From b6b1fdb0731d893339597d2c8f415b7f41c02230 Mon Sep 17 00:00:00 2001 From: Ceping Sun Date: Tue, 26 Nov 2024 21:22:28 -0500 Subject: [PATCH] OvmfPkg/TdxHelperLib: Refactor for new APIs Add below APIs to support the implementation for CC measurement. - TdxHelperMapPcrToMrIndex - TdxHelperHashAndExtendToRtmr - TdxHelperBuildTdxMeasurementGuidHob Cc: Erdem Aktas Cc: Jiewen Yao Cc: Min Xu Cc: Gerd Hoffmann Cc: Elena Reshetova Signed-off-by: Min Xu Signed-off-by: Ceping Sun --- OvmfPkg/Include/Library/TdxHelperLib.h | 73 ++++++++ OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c | 94 +++++++++++ .../IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf | 41 +++++ .../IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf | 3 + OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c | 56 +------ .../IntelTdx/TdxHelperLib/SecTdxHelperLib.inf | 1 + .../IntelTdx/TdxHelperLib/TdxHelperCommon.c | 156 ++++++++++++++++++ OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c | 77 +++++++++ .../IntelTdx/TdxHelperLib/TdxMeasurementHob.c | 1 - 9 files changed, 447 insertions(+), 55 deletions(-) create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf create mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c diff --git a/OvmfPkg/Include/Library/TdxHelperLib.h b/OvmfPkg/Include/Library/TdxHelperLib.h index 199aade42f..39c2997e08 100644 --- a/OvmfPkg/Include/Library/TdxHelperLib.h +++ b/OvmfPkg/Include/Library/TdxHelperLib.h @@ -11,6 +11,12 @@ #include +#define CC_MR_INDEX_0_MRTD 0 +#define CC_MR_INDEX_1_RTMR0 1 +#define CC_MR_INDEX_2_RTMR1 2 +#define CC_MR_INDEX_3_RTMR2 3 +#define CC_MR_INDEX_INVALID 4 + /** In Tdx guest, some information need to be passed from host VMM to guest firmware. For example, the memory resource, etc. These information are 
@@ -67,4 +73,71 @@ TdxHelperBuildGuidHobForTdxMeasurement ( VOID ); +/** + According to UEFI Spec 2.10 Section 38.4.1: + The following table shows the TPM PCR index mapping and CC event log measurement + register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement + Register and RTMR means Runtime Measurement Register + // TPM PCR Index | CC Measurement Register Index | TDX-measurement register + // ------------------------------------------------------------------------ + // 0 | 0 | MRTD + // 1, 7 | 1 | RTMR[0] + // 2~6 | 2 | RTMR[1] + // 8~15 | 3 | RTMR[2] + @param[in] PCRIndex Index of the TPM PCR + @retval UINT32 Index of the CC Event Log Measurement Register Index + @retval CC_MR_INDEX_INVALID Invalid MR Index +**/ +UINT32 +EFIAPI +TdxHelperMapPcrToMrIndex ( + IN UINT32 PCRIndex + ); + +/** + * Build GuidHob for Tdx CC measurement event. + * + * @param RtmrIndex RTMR index + * @param EventType Event type + * @param EventData Event data + * @param EventSize Size of event data + * @param HashValue Hash value + * @param HashSize Size of hash + * + * @retval EFI_SUCCESS Successfully build the GuidHobs + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperBuildTdxMeasurementGuidHob ( + UINT32 RtmrIndex, + UINT32 EventType, + UINT8 *EventData, + UINT32 EventSize, + UINT8 *HashValue, + UINT32 HashSize + ); + +/** + * Calculate the sha384 of input Data and extend it to RTMR register. + * + * @param RtmrIndex Index of the RTMR register + * @param DataToHash Data to be hashed + * @param DataToHashLen Length of the data + * @param Digest Hash value of the input data + * @param DigestLen Length of the hash value + * + * @retval EFI_SUCCESS Successfully hash and extend to RTMR + * @retval Others Other errors as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperHashAndExtendToRtmr ( + IN UINT32 RtmrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT UINT8 *Digest, + IN UINTN DigestLen + ); + #endif 
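Review bot: The `RtmrIndex` parameter of `TdxHelperHashAndExtendToRtmr` is documented only as "Index of the RTMR register", while this header now also defines CC MR indices that are offset by one from the RTMR number (`CC_MR_INDEX_1_RTMR0` is 1). A caller that passes the result of `TdxHelperMapPcrToMrIndex` straight into the extend call would measure into the neighbouring register, and the register value would no longer match the event log. The SEC callers in this patch pass 0 for the TdHob and CFV measurements, which suggests the parameter is the RTMR number; the comment should say so, e.g. `@param RtmrIndex RTMR number (0 selects RTMR[0]); not the CC MR index returned by TdxHelperMapPcrToMrIndex`. The comment on `TdxHelperBuildTdxMeasurementGuidHob` should likewise state which of the two index spaces it expects, and its parameters lack the `IN` modifiers used on the other two declarations.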
diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c b/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c new file mode 100644 index 0000000000..3437132488 --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c @@ -0,0 +1,94 @@ +/** @file + TdxHelper Functions which are used in DXE phase + +Copyright (c) 2024, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include +#include +#include +#include + +/** + * Build GuidHob for Tdx CC measurement event. + */ +EFI_STATUS +BuildTdxMeasurementGuidHob ( + UINT32 RtmrIndex, + UINT32 EventType, + UINT8 *EventData, + UINT32 EventSize, + UINT8 *HashValue, + UINT32 HashSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + In Tdx guest, some information need to be passed from host VMM to guest + firmware. For example, the memory resource, etc. These information are + prepared by host VMM and put in TdHob which is described in TdxMetadata. + TDVF processes the TdHob to accept memories. + + @retval EFI_SUCCESS Successfully process the TdHob + @retval Others Other error as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperProcessTdHob ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + In Tdx guest, TdHob is passed from host VMM to guest firmware and it contains + the information of the memory resource. From the security perspective before + it is consumed, it should be measured and extended. + * + * @retval EFI_SUCCESS Successfully measure the TdHob + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureTdHob ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + * In Tdx guest, Configuration FV (CFV) is treated as external input because it + * may contain the data provided by VMM. From the sucurity perspective Cfv image + * should be measured before it is consumed. + * + * @retval EFI_SUCCESS Successfully measure the CFV image + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperMeasureCfvImage ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Build the GuidHob for tdx measurements which were done in SEC phase. + The measurement values are stored in WorkArea. + + @retval EFI_SUCCESS The GuidHob is built successfully + @retval Others Other errors as indicated +**/ +EFI_STATUS +EFIAPI +TdxHelperBuildGuidHobForTdxMeasurement ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} 
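Review bot: The DXE stub `BuildTdxMeasurementGuidHob` has only the one-line comment "Build GuidHob for Tdx CC measurement event", although it unconditionally returns `EFI_UNSUPPORTED`. DxeTdxHelperLib.inf also builds TdxHelperCommon.c, so a DXE caller gets a working `TdxHelperHashAndExtendToRtmr` but a `TdxHelperBuildTdxMeasurementGuidHob` that always fails. A register can therefore be extended with no matching event record unless the caller checks the second status. I would state that on the stub, e.g. `Not supported in DXE: always returns EFI_UNSUPPORTED and produces no HOB; the caller must record the event by other means.` The copied comments on the other stubs have the same gap, and the CFV one misspells "security" as "sucurity".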
diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf new file mode 100644 index 0000000000..36be2e4761 --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf @@ -0,0 +1,41 @@ +## @file +# TdxHelperLib Dxe instance +# +# This module provides Tdx helper functions in DXE phase. +# Copyright (c) 2024, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = DxeTdxHelperLib + FILE_GUID = d9568aa2-ace6-11ef-8ef3-733e978530b2 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = TdxHelperLib|DXE_DRIVER DXE_RUNTIME_DRIVER + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = X64 +# + +[Sources] + DxeTdxHelper.c + TdxHelperCommon.c + +[Packages] + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + HobLib + PcdLib + BaseCryptLib diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf index ad3b6c1da6..e929626bc5 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf +++ b/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf @@ -25,18 +25,21 @@ [Sources] PeiTdxHelper.c TdxMeasurementHob.c + TdxHelperCommon.c [Packages] MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec OvmfPkg/OvmfPkg.dec SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec [LibraryClasses] BaseLib DebugLib HobLib PcdLib + BaseCryptLib [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c index 19e9b1bf54..6f8daef4cb 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c 
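Review bot: Neither `[LibraryClasses]` list names a library class that provides `TdExtendRtmr`, which the newly added TdxHelperCommon.c calls. The new DxeTdxHelperLib.inf and the PeiTdxHelperLib.inf hunk both list only BaseLib, DebugLib, HobLib, PcdLib and BaseCryptLib. As far as I know that function comes from TdxLib; the include lines are not readable on this page, so please confirm. If so, add `TdxLib` to both lists so each INF declares what its sources use, rather than relying on the platform DSC resolving it through another module.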
@@ -806,58 +806,6 @@ TdxHelperProcessTdHob ( return Status; } -/** - * Calculate the sha384 of input Data and extend it to RTMR register. - * - * @param RtmrIndex Index of the RTMR register - * @param DataToHash Data to be hashed - * @param DataToHashLen Length of the data - * @param Digest Hash value of the input data - * @param DigestLen Length of the hash value - * - * @retval EFI_SUCCESS Successfully hash and extend to RTMR - * @retval Others Other errors as indicated - */ -STATIC -EFI_STATUS -HashAndExtendToRtmr ( - IN UINT32 RtmrIndex, - IN VOID *DataToHash, - IN UINTN DataToHashLen, - OUT UINT8 *Digest, - IN UINTN DigestLen - ) -{ - EFI_STATUS Status; - - if ((DataToHash == NULL) || (DataToHashLen == 0)) { - return EFI_INVALID_PARAMETER; - } - - if ((Digest == NULL) || (DigestLen != SHA384_DIGEST_SIZE)) { - return EFI_INVALID_PARAMETER; - } - - // - // Calculate the sha384 of the data - // - if (!Sha384HashAll (DataToHash, DataToHashLen, Digest)) { - return EFI_ABORTED; - } - - // - // Extend to RTMR - // - Status = TdExtendRtmr ( - (UINT32 *)Digest, - SHA384_DIGEST_SIZE, - (UINT8)RtmrIndex - ); - - ASSERT (!EFI_ERROR (Status)); - return Status; -} - /** In Tdx guest, TdHob is passed from host VMM to guest firmware and it contains the information of the memory resource. From the security perspective before @@ -888,7 +836,7 @@ TdxHelperMeasureTdHob ( Hob.Raw = GET_NEXT_HOB (Hob); } - Status = HashAndExtendToRtmr ( + Status = TdxHelperHashAndExtendToRtmr ( 0, (UINT8 *)TdHob, (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)TdHob), @@ -933,7 +881,7 @@ TdxHelperMeasureCfvImage ( UINT8 Digest[SHA384_DIGEST_SIZE]; OVMF_WORK_AREA *WorkArea; - Status = HashAndExtendToRtmr ( + Status = TdxHelperHashAndExtendToRtmr ( 0, (UINT8 *)(UINTN)PcdGet32 (PcdOvmfFlashNvStorageVariableBase), (UINT64)PcdGet32 (PcdCfvRawDataSize), diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf index d17b84c01f..b536eb4ec9 100644 
--- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf @@ -25,6 +25,7 @@ [Sources] SecTdxHelper.c TdxMeasurementHob.c + TdxHelperCommon.c [Packages] CryptoPkg/CryptoPkg.dec diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c new file mode 100644 index 0000000000..e52ba7bcae --- /dev/null +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c @@ -0,0 +1,156 @@ +/** @file + TdxHelper Common Functions + +Copyright (c) 2024, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + According to UEFI Spec 2.10 Section 38.4.1: + The following table shows the TPM PCR index mapping and CC event log measurement + register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement + Register and RTMR means Runtime Measurement Register + // TPM PCR Index | CC Measurement Register Index | TDX-measurement register + // ------------------------------------------------------------------------ + // 0 | 0 | MRTD + // 1, 7 | 1 | RTMR[0] + // 2~6 | 2 | RTMR[1] + // 8~15 | 3 | RTMR[2] + @param[in] PCRIndex Index of the TPM PCR + @retval UINT32 Index of the CC Event Log Measurement Register Index + @retval CC_MR_INDEX_INVALID Invalid MR Index +**/ +UINT32 +EFIAPI +TdxHelperMapPcrToMrIndex ( + IN UINT32 PCRIndex + ) +{ + UINT32 MrIndex; + + if (PCRIndex > 15) { + ASSERT (FALSE); + return CC_MR_INDEX_INVALID; + } + + MrIndex = 0; + if (PCRIndex == 0) { + MrIndex = CC_MR_INDEX_0_MRTD; + } else if ((PCRIndex == 1) || (PCRIndex == 7)) { + MrIndex = CC_MR_INDEX_1_RTMR0; + } else if ((PCRIndex >= 2) && (PCRIndex <= 6)) { + MrIndex = CC_MR_INDEX_2_RTMR1; + } else if ((PCRIndex >= 8) && (PCRIndex <= 15)) { + MrIndex = CC_MR_INDEX_3_RTMR2; + } + + return MrIndex; +} + +/** + * Calculate the sha384 of input Data and extend it to RTMR register. 
+ * + * @param RtmrIndex Index of the RTMR register + * @param DataToHash Data to be hashed + * @param DataToHashLen Length of the data + * @param Digest Hash value of the input data + * @param DigestLen Length of the hash value + * + * @retval EFI_SUCCESS Successfully hash and extend to RTMR + * @retval Others Other errors as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperHashAndExtendToRtmr ( + IN UINT32 RtmrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT UINT8 *Digest, + IN UINTN DigestLen + ) +{ + EFI_STATUS Status; + + if ((DataToHash == NULL) || (DataToHashLen == 0)) { + return EFI_INVALID_PARAMETER; + } + + if ((Digest == NULL) || (DigestLen != SHA384_DIGEST_SIZE)) { + return EFI_INVALID_PARAMETER; + } + + // + // Calculate the sha384 of the data + // + if (!Sha384HashAll (DataToHash, DataToHashLen, Digest)) { + return EFI_ABORTED; + } + + // + // Extend to RTMR + // + Status = TdExtendRtmr ( + (UINT32 *)Digest, + SHA384_DIGEST_SIZE, + (UINT8)RtmrIndex + ); + ASSERT (!EFI_ERROR (Status)); + return Status; +} + +/** + * Build GuidHob for Tdx CC measurement event. + */ +EFI_STATUS +BuildTdxMeasurementGuidHob ( + UINT32 RtmrIndex, + UINT32 EventType, + UINT8 *EventData, + UINT32 EventSize, + UINT8 *HashValue, + UINT32 HashSize + ); + +/** + * Build GuidHob for Tdx CC measurement event. + * + * @param RtmrIndex RTMR index + * @param EventType Event type + * @param EventData Event data + * @param EventSize Size of event data + * @param HashValue Hash value + * @param HashSize Size of hash + * + * @retval EFI_SUCCESS Successfully build the GuidHobs + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperBuildTdxMeasurementGuidHob ( + UINT32 RtmrIndex, + UINT32 EventType, + UINT8 *EventData, + UINT32 EventSize, + UINT8 *HashValue, + UINT32 HashSize + ) +{ + return BuildTdxMeasurementGuidHob ( + RtmrIndex, + EventType, + EventData, + EventSize, + HashValue, + HashSize + ); +} 
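Review bot: In `TdxHelperHashAndExtendToRtmr` the `UINT32 RtmrIndex` is narrowed with `(UINT8)RtmrIndex` and no range check, so a value such as 256 silently becomes 0 and the digest is extended into RTMR[0]. That was contained while the function was STATIC and both SEC callers passed 0, but it is now a public library API. Reject out-of-range values alongside the existing parameter checks, for example `if (RtmrIndex > MAX_UINT8) { return EFI_INVALID_PARAMETER; }`, or preferably against the actual RTMR count if a constant for it is in scope. The trailing `ASSERT (!EFI_ERROR (Status))` also means any failure from `TdExtendRtmr` may stop a DEBUG build instead of reaching the caller, so consider dropping it now that inputs come from outside this file.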
diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c index a2125190d6..ecadca0783 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c @@ -9,6 +9,7 @@ #include #include +#include /** In Tdx guest, some information need to be passed from host VMM to guest 
@@ -77,3 +78,79 @@ TdxHelperBuildGuidHobForTdxMeasurement ( { return EFI_UNSUPPORTED; } + +/** + According to UEFI Spec 2.10 Section 38.4.1: + The following table shows the TPM PCR index mapping and CC event log measurement + register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement + Register and RTMR means Runtime Measurement Register + // TPM PCR Index | CC Measurement Register Index | TDX-measurement register + // ------------------------------------------------------------------------ + // 0 | 0 | MRTD + // 1, 7 | 1 | RTMR[0] + // 2~6 | 2 | RTMR[1] + // 8~15 | 3 | RTMR[2] + @param[in] PCRIndex Index of the TPM PCR + @retval UINT32 Index of the CC Event Log Measurement Register Index + @retval CC_MR_INDEX_INVALID Invalid MR Index +**/ +UINT32 +EFIAPI +TdxHelperMapPcrToMrIndex ( + IN UINT32 PCRIndex + ) +{ + return CC_MR_INDEX_INVALID; +} + +/** + * Calculate the sha384 of input Data and extend it to RTMR register. + * + * @param RtmrIndex Index of the RTMR register + * @param DataToHash Data to be hashed + * @param DataToHashLen Length of the data + * @param Digest Hash value of the input data + * @param DigestLen Length of the hash value + * + * @retval EFI_SUCCESS Successfully hash and extend to RTMR + * @retval Others Other errors as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperHashAndExtendToRtmr ( + IN UINT32 RtmrIndex, + IN VOID *DataToHash, + IN UINTN DataToHashLen, + OUT UINT8 *Digest, + IN UINTN DigestLen + ) +{ + return EFI_UNSUPPORTED; +} + +/** + * Build GuidHob for Tdx CC measurement event. 
+ * + * @param RtmrIndex RTMR index + * @param EventType Event type + * @param EventData Event data + * @param EventSize Size of event data + * @param HashValue Hash value + * @param HashSize Size of hash + * + * @retval EFI_SUCCESS Successfully build the GuidHobs + * @retval Others Other error as indicated + */ +EFI_STATUS +EFIAPI +TdxHelperBuildTdxMeasurementGuidHob ( + UINT32 RtmrIndex, + UINT32 EventType, + UINT8 *EventData, + UINT32 EventSize, + UINT8 *HashValue, + UINT32 HashSize + ) +{ + return EFI_UNSUPPORTED; +} diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c b/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c index a4c7095cff..42c51a191f 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c @@ -51,7 +51,6 @@ typedef PLATFORM_FIRMWARE_BLOB2_STRUCT CFV_HANDOFF_TABLE_POINTERS2; * @retval EFI_SUCCESS Successfully build the GuidHobs * @retval Others Other error as indicated */ -STATIC EFI_STATUS BuildTdxMeasurementGuidHob ( UINT32 RtmrIndex,
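Review bot: The three null stubs keep the header comments of the real implementations (for example "Calculate the sha384 of input Data and extend it to RTMR register"), although each only returns `EFI_UNSUPPORTED` or `CC_MR_INDEX_INVALID`. For `TdxHelperHashAndExtendToRtmr` this matters because `Digest` is an OUT buffer the stub never writes, so a caller that ignores the status would go on to use an uninitialised digest. I would replace the copied text with a short statement of what the stub does, e.g. `Null instance: performs no measurement, leaves Digest untouched and always returns EFI_UNSUPPORTED.`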
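Review bot: Dropping `STATIC` gives `BuildTdxMeasurementGuidHob` external linkage, but on this page its only declaration is the prototype hand-copied into TdxHelperCommon.c, and DxeTdxHelper.c supplies a second definition with the same signature. Nothing makes the compiler check that the three stay in sync, and the function has no `EFIAPI` while its public wrapper `TdxHelperBuildTdxMeasurementGuidHob` does. I would move the prototype into a private header inside TdxHelperLib/ that all three files include, with a comment marking it as internal to the library. The function body continues outside this hunk.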