Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cache measure fwcfg.v3 #6399

Draft
wants to merge 12 commits into
base: master
Choose a base branch
from
Draft

Cache measure fwcfg.v3 #6399

wants to merge 12 commits into from

Conversation

mxu9
Copy link
Contributor

@mxu9 mxu9 commented Nov 4, 2024

Description

<Include a description of the change and why this change was made.>

<For each item, place an "x" in between [ and ] if true. Example: [x] (you can also check items in GitHub UI)>

<Create the PR as a Draft PR if it is only created to run CI checks.>

<Delete lines in <> tags before creating the PR.>

  • Breaking change?
    • Breaking change - Does this PR cause a break in build or boot behavior?
    • Examples: Does it add a new library class or move a module to a different repo.
  • Impacts security?
    • Security - Does this PR have a direct security impact?
    • Examples: Crypto algorithm change or buffer overflow fix.
  • Includes tests?
    • Tests - Does this PR include any explicit test code?
    • Examples: Unit tests or integration tests.

How This Was Tested

<Describe the test(s) that were run to verify the changes.>

Integration Instructions

<Describe how these changes should be integrated. Use N/A if nothing is required.>

@mxu9 mxu9 marked this pull request as draft November 4, 2024 00:56
@sunceping @mxu9
SecurityPkg/Ppi: Add gEdkiiCcPpi for CC Measurement in PEI phase
534e5a7 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg/TdTcg2Pei: Add TdTcg2Pei to install gEdkiiCcPpi
723812d 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
SecurityPkg: Add TpmMeasurementLib for SEC phase
8a288b1 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
SecurityPkg/PeiTpmMeasurementLib: Support CcMeasurement
a04699e 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg: Update OvmfTpmLibs.dsc.inc to add PeiTpmMeasurementLib.inf
613d3a8 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg: Update OvmfPkgX64.dsc to support TdTcg2Pei
1e9fe51 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg.dec: Add gOvmfFwCfgInfoHobGuid
ffa3e76 
Since TDVF have to measure fw_cfg data from QEMU,
it is reqiured to cache the data with measurement
in early phase, that can avoid changing the measurement
order when reading the fw_cfg process, which depends
on multipe factors(depex, order in the firmware volume).

Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg: Add BaseCryptLib for PlatformPei.inf
c002bb1 
Since the TdxHelperLib is used for measurement
in PEI phase, it required TDVF to add the library.
And for other platform, it is null.

Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg/QemuFwCfgLib: Add fwcfg cache interface
5cd2511 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg/QemuFwCfgLib: Support Cache FwCfg with optional measurement
0e26db3 
OVMF uses FW_CFG_SELECTOR(0x510) and FW_CFG_IO_DATA(0x511) to
get configuration infomation from QEMU. From the security perspective
these information shall be measured before they're consumed.

This patch reads the fw_cfg items and cached them in a GuidHob. In the
meanwhile these fw_cfg items are measured as well. This is to avoid
changing the order when  reading the fw_cfg process, which depends on
multiple factors(depex, order in  the Firmware volume).

Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg/PlatformPei: Cache and measure FW_CFG items
a28a0ac 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@sunceping @mxu9
OvmfPkg/PeilessStartupLib: Cache and measure FW_CFG item
7550f1b 
Signed-off-by: Min Xu <min.m.xu@intel.com>
Signed-off-by: Ceping Sun <cepingx.sun@intel.com>
@mdkinney
Copy link
Member

mdkinney commented Nov 4, 2024

Please rebase to pick up fix for CI check failures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ardbiesheuvel ardbiesheuvel Awaiting requested review from ardbiesheuvel

@elmarco elmarco Awaiting requested review from elmarco

@jongwu jongwu Awaiting requested review from jongwu

@jyao1 jyao1 Awaiting requested review from jyao1

@kraxel kraxel Awaiting requested review from kraxel

@mdroth mdroth Awaiting requested review from mdroth

@ruleof2 ruleof2 Awaiting requested review from ruleof2

@tlendacky tlendacky Awaiting requested review from tlendacky

@weltling weltling Awaiting requested review from weltling

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mxu9 @mdkinney @sunceping