Adding CFV and TD_HOB to MRTD is technically possible, but not desired. In a typical trust boot use case, the verifier should have a way to distinguish the *code* from *configuration*. If you look at the TCG specification, the TPM has 24 PCRs. 8 of them are allocated for BIOS. Each PCRs record one type of measurements. Technically, you can merge all PCR into one. But no one will do that in reality.
I would say: merging everything into one MRTD is a terrible idea. Thank you Yao Jiewen > -----Original Message----- > From: Gerd Hoffmann <kra...@redhat.com> > Sent: Thursday, April 21, 2022 5:15 PM > To: Yao, Jiewen <jiewen....@intel.com> > Cc: James Bottomley <j...@linux.ibm.com>; devel@edk2.groups.io; Xu, Min M > <min.m...@intel.com>; Ard Biesheuvel <ardb+tianoc...@kernel.org>; Justen, > Jordan L <jordan.l.jus...@intel.com>; Brijesh Singh <brijesh.si...@amd.com>; > Aktas, Erdem <erdemak...@google.com>; Tom Lendacky > <thomas.lenda...@amd.com> > Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td > HobList and Configuration FV > > On Wed, Apr 20, 2022 at 10:29:11PM +0000, Yao, Jiewen wrote: > > The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX- > Module will enforce the MRTD calculation for the TDVF code. > > Then TDVF can then act as Chain-of-Trust for Measurement (CTM) to setup > RTMR and continue the rest. > > > > It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8. > > > > [TDX-Module] > https://www.intel.com/content/dam/develop/external/us/en/documents/tdx- > module-1.0-public-spec-v0.931.pdf > > [TDVF] > https://www.intel.com/content/dam/develop/external/us/en/documents/tdx- > virtual-firmware-design-guide-rev-1.01.pdf > > Ok. So it all works via TDH.MEM.PAGE.ADD (initial set of accepted > pages) and TDH.MR.EXTEND (measure into MRTD) functions. > > Looking at our binary ... > > # virt-fw-dump -i Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd --ovmf-meta > image=Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd > resetvector size=0x9b0 > [ ... sev metadata snipped ... ] > guid:TdxMetadataOffset size=0x16 data=50080000 > mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 > fsize=0x37c000 flags=0x1 > mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000 > mbase=0x810000 msize=0x10000 type=MEM > mbase=0x80b000 msize=0x2000 type=MEM > mbase=0x809000 msize=0x2000 type=TD Hob > mbase=0x800000 msize=0x6000 type=MEM > > ... BFV is measured (bit 0 of flags) whereas CFV and TD Hob are only > added but not measured. > > Adding CFV and TH Hob to the initial launch measurement should be > possible by just updating flags, correct? > > I think this should be done for the CFV. The firmware will be loaded > via "qemu -bios OVMF.fd". No separate images for CODE and VARS. So > splitting the measurement looks rather pointless to me. > > TD Hob could be part of the initial launch measurement too, which would > avoid the need to measure anything in SEC. On the other hand the that > would make the launch measurement depend not only on the firmware image > but also the guest configuration (memory size), which would likely make > things more complexity elsewhere, so probably not a good idea. > > take care, > Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89181): https://edk2.groups.io/g/devel/message/89181 Mute This Topic: https://groups.io/mt/90531017/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
