tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-29 08:34:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

OvmfPkg: Update with TdxMeasurementLib

Browse Source 
Since the tdx measurement APIs are implemented by
TdxMeasurementLib, the duplicate code are removed.

Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
This commit is contained in:
Ceping Sun 2024-12-11 00:29:37 -05:00 committed by mergify[bot]
parent 6f73428d06
commit d51baa02a6
15 changed files with 39 additions and 553 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
OvmfPkg/Include/Library/TdxHelperLib.h
View File

@ -11,12 +11,6 @@
#include <PiPei.h> #include <PiPei.h>
#define CC_MR_INDEX_0_MRTD 0
#define CC_MR_INDEX_1_RTMR0 1
#define CC_MR_INDEX_2_RTMR1 2
#define CC_MR_INDEX_3_RTMR2 3
#define CC_MR_INDEX_INVALID 4
/** /**
In Tdx guest, some information need to be passed from host VMM to guest In Tdx guest, some information need to be passed from host VMM to guest
firmware. For example, the memory resource, etc. These information are firmware. For example, the memory resource, etc. These information are
@ -73,71 +67,4 @@ TdxHelperBuildGuidHobForTdxMeasurement (
VOID VOID
); );
/**
According to UEFI Spec 2.10 Section 38.4.1:
The following table shows the TPM PCR index mapping and CC event log measurement
register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
Register and RTMR means Runtime Measurement Register
// TPM PCR Index | CC Measurement Register Index | TDX-measurement register
// ------------------------------------------------------------------------
// 0 | 0 | MRTD
// 1, 7 | 1 | RTMR[0]
// 2~6 | 2 | RTMR[1]
// 8~15 | 3 | RTMR[2]
@param[in] PCRIndex Index of the TPM PCR
@retval UINT32 Index of the CC Event Log Measurement Register Index
@retval CC_MR_INDEX_INVALID Invalid MR Index
**/
UINT32
EFIAPI
TdxHelperMapPcrToMrIndex (
IN UINT32 PCRIndex
);
/**
* Build GuidHob for Tdx CC measurement event.
*
* @param RtmrIndex RTMR index
* @param EventType Event type
* @param EventData Event data
* @param EventSize Size of event data
* @param HashValue Hash value
* @param HashSize Size of hash
*
* @retval EFI_SUCCESS Successfully build the GuidHobs
* @retval Others Other error as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperBuildTdxMeasurementGuidHob (
UINT32 RtmrIndex,
UINT32 EventType,
UINT8 *EventData,
UINT32 EventSize,
UINT8 *HashValue,
UINT32 HashSize
);
/**
* Calculate the sha384 of input Data and extend it to RTMR register.
*
* @param RtmrIndex Index of the RTMR register
* @param DataToHash Data to be hashed
* @param DataToHashLen Length of the data
* @param Digest Hash value of the input data
* @param DigestLen Length of the hash value
*
* @retval EFI_SUCCESS Successfully hash and extend to RTMR
* @retval Others Other errors as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperHashAndExtendToRtmr (
IN UINT32 RtmrIndex,
IN VOID *DataToHash,
IN UINTN DataToHashLen,
OUT UINT8 *Digest,
IN UINTN DigestLen
);
#endif #endif

3
OvmfPkg/IntelTdx/IntelTdxX64.dsc
View File

@ -239,6 +239,7 @@
PrePiLib|EmbeddedPkg/Library/PrePiLib/PrePiLib.inf PrePiLib|EmbeddedPkg/Library/PrePiLib/PrePiLib.inf
PeilessStartupLib|OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf PeilessStartupLib|OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/SecPeiTdxMeasurementLib.inf
[LibraryClasses.common.DXE_CORE] [LibraryClasses.common.DXE_CORE]
HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
@ -313,7 +314,7 @@
NestedInterruptTplLib|OvmfPkg/Library/NestedInterruptTplLib/NestedInterruptTplLib.inf NestedInterruptTplLib|OvmfPkg/Library/NestedInterruptTplLib/NestedInterruptTplLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/DxeTdxMeasurementLib.inf
[LibraryClasses.common.UEFI_APPLICATION] [LibraryClasses.common.UEFI_APPLICATION]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

