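Review bot: In the SecMain.c hunk, `TdxHelperMeasureTdHob ()` and `TdxHelperMeasureCfvImage ()` run whenever `CcProbe ()` reports a TDX guest, independent of TDX_MEASUREMENT_ENABLE, so the flag the commit message describes as "indicates if Intel TDX measurement is enabled" does not control SEC-phase measurement; please state that intent explicitly. Ordering also needs a sentence: both measurements happen before `TdxHelperProcessTdHob ()` accepts memory, and the context comment right below warns that touching unaccepted memory causes a triple fault, so the comment should note that the TdHob and CFV ranges are already accessible at this point. `CpuDeadLoop ()` on a measurement failure is the right fail-closed choice; a DEBUG message before it would make the hang diagnosable. The pre-existing "tripple" typo in the context comment could be fixed while here.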