Test

MdePkg/Include/Library/TdxLib.h

@@ -89,4 +89,28 @@ TdVCpuNum (
   VOID
   );
 
+/**
+  According to UEFI Spec 2.10 Section 38.4.1:
+    The following table shows the TPM PCR index mapping and CC event log measurement
+  register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
+   Register and RTMR means Runtime Measurement Register
+
+    // TPM PCR Index | CC Measurement Register Index | TDX-measurement register
+    //  ------------------------------------------------------------------------
+    // 0             |   0                           |   MRTD
+    // 1, 7          |   1                           |   RTMR[0]
+    // 2~6           |   2                           |   RTMR[1]
+    // 8~15          |   3                           |   RTMR[2]
+
+  @param[in] PCRIndex Index of the TPM PCR
+
+  @retval    UINT32               Index of the CC Event Log Measurement Register Index
+  @retval    CC_MR_INDEX_INVALID  Invalid MR Index
+**/
+UINT32
+EFIAPI
+MapPcrToMrIndex (
+  IN  UINT32  PCRIndex
+  );
+
 #endif

MdePkg/Include/Protocol/CcMeasurement.h

@@ -56,6 +56,8 @@ typedef UINT32 EFI_CC_MR_INDEX;
 #define TDX_MR_INDEX_RTMR2  3
 #define TDX_MR_INDEX_RTMR3  4
 
+#define TDX_MR_INDEX_INVALID  5
+
 #define EFI_CC_EVENT_LOG_FORMAT_TCG_2  0x00000002
 #define EFI_CC_BOOT_HASH_ALG_SHA384    0x00000004
 

MdePkg/Library/TdxLib/Measurement.c

@@ -0,0 +1,57 @@
+/** @file
+
+  Extends one of the RTMR measurement registers in TDCS with the provided
+  extension data in memory.
+
+  Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi/UefiBaseType.h>
+#include <Protocol/CcMeasurement.h>
+
+/**
+  According to UEFI Spec 2.10 Section 38.4.1:
+    The following table shows the TPM PCR index mapping and CC event log measurement
+  register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
+   Register and RTMR means Runtime Measurement Register
+
+    // TPM PCR Index | CC Measurement Register Index | TDX-measurement register
+    //  ------------------------------------------------------------------------
+    // 0             |   0                           |   MRTD
+    // 1, 7          |   1                           |   RTMR[0]
+    // 2~6           |   2                           |   RTMR[1]
+    // 8~15          |   3                           |   RTMR[2]
+
+  @param[in] PCRIndex Index of the TPM PCR
+
+  @retval    UINT32               Index of the CC Event Log Measurement Register Index
+  @retval    CC_MR_INDEX_INVALID  Invalid MR Index
+**/
+UINT32
+EFIAPI
+MapPcrToMrIndex (
+  IN  UINT32  PCRIndex
+  )
+{
+  UINT32  MrIndex;
+
+  MrIndex = TDX_MR_INDEX_INVALID;
+
+  if (PCRIndex > 15) {
+    return TDX_MR_INDEX_INVALID;
+  }
+
+  if (PCRIndex == 0) {
+    MrIndex = TDX_MR_INDEX_MRTD;
+  } else if ((PCRIndex == 1) || (PCRIndex == 7)) {
+    MrIndex = TDX_MR_INDEX_RTMR0;
+  } else if ((PCRIndex >= 2) && (PCRIndex <= 6)) {
+    MrIndex = TDX_MR_INDEX_RTMR1;
+  } else if ((PCRIndex >= 8) && (PCRIndex <= 15)) {
+    MrIndex = TDX_MR_INDEX_RTMR2;
+  }
+
+  return MrIndex;
+}

MdePkg/Library/TdxLib/TdxLib.inf

@@ -27,6 +27,7 @@
   AcceptPages.c
   Rtmr.c
   TdInfo.c
+  Measurement.c
 
 [Packages]
   MdePkg/MdePkg.dec

MdePkg/Library/TdxLib/TdxLibNull.c

@@ -9,6 +9,7 @@
 
 #include <Uefi/UefiBaseType.h>
 #include <Library/TdxLib.h>
+#include <Protocol/CcMeasurement.h>
 