94
OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c
View File

@ -1,94 +0,0 @@
/** @file
TdxHelper Functions which are used in DXE phase
Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Base.h>
#include <Library/DebugLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/TdxHelperLib.h>
/**
* Build GuidHob for Tdx CC measurement event.
*/
EFI_STATUS
BuildTdxMeasurementGuidHob (
UINT32 RtmrIndex,
UINT32 EventType,
UINT8 *EventData,
UINT32 EventSize,
UINT8 *HashValue,
UINT32 HashSize
)
{
return EFI_UNSUPPORTED;
}
/**
In Tdx guest, some information need to be passed from host VMM to guest
firmware. For example, the memory resource, etc. These information are
prepared by host VMM and put in TdHob which is described in TdxMetadata.
TDVF processes the TdHob to accept memories.
@retval EFI_SUCCESS Successfully process the TdHob
@retval Others Other error as indicated
**/
EFI_STATUS
EFIAPI
TdxHelperProcessTdHob (
VOID
)
{
return EFI_UNSUPPORTED;
}
/**
In Tdx guest, TdHob is passed from host VMM to guest firmware and it contains
the information of the memory resource. From the security perspective before
it is consumed, it should be measured and extended.
*
* @retval EFI_SUCCESS Successfully measure the TdHob
* @retval Others Other error as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperMeasureTdHob (
VOID
)
{
return EFI_UNSUPPORTED;
}
/**
* In Tdx guest, Configuration FV (CFV) is treated as external input because it
* may contain the data provided by VMM. From the sucurity perspective Cfv image
* should be measured before it is consumed.
*
* @retval EFI_SUCCESS Successfully measure the CFV image
* @retval Others Other error as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperMeasureCfvImage (
VOID
)
{
return EFI_UNSUPPORTED;
}
/**
Build the GuidHob for tdx measurements which were done in SEC phase.
The measurement values are stored in WorkArea.
@retval EFI_SUCCESS The GuidHob is built successfully
@retval Others Other errors as indicated
**/
EFI_STATUS
EFIAPI
TdxHelperBuildGuidHobForTdxMeasurement (
VOID
)
{
return EFI_UNSUPPORTED;
}

41
OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf
View File

@ -1,41 +0,0 @@
## @file
# TdxHelperLib Dxe instance
#
# This module provides Tdx helper functions in DXE phase.
# Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = DxeTdxHelperLib
FILE_GUID = d9568aa2-ace6-11ef-8ef3-733e978530b2
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = TdxHelperLib|DXE_DRIVER DXE_RUNTIME_DRIVER
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = X64
#
[Sources]
DxeTdxHelper.c
TdxHelperCommon.c
[Packages]
MdeModulePkg/MdeModulePkg.dec
MdePkg/MdePkg.dec
OvmfPkg/OvmfPkg.dec
SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec
[LibraryClasses]
BaseLib
DebugLib
HobLib
PcdLib
BaseCryptLib

3
OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf
View File

@ -25,7 +25,6 @@
[Sources] [Sources]
PeiTdxHelper.c PeiTdxHelper.c
TdxMeasurementHob.c TdxMeasurementHob.c
TdxHelperCommon.c
[Packages] [Packages]
MdeModulePkg/MdeModulePkg.dec MdeModulePkg/MdeModulePkg.dec
@ -33,6 +32,7 @@
OvmfPkg/OvmfPkg.dec OvmfPkg/OvmfPkg.dec
SecurityPkg/SecurityPkg.dec SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec CryptoPkg/CryptoPkg.dec
UefiCpuPkg/UefiCpuPkg.dec
[LibraryClasses] [LibraryClasses]
BaseLib BaseLib
@ -40,6 +40,7 @@
HobLib HobLib
PcdLib PcdLib
BaseCryptLib BaseCryptLib
TdxMeasurementLib
[FixedPcd] [FixedPcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase

5
OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
View File

@ -23,6 +23,7 @@
#include <WorkArea.h> #include <WorkArea.h>
#include <ConfidentialComputingGuestAttr.h> #include <ConfidentialComputingGuestAttr.h>
#include <Library/TdxHelperLib.h> #include <Library/TdxHelperLib.h>
#include <Library/TdxMeasurementLib.h>
#define ALIGNED_2MB_MASK 0x1fffff #define ALIGNED_2MB_MASK 0x1fffff
#define MEGABYTE_SHIFT 20 #define MEGABYTE_SHIFT 20
@ -836,7 +837,7 @@ TdxHelperMeasureTdHob (
Hob.Raw = GET_NEXT_HOB (Hob); Hob.Raw = GET_NEXT_HOB (Hob);
} }
Status = TdxHelperHashAndExtendToRtmr ( Status = TdxMeasurementHashAndExtendToRtmr (
0, 0,
(UINT8 *)TdHob, (UINT8 *)TdHob,
(UINTN)((UINT8 *)Hob.Raw - (UINT8 *)TdHob), (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)TdHob),
@ -881,7 +882,7 @@ TdxHelperMeasureCfvImage (
UINT8 Digest[SHA384_DIGEST_SIZE]; UINT8 Digest[SHA384_DIGEST_SIZE];
OVMF_WORK_AREA *WorkArea; OVMF_WORK_AREA *WorkArea;
Status = TdxHelperHashAndExtendToRtmr ( Status = TdxMeasurementHashAndExtendToRtmr (
0, 0,
(UINT8 *)(UINTN)PcdGet32 (PcdOvmfFlashNvStorageVariableBase), (UINT8 *)(UINTN)PcdGet32 (PcdOvmfFlashNvStorageVariableBase),
(UINT64)PcdGet32 (PcdCfvRawDataSize), (UINT64)PcdGet32 (PcdCfvRawDataSize),

3
OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
View File

@ -25,7 +25,6 @@
[Sources] [Sources]
SecTdxHelper.c SecTdxHelper.c
TdxMeasurementHob.c TdxMeasurementHob.c
TdxHelperCommon.c
[Packages] [Packages]
CryptoPkg/CryptoPkg.dec CryptoPkg/CryptoPkg.dec
@ -33,6 +32,7 @@
MdePkg/MdePkg.dec MdePkg/MdePkg.dec
OvmfPkg/OvmfPkg.dec OvmfPkg/OvmfPkg.dec
SecurityPkg/SecurityPkg.dec SecurityPkg/SecurityPkg.dec
UefiCpuPkg/UefiCpuPkg.dec
[LibraryClasses] [LibraryClasses]
BaseLib BaseLib
@ -42,6 +42,7 @@
PcdLib PcdLib
TdxMailboxLib TdxMailboxLib
TdxLib TdxLib
TdxMeasurementLib
[FixedPcd] [FixedPcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase

156
OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c
View File

@ -1,156 +0,0 @@
/** @file
TdxHelper Common Functions
Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiPei.h>
#include <Ppi/CcMeasurement.h>
#include <Library/DebugLib.h>
#include <Library/PeiServicesLib.h>
#include <Library/TdxLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/BaseCryptLib.h>
#include <Library/HobLib.h>
#include <Library/TdxHelperLib.h>
/**
According to UEFI Spec 2.10 Section 38.4.1:
The following table shows the TPM PCR index mapping and CC event log measurement
register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
Register and RTMR means Runtime Measurement Register
// TPM PCR Index | CC Measurement Register Index | TDX-measurement register
// ------------------------------------------------------------------------
// 0 | 0 | MRTD
// 1, 7 | 1 | RTMR[0]
// 2~6 | 2 | RTMR[1]
// 8~15 | 3 | RTMR[2]
@param[in] PCRIndex Index of the TPM PCR
@retval UINT32 Index of the CC Event Log Measurement Register Index
@retval CC_MR_INDEX_INVALID Invalid MR Index
**/
UINT32
EFIAPI
TdxHelperMapPcrToMrIndex (
IN UINT32 PCRIndex
)
{
UINT32 MrIndex;
if (PCRIndex > 15) {
ASSERT (FALSE);
return CC_MR_INDEX_INVALID;
}
MrIndex = 0;
if (PCRIndex == 0) {
MrIndex = CC_MR_INDEX_0_MRTD;
} else if ((PCRIndex == 1) || (PCRIndex == 7)) {
MrIndex = CC_MR_INDEX_1_RTMR0;
} else if ((PCRIndex >= 2) && (PCRIndex <= 6)) {
MrIndex = CC_MR_INDEX_2_RTMR1;
} else if ((PCRIndex >= 8) && (PCRIndex <= 15)) {
MrIndex = CC_MR_INDEX_3_RTMR2;
}
return MrIndex;
}
/**
* Calculate the sha384 of input Data and extend it to RTMR register.
*
* @param RtmrIndex Index of the RTMR register
* @param DataToHash Data to be hashed
* @param DataToHashLen Length of the data
* @param Digest Hash value of the input data
* @param DigestLen Length of the hash value
*
* @retval EFI_SUCCESS Successfully hash and extend to RTMR
* @retval Others Other errors as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperHashAndExtendToRtmr (
IN UINT32 RtmrIndex,
IN VOID *DataToHash,
IN UINTN DataToHashLen,
OUT UINT8 *Digest,
IN UINTN DigestLen
)
{
EFI_STATUS Status;
if ((DataToHash == NULL) || (DataToHashLen == 0)) {
return EFI_INVALID_PARAMETER;
}
if ((Digest == NULL) || (DigestLen != SHA384_DIGEST_SIZE)) {
return EFI_INVALID_PARAMETER;
}
//
// Calculate the sha384 of the data
//
if (!Sha384HashAll (DataToHash, DataToHashLen, Digest)) {
return EFI_ABORTED;
}
//
// Extend to RTMR
//
Status = TdExtendRtmr (
(UINT32 *)Digest,
SHA384_DIGEST_SIZE,
(UINT8)RtmrIndex
);
ASSERT (!EFI_ERROR (Status));
return Status;
}
/**
* Build GuidHob for Tdx CC measurement event.
*/
EFI_STATUS
BuildTdxMeasurementGuidHob (
UINT32 RtmrIndex,
UINT32 EventType,
UINT8 *EventData,
UINT32 EventSize,
UINT8 *HashValue,
UINT32 HashSize
);
/**
* Build GuidHob for Tdx CC measurement event.
*
* @param RtmrIndex RTMR index
* @param EventType Event type
* @param EventData Event data
* @param EventSize Size of event data
* @param HashValue Hash value
* @param HashSize Size of hash
*
* @retval EFI_SUCCESS Successfully build the GuidHobs
* @retval Others Other error as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperBuildTdxMeasurementGuidHob (
UINT32 RtmrIndex,
UINT32 EventType,
UINT8 *EventData,
UINT32 EventSize,
UINT8 *HashValue,
UINT32 HashSize
)
{
return BuildTdxMeasurementGuidHob (
RtmrIndex,
EventType,
EventData,
EventSize,
HashValue,
HashSize
);
}

