diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 0931ce061a..54bca10bc9 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -210,6 +210,7 @@ TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf !include OvmfPkg/Include/Dsc/ShellLibs.dsc.inc +!include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc [LibraryClasses.common] AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
@@ -529,6 +530,8 @@ gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000 +!include OvmfPkg/Include/Dsc/OvmfTpmPcds.dsc.inc + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform.
@@ -727,7 +730,10 @@ OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/IoMmuDxe/IoMmuDxe.inf - OvmfPkg/TdxDxe/TdxDxe.inf + OvmfPkg/TdxDxe/TdxDxe.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf + } # # Variable driver stack (non-SMM)
@@ -751,3 +757,8 @@ HashLib|OvmfPkg/Library/HashLibTdx/HashLibTdx.inf NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf } + + # + # TPM support + # + !include OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
index ce5d542048..def4e103a8 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
@@ -257,6 +257,11 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf # INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf +# +# TPM support +# +!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc + ################################################################################ [FV.NCCFV]
diff --git a/OvmfPkg/TdxDxe/TdxDxe.c b/OvmfPkg/TdxDxe/TdxDxe.c
index f150d08cd6..88cd341375 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.c
+++ b/OvmfPkg/TdxDxe/TdxDxe.c
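Review bot: Nothing in the fourth .dsc hunk, which pulls the TPM DXE modules in through OvmfTpmComponentsDxe.dsc.inc, orders those modules after TdxDxe, yet the new SetVtpmDeviceInstance() in TdxDxe.c is what sets PcdTpmInstanceGuid and PcdTpm2HashMask for them; the TdxDxe.inf hunk keeps `[Depex] TRUE` and the module publishes no protocol a TPM consumer could depend on. If a consumer is dispatched before TdxDxe it presumably sees the defaults from OvmfTpmPcds.dsc.inc rather than the vTPM selection, and that would fail silently rather than loudly. Whatever guarantees the order (FV placement in the .fdf, a depex inside the include) is not visible in this diff, so a comment above the include naming it, e.g. `# TdxDxe must dispatch first: it selects PcdTpmInstanceGuid from the SEC measurement type`, would document the dependency. The same point applies to the TdxDxe.inf hunk that shows the `[Depex] TRUE` line.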
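Review bot: The new include sits directly below `INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf`, and nothing in the .fdf hunk says what prevents the RTMR-based TdTcg2Dxe and the vTPM-based Tcg2 stack from both being active in one boot. Presumably the selection is PcdTpmInstanceGuid, which TdxDxe.c sets only when the SEC work area reports TDX_MEASUREMENT_TYPE_VTPM, but that is inferred from the other files in this diff rather than visible here. The `# TPM support` banner could carry that one sentence naming the mechanism that makes the two measurement paths mutually exclusive, so a reader of the .fdf alone does not assume both drivers measure concurrently.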
@@ -32,6 +32,9 @@ #include #include #include +#include +#include +#include #define ALIGNED_2MB_MASK 0x1fffff EFI_HANDLE mTdxDxeHandle = NULL;
@@ -301,6 +304,58 @@ SetMmioSharedBit ( return EFI_SUCCESS; } +#ifdef TDX_PEI_LESS_BOOT +STATIC +EFI_STATUS +SetVtpmDeviceInstance ( + VOID + ) +{ + EFI_STATUS Status; + OVMF_WORK_AREA *WorkArea; + UINTN Size; + UINT32 TpmHashAlgorithmBitmap; + UINT32 TpmActivePcrBanks; + + DEBUG ((DEBUG_INFO, ">>%a\n", __func__)); + + WorkArea = (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + if (WorkArea == NULL) { + return EFI_INVALID_PARAMETER; + } + + if (WorkArea->TdxWorkArea.SecTdxWorkArea.MeasurementType == TDX_MEASUREMENT_TYPE_VTPM) + { + // Set PcdTpmInstanceGuid + Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid); + Status = PcdSetPtrS ( + PcdTpmInstanceGuid, + &Size, + &gEfiTpmDeviceInstanceTpm20DtpmGuid + ); + ASSERT_EFI_ERROR (Status); + if (EFI_ERROR(Status)) { + DEBUG((DEBUG_ERROR, "Set PcdTpmInstanceGuid failed with %r\n", Status)); + } + + Status = Tpm2RequestUseTpm (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "TPM2 not detected!\n")); + return Status; + } + + // Determine the current TPM support and the Platform PCR mask. + Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks); + ASSERT_EFI_ERROR (Status); + // Set active pcr banks + Status = PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks); + ASSERT_RETURN_ERROR (Status); + } + + return EFI_SUCCESS; +} +#endif + EFI_STATUS EFIAPI TdxDxeEntryPoint (
@@ -339,9 +394,12 @@ TdxDxeEntryPoint ( // need to set PCDs based on these information. // SetPcdSettings (PlatformInfo); + // In Pei-less boot, the `TpmInstance` Pcd shall be set if virtual TPM + // is detected. + SetVtpmDeviceInstance(); #endif - if (!TdIsEnabled () || TdpIsEnabled ()) { + if (!TdIsEnabled () || TdpIsEnabled ()) { // // If it is Non-Td guest, we install gEfiMpInitLibMpDepProtocolGuid so that // MpInitLib will be used in CpuDxe driver.
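Review bot: In SetVtpmDeviceInstance a failed Tpm2GetCapabilitySupportedAndActivePcrs() is only ASSERTed, so on a release build the following `PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks)` stores the never-initialized TpmActivePcrBanks, and a failed PcdSetPtrS() is logged but the function still goes on to probe and configure the device. Both replies come from the vTPM over the MMIO interface that the .dsc binds through Tpm2DeviceLibDTpm, i.e. presumably from outside this TD, so an error from the device should end the function with a status rather than be asserted away; the `TpmActivePcrBanks` mask in particular decides which PCR banks the Tcg2 stack later extends. Style-wise, the `{` after the MeasurementType condition is on its own line and `EFI_ERROR(Status)` / `DEBUG((` lack the space before `(` that every other call in the hunk has. The function is complete within the hunk; the rewritten error paths are below, the unchanged probe is elided.
```c
  if (WorkArea->TdxWorkArea.SecTdxWorkArea.MeasurementType == TDX_MEASUREMENT_TYPE_VTPM) {
    // Select the dTPM instance so the Tcg2 stack binds to the vTPM.
    Size   = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);
    Status = PcdSetPtrS (PcdTpmInstanceGuid, &Size, &gEfiTpmDeviceInstanceTpm20DtpmGuid);
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "Set PcdTpmInstanceGuid failed with %r\n", Status));
      return Status;
    }

    // … unchanged: Tpm2RequestUseTpm () probe and its error return …

    // The capability reply is device-provided: only trust TpmActivePcrBanks
    // when the command succeeded, otherwise an indeterminate mask is stored.
    Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilitySupportedAndActivePcrs failed with %r\n", Status));
      return Status;
    }

    Status = PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "Set PcdTpm2HashMask failed with %r\n", Status));
      return Status;
    }
  }
```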
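Review bot: The status returned by the new `SetVtpmDeviceInstance();` call in TdxDxeEntryPoint is discarded, so a vTPM that the SEC work area selected but that fails Tpm2RequestUseTpm() leaves the boot continuing with PcdTpmInstanceGuid already pointing at the dTPM instance and nothing logged at this level. Either record it, `Status = SetVtpmDeviceInstance ();` followed by a DEBUG on EFI_ERROR, or say why ignoring it is correct in the comment that is already there, e.g. extend it with `// Its failure is not fatal; the Tcg2 stack reports a missing device itself.` only if that is in fact the behavior. The call also lacks the space before `(` used elsewhere in the file, and the `if (!TdIsEnabled () || TdpIsEnabled ()) {` line is removed and re-added with no visible change, which looks like an unrelated whitespace edit. TdxDxeEntryPoint starts and ends outside the hunk.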
diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf
index 9793562884..00b35770a5 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.inf
+++ b/OvmfPkg/TdxDxe/TdxDxe.inf
@@ -26,6 +26,7 @@ MdePkg/MdePkg.dec UefiCpuPkg/UefiCpuPkg.dec OvmfPkg/OvmfPkg.dec + SecurityPkg/SecurityPkg.dec [LibraryClasses] BaseLib
@@ -39,12 +40,14 @@ HobLib TdxMailboxLib MemEncryptTdxLib + Tpm2CommandLib [Depex] TRUE [Guids] gUefiOvmfPkgPlatformInfoGuid ## CONSUMES + gEfiTpmDeviceInstanceTpm20DtpmGuid ## CONSUMES [Protocols] gQemuAcpiTableNotifyProtocolGuid ## CONSUMES
@@ -71,3 +74,6 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
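Review bot: The second .inf hunk adds only `Tpm2CommandLib` to [LibraryClasses], but TdxDxe.c now calls Tpm2RequestUseTpm() directly, which is a Tpm2DeviceLib API, and the .dsc hunk overrides Tpm2DeviceLib specifically for this module. The build presumably links it transitively through Tpm2CommandLib, yet a module that calls a library class itself should declare it, so add a `Tpm2DeviceLib` line next to `Tpm2CommandLib`; the include names are stripped in this rendering, so which header the .c file pulls in cannot be confirmed here. The same hunk keeps `[Depex] TRUE`, which leaves no ordering between this module setting PcdTpmInstanceGuid and the TPM modules the .dsc now pulls in that read it.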