From d51baa02a6f37b3aeb0b2e0772ca446831aca2d2 Mon Sep 17 00:00:00 2001 From: Ceping Sun Date: Wed, 11 Dec 2024 00:29:37 -0500 Subject: OvmfPkg: Update with TdxMeasurementLib Since the tdx measurement APIs are implemented by TdxMeasurementLib, the duplicate code are removed. Cc: Erdem Aktas Cc: Jiewen Yao Cc: Min Xu Cc: Gerd Hoffmann Cc: Elena Reshetova Signed-off-by: Min Xu Signed-off-by: Ceping Sun --- OvmfPkg/Include/Library/TdxHelperLib.h | 73 ---------- OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +- OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c | 94 ------------- OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf | 41 ------ OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf | 3 +- OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c | 5 +- OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf | 3 +- OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c | 156 ---------------------- OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c | 76 ----------- OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c | 87 +----------- OvmfPkg/OvmfPkgX64.dsc | 4 +- OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c | 28 ++-- OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf | 4 +- OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.c | 12 +- OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.inf | 3 +- 15 files changed, 39 insertions(+), 553 deletions(-) delete mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c delete mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf delete mode 100644 OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c (limited to 'OvmfPkg') diff --git a/OvmfPkg/Include/Library/TdxHelperLib.h b/OvmfPkg/Include/Library/TdxHelperLib.h index 39c2997e08..199aade42f 100644 --- a/OvmfPkg/Include/Library/TdxHelperLib.h +++ b/OvmfPkg/Include/Library/TdxHelperLib.h @@ -11,12 +11,6 @@ #include -#define CC_MR_INDEX_0_MRTD 0 -#define CC_MR_INDEX_1_RTMR0 1 -#define CC_MR_INDEX_2_RTMR1 2 -#define CC_MR_INDEX_3_RTMR2 3 -#define CC_MR_INDEX_INVALID 4 - /** In Tdx guest, some information need to be passed from host VMM to guest firmware. For example, the memory resource, etc. These information are @@ -73,71 +67,4 @@ TdxHelperBuildGuidHobForTdxMeasurement ( VOID ); -/** - According to UEFI Spec 2.10 Section 38.4.1: - The following table shows the TPM PCR index mapping and CC event log measurement - register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement - Register and RTMR means Runtime Measurement Register - // TPM PCR Index | CC Measurement Register Index | TDX-measurement register - // ------------------------------------------------------------------------ - // 0 | 0 | MRTD - // 1, 7 | 1 | RTMR[0] - // 2~6 | 2 | RTMR[1] - // 8~15 | 3 | RTMR[2] - @param[in] PCRIndex Index of the TPM PCR - @retval UINT32 Index of the CC Event Log Measurement Register Index - @retval CC_MR_INDEX_INVALID Invalid MR Index -**/ -UINT32 -EFIAPI -TdxHelperMapPcrToMrIndex ( - IN UINT32 PCRIndex - ); - -/** - * Build GuidHob for Tdx CC measurement event. - * - * @param RtmrIndex RTMR index - * @param EventType Event type - * @param EventData Event data - * @param EventSize Size of event data - * @param HashValue Hash value - * @param HashSize Size of hash - * - * @retval EFI_SUCCESS Successfully build the GuidHobs - * @retval Others Other error