76
OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c
View File

@ -78,79 +78,3 @@ TdxHelperBuildGuidHobForTdxMeasurement (
{ {
return EFI_UNSUPPORTED; return EFI_UNSUPPORTED;
} }
/**
According to UEFI Spec 2.10 Section 38.4.1:
The following table shows the TPM PCR index mapping and CC event log measurement
register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
Register and RTMR means Runtime Measurement Register
// TPM PCR Index | CC Measurement Register Index | TDX-measurement register
// ------------------------------------------------------------------------
// 0 | 0 | MRTD
// 1, 7 | 1 | RTMR[0]
// 2~6 | 2 | RTMR[1]
// 8~15 | 3 | RTMR[2]
@param[in] PCRIndex Index of the TPM PCR
@retval UINT32 Index of the CC Event Log Measurement Register Index
@retval CC_MR_INDEX_INVALID Invalid MR Index
**/
UINT32
EFIAPI
TdxHelperMapPcrToMrIndex (
IN UINT32 PCRIndex
)
{
return CC_MR_INDEX_INVALID;
}
/**
* Calculate the sha384 of input Data and extend it to RTMR register.
*
* @param RtmrIndex Index of the RTMR register
* @param DataToHash Data to be hashed
* @param DataToHashLen Length of the data
* @param Digest Hash value of the input data
* @param DigestLen Length of the hash value
*
* @retval EFI_SUCCESS Successfully hash and extend to RTMR
* @retval Others Other errors as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperHashAndExtendToRtmr (
IN UINT32 RtmrIndex,
IN VOID *DataToHash,
IN UINTN DataToHashLen,
OUT UINT8 *Digest,
IN UINTN DigestLen
)
{
return EFI_UNSUPPORTED;
}
/**
* Build GuidHob for Tdx CC measurement event.
*
* @param RtmrIndex RTMR index
* @param EventType Event type
* @param EventData Event data
* @param EventSize Size of event data
* @param HashValue Hash value
* @param HashSize Size of hash
*
* @retval EFI_SUCCESS Successfully build the GuidHobs
* @retval Others Other error as indicated
*/
EFI_STATUS
EFIAPI
TdxHelperBuildTdxMeasurementGuidHob (
UINT32 RtmrIndex,
UINT32 EventType,
UINT8 *EventData,
UINT32 EventSize,
UINT8 *HashValue,
UINT32 HashSize
)
{
return EFI_UNSUPPORTED;
}

