I am not sure we really need a router here. TDX only supports SHA384. What if we just provide HashLibTdx?
If we really want to provide a router, then it should be HashLibCCRouter. And TDX should be the NULL instance. Thank you Yao Jiewen
> -----Original Message-----
> From: Xu, Min M <min.m...@intel.com>
> Sent: Friday, April 8, 2022 2:39 PM
> To: devel@edk2.groups.io
> Cc: Xu, Min M <min.m...@intel.com>; Yao, Jiewen <jiewen....@intel.com>;
> Wang, Jian J <jian.j.w...@intel.com>; Gerd Hoffmann <kra...@redhat.com>
> Subject: [PATCH V2 1/8] Security: Add HashLibBaseCryptoRouterTdx
>
> RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853
>
> This library provides hash service by registered hash handler in Td
> guest. It redirects hash request to each individual hash handler
> (currently only SHA384 is supported). After that the hash value is
> extended to Td RTMR registers which is similar to TPM PCRs.
>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Gerd Hoffmann <kra...@redhat.com>
> Signed-off-by: Min Xu <min.m...@intel.com>
> ---
> .../HashLibBaseCryptoRouterTdx.c | 214 ++++++++++++++++++
> .../HashLibBaseCryptoRouterTdx.inf | 41 ++++
> SecurityPkg/SecurityPkg.dsc | 10 +
> 3 files changed, 265 insertions(+)
> create mode 100644
> SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.c
> create mode 100644
> SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
>
> diff --git
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.
> c
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.
> c
> new file mode 100644
> index 000000000000..77e2a14c19be
> --- /dev/null
> +++
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.
> c
> @@ -0,0 +1,214 @@
> +/** @file
> + This library is BaseCrypto router for Tdx.
> +
> +Copyright (c) 2021 - 2022, Intel Corporation. All rights reserved. <BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <PiPei.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/PcdLib.h>
> +#include <Library/HashLib.h>
> +#include <Library/TdxLib.h>
> +#include <Protocol/CcMeasurement.h>
> +#include "HashLibBaseCryptoRouterCommon.h"
> +
> +//
> +// Currently TDX supports SHA384.
> +//
> +#define TDX_HASH_COUNT 1
> +HASH_INTERFACE mHashInterface[TDX_HASH_COUNT] = {
> + {
> + { 0 }, NULL, NULL, NULL
> + }
> +};
> +
> +UINTN mHashInterfaceCount = 0;
> +HASH_HANDLE mHashCtx[TDX_HASH_COUNT] = { 0 };
> +
> +/**
> + Start hash sequence.
> +
> + @param HashHandle Hash handle.
> +
> + @retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
> + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
> +**/
> +EFI_STATUS
> +EFIAPI
> +HashStart (
> + OUT HASH_HANDLE *HashHandle
> + )
> +{
> + HASH_HANDLE *HashCtx;
> +
> + if (mHashInterfaceCount == 0) {
> + ASSERT (FALSE);
> + return EFI_UNSUPPORTED;
> + }
> +
> + HashCtx = mHashCtx;
> + mHashInterface[0].HashInit (&HashCtx[0]);
> +
> + *HashHandle = (HASH_HANDLE)HashCtx;
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Update hash sequence data.
> +
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval EFI_SUCCESS Hash sequence updated.
> +**/
> +EFI_STATUS
> +EFIAPI
> +HashUpdate (
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + )
> +{
> + HASH_HANDLE *HashCtx;
> +
> + if (mHashInterfaceCount == 0) {
> + ASSERT (FALSE);
> + return EFI_UNSUPPORTED;
> + }
> +
> + HashCtx = (HASH_HANDLE *)HashHandle;
> + mHashInterface[0].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Hash sequence complete and extend to PCR.
> +
> + @param HashHandle Hash handle.
> + @param PcrIndex PCR to be extended.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> + @param DigestList Digest list.
> +
> + @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
> +**/
> +EFI_STATUS
> +EFIAPI
> +HashCompleteAndExtend (
> + IN HASH_HANDLE HashHandle,
> + IN TPMI_DH_PCR PcrIndex,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT TPML_DIGEST_VALUES *DigestList
> + )
> +{
> + TPML_DIGEST_VALUES Digest;
> + HASH_HANDLE *HashCtx;
> + EFI_STATUS Status;
> +
> + if (mHashInterfaceCount == 0) {
> + ASSERT (FALSE);
> + return EFI_UNSUPPORTED;
> + }
> +
> + HashCtx = (HASH_HANDLE *)HashHandle;
> + ZeroMem (DigestList, sizeof (*DigestList));
> +
> + mHashInterface[0].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
> + mHashInterface[0].HashFinal (HashCtx[0], &Digest);
> + Tpm2SetHashToDigestList (DigestList, &Digest);
> +
> + ASSERT (DigestList->count == 1 && DigestList->digests[0].hashAlg ==
> TPM_ALG_SHA384);
> +
> + Status = TdExtendRtmr (
> + (UINT32 *)DigestList->digests[0].digest.sha384,
> + SHA384_DIGEST_SIZE,
> + (UINT8)PcrIndex
> + );
> +
> + ASSERT (!EFI_ERROR (Status));
> + return Status;
> +}
> +
> +/**
> + Hash data and extend to RTMR.
> +
> + @param PcrIndex PCR to be extended.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> + @param DigestList Digest list.
> +
> + @retval EFI_SUCCESS Hash data and DigestList is returned.
> +**/
> +EFI_STATUS
> +EFIAPI
> +HashAndExtend (
> + IN TPMI_DH_PCR PcrIndex,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT TPML_DIGEST_VALUES *DigestList
> + )
> +{
> + HASH_HANDLE HashHandle;
> + EFI_STATUS Status;
> +
> + if (mHashInterfaceCount == 0) {
> + ASSERT (FALSE);
> + return EFI_UNSUPPORTED;
> + }
> +
> + ASSERT (TdIsEnabled ());
> +
> + HashStart (&HashHandle);
> + HashUpdate (HashHandle, DataToHash, DataToHashLen);
> + Status = HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestList);
> +
> + return Status;
> +}
> +
> +/**
> + This service register Hash.
> +
> + @param HashInterface Hash interface
> +
> + @retval EFI_SUCCESS This hash interface is registered
> successfully.
> + @retval EFI_UNSUPPORTED System does not support register this
> interface.
> + @retval EFI_ALREADY_STARTED System already register this interface.
> +**/
> +EFI_STATUS
> +EFIAPI
> +RegisterHashInterfaceLib (
> + IN HASH_INTERFACE *HashInterface
> + )
> +{
> + UINT32 HashMask;
> +
> + ASSERT (TdIsEnabled ());
> +
> + //
> + // Check allow
> + //
> + HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
> + ASSERT (HashMask == HASH_ALG_SHA384);
> +
> + if (HashMask != HASH_ALG_SHA384) {
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (mHashInterfaceCount >= ARRAY_SIZE (mHashInterface)) {
> + ASSERT (FALSE);
> + return EFI_OUT_OF_RESOURCES;
> + }
> +
> + CopyMem (&mHashInterface[mHashInterfaceCount], HashInterface, sizeof
> (*HashInterface));
> + mHashInterfaceCount++;
> +
> + return EFI_SUCCESS;
> +}
> diff --git
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.i
> nf
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.i
> nf
> new file mode 100644
> index 000000000000..f6b1353d0041
> --- /dev/null
> +++
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.i
> nf
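Review bot: HashCompleteAndExtend can extend an RTMR with an indeterminate value, because `Digest` is an uninitialised local and the return values of `HashUpdate`, `HashFinal` and `Tpm2SetHashToDigestList` are discarded before `TdExtendRtmr` is called. The only check on the result, `ASSERT (DigestList->count == 1 && ...)`, disappears when ASSERTs are compiled out, as do the `ASSERT (TdIsEnabled ())` guards in HashAndExtend and RegisterHashInterfaceLib, so none of them protects a release build. Since this value feeds the measurement chain, zero `Digest`, propagate the three statuses and make the count/algorithm check a runtime error return, as sketched below with one new local `EFI_STATUS FinalStatus;`. HashStart likewise drops the `HashInit` status and hands out the single static `mHashCtx`, so a second sequence started before the first completes would presumably share its context; a comment stating that only one sequence may be in flight would help.

```c
  // … unchanged: existing locals, mHashInterfaceCount check, HashCtx assignment, ZeroMem (DigestList, ...) …
  ZeroMem (&Digest, sizeof (Digest));

  Status = mHashInterface[0].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
  //
  // Finalize even if the update failed, in case the handler releases its context there.
  //
  FinalStatus = mHashInterface[0].HashFinal (HashCtx[0], &Digest);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  if (EFI_ERROR (FinalStatus)) {
    return FinalStatus;
  }

  Status = Tpm2SetHashToDigestList (DigestList, &Digest);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  if ((DigestList->count != 1) || (DigestList->digests[0].hashAlg != TPM_ALG_SHA384)) {
    return EFI_UNSUPPORTED;
  }

  // … unchanged: TdExtendRtmr call and return Status …
```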
> @@ -0,0 +1,41 @@
> +## @file
> +# Provides hash service by registered hash handler in Tdx.
> +#
> +# This library is BaseCrypto router. It will redirect hash request to each
> individual
> +# hash handler registered. Currently only SHA384 is supported in this
> router.
> +#
> +# Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = HashLibBaseCryptoRouterTdx
> + MODULE_UNI_FILE = HashLibBaseCryptoRouter.uni
> + FILE_GUID = 77F6EA3E-1ABA-4467-A447-926E8CEB2D13
> + MODULE_TYPE = BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = HashLib|SEC DXE_DRIVER
> +
> +#
> +# The following information is for reference only and not required by the
> build
> tools.
> +#
> +# VALID_ARCHITECTURES = X64
> +#
> +
> +[Sources]
> + HashLibBaseCryptoRouterCommon.h
> + HashLibBaseCryptoRouterCommon.c
> + HashLibBaseCryptoRouterTdx.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + PcdLib
> + TdxLib
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index 73a93c2285b1..b23701ad124e 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -72,6 +72,7 @@
>
> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM
> emoryLibNull.inf
>
> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBoot
> VariableLib.inf
>
> SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisi
> onLib/SecureBootVariableProvisionLib.inf
> + TdxLib|MdePkg/Library/TdxLib/TdxLib.inf
>
> [LibraryClasses.ARM, LibraryClasses.AARCH64]
> #
> @@ -92,6 +93,12 @@
> [LibraryClasses.RISCV64]
> RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
>
> +[LibraryClasses.X64.SEC]
> +
> HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRout
> erTdx.inf
> +
> +[LibraryClasses.X64.DXE_DRIVER]
> +
> HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRout
> erTdx.inf
> +
> [LibraryClasses.common.PEIM]
> PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
> PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf
> @@ -283,6 +290,9 @@
> #
> SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
>
> +[Components.X64]
> +
> SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterTdx.inf
> +
> [Components.IA32, Components.X64]
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf
>
> --
> 2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#88596): https://edk2.groups.io/g/devel/message/88596 Mute This Topic: https://groups.io/mt/90330662/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-