From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min M Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Gerd Hoffmann, Tom Lendacky
Subject: [edk2-devel] [PATCH 2/3] OvmfPkg: Validate Cfv integrity in Tdx guest
Date: Sat, 18 Jun 2022 10:32:02 +0800
Message-Id: <7d0710ff12be66b838fa2893f48d0837da7c2cec.1655518585.git.min.m.xu@intel.com>

From: Min M Xu

Validate Configuration FV (CFV) in Tdx guest.

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Gerd Hoffmann
Cc: Tom Lendacky
Signed-off-by: Min Xu
---
 OvmfPkg/Sec/SecMain.c   | 8 ++++++++
 OvmfPkg/Sec/SecMain.inf | 2 ++
 2 files changed, 10 insertions(+)
diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 1167d22a68cc..f6c00b8dab96 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -768,6 +768,14 @@ SecCoreStartupWithStack ( if (ProcessTdxHobList () !=3D EFI_SUCCESS) { CpuDeadLoop (); } + + // + // Config FV (Cfv) contains the configuration information and its inte= grity + // should be validated. + // + if (!TdxValidateCfv ((UINT8 *)(UINTN)FixedPcdGet32 (PcdCfvBase), Fixed= PcdGet32 (PcdCfvRawDataSize))) { + CpuDeadLoop (); + } } =20 #endif diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 561a840f29c5..ae0094a15eda 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -84,6 +84,8 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdCfvBase + gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataSize =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90588): https://edk2.groups.io/g/devel/message/90588 Mute This Topic: https://groups.io/mt/91835109/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
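Review bot: In the SecMain.c hunk, the new `TdxValidateCfv` failure path drops straight into `CpuDeadLoop ()` with no diagnostic, exactly like the `ProcessTdxHobList ()` failure a few lines above it, so a guest that hangs here cannot be told apart from one that failed HOB list processing. Please emit a `DEBUG ((DEBUG_ERROR, ...))` line naming the CFV check before the dead loop. The added comment also only says the integrity "should be validated"; one more sentence stating what `TdxValidateCfv` actually checks over the `PcdCfvBase` / `PcdCfvRawDataSize` range, and why the CFV contents are not trusted in a Tdx guest, would let a reader judge whether the check is sufficient without opening the helper.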
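Review bot: In the SecMain.inf hunk, only `PcdCfvBase` and `PcdCfvRawDataSize` are added; nothing in this patch adds a library class to SecMain.inf or an `#include` to SecMain.c for `TdxValidateCfv`. Please confirm that the library and header that provide `TdxValidateCfv` are already pulled into the SEC module by an earlier patch in the series, and say so in the commit message, or add them here so this patch builds on its own. Since SecMain.c reads both values with `FixedPcdGet32`, it is also worth checking that both PCDs resolve as fixed-at-build for every platform that consumes this INF.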