87
OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c
View File

@ -17,6 +17,7 @@
#include <Library/PrintLib.h> #include <Library/PrintLib.h>
#include <Library/TcgEventLogRecordLib.h> #include <Library/TcgEventLogRecordLib.h>
#include <WorkArea.h> #include <WorkArea.h>
#include <Library/TdxMeasurementLib.h>
#pragma pack(1) #pragma pack(1)
@ -33,88 +34,6 @@ typedef struct {
#define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)" #define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)"
typedef PLATFORM_FIRMWARE_BLOB2_STRUCT CFV_HANDOFF_TABLE_POINTERS2; typedef PLATFORM_FIRMWARE_BLOB2_STRUCT CFV_HANDOFF_TABLE_POINTERS2;
/**
* Build GuidHob for Tdx measurement.
*
* Tdx measurement includes the measurement of TdHob and CFV. They're measured
* and extended to RTMR registers in SEC phase. Because at that moment the Hob
* service are not available. So the values of the measurement are saved in
* workarea and will be built into GuidHob after the Hob service is ready.
*
* @param RtmrIndex RTMR index
* @param EventType Event type
* @param EventData Event data
* @param EventSize Size of event data
* @param HashValue Hash value
* @param HashSize Size of hash
*
* @retval EFI_SUCCESS Successfully build the GuidHobs
* @retval Others Other error as indicated
*/
EFI_STATUS
BuildTdxMeasurementGuidHob (
UINT32 RtmrIndex,
UINT32 EventType,
UINT8 *EventData,
UINT32 EventSize,
UINT8 *HashValue,
UINT32 HashSize
)
{
VOID *EventHobData;
UINT8 *Ptr;
TPML_DIGEST_VALUES *TdxDigest;
if (HashSize != SHA384_DIGEST_SIZE) {
return EFI_INVALID_PARAMETER;
}
#define TDX_DIGEST_VALUE_LEN (sizeof (UINT32) + sizeof (TPMI_ALG_HASH) + SHA384_DIGEST_SIZE)
EventHobData = BuildGuidHob (
&gCcEventEntryHobGuid,
sizeof (TCG_PCRINDEX) + sizeof (TCG_EVENTTYPE) +
TDX_DIGEST_VALUE_LEN +
sizeof (UINT32) + EventSize
);
if (EventHobData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
Ptr = (UINT8 *)EventHobData;
//
// There are 2 types of measurement registers in TDX: MRTD and RTMR[0-3].
// According to UEFI Spec 2.10 Section 38.4.1, RTMR[0-3] is mapped to MrIndex[1-4].
// So RtmrIndex must be increased by 1 before the event log is created.
//
RtmrIndex++;
CopyMem (Ptr, &RtmrIndex, sizeof (UINT32));
Ptr += sizeof (UINT32);
CopyMem (Ptr, &EventType, sizeof (TCG_EVENTTYPE));
Ptr += sizeof (TCG_EVENTTYPE);
TdxDigest = (TPML_DIGEST_VALUES *)Ptr;
TdxDigest->count = 1;
TdxDigest->digests[0].hashAlg = TPM_ALG_SHA384;
CopyMem (
TdxDigest->digests[0].digest.sha384,
HashValue,
SHA384_DIGEST_SIZE
);
Ptr += TDX_DIGEST_VALUE_LEN;
CopyMem (Ptr, &EventSize, sizeof (UINT32));
Ptr += sizeof (UINT32);
CopyMem (Ptr, (VOID *)EventData, EventSize);
Ptr += EventSize;
return EFI_SUCCESS;
}
/** /**
Get the FvName from the FV header. Get the FvName from the FV header.
@ -207,7 +126,7 @@ InternalBuildGuidHobForTdxMeasurement (
CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgTokenSpaceGuid); CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgTokenSpaceGuid);
HandoffTables.TableEntry[0].VendorTable = TdHobList; HandoffTables.TableEntry[0].VendorTable = TdHobList;
Status = BuildTdxMeasurementGuidHob ( Status = TdxMeasurementBuildGuidHob (
0, // RtmrIndex 0, // RtmrIndex
EV_EFI_HANDOFF_TABLES2, // EventType EV_EFI_HANDOFF_TABLES2, // EventType
(UINT8 *)(UINTN)&HandoffTables, // EventData (UINT8 *)(UINTN)&HandoffTables, // EventData
@ -239,7 +158,7 @@ InternalBuildGuidHobForTdxMeasurement (
FvBlob2.BlobBase = FvBase; FvBlob2.BlobBase = FvBase;
FvBlob2.BlobLength = FvLength; FvBlob2.BlobLength = FvLength;
Status = BuildTdxMeasurementGuidHob ( Status = TdxMeasurementBuildGuidHob (
0, // RtmrIndex 0, // RtmrIndex
EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType
(VOID *)&FvBlob2, // EventData (VOID *)&FvBlob2, // EventData