as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperBuildTdxMeasurementGuidHob ( - UINT32 RtmrIndex, - UINT32 EventType, - UINT8 *EventData, - UINT32 EventSize, - UINT8 *HashValue, - UINT32 HashSize - ); - -/** - * Calculate the sha384 of input Data and extend it to RTMR register. - * - * @param RtmrIndex Index of the RTMR register - * @param DataToHash Data to be hashed - * @param DataToHashLen Length of the data - * @param Digest Hash value of the input data - * @param DigestLen Length of the hash value - * - * @retval EFI_SUCCESS Successfully hash and extend to RTMR - * @retval Others Other errors as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperHashAndExtendToRtmr ( - IN UINT32 RtmrIndex, - IN VOID *DataToHash, - IN UINTN DataToHashLen, - OUT UINT8 *Digest, - IN UINTN DigestLen - ); - #endif diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc index 8a50519ecf..6d3e0a5f1c 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -239,6 +239,7 @@ PrePiLib|EmbeddedPkg/Library/PrePiLib/PrePiLib.inf PeilessStartupLib|OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/SecPeiTdxMeasurementLib.inf [LibraryClasses.common.DXE_CORE] HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf @@ -313,7 +314,7 @@ NestedInterruptTplLib|OvmfPkg/Library/NestedInterruptTplLib/NestedInterruptTplLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf - TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf + TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/DxeTdxMeasurementLib.inf [LibraryClasses.common.UEFI_APPLICATION] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c b/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c deleted file mode 100644 index 3437132488..0000000000 --- a/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelper.c +++ /dev/null @@ -1,94 +0,0 @@ -/** @file - TdxHelper Functions which are used in DXE phase - -Copyright (c) 2024, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent -**/ -#include -#include -#include -#include - -/** - * Build GuidHob for Tdx CC measurement event. - */ -EFI_STATUS -BuildTdxMeasurementGuidHob ( - UINT32 RtmrIndex, - UINT32 EventType, - UINT8 *EventData, - UINT32 EventSize, - UINT8 *HashValue, - UINT32 HashSize - ) -{ - return EFI_UNSUPPORTED; -} - -/** - In Tdx guest, some information need to be passed from host VMM to guest - firmware. For example, the memory resource, etc. These information are - prepared by host VMM and put in TdHob which is described in TdxMetadata. - TDVF processes the TdHob to accept memories. - - @retval EFI_SUCCESS Successfully process the TdHob - @retval Others Other error as indicated -**/ -EFI_STATUS -EFIAPI -TdxHelperProcessTdHob ( - VOID - ) -{ - return EFI_UNSUPPORTED; -} - -/** - In Tdx guest, TdHob is passed from host VMM to guest firmware and it contains - the information of the memory resource. From the security perspective before - it is consumed, it should be measured and extended. - * - * @retval EFI_SUCCESS Successfully measure the TdHob - * @retval Others Other error as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperMeasureTdHob ( - VOID - ) -{ - return EFI_UNSUPPORTED; -} - -/** - * In Tdx guest, Configuration FV (CFV) is treated as external input because it - * may contain the data provided by VMM. From the sucurity perspective Cfv image - * should be measured before it is consumed. - * - * @retval EFI_SUCCESS Successfully measure the CFV image - * @retval Others Other error as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperMeasureCfvImage ( - VOID - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Build the GuidHob for tdx measurements which were done in SEC phase. - The measurement values are stored in WorkArea. - - @retval EFI_SUCCESS The GuidHob is built successfully - @retval Others Other errors as indicated -**/ -EFI_STATUS -EFIAPI -TdxHelperBuildGuidHobForTdxMeasurement ( - VOID - ) -{ - return EFI_UNSUPPORTED; -} diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf deleted file mode 100644 index 36be2e4761..0000000000 --- a/OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf +++ /dev/null @@ -1,41 +0,0 @@ -## @file -# TdxHelperLib Dxe instance -# -# This module provides Tdx helper functions in DXE phase. -# Copyright (c) 2024, Intel Corporation. All rights reserved.
-# -# SPDX-License-Identifier: BSD-2-Clause-Patent -# -## - -[Defines] - INF_VERSION = 0x00010005 - BASE_NAME = DxeTdxHelperLib - FILE_GUID = d9568aa2-ace6-11ef-8ef3-733e978530b2 - MODULE_TYPE = BASE - VERSION_STRING = 1.0 - LIBRARY_CLASS = TdxHelperLib|DXE_DRIVER DXE_RUNTIME_DRIVER - -# -# The following information is for reference only and not required by the build tools. -# -# VALID_ARCHITECTURES = X64 -# - -[Sources] - DxeTdxHelper.c - TdxHelperCommon.c - -[Packages] - MdeModulePkg/MdeModulePkg.dec - MdePkg/MdePkg.dec - OvmfPkg/OvmfPkg.dec - SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec - -[LibraryClasses] - BaseLib - DebugLib - HobLib - PcdLib - BaseCryptLib diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf index e929626bc5..ce86a50426 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf +++ b/OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf @@ -25,7 +25,6 @@ [Sources] PeiTdxHelper.c TdxMeasurementHob.c - TdxHelperCommon.c [Packages] MdeModulePkg/MdeModulePkg.dec @@ -33,6 +32,7 @@ OvmfPkg/OvmfPkg.dec SecurityPkg/SecurityPkg.dec CryptoPkg/CryptoPkg.dec + UefiCpuPkg/UefiCpuPkg.dec [LibraryClasses] BaseLib @@ -40,6 +40,7 @@ HobLib PcdLib BaseCryptLib + TdxMeasurementLib [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c index 6f8daef4cb..67fc8fe7f2 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c @@ -23,6 +23,7 @@ #include #include #include +#include #define ALIGNED_2MB_MASK 0x1fffff #define MEGABYTE_SHIFT 20 @@ -836,7 +837,7 @@ TdxHelperMeasureTdHob ( Hob.Raw = GET_NEXT_HOB (Hob); } - Status = TdxHelperHashAndExtendToRtmr ( + Status = TdxMeasurementHashAndExtendToRtmr ( 0, (UINT8 *)TdHob, (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)TdHob), @@ -881,7 +882,7 @@ TdxHelperMeasureCfvImage ( UINT8 Digest[SHA384_DIGEST_SIZE]; OVMF_WORK_AREA *WorkArea; - Status = TdxHelperHashAndExtendToRtmr ( + Status = TdxMeasurementHashAndExtendToRtmr ( 0, (UINT8 *)(UINTN)PcdGet32 (PcdOvmfFlashNvStorageVariableBase), (UINT64)PcdGet32 (PcdCfvRawDataSize), diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf index b536eb4ec9..5fbcaabfa0 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf +++ b/OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf @@ -25,7 +25,6 @@ [Sources] SecTdxHelper.c TdxMeasurementHob.c - TdxHelperCommon.c [Packages] CryptoPkg/CryptoPkg.dec @@ -33,6 +32,7 @@ MdePkg/MdePkg.dec OvmfPkg/OvmfPkg.dec SecurityPkg/SecurityPkg.dec + UefiCpuPkg/UefiCpuPkg.dec [LibraryClasses] BaseLib @@ -42,6 +42,7 @@ PcdLib TdxMailboxLib TdxLib + TdxMeasurementLib [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c deleted file mode 100644 index e52ba7bcae..0000000000 --- a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperCommon.c +++ /dev/null @@ -1,156 +0,0 @@ -/** @file - TdxHelper Common Functions - -Copyright (c) 2024, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent -**/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/** - According to UEFI Spec 2.10 Section 38.4.1: - The following table shows the TPM PCR index mapping and CC event log measurement - register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement - Register and RTMR means Runtime Measurement Register - // TPM PCR Index | CC Measurement Register Index | TDX-measurement register - // ------------------------------------------------------------------------ - // 0 | 0 | MRTD - // 1, 7 | 1 | RTMR[0] - // 2~6 | 2 | RTMR[1] - // 8~15 | 3 | RTMR[2] - @param[in] PCRIndex Index of the TPM PCR - @retval UINT32 Index of the CC Event Log Measurement Register Index - @retval CC_MR_INDEX_INVALID Invalid MR Index -**/ -UINT32 -EFIAPI -TdxHelperMapPcrToMrIndex ( - IN UINT32 PCRIndex - ) -{ - UINT32 MrIndex; - - if (PCRIndex > 15) { - ASSERT (FALSE); - return CC_MR_INDEX_INVALID; - } - - MrIndex = 0; - if (PCRIndex == 0) { - MrIndex = CC_MR_INDEX_0_MRTD; - } else if ((PCRIndex == 1) || (PCRIndex == 7)) { - MrIndex = CC_MR_INDEX_1_RTMR0; - } else if ((PCRIndex >= 2) && (PCRIndex <= 6)) { - MrIndex = CC_MR_INDEX_2_RTMR1; - } else if ((PCRIndex >= 8) && (PCRIndex <= 15)) { - MrIndex = CC_MR_INDEX_3_RTMR2; - } - - return MrIndex; -} - -/** - * Calculate the sha384 of input Data and extend it to RTMR register. - * - * @param RtmrIndex Index of the RTMR register - * @param DataToHash Data to be hashed - * @param DataToHashLen Length of the data - * @param Digest Hash value of the input data - * @param DigestLen Length of the hash value - * - * @retval EFI_SUCCESS Successfully hash and extend to RTMR - * @retval Others Other errors as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperHashAndExtendToRtmr ( - IN UINT32 RtmrIndex, - IN VOID *DataToHash, - IN UINTN DataToHashLen, - OUT UINT8 *Digest, - IN UINTN DigestLen - ) -{ - EFI_STATUS Status; - - if ((DataToHash == NULL) || (DataToHashLen == 0)) { - return EFI_INVALID_PARAMETER; - } - - if ((Digest == NULL) || (DigestLen != SHA384_DIGEST_SIZE)) { - return EFI_INVALID_PARAMETER; - } - - // - // Calculate the sha384 of the data - // - if (!Sha384HashAll (DataToHash, DataToHashLen, Digest)) { - return EFI_ABORTED; - } - - // - // Extend to RTMR - // - Status = TdExtendRtmr ( - (UINT32 *)Digest, - SHA384_DIGEST_SIZE, - (UINT8)RtmrIndex - ); - ASSERT (!EFI_ERROR (Status)); - return Status; -} - -/** - * Build GuidHob for Tdx CC measurement event. - */ -EFI_STATUS -BuildTdxMeasurementGuidHob ( - UINT32 RtmrIndex, - UINT32 EventType, - UINT8 *EventData, - UINT32 EventSize, - UINT8 *HashValue, - UINT32 HashSize - ); - -/** - * Build GuidHob for Tdx CC measurement event. - * - * @param RtmrIndex RTMR index - * @param EventType Event type - * @param EventData Event data - * @param EventSize Size of event data - * @param HashValue Hash value - * @param HashSize Size of hash - * - * @retval EFI_SUCCESS Successfully build the GuidHobs - * @retval Others Other error as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperBuildTdxMeasurementGuidHob ( - UINT32 