Branch: refs/heads/master
Home: https://github.com/tianocore/edk2
Commit: 6ba931bebf598cde1f7bd92e0cf386740e659019
https://github.com/tianocore/edk2/commit/6ba931bebf598cde1f7bd92e0cf386740e659019
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/Include/WorkArea.h
Log Message:
-----------
OvmfPkg: Add Tdx measurement data structure in WorkArea
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
>From the perspective of security any external input should be measured
and extended to some registers (TPM PCRs or TDX RTMR registers).
There are below 2 external input in a Td guest:
- TdHob
- Configuration FV (CFV)
TdHob contains the resource information passed from VMM, such as
unaccepted memory region. CFV contains the configurations, such as
secure boot variables.
TdHob and CFV should be measured and extended to RTMRs before they're
consumed. TdHob is consumed in the very early stage of boot process.
At that moment the memory service is not ready. Cfv is consumed in
PlatformPei to initialize the EmuVariableNvStore. To make the
implementation simple and clean, these 2 external input are measured
and extended to RTMRs in SEC phase. That is to say the tdx measurement
is only supported in SEC phase.
After the measurement the hash values are stored in WorkArea. Then after
the Hob service is available, these 2 measurement values are retrieved
and GuidHobs for these 2 tdx measurements are generated.
This patch defines the structure of TDX_MEASUREMENTS_DATA in
SEC_TDX_WORK_AREA to store above 2 tdx measurements. It can be extended
to store more tdx measurements if needed in the future.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: d3109e5f185dfa411bf5b94df574a3dc841786e9
https://github.com/tianocore/edk2/commit/d3109e5f185dfa411bf5b94df574a3dc841786e9
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
A OvmfPkg/Include/Library/TdxHelperLib.h
A OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf
A OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperNull.c
M OvmfPkg/OvmfPkg.dec
Log Message:
-----------
OvmfPkg/IntelTdx: Add TdxHelperLibNull
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
TdxHelperLib provides below helper functions for a td-guest.
- TdxHelperProcessTdHob
- TdxHelperMeasureTdHob
- TdxHelperMeasureCfvImage
- TdxHelperBuildGuidHobForTdxMeasurement
TdxHelperLibNull is the NULL instance of TdxHelperLib.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: d09c1d4b88949b6061fc8850ee4a2849f8930752
https://github.com/tianocore/edk2/commit/d09c1d4b88949b6061fc8850ee4a2849f8930752
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
A OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
A OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
Log Message:
-----------
OvmfPkg/IntelTdx: Add SecTdxHelperLib
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
TdxHelperLib provides below helper functions for a td-guest.
- TdxHelperProcessTdHob
- TdxHelperMeasureTdHob
- TdxHelperMeasureCfvImage
- TdxHelperBuildGuidHobForTdxMeasurement
SecTdxHelperLib is the SEC instance of TdxHelperLib. It implements 4
functions for tdx in SEC phase:
- TdxHelperProcessTdHob consumes TdHob to accept un-accepted memories.
Before the TdHob is consumed, it is first validated.
- TdxHelperMeasureTdHob measure/extend TdHob and store the measurement
value in workarea.
- TdxHelperMeasureCfvImage measure/extend the Configuration FV image and
store the measurement value in workarea.
- TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for tdx
measurement.
This patch implements the stubs of the functions. The actual
implementations are in the following patches. Because they are moved from
other files.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: d59279f8ce640caad9e372184a962fad5c578310
https://github.com/tianocore/edk2/commit/d59279f8ce640caad9e372184a962fad5c578310
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
Log Message:
-----------
OvmfPkg/PeilessStartupLib: Update the define of FV_HANDOFF_TABLE_POINTERS2
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
FV_HANDOFF_TABLE_POINTERS2 once was defined in IntelTdx.c. Its structure
is same as PLATFORM_FIRMWARE_BLOB2_STRUCT which is defined in
Library/TcgEventLogRecordLib.h. So this patch reuse the define of
PLATFORM_FIRMWARE_BLOB2_STRUCT as FV_HANDOFF_TABLE_POINTERS2. Furthermore
FV_HANDOFF_TABLE_POINTERS2 is renamed as CFV_HANDOFF_TABLE_POINTERS2
so that the name is more meaningful.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: f41acc651feec13fac8bea305da5ef0523508a53
https://github.com/tianocore/edk2/commit/f41acc651feec13fac8bea305da5ef0523508a53
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/IntelTdx/IntelTdxX64.dsc
M OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
M OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
A OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c
M OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
M OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
M OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
Log Message:
-----------
OvmfPkg: Refactor MeasureHobList
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
MeasureHobList once was implemented in PeilessStartupLib and it does
measurement and logging for TdHob in one go, using TpmMeasureAndLogData().