4
OvmfPkg/OvmfPkgX64.dsc
View File

@ -297,6 +297,7 @@
CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf
MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/SecPeiTdxMeasurementLib.inf
[LibraryClasses.common.PEI_CORE] [LibraryClasses.common.PEI_CORE]
HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf
@ -345,6 +346,7 @@
MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/SecPeiTdxMeasurementLib.inf
TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf
[LibraryClasses.common.DXE_CORE] [LibraryClasses.common.DXE_CORE]
@ -433,7 +435,7 @@
NestedInterruptTplLib|OvmfPkg/Library/NestedInterruptTplLib/NestedInterruptTplLib.inf NestedInterruptTplLib|OvmfPkg/Library/NestedInterruptTplLib/NestedInterruptTplLib.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/DxeTdxMeasurementLib.inf
[LibraryClasses.common.UEFI_APPLICATION] [LibraryClasses.common.UEFI_APPLICATION]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

28
OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c
View File

@ -44,7 +44,7 @@
#include <Protocol/CcMeasurement.h> #include <Protocol/CcMeasurement.h>
#include <Guid/CcEventHob.h> #include <Guid/CcEventHob.h>
#include <Library/TdxLib.h> #include <Library/TdxLib.h>
#include <Library/TdxHelperLib.h> #include <Library/TdxMeasurementLib.h>
#define PERF_ID_CC_TCG2_DXE 0x3130 #define PERF_ID_CC_TCG2_DXE 0x3130
@ -940,7 +940,7 @@ TdMapPcrToMrIndex (
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
*MrIndex = TdxHelperMapPcrToMrIndex (PCRIndex); *MrIndex = TdxMeasurementMapPcrToMrIndex (PCRIndex);
return *MrIndex == CC_MR_INDEX_INVALID ? EFI_INVALID_PARAMETER : EFI_SUCCESS; return *MrIndex == CC_MR_INDEX_INVALID ? EFI_INVALID_PARAMETER : EFI_SUCCESS;
} }
@ -1607,7 +1607,7 @@ MeasureHandoffTables (
Status = GetProcessorsCpuLocation (&ProcessorLocBuf, &ProcessorNum); Status = GetProcessorsCpuLocation (&ProcessorLocBuf, &ProcessorNum);
if (!EFI_ERROR (Status)) { if (!EFI_ERROR (Status)) {
CcEvent.MrIndex = TdxHelperMapPcrToMrIndex (1); CcEvent.MrIndex = TdxMeasurementMapPcrToMrIndex (1);
CcEvent.EventType = EV_TABLE_OF_DEVICES; CcEvent.EventType = EV_TABLE_OF_DEVICES;
CcEvent.EventSize = sizeof (HandoffTables); CcEvent.EventSize = sizeof (HandoffTables);
@ -1829,7 +1829,7 @@ ReadAndMeasureBootVariable (
) )
{ {
return ReadAndMeasureVariable ( return ReadAndMeasureVariable (
TdxHelperMapPcrToMrIndex (1), TdxMeasurementMapPcrToMrIndex (1),
EV_EFI_VARIABLE_BOOT, EV_EFI_VARIABLE_BOOT,
VarName, VarName,
VendorGuid, VendorGuid,
@ -1860,7 +1860,7 @@ ReadAndMeasureSecureVariable (
) )
{ {
return ReadAndMeasureVariable ( return ReadAndMeasureVariable (
TdxHelperMapPcrToMrIndex (7), TdxMeasurementMapPcrToMrIndex (7),
EV_EFI_VARIABLE_DRIVER_CONFIG, EV_EFI_VARIABLE_DRIVER_CONFIG,
VarName, VarName,
VendorGuid, VendorGuid,
@ -1968,7 +1968,7 @@ MeasureAllSecureVariables (
Status = GetVariable2 (EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, &Data, &DataSize); Status = GetVariable2 (EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, &Data, &DataSize);
if (!EFI_ERROR (Status)) { if (!EFI_ERROR (Status)) {
Status = MeasureVariable ( Status = MeasureVariable (
TdxHelperMapPcrToMrIndex (7), TdxMeasurementMapPcrToMrIndex (7),
EV_EFI_VARIABLE_DRIVER_CONFIG, EV_EFI_VARIABLE_DRIVER_CONFIG,
EFI_IMAGE_SECURITY_DATABASE2, EFI_IMAGE_SECURITY_DATABASE2,
&gEfiImageSecurityDatabaseGuid, &gEfiImageSecurityDatabaseGuid,
