[edk2-devel] [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest

Min Xu Sun, 17 Apr 2022 17:00:19 -0700

RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853


Intel's Trust Domain Extensions (Intel TDX) refers to an Intel technology
that extends Virtual Machines Extensions (VMX) and Multi-Key Total Memory
Encryption (MKTME) with a new kind of virutal machines guest called a
Trust Domain (TD). A TD is desinged to run in a CPU mode that protects the
confidentiality of TD memory contents and the TD's CPU state from other
software, including the hosting Virtual-Machine Monitor (VMM), unless
explicitly shared by the TD itself.

There are 2 configurations for TDVF to upstream. See below link for
the definitions of the 2 configurations.
https://edk2.groups.io/g/devel/message/76367

This patch-set is to enable below features of Config-B in OvmfPkg.
 - Enable RTMR based measurement and measured boot
 - Install CC_MEASUREMENT_PROTOCOL instance in Td guest

The measurement for the other components, such as kernel image, initrd,
will be introduced in the following patch-sets.

Patch 1:
HashLibTdx provides SHA384 service and extend to RTMR registers.

Patch 2:
SecCryptLib is the cryptographic library instance for SEC.

Patch 3 - 8:
These 6 patches are related to RTMR based measurement and
CC Eventlog ACPI table.

Patch 9:
Update IntelTdxX64.dsc/IntelTdxX64.fdf to support RTMR based
measurement and measured boot.

Code at: https://github.com/mxu9/edk2/tree/tdvf_wave4.v3

v3 changes:
 - Refine HashLibBaseCryptoRouterTdx to HashLibTdx
 - Add NULL version algorithms in SecCryptLib.
 - Add SecMeasurementLib which does the measurement in SEC phase.
 - Rebase EDK2 code base. (commit: 91a03f78ba)

v2 changes:
 - Move the definition of EFI_CC_EVENT_HOB_GUID from MdePkg to
   SecurityPkg.
 - Update the definition of EFI_CC_EVENTLOG_ACPI_TABLE based
   on below discussion:
   https://edk2.groups.io/g/devel/message/87396
   https://edk2.groups.io/g/devel/message/87402
 - Update the code base to 94f905b3bf.

Min Xu (9):
  Security: Add HashLibTdx
  CryptoPkg: Add SecCryptLib
  SecurityPkg: Add definition of EFI_CC_EVENT_HOB_GUID
  OvmfPkg: Introduce SecMeasurementLib
  OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV
  OvmfPkg: Add PCDs for LAML/LASA field in CC EVENTLOG ACPI table
  MdePkg: Define CC Measure EventLog ACPI Table
  OvmfPkg/IntelTdx: Add TdTcg2Dxe
  OvmfPkg/IntelTdx: Enable RTMR based measurement and measure boot

 CryptoPkg/CryptoPkg.dsc                       |    4 +
 .../Library/BaseCryptLib/Hash/CryptMd5Null.c  |  163 ++
 .../Library/BaseCryptLib/Hash/CryptSha1Null.c |  166 ++
 .../BaseCryptLib/Hash/CryptSha256Null.c       |  162 ++
 .../Library/BaseCryptLib/Hash/CryptSm3Null.c  |  164 ++
 .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c |  152 +
 .../BaseCryptLib/Pk/CryptRsaBasicNull.c       |  121 +
 .../Library/BaseCryptLib/SecCryptLib.inf      |   91 +
 MdePkg/Include/Protocol/CcMeasurement.h       |   21 +
 OvmfPkg/Include/Library/SecMeasurementLib.h   |   46 +
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              |   16 +-
 OvmfPkg/IntelTdx/IntelTdxX64.fdf              |    5 +
 .../IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c    |  407 +++
 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c        | 2489 +++++++++++++++++
 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf      |  101 +
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c  |  163 ++
 .../PeilessStartupLib/PeilessStartup.c        |   31 +
 .../PeilessStartupInternal.h                  |   17 +
 .../PeilessStartupLib/PeilessStartupLib.inf   |    8 +-
 .../SecMeasurementLib/SecMeasurementLibTdx.c  |  340 +++
 .../SecMeasurementLibTdx.inf                  |   30 +
 OvmfPkg/OvmfPkg.dec                           |   10 +
 SecurityPkg/Include/Guid/CcEventHob.h         |   22 +
 SecurityPkg/Library/HashLibTdx/HashLibTdx.c   |  207 ++
 SecurityPkg/Library/HashLibTdx/HashLibTdx.inf |   37 +
 SecurityPkg/SecurityPkg.dec                   |    4 +
 SecurityPkg/SecurityPkg.dsc                   |   10 +
 27 files changed, 4984 insertions(+), 3 deletions(-)
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5Null.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha1Null.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSha256Null.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3Null.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
 create mode 100644 OvmfPkg/Include/Library/SecMeasurementLib.h
 create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/MeasureBootPeCoff.c
 create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.c
 create mode 100644 OvmfPkg/IntelTdx/TdTcg2Dxe/TdTcg2Dxe.inf
 create mode 100644 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
 create mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.c
 create mode 100644 OvmfPkg/Library/SecMeasurementLib/SecMeasurementLibTdx.inf
 create mode 100644 SecurityPkg/Include/Guid/CcEventHob.h
 create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.c
 create mode 100644 SecurityPkg/Library/HashLibTdx/HashLibTdx.inf

-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#88984): https://edk2.groups.io/g/devel/message/88984
Mute This Topic: https://groups.io/mt/90531003/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH V3 0/9] Enable RTMR based measurement and measure boot for Td guest

Reply via email to