But it doesn't work in SEC.
This patch splits MeasureHobList into 2 functions and implement them in
SecTdxHelperLib.
- TdxHelperMeasureTdHob
- TdxHelperBuildGuidHobForTdxMeasurement
TdxHelperMeasureTdHob measures the TdHob and stores the hash value in
WorkArea. TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for the
measurement based on the hash value in WorkArea.
After these 2 functions are introduced, PeilessStartupLib should also be
updated:
- Call these 2 functions instead of the MeasureHobList
- Delete the duplicated codes in PeilessStartupLib
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: 852ae4cd80f37e2521160e5b1f12c7dcca2d6048
https://github.com/tianocore/edk2/commit/852ae4cd80f37e2521160e5b1f12c7dcca2d6048
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
M OvmfPkg/IntelTdx/TdxHelperLib/TdxMeasurementHob.c
R OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
M OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
M OvmfPkg/Library/PeilessStartupLib/PeilessStartupInternal.h
M OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
Log Message:
-----------
OvmfPkg: Refactor MeaureFvImage
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
MeasureFvImage once was implemented in PeilessStartupLib and it does
measurement and logging for Configuration FV (Cfv) image in one go,
using TpmMeasureAndLogData(). But it doesn't work in SEC.
This patch splits MeasureFvImage into 2 functions and implement them in
SecTdxHelperLib.
- TdxHelperMeasureCfvImage
- TdxHelperBuildGuidHobForTdxMeasurement
TdxHelperMeasureCfvImage measures the Cfv image and stores the hash value
in WorkArea. TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for the
measurement based on the hash value in WorkArea.
After these 2 functions are introduced, PeilessStartupLib should also be
updated:
- Call these 2 functions instead of the MeasureFvImage
- Delete the duplicated codes in PeilessStartupLib
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: c0984d1ff28325a8f1c76e23a79141cbb12c3e4f
https://github.com/tianocore/edk2/commit/c0984d1ff28325a8f1c76e23a79141cbb12c3e4f
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/Include/Library/PlatformInitLib.h
M OvmfPkg/IntelTdx/Sec/SecMain.c
M OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c
M OvmfPkg/Library/PlatformInitLib/IntelTdx.c
M OvmfPkg/Library/PlatformInitLib/IntelTdxNull.c
M OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf
M OvmfPkg/OvmfPkgX64.dsc
M OvmfPkg/Sec/SecMain.c
Log Message:
-----------
OvmfPkg: Refactor ProcessHobList
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
ProcessHobList once was implemented in PlatformInitLib and it walks thru
TdHob list and accept un-accepted memories.
This patch moves the codes to SecTdxHelperLib and rename ProcessHobList
as TdxHelperProcessTdHob
After TdxHelperProcessTdHob is introduced, below changes are applied:
- Call TdxHelperProcessTdHob instead of ProcessHobList in SecMain.c
(in both OvmfPkgX64/Sec and IntelTdx/Sec).
- Delete the duplicated codes in PlatformInitLib
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: 019621d0780df546637a4a032994f123eb91037d
https://github.com/tianocore/edk2/commit/019621d0780df546637a4a032994f123eb91037d
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/IntelTdx/IntelTdxX64.dsc
M OvmfPkg/IntelTdx/Sec/SecMain.c
M OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
M OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
Log Message:
-----------
OvmfPkg/IntelTdx: Measure TdHob and Configuration FV in SecMain
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
TdHob and Configuration FV (Cfv) are external inputs from VMM. From the
security perspective, they should be measured before they're consumed.