@ -1998,7 +1998,7 @@ MeasureLaunchOfFirmwareDebugger (
{ {
CC_EVENT_HDR CcEvent; CC_EVENT_HDR CcEvent;
CcEvent.MrIndex = TdxHelperMapPcrToMrIndex (7); CcEvent.MrIndex = TdxMeasurementMapPcrToMrIndex (7);
CcEvent.EventType = EV_EFI_ACTION; CcEvent.EventType = EV_EFI_ACTION;
CcEvent.EventSize = sizeof (FIRMWARE_DEBUGGER_EVENT_STRING) - 1; CcEvent.EventSize = sizeof (FIRMWARE_DEBUGGER_EVENT_STRING) - 1;
return TdxDxeHashLogExtendEvent ( return TdxDxeHashLogExtendEvent (
@ -2057,7 +2057,7 @@ MeasureSecureBootPolicy (
// There might be a case that we need measure UEFI image from DriverOrder, besides BootOrder. So // There might be a case that we need measure UEFI image from DriverOrder, besides BootOrder. So
// the Authority measurement happen before ReadToBoot event. // the Authority measurement happen before ReadToBoot event.
// //
Status = MeasureSeparatorEvent (TdxHelperMapPcrToMrIndex (7)); Status = MeasureSeparatorEvent (TdxMeasurementMapPcrToMrIndex (7));
DEBUG ((DEBUG_INFO, "MeasureSeparatorEvent - %r\n", Status)); DEBUG ((DEBUG_INFO, "MeasureSeparatorEvent - %r\n", Status));
return; return;
} }
@ -2102,7 +2102,7 @@ OnReadyToBoot (
// 1. This is the first boot attempt. // 1. This is the first boot attempt.
// //
Status = TdMeasureAction ( Status = TdMeasureAction (
TdxHelperMapPcrToMrIndex (4), TdxMeasurementMapPcrToMrIndex (4),
EFI_CALLING_EFI_APPLICATION EFI_CALLING_EFI_APPLICATION
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
@ -2140,7 +2140,7 @@ OnReadyToBoot (
// 6. Not first attempt, meaning a return from last attempt // 6. Not first attempt, meaning a return from last attempt
// //
Status = TdMeasureAction ( Status = TdMeasureAction (
TdxHelperMapPcrToMrIndex (4), TdxMeasurementMapPcrToMrIndex (4),
EFI_RETURNING_FROM_EFI_APPLICATION EFI_RETURNING_FROM_EFI_APPLICATION
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
@ -2152,7 +2152,7 @@ OnReadyToBoot (
// TCG PC Client PFP spec Section 2.4.4.5 Step 4 // TCG PC Client PFP spec Section 2.4.4.5 Step 4
// //
Status = TdMeasureAction ( Status = TdMeasureAction (
TdxHelperMapPcrToMrIndex (4), TdxMeasurementMapPcrToMrIndex (4),
EFI_CALLING_EFI_APPLICATION EFI_CALLING_EFI_APPLICATION
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
@ -2190,7 +2190,7 @@ OnExitBootServices (
// Measure invocation of ExitBootServices, // Measure invocation of ExitBootServices,
// //
Status = TdMeasureAction ( Status = TdMeasureAction (
TdxHelperMapPcrToMrIndex (5), TdxMeasurementMapPcrToMrIndex (5),
EFI_EXIT_BOOT_SERVICES_INVOCATION EFI_EXIT_BOOT_SERVICES_INVOCATION
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
@ -2201,7 +2201,7 @@ OnExitBootServices (
// Measure success of ExitBootServices // Measure success of ExitBootServices
// //
Status = TdMeasureAction ( Status = TdMeasureAction (
TdxHelperMapPcrToMrIndex (5), TdxMeasurementMapPcrToMrIndex (5),
EFI_EXIT_BOOT_SERVICES_SUCCEEDED EFI_EXIT_BOOT_SERVICES_SUCCEEDED
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
@ -2231,7 +2231,7 @@ OnExitBootServicesFailed (
// Measure Failure of ExitBootServices, // Measure Failure of ExitBootServices,
// //
Status = TdMeasureAction ( Status = TdMeasureAction (
TdxHelperMapPcrToMrIndex (5), TdxMeasurementMapPcrToMrIndex (5),
EFI_EXIT_BOOT_SERVICES_FAILED EFI_EXIT_BOOT_SERVICES_FAILED
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {

4
OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
View File

@ -31,7 +31,7 @@
MdeModulePkg/MdeModulePkg.dec MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec CryptoPkg/CryptoPkg.dec
OvmfPkg/OvmfPkg.dec UefiCpuPkg/UefiCpuPkg.dec
[LibraryClasses] [LibraryClasses]
MemoryAllocationLib MemoryAllocationLib
@ -50,7 +50,7 @@
PeCoffLib PeCoffLib
TpmMeasurementLib TpmMeasurementLib
TdxLib TdxLib
TdxHelperLib TdxMeasurementLib
[Guids] [Guids]
## SOMETIMES_CONSUMES ## Variable:L"SecureBoot" ## SOMETIMES_CONSUMES ## Variable:L"SecureBoot"

12
OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.c
View File

@ -14,7 +14,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/BaseMemoryLib.h> #include <Library/BaseMemoryLib.h>
#include <Library/BaseCryptLib.h> #include <Library/BaseCryptLib.h>
#include <Library/HobLib.h> #include <Library/HobLib.h>
#include <Library/TdxHelperLib.h> #include <Library/TdxMeasurementLib.h>
/** /**
Do a hash operation on a data buffer, extend a specific RTMR with the hash result, Do a hash operation on a data buffer, extend a specific RTMR with the hash result,
@ -47,7 +47,7 @@ TdxPeiHashLogExtendEvent (
EFI_STATUS Status; EFI_STATUS Status;
UINT8 Digest[SHA384_DIGEST_SIZE]; UINT8 Digest[SHA384_DIGEST_SIZE];
Status = TdxHelperHashAndExtendToRtmr ( Status = TdxMeasurementHashAndExtendToRtmr (
MrIndex - 1, MrIndex - 1,
HashData, HashData,
(UINTN)HashDataLen, (UINTN)HashDataLen,
@ -56,11 +56,11 @@ TdxPeiHashLogExtendEvent (
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "%a: HashAndExtendToRtmr failed with %r\n", __func__, Status)); DEBUG ((DEBUG_ERROR, "%a: TdxMeasurementHashAndExtendToRtmr failed with %r\n", __func__, Status));
return Status; return Status;
} }
Status = TdxHelperBuildTdxMeasurementGuidHob ( Status = TdxMeasurementBuildGuidHob (
MrIndex - 1, MrIndex - 1,
EventType, EventType,
EventData, EventData,
@ -70,7 +70,7 @@ TdxPeiHashLogExtendEvent (
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "%a: BuildTdxMeasurementGuidHob failed with %r\n", __func__, Status)); DEBUG ((DEBUG_ERROR, "%a: TdxMeasurementBuildGuidHob failed with %r\n", __func__, Status));
} }
return Status; return Status;
@ -150,7 +150,7 @@ TdMapPcrToMrIndex (
OUT UINT32 *MrIndex OUT UINT32 *MrIndex
) )
{ {
*MrIndex = TdxHelperMapPcrToMrIndex (PCRIndex); *MrIndex = TdxMeasurementMapPcrToMrIndex (PCRIndex);
return EFI_SUCCESS; return EFI_SUCCESS;
} }

3
OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.inf
View File

@ -27,6 +27,7 @@
MdePkg/MdePkg.dec MdePkg/MdePkg.dec
SecurityPkg/SecurityPkg.dec SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec CryptoPkg/CryptoPkg.dec
UefiCpuPkg/UefiCpuPkg.dec
OvmfPkg/OvmfPkg.dec OvmfPkg/OvmfPkg.dec
[LibraryClasses] [LibraryClasses]
@ -38,7 +39,7 @@
PrintLib PrintLib
TdxLib TdxLib
BaseCryptLib BaseCryptLib
TdxHelperLib TdxMeasurementLib
[Ppis] [Ppis]
gEdkiiCcPpiGuid gEdkiiCcPpiGuid