RtmrIndex, - UINT32 EventType, - UINT8 *EventData, - UINT32 EventSize, - UINT8 *HashValue, - UINT32 HashSize - ) -{ - return BuildTdxMeasurementGuidHob ( - RtmrIndex, - EventType, - EventData, - EventSize, - HashValue, - HashSize - ); -} diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c index ecadca0783..7c3aa2d145 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c @@ -78,79 +78,3 @@ TdxHelperBuildGuidHobForTdxMeasurement ( { return EFI_UNSUPPORTED; } - -/** - According to UEFI Spec 2.10 Section 38.4.1: - The following table shows the TPM PCR index mapping and CC event log measurement - register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement - Register and RTMR means Runtime Measurement Register - // TPM PCR Index | CC Measurement Register Index | TDX-measurement register - // ------------------------------------------------------------------------ - // 0 | 0 | MRTD - // 1, 7 | 1 | RTMR[0] - // 2~6 | 2 | RTMR[1] - // 8~15 | 3 | RTMR[2] - @param[in] PCRIndex Index of the TPM PCR - @retval UINT32 Index of the CC Event Log Measurement Register Index - @retval CC_MR_INDEX_INVALID Invalid MR Index -**/ -UINT32 -EFIAPI -TdxHelperMapPcrToMrIndex ( - IN UINT32 PCRIndex - ) -{ - return CC_MR_INDEX_INVALID; -} - -/** - * Calculate the sha384 of input Data and extend it to RTMR register. - * - * @param RtmrIndex Index of the RTMR register - * @param DataToHash Data to be hashed - * @param DataToHashLen Length of the data - * @param Digest Hash value of the input data - * @param DigestLen Length of the hash value - * - * @retval EFI_SUCCESS Successfully hash and extend to RTMR - * @retval Others Other errors as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperHashAndExtendToRtmr ( - IN UINT32 RtmrIndex, - IN VOID *DataToHash, - IN UINTN DataToHashLen, - OUT UINT8 *Digest, - IN UINTN DigestLen - ) -{ - return EFI_UNSUPPORTED; -} - -/** - * Build GuidHob for Tdx CC measurement event. - * - * @param RtmrIndex RTMR index - * @param EventType Event type - * @param EventData Event data - * @param EventSize Size of event data - * @param HashValue Hash value - * @param HashSize Size of hash - * - * @retval EFI_SUCCESS Successfully build the GuidHobs - * @retval Others Other error as indicated - */ -EFI_STATUS -EFIAPI -TdxHelperBuildTdxMeasurementGuidHob ( - UINT32 RtmrIndex, - UINT32 EventType, - UINT8 *EventData, - UINT32 EventSize, - UINT8 *HashValue, - UINT32 HashSize - ) -{ - return EFI_UNSUPPORTED; -} diff --git a/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c b/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c index 42c51a191f..9a2220be71 100644 --- a/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c +++ b/OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c @@ -17,6 +17,7 @@ #include #include #include +#include #pragma pack(1) @@ -33,88 +34,6 @@ typedef struct { #define FV_HANDOFF_TABLE_DESC "Fv(XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)" typedef PLATFORM_FIRMWARE_BLOB2_STRUCT CFV_HANDOFF_TABLE_POINTERS2; -/** - * Build GuidHob for Tdx measurement. - * - * Tdx measurement includes the measurement of TdHob and CFV. They're measured - * and extended to RTMR registers in SEC phase. Because at that moment the Hob - * service are not available. So the values of the measurement are saved in - * workarea and will be built into GuidHob after the Hob service is ready. - * - * @param RtmrIndex