From nobody Mon Feb  9 23:38:54 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+99223+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+99223+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=intel.com
ARC-Seal: i=1; a=rsa-sha256; t=1674914371; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Xl9PlMXrgpo54HSmh+lc/rjjQKxVZdapAGonNUgZIc2WUgSmvZu5eyJjP32V6epygmH6mGtrG5w4kVvASkV7zhkVxBzqhtXDQQwdbouYrdSrjXpIaTKbOIFiw1VlwJaW/X3O5GF1pLj/ZSkykx0tZpoK9UF8w6V57ZmWNI0QU78=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1674914371;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=p7xKvTlxOXHU57qMO+F2u4aenCQNiB/uByv9SweHfcA=;
	b=UrGHG+77lk6ULC3NXRife0ENucIBR5Dal8oOWkBNOk8bQzUsov7lX08sd59h5Q+/YTmcPLETuWZIuy2JE8BVR9LRfkl2iXciooozjIDR5W3MCIMjtox6WRW3w+chB31Iw6y968y63Rez6WLN7PouqVtXK+TuThi/+jvDib0bVSc=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+99223+1787277+3901457@groups.io;
	dmarc=fail header.from=<min.m.xu@intel.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1674914371892823.3686393248761;
 Sat, 28 Jan 2023 05:59:31 -0800 (PST)
Return-Path: <bounce+27952+99223+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id J2VcYY1788612xO2olZXCcqV;
 Sat, 28 Jan 2023 05:59:31 -0800
X-Received: from mga06.intel.com (mga06.intel.com [134.134.136.31])
 by mx.groups.io with SMTP id smtpd.web10.13668.1674914336767550554
 for <devel@edk2.groups.io>;
 Sat, 28 Jan 2023 05:59:31 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10604"; a="389670882"
X-IronPort-AV: E=Sophos;i="5.97,254,1669104000";
   d="scan'208";a="389670882"
X-Received: from orsmga004.jf.intel.com ([10.7.209.38])
  by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 28 Jan 2023 05:59:30 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10604"; a="787512764"
X-IronPort-AV: E=Sophos;i="5.97,254,1669104000";
   d="scan'208";a="787512764"
X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.255.31.196])
  by orsmga004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 28 Jan 2023 05:59:28 -0800
From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min M Xu <min.m.xu@intel.com>,
	Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Michael Roth <michael.roth@amd.com>
Subject: [edk2-devel] [PATCH V5 13/13] OvmfPkg: Support Tdx measurement in
 OvmfPkgX64
Date: Sat, 28 Jan 2023 21:58:42 +0800
Message-Id: <20230128135842.980-14-min.m.xu@intel.com>
In-Reply-To: <20230128135842.980-1-min.m.xu@intel.com>
References: <20230128135842.980-1-min.m.xu@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,min.m.xu@intel.com
X-Gm-Message-State: hKHOObtKsbDkIMpFdpHbVc1Xx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1674914371;
 bh=BDTLRzoBtCaOuKc0ZBBeifEOZlFPbJmLZC4J3Jnrp4A=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=fabZwByNX1t3QMtiNssDQRsa7q/aF4SCUxpll93uoE0DJZhj7nRa9n6cE5TA3syX6Kg
 x1mR0yQ7Gyy/1pHyNSmkxHK8VqfJaWgsivRWq+BxxpePywEz7Zz/8A+EUgA5altdcuLgS
 YbJoOZXvaKdeLShqQ4guE8ea8sMI489tauI=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1674914373050100009
Content-Type: text/plain; charset="utf-8"

From: Min M Xu <min.m.xu@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4243

This patch enables Tdx measurement in OvmfPkgX64 with below changes:
1) TDX_MEASUREMENT_ENABLE is introduced in OvmfPkgX64.dsc. This flag
   indicates if Intel TDX measurement is enabled in OvmfPkgX64. Its
   default value is FALSE.
2) Include TdTcg2Dxe in OvmfPkgX64 so that CC_MEASUREMENT_PROTOCOL
   is installed in a Td-guest. TdTcg2Dxe is controlled by
   TDX_MEASUREMENT_ENABLE because it is only valid when Intel TDX
   measurement is enabled.
3) OvmfTpmLibs.dsc.inc and OvmfTpmSecurityStub.dsc.inc are updated
   because DxeTpm2MeasureBootLib.inf and DxeTpmMeasurementLib.inf
   should be included to support CC_MEASUREMENT_PROTOCOL.

Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
---
 OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc         | 10 +++++++++-
 OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc |  8 ++++++++
 OvmfPkg/OvmfPkgX64.dsc                          | 12 ++++++++++++
 OvmfPkg/OvmfPkgX64.fdf                          |  7 +++++++
 4 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc b/OvmfPkg/Include/Dsc/=
OvmfTpmLibs.dsc.inc
index cd1a899d68f7..680f1b398592 100644
--- a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
@@ -10,9 +10,17 @@
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeT=
cg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibN=
ull.inf
-  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure=
mentLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeT=
cg2PhysicalPresenceLib.inf
+!endif
+
+!if $(TPM2_ENABLE) =3D=3D TRUE || $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE
+  #
+  # DxeTpmMeasurementLib supports measurement functions for both TPM and C=
onfidential Computing.
+  # It should be controlled by TPM2_ENABLE and TDX_MEASUREMENT_ENABLE.
+  #
+  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure=
mentLib.inf
+!else
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem=
entLibNull.inf
 !endif
=20
diff --git a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc b/OvmfPkg/Incl=
ude/Dsc/OvmfTpmSecurityStub.dsc.inc
index e9ab2fca7bc7..f3db62397aff 100644
--- a/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
@@ -6,5 +6,13 @@
 !if $(TPM1_ENABLE) =3D=3D TRUE
       NULL|SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.i=
nf
 !endif
+!endif
+
+!if $(TPM2_ENABLE) =3D=3D TRUE || $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE
+      #
+      # DxeTpm2MeasureBootLib provides security service of TPM2 measure bo=
ot and
+      # Confidential Computing (CC) measure boot. It should be controlled =
by
+      # TPM2_ENABLE and TDX_MEASUREMENT_ENABLE
+      #
       NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib=
.inf
 !endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index a13299c18cfd..2cbb578926f9 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -32,6 +32,7 @@
   DEFINE SECURE_BOOT_ENABLE      =3D FALSE
   DEFINE SMM_REQUIRE             =3D FALSE
   DEFINE SOURCE_DEBUG_ENABLE     =3D FALSE
+  DEFINE TDX_MEASUREMENT_ENABLE  =3D FALSE
=20
 !include OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc
=20
@@ -1104,6 +1105,17 @@
   }
 !endif
=20
+  #
+  # Cc Measurement Protocol for Td guest
+  #
+!if $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE
+  SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf {
+    <LibraryClasses>
+      HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf
+      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384=
.inf
+  }
+!endif
+
   #
   # TPM support
   #
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 8c02dfe11e37..b4f11ee40a34 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -402,6 +402,13 @@ INF  MdeModulePkg/Universal/FaultTolerantWriteDxe/Faul=
tTolerantWriteDxe.inf
 INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 !endif
=20
+#
+# EFI_CC_MEASUREMENT_PROTOCOL
+#
+!if $(TDX_MEASUREMENT_ENABLE) =3D=3D TRUE
+INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
+!endif
+
 #
 # TPM support
 #
--=20
2.29.2.windows.2



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99223): https://edk2.groups.io/g/devel/message/99223
Mute This Topic: https://groups.io/mt/96587230/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-