This patch measures TdHob and Cfv and stores the measurement values in
WorkArea.
After TdHob and Configuration FV (Cfv) are measured in SecMain, the
same measurements in PeilessStartupLib are deleted.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Commit: d92db8a0866ebcf58223e1019ceb4ccf4fb21f6a
https://github.com/tianocore/edk2/commit/d92db8a0866ebcf58223e1019ceb4ccf4fb21f6a
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
A OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelper.c
A OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf
Log Message:
-----------
OvmfPkg/IntelTdx: Add PeiTdxHelperLib
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
TdxHelperLib provides below helper functions for a td-guest.
- TdxHelperProcessTdHob
- TdxHelperMeasureTdHob
- TdxHelperMeasureCfvImage
- TdxHelperBuildGuidHobForTdxMeasurement
PeiTdxHelperLib is the PEI instance of TdxHelperLib. It implements 1
function for tdx in PEI phase. Other functions are not supported in
PEI phase.
- TdxHelperBuildGuidHobForTdxMeasurement builds GuidHob for tdx
measurement in PEI phase.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: 6ea50514c145642ea133937174e0ffe9348cd894
https://github.com/tianocore/edk2/commit/6ea50514c145642ea133937174e0ffe9348cd894
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/Sec/SecMain.c
Log Message:
-----------
OvmfPkg/OvmfPkgX64: Measure TdHob and Configuration FV in SecMain
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
TdHob and Configuration FV (Cfv) are external inputs from VMM. From the
security perspective, they should be measured before they're consumed.
This patch measures TdHob and Cfv and stores the measurement values in
WorkArea.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: 1f9bd937b3bc991ff5e273b37793896a6821b06a
https://github.com/tianocore/edk2/commit/1f9bd937b3bc991ff5e273b37793896a6821b06a
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/AmdSev/AmdSevX64.dsc
M OvmfPkg/CloudHv/CloudHvX64.dsc
M OvmfPkg/Microvm/MicrovmX64.dsc
M OvmfPkg/OvmfPkgX64.dsc
M OvmfPkg/PlatformPei/IntelTdx.c
Log Message:
-----------
OvmfPkg/PlatformPei: Build GuidHob for Tdx measurement
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
TdxHelperBuildGuidHobForTdxMeasurement is called in PlatformPei to build
GuidHob for Tdx measurement.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Commit: 4d37059d8e1eeda124270a158416795605327cbd
https://github.com/tianocore/edk2/commit/4d37059d8e1eeda124270a158416795605327cbd
Author: Min M Xu <min.m...@intel.com>
Date: 2023-02-04 (Sat, 04 Feb 2023)
Changed paths:
M OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
M OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
M OvmfPkg/OvmfPkgX64.dsc
M OvmfPkg/OvmfPkgX64.fdf
Log Message:
-----------
OvmfPkg: Support Tdx measurement in OvmfPkgX64
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4243
This patch enables Tdx measurement in OvmfPkgX64 with below changes:
1) CC_MEASUREMENT_ENABLE is introduced in OvmfPkgX64.dsc. This flag
indicates if Intel TDX measurement is enabled in OvmfPkgX64. Its
default value is FALSE.
2) Include TdTcg2Dxe in OvmfPkgX64 so that CC_MEASUREMENT_PROTOCOL
is installed in a Td-guest. TdTcg2Dxe is controlled by
TDX_MEASUREMENT_ENABLE because it is only valid when Intel TDX
measurement is enabled.
3) OvmfTpmLibs.dsc.inc and OvmfTpmSecurityStub.dsc.inc are updated
because DxeTpm2MeasureBootLib.inf and DxeTpmMeasurementLib.inf
should be included to support CC_MEASUREMENT_PROTOCOL.
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Acked-by: Gerd Hoffmann <kra...@redhat.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Compare: https://github.com/tianocore/edk2/compare/935343cf1639...4d37059d8e1e
_______________________________________________
edk2-commits mailing list
edk2-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-commits
