[edk2-devel] [PATCH V3 1/1] OvmfPkg/AcpiPlatformDxe: Measure ACPI table from QEMU in TDVF

Thu, 02 Feb 2023 01:03:33 -0800 

From: Min M Xu <min.m...@intel.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=4245

QEMU provides the following three files for guest to install the ACPI
tables:
 - etc/acpi/rsdp
 - etc/acpi/tables
 - etc/table-loader

"etc/acpi/rsdp" and "etc/acpi/tables" are similar, they are only kept
separate because they have different allocation requirements in SeaBIOS.

Both of these fw_cfg files contain preformatted ACPI payload.
"etc/acpi/rsdp" contains only the RSDP table, while "etc/acpi/tables"
contains all other tables, concatenated. To be noted, the tables in these
two files have been filled in by qemu, but two kinds of fields are
incomplete: pointers to other tables and checksums (which depend on the
pointers).

"/etc/table-loader" is a linker/loader which provides the commands to
"patch" the tables in "etc/acpi/tables" and then install them. "Patch"
means to fill the pointers and compute the checksum.

>From the security perspective these 3 files are the raw data downloaded
from qemu. They should be measured and extended before they're consumed.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Signed-off-by: Min Xu <min.m...@intel.com>
---
 OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf |  1 +
 OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c     | 32 +++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf 
b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
index 8939dde42549..3fd0483b50eb 100644
--- a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
+++ b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
@@ -46,6 +46,7 @@
   UefiBootServicesTableLib
   UefiDriverEntryPoint
   HobLib
+  TpmMeasurementLib
 
 [Protocols]
   gEfiAcpiTableProtocolGuid                     # PROTOCOL ALWAYS_CONSUMED
diff --git a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c 
b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
index f0d81d6fd73d..68abc34f2280 100644
--- a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
+++ b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
@@ -10,6 +10,7 @@
 
 #include <IndustryStandard/Acpi.h>            // EFI_ACPI_DESCRIPTION_HEADER
 #include <IndustryStandard/QemuLoader.h>      // QEMU_LOADER_FNAME_SIZE
+#include <IndustryStandard/UefiTcgPlatform.h>
 #include <Library/BaseLib.h>                  // AsciiStrCmp()
 #include <Library/BaseMemoryLib.h>            // CopyMem()
 #include <Library/DebugLib.h>                 // DEBUG()
@@ -18,6 +19,7 @@
 #include <Library/QemuFwCfgLib.h>             // QemuFwCfgFindFile()
 #include <Library/QemuFwCfgS3Lib.h>           // QemuFwCfgS3Enabled()
 #include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/TpmMeasurementLib.h>
 
 #include "AcpiPlatform.h"
 
@@ -415,6 +417,21 @@ ProcessCmdAllocate (
     (UINT64)Blob->Size,
     (UINT64)(UINTN)Blob->Base
     ));
+
+  //
+  // Measure the data which is downloaded from QEMU.
+  // It has to be done before it is consumed. Because the data will
+  // be updated in the following operations.
+  //
+  TpmMeasureAndLogData (
+    1,
+    EV_PLATFORM_CONFIG_FLAGS,
+    EV_POSTCODE_INFO_ACPI_DATA,
+    ACPI_DATA_LEN,
+    (VOID *)(UINTN)Blob->Base,
+    Blob->Size
+    );
+
   return EFI_SUCCESS;
 
 FreeBlob:
@@ -1126,6 +1143,21 @@ InstallQemuFwCfgTables (
   QemuFwCfgSelectItem (FwCfgItem);
   QemuFwCfgReadBytes (FwCfgSize, LoaderStart);
   RestorePciDecoding (OriginalPciAttributes, OriginalPciAttributesCount);
+
+  //
+  // Measure the "etc/table-loader" which is downloaded from QEMU.
+  // It has to be done before it is consumed. Because it would be
+  // updated in the following operations.
+  //
+  TpmMeasureAndLogData (
+    1,
+    EV_PLATFORM_CONFIG_FLAGS,
+    EV_POSTCODE_INFO_ACPI_DATA,
+    ACPI_DATA_LEN,
+    (VOID *)(UINTN)LoaderStart,
+    FwCfgSize
+    );
+
   LoaderEnd = LoaderStart + FwCfgSize / sizeof *LoaderEntry;
 
   AllocationsRestrictedTo32Bit = NULL;
-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99441): https://edk2.groups.io/g/devel/message/99441
Mute This Topic: https://groups.io/mt/96696644/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to