 /**
   This function accepts a pending private page, and initialize the page to
@@ -104,3 +105,30 @@ TdVCpuNum (
 {
   return 0;
 }
+
+/**
+  According to UEFI Spec 2.10 Section 38.4.1:
+    The following table shows the TPM PCR index mapping and CC event log measurement
+  register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
+   Register and RTMR means Runtime Measurement Register
+
+    // TPM PCR Index | CC Measurement Register Index | TDX-measurement register
+    //  ------------------------------------------------------------------------
+    // 0             |   0                           |   MRTD
+    // 1, 7          |   1                           |   RTMR[0]
+    // 2~6           |   2                           |   RTMR[1]
+    // 8~15          |   3                           |   RTMR[2]
+
+  @param[in] PCRIndex Index of the TPM PCR
+
+  @retval    UINT32               Index of the CC Event Log Measurement Register Index
+  @retval    CC_MR_INDEX_INVALID  Invalid MR Index
+**/
+UINT32
+EFIAPI
+MapPcrToMrIndex (
+  IN  UINT32  PCRIndex
+  )
+{
+  return TDX_MR_INDEX_INVALID;
+}

OvmfPkg/AmdSev/AmdSevX64.dsc

@@ -583,6 +583,7 @@
   OvmfPkg/PlatformPei/PlatformPei.inf {
     <LibraryClasses>
       NULL|OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf
+      BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
   }
   UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf

OvmfPkg/CloudHv/CloudHvX64.dsc

@@ -684,6 +684,7 @@
   OvmfPkg/PlatformPei/PlatformPei.inf {
     <LibraryClasses>
       NULL|OvmfPkg/IntelTdx/TdxHelperLib/TdxHelperLibNull.inf
+      BaseCryptLib|CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
   }
   UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf {
     <LibraryClasses>

OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc

@@ -33,6 +33,16 @@
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
 !endif
 
+!if $(TPM2_ENABLE) == TRUE || $(CC_MEASUREMENT_ENABLE) == TRUE
+  #
+  # TpmMeasurementLib supports measurement functions for both TPM and Confidential Computing.
+  # It should be controlled by TPM2_ENABLE and CC_MEASUREMENT_ENABLE.
+  #
+  TpmMeasurementLib|SecurityPkg/Library/PeiTpmMeasurementLib/PeiTpmMeasurementLib.inf
+!else
+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+!endif
+
 [LibraryClasses.common.DXE_DRIVER]
 !if $(TPM2_ENABLE) == TRUE
 !if $(TPM1_ENABLE) == TRUE

OvmfPkg/Include/Library/QemuFwCfgLib.h

@@ -164,4 +164,23 @@ QemuFwCfgFindFile (
   OUT  UINTN                 *Size
   );
 
+/**
+  OVMF reads configuration data from QEMU via fw_cfg.
+  For Td-Guest VMM is out of TCB and the configuration data is untrusted.
+  From the security perpective the configuration data shall be measured
+  before it is consumed.
+  This function reads the fw_cfg items and cached them. In the meanwhile these
+  fw_cfg items are measured as well. This is to avoid changing the order when
+  reading the fw_cfg process, which depends on multiple factors(depex, order in
+  the Firmware volume).
+
+  @retval  RETURN_SUCCESS   - Successfully cache with measurement
+  @retval  Others           - As the error code indicates
+ */
+RETURN_STATUS
+EFIAPI
+QemuFwCfgInitCache (
+  VOID
+  );
+
 #endif

OvmfPkg/IntelTdx/IntelTdxX64.dsc

@@ -548,6 +548,7 @@
       NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
       NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
       BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
+      TpmMeasurementLib|SecurityPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLib.inf
   }
 
   #

OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c

@@ -21,6 +21,8 @@
 #include <ConfidentialComputingGuestAttr.h>
 #include <Guid/MemoryTypeInformation.h>
 #include <OvmfPlatforms.h>
+#include <Base.h>
+#include <Library/QemuFwCfgLib.h>
 #include "PeilessStartupInternal.h"
 
 #define GET_GPAW_INIT_STATE(INFO)  ((UINT8) ((INFO) & 0x3f))
@@ -47,6 +49,10 @@ InitializePlatform (
   DEBUG ((DEBUG_INFO, "InitializePlatform in Pei-less boot\n"));
   PlatformDebugDumpCmos ();
 
+  if (RETURN_ERROR (QemuFwCfgInitCache ())) {
+    DEBUG ((DEBUG_ERROR, "QemuFwCfgInitCache failed !\n"));
+  }
+
   PlatformInfoHob->DefaultMaxCpuNumber = 64;
   PlatformInfoHob->PcdPciMmio64Size    = 0x800000000;