Branch: refs/heads/master
Home:   https://github.com/tianocore/edk2

Commit: ebba67b75465bb57e9c4907f4064870767f7b5a9
    https://github.com/tianocore/edk2/commit/ebba67b75465bb57e9c4907f4064870767f7b5a9
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  A SecurityPkg/Library/SecTpmMeasurementLib/IntelTdx.c
  A SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLib.c
  A SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLib.inf
  M SecurityPkg/SecurityPkg.dsc

Log Message:
-----------
SecurityPkg: Add TpmMeasurementLib for SEC phase

Add the SecTpmMeasurementLib to support TpmMeasurementAndLogData in
Sec phase.

Cc: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: 151326e54224a5a5a40dd8f3d3e05d687c0bf5db
    https://github.com/tianocore/edk2/commit/151326e54224a5a5a40dd8f3d3e05d687c0bf5db
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/OvmfPkg.dec

Log Message:
-----------
OvmfPkg.dec: Add gOvmfFwCfgInfoHobGuid

Since TDVF has to measure FwCfg data from QEMU, it is required to cache
the data with measurement in early phase. This can avoid changing the
measurement order when reading the FwCfg process, which depends on
multiple factors (depex, order in the firmware volume).

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: f66078a71324cc2878ff7a3ec71fb9fdcb218785
    https://github.com/tianocore/edk2/commit/f66078a71324cc2878ff7a3ec71fb9fdcb218785
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/Include/Library/PlatformInitLib.h

Log Message:
-----------
OvmfPkg/PlatformInitLib.h: Add QEMU_FW_CFG_CACHE_WORK_AREA

Add QEMU_FW_CFG_CACHE_WORK_AREA in EFI_HOB_PLATFORM_INFO to support
reading from cache in QemuFwCfgLib.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: 63408b289565c719b2ae759dc815e147820a8d3e
    https://github.com/tianocore/edk2/commit/63408b289565c719b2ae759dc815e147820a8d3e
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c

Log Message:
-----------
OvmfPkg/PeilessStartupLib: Build PlatformInfoHob before InitializePlatform

Since the QEMU_FW_CFG_WORK_AREA is saved in EFI_HOB_PLATFORM_INFO and
InitializePlatform would read by QemuFwCfg, TDVF should build the
PlatformInfoHob before InitializePlatform.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: be529ef3c9d617209fb6b17206e35b656edc68cf
    https://github.com/tianocore/edk2/commit/be529ef3c9d617209fb6b17206e35b656edc68cf
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/Include/Library/QemuFwCfgLib.h
  A OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgCache.c
  A OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgCacheInit.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibInternal.h

Log Message:
-----------
OvmfPkg/QemuFwCfgLib: Add FwCfg cache interface

Since TDVF needs to cache and measure FwCfg, it is required to add an
API to support cache with optional measurement and add some internal
interfaces to support cache in QemuFwCfgLib.

The new API is listed below:
  QemuFwCfgInitCache()

The new internal interfaces are listed below:
  InternalQemuFwCfgCacheReadBytes()
  InternalQemuFwCfgCacheSelectItem()
  InternalQemuFwCfgCacheGetWorkArea()
  InternalQemuFwCfgCacheResetWorkArea()
  InternalQemuFwCfgItemCached()
  InternalQemuFwCfgCacheReading()
  InternalQemuFwCfgInitCache()
  InternalQemuFwCfgCheckOvmfWorkArea()

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: fb56dc78efb9e49aa387f22bede1dd2ca2458da5
    https://github.com/tianocore/edk2/commit/fb56dc78efb9e49aa387f22bede1dd2ca2458da5
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgDxe.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgDxeLib.inf
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLib.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgNull.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPei.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSec.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf

Log Message:
-----------
OvmfPkg/QemuFwCfgLib: Support Cache FwCfg with optional measurement

OVMF uses FW_CFG_SELECTOR(0x510) and FW_CFG_IO_DATA(0x511) to get
configuration information from QEMU. From the security perspective this
information shall be measured before it's consumed.

This patch reads the FwCfg items and caches them in a GuidHob. In the
meanwhile these FwCfg items are measured as well. This is to avoid
changing the order when reading the FwCfg process, which depends on
multiple factors (depex, order in the Firmware volume).

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: 4d2af7b91a46c8db5550dc0a5e97effe22fc928b
    https://github.com/tianocore/edk2/commit/4d2af7b91a46c8db5550dc0a5e97effe22fc928b
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/Include/Library/PlatformInitLib.h
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgCache.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgCacheInit.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgDxe.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLib.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibInternal.h
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPei.c
  M OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSec.c

Log Message:
-----------
OvmfPkg: Refactor QEMU_FW_CFG_CACHE_WORK_AREA

Move QemuFwCfgSupported and QemuFwCfgDmaSupported to the struct since
they will be used as global variables in the DXE phase along with
QEMU_FW_CFG_CACHE_WORK_AREA. Additionally, change its name to
QEMU_FW_CFG_WORK_AREA.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: 81c2c92074b39322c28f2f0fafe45fb076d56592
    https://github.com/tianocore/edk2/commit/81c2c92074b39322c28f2f0fafe45fb076d56592
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/PlatformPei/Platform.c

Log Message:
-----------
OvmfPkg/PlatformPei: Cache and measure FwCfg items

Since OVMF would initialize the platform info with FwCfg, TDVF needs to
cache and measure the FwCfg at first.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Commit: 2eac71a1ee084fcb10bbf322928cab925e483ec8
    https://github.com/tianocore/edk2/commit/2eac71a1ee084fcb10bbf322928cab925e483ec8
Author: Ceping Sun <cepingx....@intel.com>
Date:   2025-03-20 (Thu, 20 Mar 2025)

Changed paths:
  M OvmfPkg/IntelTdx/IntelTdxX64.dsc
  M OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c

Log Message:
-----------
OvmfPkg/IntelTdx: Cache and measure FwCfg

Since OVMF would initialize the platform info with FwCfg, TDVF needs to
cache and measure the FwCfg at first.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Min Xu <min.m...@intel.com>
Signed-off-by: Ceping Sun <cepingx....@intel.com>


Compare: https://github.com/tianocore/edk2/compare/425d97caef38...2eac71a1ee08

_______________________________________________
edk2-commits mailing list
edk2-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-commits
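
The ordering problem the commit messages above describe, as an added Python model that is not code from these edk2 commits: measuring each FwCfg item at the moment a consumer reads it makes the final measurement register depend on consumer order, while reading, measuring and caching every item once in a fixed order does not. The class names, item names and item contents are constructed for illustration, and a SHA-384 extend stands in for the real measurement call.

```python
import hashlib

# Constructed sample items: names and contents are illustrative only.
HOST_FW_CFG = {
    "etc/e820": bytes(20),
    "etc/system-states": bytes(6),
    "opt/example/boot-order": b"disk,net",
}

def extend(register: bytes, data: bytes) -> bytes:
    """Extend-style update: new = SHA384(old || SHA384(data))."""
    return hashlib.sha384(register + hashlib.sha384(data).digest()).digest()

class MeasureOnRead:
    """Hypothetical model: every consumer read hits the host and is measured then."""
    def __init__(self, host):
        self.host, self.register = host, bytes(48)

    def read(self, name):
        data = self.host[name]
        self.register = extend(self.register, data)
        return data

class CacheThenMeasure:
    """Hypothetical model: read, measure and cache all items once, in a fixed order."""
    def __init__(self, host, fixed_order):
        self.register, self.cache = bytes(48), {}
        for name in fixed_order:
            self.cache[name] = bytes(host[name])  # private copy, as in a HOB
            self.register = extend(self.register, self.cache[name])

    def read(self, name):
        return self.cache[name]  # no host access, no new measurement

def register_after(reader, consumer_order):
    """Run consumers in the given order and return the final register value."""
    for name in consumer_order:
        reader.read(name)
    return reader.register

if __name__ == "__main__":
    a = ["etc/e820", "opt/example/boot-order"]
    b = list(reversed(a))
    fixed = sorted(HOST_FW_CFG)
    print("on-read stable:", register_after(MeasureOnRead(HOST_FW_CFG), a)
          == register_after(MeasureOnRead(HOST_FW_CFG), b))
    print("cached  stable:", register_after(CacheThenMeasure(HOST_FW_CFG, fixed), a)
          == register_after(CacheThenMeasure(HOST_FW_CFG, fixed), b))
```

In the cached model the bytes a consumer receives are the same bytes that were measured, because later reads are served from the private copy rather than from the host.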