OvmfPkg/IntelTdx: Measure TdHob and Configuration FV in SecMain

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243 TdHob and Configuration FV (Cfv) are external inputs from VMM. From the security perspective, they should be measured before they're consumed. This patch measures TdHob and Cfv and stores the measurement values in WorkArea. After TdHob and Configuration FV (Cfv) are measured in SecMain, the same measurements in PeilessStartupLib are deleted. Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Michael Roth <michael.roth@amd.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
2023-02-03 11:31:43 +08:00 · 2023-02-03 11:31:43 +08:00 · 019621d078
parent c0984d1ff2
commit 019621d078
4 changed files with 14 additions and 24 deletions
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@ -548,11 +548,8 @@
  OvmfPkg/IntelTdx/Sec/SecMain.inf {
    <LibraryClasses>
      NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
-      TpmMeasurementLib|SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLibTdx.inf
      NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
      BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
-      HashLib|SecurityPkg/Library/HashLibTdx/HashLibTdx.inf
-      NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
  }

  #
--- a/OvmfPkg/IntelTdx/Sec/SecMain.c
+++ b/OvmfPkg/IntelTdx/Sec/SecMain.c
@ -62,6 +62,19 @@ SecCoreStartupWithStack (
  volatile UINT8        *Table;

  if (CcProbe () == CcGuestTypeIntelTdx) {
+    //
+    // From the security perspective all the external input should be measured before
+    // it is consumed. TdHob and Configuration FV (Cfv) image are passed from VMM
+    // and should be measured here.
+    //
+    if (EFI_ERROR (TdxHelperMeasureTdHob ())) {
+      CpuDeadLoop ();
+    }
+
+    if (EFI_ERROR (TdxHelperMeasureCfvImage ())) {
+      CpuDeadLoop ();
+    }
+
    //
    // For Td guests, the memory map info is in TdHobLib. It should be processed
    // first so that the memory is accepted. Otherwise access to the unaccepted
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@ -176,25 +176,7 @@ PeilessStartup (

  if (TdIsEnabled ()) {
    //
-    // Measure HobList
-    //
-    Status = TdxHelperMeasureTdHob ();
-    if (EFI_ERROR (Status)) {
-      ASSERT (FALSE);
-      CpuDeadLoop ();
-    }
-
-    //
-    // Measure Tdx CFV
-    //
-    Status = TdxHelperMeasureCfvImage ();
-    if (EFI_ERROR (Status)) {
-      ASSERT (FALSE);
-      CpuDeadLoop ();
-    }
-
-    //
-    // Build GuidHob for tdx measurement
+    // Build GuidHob for the tdx measurements which were done in SEC phase.
    //
    Status = TdxHelperBuildGuidHobForTdxMeasurement ();
    if (EFI_ERROR (Status)) {
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
@ -56,8 +56,6 @@
  PrePiLib
  QemuFwCfgLib
  PlatformInitLib
-  HashLib
-  TpmMeasurementLib

 [Guids]
  gEfiHobMemoryAllocModuleGuid