OvmfPkg/OvmfPkgX64: Measure TdHob and Configuration FV in SecMain

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243

TdHob and Configuration FV (Cfv) are external inputs from VMM. From the
security perspective, they should be measured before they're consumed.
This patch measures TdHob and Cfv and stores the measurement values in
WorkArea.

Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
This commit is contained in:
Min M Xu 2023-02-03 11:31:45 +08:00 committed by mergify[bot]
parent d92db8a086
commit 6ea50514c1
1 changed files with 13 additions and 0 deletions

View File

@ -760,6 +760,19 @@ SecCoreStartupWithStack (
#if defined (TDX_GUEST_SUPPORTED)
if (CcProbe () == CcGuestTypeIntelTdx) {
//
// From the security perspective all the external input should be measured before
// it is consumed. TdHob and Configuration FV (Cfv) image are passed from VMM
// and should be measured here.
//
if (EFI_ERROR (TdxHelperMeasureTdHob ())) {
CpuDeadLoop ();
}
if (EFI_ERROR (TdxHelperMeasureCfvImage ())) {
CpuDeadLoop ();
}
//
// For Td guests, the memory map info is in TdHobLib. It should be processed
// first so that the memory is accepted. Otherwise access to the unaccepted