RTMR index - * @param EventType Event type - * @param EventData Event data - * @param EventSize Size of event data - * @param HashValue Hash value - * @param HashSize Size of hash - * - * @retval EFI_SUCCESS Successfully build the GuidHobs - * @retval Others Other error as indicated - */ -EFI_STATUS -BuildTdxMeasurementGuidHob ( - UINT32 RtmrIndex, - UINT32 EventType, - UINT8 *EventData, - UINT32 EventSize, - UINT8 *HashValue, - UINT32 HashSize - ) -{ - VOID *EventHobData; - UINT8 *Ptr; - TPML_DIGEST_VALUES *TdxDigest; - - if (HashSize != SHA384_DIGEST_SIZE) { - return EFI_INVALID_PARAMETER; - } - - #define TDX_DIGEST_VALUE_LEN (sizeof (UINT32) + sizeof (TPMI_ALG_HASH) + SHA384_DIGEST_SIZE) - - EventHobData = BuildGuidHob ( - &gCcEventEntryHobGuid, - sizeof (TCG_PCRINDEX) + sizeof (TCG_EVENTTYPE) + - TDX_DIGEST_VALUE_LEN + - sizeof (UINT32) + EventSize - ); - - if (EventHobData == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - Ptr = (UINT8 *)EventHobData; - - // - // There are 2 types of measurement registers in TDX: MRTD and RTMR[0-3]. - // According to UEFI Spec 2.10 Section 38.4.1, RTMR[0-3] is mapped to MrIndex[1-4]. - // So RtmrIndex must be increased by 1 before the event log is created. - // - RtmrIndex++; - CopyMem (Ptr, &RtmrIndex, sizeof (UINT32)); - Ptr += sizeof (UINT32); - - CopyMem (Ptr, &EventType, sizeof (TCG_EVENTTYPE)); - Ptr += sizeof (TCG_EVENTTYPE); - - TdxDigest = (TPML_DIGEST_VALUES *)Ptr; - TdxDigest->count = 1; - TdxDigest->digests[0].hashAlg = TPM_ALG_SHA384; - CopyMem ( - TdxDigest->digests[0].digest.sha384, - HashValue, - SHA384_DIGEST_SIZE - ); - Ptr += TDX_DIGEST_VALUE_LEN; - - CopyMem (Ptr, &EventSize, sizeof (UINT32)); - Ptr += sizeof (UINT32); - - CopyMem (Ptr, (VOID *)EventData, EventSize); - Ptr += EventSize; - - return EFI_SUCCESS; -} - /** Get the FvName from the FV header. @@ -207,7 +126,7 @@ InternalBuildGuidHobForTdxMeasurement ( CopyGuid (&(HandoffTables.TableEntry[0].VendorGuid), &gUefiOvmfPkgTokenSpaceGuid); HandoffTables.TableEntry[0].VendorTable = TdHobList; - Status = BuildTdxMeasurementGuidHob ( + Status = TdxMeasurementBuildGuidHob ( 0, // RtmrIndex EV_EFI_HANDOFF_TABLES2, // EventType (UINT8 *)(UINTN)&HandoffTables, // EventData @@ -239,7 +158,7 @@ InternalBuildGuidHobForTdxMeasurement ( FvBlob2.BlobBase = FvBase; FvBlob2.BlobLength = FvLength; - Status = BuildTdxMeasurementGuidHob ( + Status = TdxMeasurementBuildGuidHob ( 0, // RtmrIndex EV_EFI_PLATFORM_FIRMWARE_BLOB2, // EventType (VOID *)&FvBlob2, // EventData diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 8678e62c22..437fbd5776 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -297,6 +297,7 @@ CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf + TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/SecPeiTdxMeasurementLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf @@ -345,6 +346,7 @@ MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf + TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/SecPeiTdxMeasurementLib.inf TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf [LibraryClasses.common.DXE_CORE] @@ -433,7 +435,7 @@ NestedInterruptTplLib|OvmfPkg/Library/NestedInterruptTplLib/NestedInterruptTplLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf - TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf + TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/DxeTdxMeasurementLib.inf [LibraryClasses.common.UEFI_APPLICATION] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf diff --git a/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c b/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c index ab23caa4be..5287cda4d0 100644 --- a/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c +++ b/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.c @@ -44,7 +44,7 @@ #include #include #include -#include +#include #define PERF_ID_CC_TCG2_DXE 0x3130 @@ -940,7 +940,7 @@ TdMapPcrToMrIndex ( return EFI_INVALID_PARAMETER; } - *MrIndex = TdxHelperMapPcrToMrIndex (PCRIndex); + *MrIndex = TdxMeasurementMapPcrToMrIndex (PCRIndex); return *MrIndex == CC_MR_INDEX_INVALID ? EFI_INVALID_PARAMETER : EFI_SUCCESS; } @@ -1607,7 +1607,7 @@ MeasureHandoffTables ( Status = GetProcessorsCpuLocation (&ProcessorLocBuf, &ProcessorNum); if (!EFI_ERROR (Status)) { - CcEvent.MrIndex = TdxHelperMapPcrToMrIndex (1); + CcEvent.MrIndex = TdxMeasurementMapPcrToMrIndex (1); CcEvent.EventType = EV_TABLE_OF_DEVICES; CcEvent.EventSize = sizeof (HandoffTables); @@ -1829,7 +1829,7 @@ ReadAndMeasureBootVariable ( ) { return ReadAndMeasureVariable ( - TdxHelperMapPcrToMrIndex (1), + TdxMeasurementMapPcrToMrIndex (1), EV_EFI_VARIABLE_BOOT, VarName, VendorGuid, @@ -1860,7 +1860,7 @@ ReadAndMeasureSecureVariable ( ) { return ReadAndMeasureVariable ( - TdxHelperMapPcrToMrIndex (7), + TdxMeasurementMapPcrToMrIndex (7), EV_EFI_VARIABLE_DRIVER_CONFIG, VarName, VendorGuid, @@ -1968,7 +1968,7 @@ MeasureAllSecureVariables ( Status = GetVariable2 (EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, &Data, &DataSize); if (!EFI_ERROR (Status)) { Status = MeasureVariable ( - TdxHelperMapPcrToMrIndex (7), + TdxMeasurementMapPcrToMrIndex (7), EV_EFI_VARIABLE_DRIVER_CONFIG, EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, @@ -1998,7 +1998,7 @@ MeasureLaunchOfFirmwareDebugger ( { CC_EVENT_HDR CcEvent; - CcEvent.MrIndex = TdxHelperMapPcrToMrIndex (7); + CcEvent.MrIndex = TdxMeasurementMapPcrToMrIndex (7); CcEvent.EventType = EV_EFI_ACTION; CcEvent.EventSize = sizeof (FIRMWARE_DEBUGGER_EVENT_STRING) - 1; return TdxDxeHashLogExtendEvent ( @@ -2057,7 +2057,7 @@ MeasureSecureBootPolicy ( // There might be a case that we need measure UEFI image from DriverOrder, besides BootOrder. So // the Authority measurement happen before ReadToBoot event. // - Status = MeasureSeparatorEvent (TdxHelperMapPcrToMrIndex (7)); + Status = MeasureSeparatorEvent (TdxMeasurementMapPcrToMrIndex (7)); DEBUG ((DEBUG_INFO, "MeasureSeparatorEvent - %r\n", Status)); return; } @@ -2102,7 +2102,7 @@ OnReadyToBoot ( // 1. This is the first boot attempt. // Status = TdMeasureAction ( - TdxHelperMapPcrToMrIndex (4), + TdxMeasurementMapPcrToMrIndex (4), EFI_CALLING_EFI_APPLICATION ); if (EFI_ERROR (Status)) { @@ -2140,7 +2140,7 @@ OnReadyToBoot ( // 6. Not first attempt, meaning a return from last attempt // Status = TdMeasureAction ( - TdxHelperMapPcrToMrIndex (4), + TdxMeasurementMapPcrToMrIndex (4), EFI_RETURNING_FROM_EFI_APPLICATION ); if (EFI_ERROR (Status)) { @@ -2152,7 +2152,7 @@ OnReadyToBoot ( // TCG PC Client PFP spec Section 2.4.4.5 Step 4 // Status = TdMeasureAction ( - TdxHelperMapPcrToMrIndex (4), + TdxMeasurementMapPcrToMrIndex (4), EFI_CALLING_EFI_APPLICATION ); if (EFI_ERROR (Status)) { @@ -2190,7 +2190,7 @@ OnExitBootServices ( // Measure invocation of