From: "Min Xu" To: devel@edk2.groups.io Cc: Min Xu , Michael D Kinney , Liming Gao , Zhiguang Liu , Jiewen Yao , Jian J Wang , Ken Lu , Sami Mujawar Subject: [edk2-devel] [PATCH V3 1/3] MdePkg: Introduce TeeMeasurementProtocol for TEE Guest firmware Date: Thu, 28 Oct 2021 12:59:27 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: HQGwW8tQEqFQSQwGFN488ZFux1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1635397211; bh=/yn4BbsWV3va5qLR8you2ZAHV7dUglcdhaZ7EKkxeAU=; h=Cc:Date:From:Reply-To:Subject:To; b=cnOTdysJJqRi92jZsl94M69n+3EHrLDXO2Tb//J8SZ9o4wW92qWy4tXtmM+jnLqKgQw NNN8UgvXUxb0snjDbDRMjVCxQDpAxyApeQPEyl5iKcjinp3GQ0Jumi1UbTeEp+kk839rA ClPa1fTfmzCmtW/TD6DIZVMHzBk820ORBDc= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1635397213159100005 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3625 If TEE Guest firmware supports measurement and an event is created, TEE Guest firmware is designed to report the event log with the same data structure in TCG-Platform-Firmware-Profile specification with EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format. The TEE Guest firmware supports measurement. It is designed to produce EFI_TEE_MEASUREMENT_PROTOCOL with new GUID EFI_TEE_MEASUREMENT_PROTOCOL_GUID to report event log and provides hash capability. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Cc: Jiewen Yao Cc: Jian J Wang Cc: Ken Lu Cc: Sami Mujawar 
Signed-off-by: Min Xu
---
MdePkg/Include/Protocol/TdProtocol.h | 36 +++
MdePkg/Include/Protocol/TeeMeasurement.h | 296 +++++++++++++++++++++++
MdePkg/MdePkg.dec | 3 +
3 files changed, 335 insertions(+)
create mode 100644 MdePkg/Include/Protocol/TdProtocol.h
create mode 100644 MdePkg/Include/Protocol/TeeMeasurement.h
diff --git a/MdePkg/Include/Protocol/TdProtocol.h b/MdePkg/Include/Protocol= /TdProtocol.h
new file mode 100644
index 000000000000..8d938b00f3c0
--- /dev/null
+++ b/MdePkg/Include/Protocol/TdProtocol.h
@@ -0,0 +1,36 @@
+/** @file
+ TDX specific definitions for EFI_TEE_MEASUREMENT_PROTOCOL
+
+Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef TD_PROTOCOL_H_
+#define TD_PROTOCOL_H_
+
+#define TDX_MR_INDEX_MRTD 0
+#define TDX_MR_INDEX_RTMR0 1
+#define TDX_MR_INDEX_RTMR1 2
+#define TDX_MR_INDEX_RTMR2 3
+#define TDX_MR_INDEX_RTMR3 4
+
+/**
+ In current version, we use below mapping:
+ PCR0 -> MRTD (Index 0)
+ PCR1 -> RTMR0 (Index 1)
+ PCR2~6 -> RTMR1 (Index 2)
+ PCR7 -> RTMR0 (Index 1)
+ PCR8~15 -> RTMR2 (Index 3)
+
+typedef
+EFI_STATUS
+(EFIAPI * EFI_TEE_MAP_PCR_TO_MR_INDEX) (
+ IN EFI_TEE_MEASUREMENT_PROTOCOL *This,
+ IN TCG_PCRINDEX PcrIndex,
+ OUT EFI_TEE_MR_INDEX *MrIndex
+ );
+
+**/
+
+#endif
diff --git a/MdePkg/Include/Protocol/TeeMeasurement.h b/MdePkg/Include/Prot= ocol/TeeMeasurement.h
new file mode 100644
index 000000000000..3f3c71e3dba0
--- /dev/null
+++ b/MdePkg/Include/Protocol/TeeMeasurement.h
@@ -0,0 +1,296 @@
+/** @file
+ If TEE Guest firmware supports measurement and an event is created,
+ TEE Guest firmware is designed to report the event log with the same
+ data structure in TCG-Platform-Firmware-Profile specification with
+ EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format.
+
+ The TEE Guest firmware supports measurement, the TEE Guest Firmware is
+ designed to produce EFI_TEE_MEASUREMENT_PROTOCOL with new GUID
+ EFI_TEE_MEASUREMENT_PROTOCOL_GUID to report event log and provides hash
+ capability.
+
+Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.
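Review bot: The `/** ... **/` block at the end of TdProtocol.h wraps a complete `EFI_TEE_MAP_PCR_TO_MR_INDEX` typedef inside the comment, a commented-out copy of the live typedef in TeeMeasurement.h that will silently drift the first time one of them changes; keep only the mapping table and replace the dead code with `See EFI_TEE_MAP_PCR_TO_MR_INDEX in TeeMeasurement.h for the function that implements this table.` The table itself deserves a caveat, since PCR1 and PCR7 both fold into RTMR0 and PCR2~6 into RTMR1, so a verifier cannot separate Secure Boot policy (PCR7) measurements from PCR1 content by register value alone and must replay the event log by MrIndex and EventType. Adding `Several PCRs share one RTMR; replay the event log to attribute individual events.` to the comment would stop attestation consumers from assuming the one-to-one PCR semantics they know from TPM. The `TDX_MR_INDEX_*` values are untyped macros; a note that they are the values carried in `EFI_TEE_MR_INDEX` (UINT32) would tie the two headers together.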
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef TEE_MEASUREMENT_PROTOCOL_H_
+#define TEE_MEASUREMENT_PROTOCOL_H_
+
+#include
+#include
+
+#define EFI_TEE_MEASUREMENT_PROTOCOL_GUID \
+ { 0x96751a3d, 0x72f4, 0x41a6, { 0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae= , 0x6b }}
+extern EFI_GUID gEfiTeeMeasurementProtocolGuid;
+
+typedef struct _EFI_TEE_MEASUREMENT_PROTOCOL EFI_TEE_MEASUREMENT_PROTOCOL;
+
+typedef struct {
+ UINT8 Major;
+ UINT8 Minor;
+} EFI_TEE_VERSION;
+
+//
+// EFI_TEE Type/SubType definition
+//
+#define EFI_TEE_TYPE_NONE 0
+#define EFI_TEE_TYPE_SEV 1
+#define EFI_TEE_TYPE_TDX 2
+
+typedef struct {
+ UINT8 Type;
+ UINT8 SubType;
+} EFI_TEE_TYPE;
+
+typedef UINT32 EFI_TEE_EVENT_LOG_BITMAP;
+typedef UINT32 EFI_TEE_EVENT_LOG_FORMAT;
+typedef UINT32 EFI_TEE_EVENT_ALGORITHM_BITMAP;
+typedef UINT32 EFI_TEE_MR_INDEX;
+
+#define EFI_TEE_EVENT_LOG_FORMAT_TCG_2 0x00000002
+#define EFI_TEE_BOOT_HASH_ALG_SHA384 0x00000004
+
+//
+// This bit is shall be set when an event shall be extended but not logged.
+//
+#define EFI_TEE_FLAG_EXTEND_ONLY 0x0000000000000001
+//
+// This bit shall be set when the intent is to measure a PE/COFF image.
+//
+#define EFI_TEE_FLAG_PE_COFF_IMAGE 0x0000000000000010
+
+#pragma pack (1)
+
+#define EFI_TEE_EVENT_HEADER_VERSION 1
+
+typedef struct {
+ //
+ // Size of the event header itself (sizeof(EFI_TEE_EVENT_HEADER)).
+ //
+ UINT32 HeaderSize;
+ //
+ // Header version. For this version of this specification, the value sha= ll be 1.
+ //
+ UINT16 HeaderVersion;
+ //
+ // Index of the MR (measurement register) that shall be extended.
+ //
+ EFI_TEE_MR_INDEX MrIndex;
+ //
+ // Type of the event that shall be extended (and optionally logged).
+ //
+ UINT32 EventType;
+} EFI_TEE_EVENT_HEADER;
+
+typedef struct {
+ //
+ // Total size of the event including the Size component, the header and = the Event data. 
+ //
+ UINT32 Size;
+ EFI_TEE_EVENT_HEADER Header;
+ UINT8 Event[1];
+} EFI_TEE_EVENT;
+
+#pragma pack()
+
+
+typedef struct {
+ //
+ // Allocated size of the structure
+ //
+ UINT8 Size;
+ //
+ // Version of the EFI_TEE_BOOT_SERVICE_CAPABILITY structure itself.
+ // For this version of the protocol, the Major version shall be set to 1
+ // and the Minor version shall be set to 0.
+ //
+ EFI_TEE_VERSION StructureVersion;
+ //
+ // Version of the EFI TEE Measurement protocol.
+ // For this version of the protocol, the Major version shall be set to 1
+ // and the Minor version shall be set to 0.
+ //
+ EFI_TEE_VERSION ProtocolVersion;
+ //
+ // Supported hash algorithms
+ //
+ EFI_TEE_EVENT_ALGORITHM_BITMAP HashAlgorithmBitmap;
+ //
+ // Bitmap of supported event log formats
+ //
+ EFI_TEE_EVENT_LOG_BITMAP SupportedEventLogs;
+
+ //
+ // Indicates the TEE type
+ //
+ EFI_TEE_TYPE TeeType;
+} EFI_TEE_BOOT_SERVICE_CAPABILITY;
+
+/**
+ The EFI_TEE_MEASUREMENT_PROTOCOL GetCapability function call provides pr= otocol
+ capability information and state information.
+
+ @param[in] This Indicates the calling context
+ @param[in, out] ProtocolCapability The caller allocates memory for a EFI= _TEE_BOOT_SERVICE_CAPABILITY
+ structure and sets the size field to = the size of the structure allocated.
+ The callee fills in the fields with t= he EFI TEE BOOT Service capability
+ information and the current TEE infor= mation.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+ The ProtocolCapability variable will not = be populated.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorre= ct.
+ The ProtocolCapability variable will not = be populated.
+ @retval EFI_BUFFER_TOO_SMALL The ProtocolCapability variable is too sm= all to hold the full response.
+ It will be partially populated (required = Size field will be set). 
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TEE_GET_CAPABILITY) (
+ IN EFI_TEE_MEASUREMENT_PROTOCOL *This,
+ IN OUT EFI_TEE_BOOT_SERVICE_CAPABILITY *ProtocolCapability
+ );
+
+/**
+ The EFI_TEE_MEASUREMENT_PROTOCOL Get Event Log function call allows a ca= ller to
+ retrieve the address of a given event log and its last entry.
+
+ @param[in] This Indicates the calling context
+ @param[in] EventLogFormat The type of the event log for which the i= nformation is requested.
+ @param[out] EventLogLocation A pointer to the memory address of the ev= ent log.
+ @param[out] EventLogLastEntry If the Event Log contains more than one e= ntry, this is a pointer to the
+ address of the start of the last entry in= the event log in memory.
+ @param[out] EventLogTruncated If the Event Log is missing at least one = entry because an event would
+ have exceeded the area allocated for even= ts, this value is set to TRUE.
+ Otherwise, the value will be FALSE and th= e Event Log will be complete.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorre= ct
+ (e.g. asking for an event log whose forma= t is not supported).
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_TEE_GET_EVENT_LOG) (
+ IN EFI_TEE_MEASUREMENT_PROTOCOL *This,
+ IN EFI_TEE_EVENT_LOG_FORMAT EventLogFormat,
+ OUT EFI_PHYSICAL_ADDRESS *EventLogLocation,
+ OUT EFI_PHYSICAL_ADDRESS *EventLogLastEntry,
+ OUT BOOLEAN *EventLogTruncated
+ );
+
+/**
+ The EFI_TEE_MEASUREMENT_PROTOCOL HashLogExtendEvent function call provid= es
+ callers with an opportunity to extend and optionally log events without = requiring
+ knowledge of actual TEE commands.
+ The extend operation will occur even if this function cannot create an e= vent
+ log entry (e.g. due to the event log being full).
+
+ @param[in] This Indicates the calling context
+ @param[in] Flags Bitmap providing additional information. 
+ @param[in] DataToHash Physical address of the start of the data= buffer to be hashed.
+ @param[in] DataToHashLen The length in bytes of the buffer referen= ced by DataToHash.
+ @param[in] EfiTeeEvent Pointer to data buffer containing informa= tion about the event.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+ @retval EFI_VOLUME_FULL The extend operation occurred, but the ev= ent could not be written to one or more event logs.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are incorre= ct.
+ @retval EFI_UNSUPPORTED The PE/COFF image type is not supported.
+**/
+typedef
+EFI_STATUS
+(EFIAPI * EFI_TEE_HASH_LOG_EXTEND_EVENT) (
+ IN EFI_TEE_MEASUREMENT_PROTOCOL *This,
+ IN UINT64 Flags,
+ IN EFI_PHYSICAL_ADDRESS DataToHash,
+ IN UINT64 DataToHashLen,
+ IN EFI_TEE_EVENT *EfiTeeEvent
+ );
+
+/**
+ The EFI_TEE_MEASUREMENT_PROTOCOL MapPcrToMrIndex function call provides = callers
+ the info on TPM PCR <-> TEE MR mapping information.
+
+ @param[in] This Indicates the calling context
+ @param[in] PcrIndex TPM PCR index.
+ @param[out] MrIndex TEE MR index.
+
+ @retval EFI_SUCCESS The MrIndex is returned.
+ @retval EFI_INVALID_PARAMETER The MrIndex is NULL.
+ @retval EFI_UNSUPPORTED The PcrIndex is invalid.
+**/
+typedef
+EFI_STATUS
+(EFIAPI * EFI_TEE_MAP_PCR_TO_MR_INDEX) (
+ IN EFI_TEE_MEASUREMENT_PROTOCOL *This,
+ IN TCG_PCRINDEX PcrIndex,
+ OUT EFI_TEE_MR_INDEX *MrIndex
+ );
+
+struct _EFI_TEE_MEASUREMENT_PROTOCOL {
+ EFI_TEE_GET_CAPABILITY GetCapability;
+ EFI_TEE_GET_EVENT_LOG GetEventLog;
+ EFI_TEE_HASH_LOG_EXTEND_EVENT HashLogExtendEvent;
+ EFI_TEE_MAP_PCR_TO_MR_INDEX MapPcrToMrIndex;
+};
+
+//
+// TEE event log
+//
+
+#pragma pack(1)
+
+//
+// Crypto Agile Log Entry Format.
+// It is similar with TCG_PCR_EVENT2 except the field of MrIndex and PCRIn= dex. 
+//
+typedef struct {
+ EFI_TEE_MR_INDEX MrIndex;
+ UINT32 EventType;
+ TPML_DIGEST_VALUES Digests;
+ UINT32 EventSize;
+ UINT8 Event[1];
+} TEE_EVENT;
+
+//
+// EFI TEE Event Header
+// It is similar with TCG_PCR_EVENT2_HDR except the field of MrIndex and P= CRIndex
+//
+typedef struct {
+ EFI_TEE_MR_INDEX MrIndex;
+ UINT32 EventType;
+ TPML_DIGEST_VALUES Digests;
+ UINT32 EventSize;
+} TEE_EVENT_HDR;
+
+#pragma pack()
+
+//
+// Log entries after Get Event Log service
+//
+
+#define EFI_TEE_FINAL_EVENTS_TABLE_VERSION 1
+
+typedef struct {
+ //
+ // The version of this structure. It shall be set to 1.
+ //
+ UINT64 Version;
+ //
+ // Number of events recorded after invocation of GetEventLog API
+ //
+ UINT64 NumberOfEvents;
+ //
+ // List of events of type TEE_EVENT.
+ //
+ //TEE_EVENT Event[1];
+} EFI_TEE_FINAL_EVENTS_TABLE;
+
+
+#define EFI_TEE_FINAL_EVENTS_TABLE_GUID \
+ {0xdd4a4648, 0x2de7, 0x4665, {0x96, 0x4d, 0x21, 0xd9, 0xef, 0x5f, 0xb4, = 0x46}}
+
+extern EFI_GUID gEfiTeeFinalEventsTableGuid;
+
+#endif
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 8b18415b107a..cfb3fa3adc83 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -1011,6 +1011,9 @@ ## Include/Protocol/PcdInfo.h gGetPcdInfoProtocolGuid =3D { 0x5be40f57, 0xfa68, 0x4610, { 0xbb,= 0xbf, 0xe9, 0xc5, 0xfc, 0xda, 0xd3, 0x65 } } =20 + ## Include/Protocol/TeeMeasurement.h + gEfiTeeMeasurementProtocolGuid =3D { 0x96751a3d, 0x72f4, 0x41a6, { 0xa7,= 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b }} + # # Protocols defined in PI1.0. # --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#82795): https://edk2.groups.io/g/devel/message/82795 Mute This Topic: https://groups.io/mt/86646137/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
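Review bot: `HashLogExtendEvent` takes a caller-built `EFI_TEE_EVENT` whose `Size`, `Header.HeaderSize`, `Header.HeaderVersion` and `Header.MrIndex` are all controlled by whichever driver locates the protocol, yet the `@retval EFI_INVALID_PARAMETER` entry gives no acceptance criteria, so each producer is left to decide how far to trust those fields before it walks `Event[]` or extends a register. The contract should state what the producer rejects, e.g. `@retval EFI_INVALID_PARAMETER EfiTeeEvent is NULL, EfiTeeEvent->Size is less than sizeof(UINT32) + EfiTeeEvent->Header.HeaderSize, EfiTeeEvent->Header.HeaderVersion is not EFI_TEE_EVENT_HEADER_VERSION, or EfiTeeEvent->Header.MrIndex is not a valid MR index for the reported TeeType.` The same line should cover `DataToHash` and `DataToHashLen`, whose sum must not wrap or extend past memory the caller owns before the producer hashes it. `Flags` is a `UINT64` of which only bits `0x1` and `0x10` are defined here; a sentence on whether undefined bits are ignored or rejected would close the remaining gap in the parameter contract.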
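Review bot: TeeMeasurement.h declares `extern EFI_GUID gEfiTeeFinalEventsTableGuid;` with `EFI_TEE_FINAL_EVENTS_TABLE_GUID`, but the MdePkg.dec hunk only adds `gEfiTeeMeasurementProtocolGuid` under the protocol GUIDs, so any module that installs or locates the final-events configuration table cannot resolve that symbol through its INF. The .dec needs a matching entry in its `[Guids]` section, `## Include/Protocol/TeeMeasurement.h` followed by `gEfiTeeFinalEventsTableGuid = { 0xdd4a4648, 0x2de7, 0x4665, { 0x96, 0x4d, 0x21, 0xd9, 0xef, 0x5f, 0xb4, 0x46 }}`, with the same value as the header macro. The `[Guids]` section itself lies outside this hunk.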