ExitBootServices, // Status = TdMeasureAction ( - TdxHelperMapPcrToMrIndex (5), + TdxMeasurementMapPcrToMrIndex (5), EFI_EXIT_BOOT_SERVICES_INVOCATION ); if (EFI_ERROR (Status)) { @@ -2201,7 +2201,7 @@ OnExitBootServices ( // Measure success of ExitBootServices // Status = TdMeasureAction ( - TdxHelperMapPcrToMrIndex (5), + TdxMeasurementMapPcrToMrIndex (5), EFI_EXIT_BOOT_SERVICES_SUCCEEDED ); if (EFI_ERROR (Status)) { @@ -2231,7 +2231,7 @@ OnExitBootServicesFailed ( // Measure Failure of ExitBootServices, // Status = TdMeasureAction ( - TdxHelperMapPcrToMrIndex (5), + TdxMeasurementMapPcrToMrIndex (5), EFI_EXIT_BOOT_SERVICES_FAILED ); if (EFI_ERROR (Status)) { diff --git a/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf b/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf index 5daaefda95..0c2d116cc7 100644 --- a/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf +++ b/OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf @@ -31,7 +31,7 @@ MdeModulePkg/MdeModulePkg.dec SecurityPkg/SecurityPkg.dec CryptoPkg/CryptoPkg.dec - OvmfPkg/OvmfPkg.dec + UefiCpuPkg/UefiCpuPkg.dec [LibraryClasses] MemoryAllocationLib @@ -50,7 +50,7 @@ PeCoffLib TpmMeasurementLib TdxLib - TdxHelperLib + TdxMeasurementLib [Guids] ## SOMETIMES_CONSUMES ## Variable:L"SecureBoot" diff --git a/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.c b/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.c index 1c1168c9fa..8f26528440 100644 --- a/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.c +++ b/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.c @@ -14,7 +14,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include -#include +#include /** Do a hash operation on a data buffer, extend a specific RTMR with the hash result, @@ -47,7 +47,7 @@ TdxPeiHashLogExtendEvent ( EFI_STATUS Status; UINT8 Digest[SHA384_DIGEST_SIZE]; - Status = TdxHelperHashAndExtendToRtmr ( + Status = TdxMeasurementHashAndExtendToRtmr ( MrIndex - 1, HashData, (UINTN)HashDataLen, @@ -56,11 +56,11 @@ TdxPeiHashLogExtendEvent ( ); if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a: HashAndExtendToRtmr failed with %r\n", __func__, Status)); + DEBUG ((DEBUG_ERROR, "%a: TdxMeasurementHashAndExtendToRtmr failed with %r\n", __func__, Status)); return Status; } - Status = TdxHelperBuildTdxMeasurementGuidHob ( + Status = TdxMeasurementBuildGuidHob ( MrIndex - 1, EventType, EventData, @@ -70,7 +70,7 @@ TdxPeiHashLogExtendEvent ( ); if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a: BuildTdxMeasurementGuidHob failed with %r\n", __func__, Status)); + DEBUG ((DEBUG_ERROR, "%a: TdxMeasurementBuildGuidHob failed with %r\n", __func__, Status)); } return Status; @@ -150,7 +150,7 @@ TdMapPcrToMrIndex ( OUT UINT32 *MrIndex ) { - *MrIndex = TdxHelperMapPcrToMrIndex (PCRIndex); + *MrIndex = TdxMeasurementMapPcrToMrIndex (PCRIndex); return EFI_SUCCESS; } diff --git a/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.inf b/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.inf index f7e3723b2f..9d16692db4 100644 --- a/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.inf +++ b/OvmfPkg/Tcg/TdTcg2Pei/TdTcg2Pei.inf @@ -27,6 +27,7 @@ MdePkg/MdePkg.dec SecurityPkg/SecurityPkg.dec CryptoPkg/CryptoPkg.dec + UefiCpuPkg/UefiCpuPkg.dec OvmfPkg/OvmfPkg.dec [LibraryClasses] @@ -38,7 +39,7 @@ PrintLib TdxLib BaseCryptLib - TdxHelperLib + TdxMeasurementLib [Ppis] gEdkiiCcPpiGuid -- cgit