OvmfPkg: Cache and measure FwCfg #6522

Draft: wants to merge 8 commits into base branch master

Conversation

@sunceping (Contributor) commented Dec 10, 2024

OVMF uses FW_CFG_SELECTOR (0x510) and FW_CFG_IO_DATA (0x511) to
get configuration information from QEMU. From the security perspective
this information shall be measured before it is consumed.

Currently, multiple factors (depex, order in the firmware volume) would impact the
measurement order when reading the fwcfg process.

This PR adds a HOB to cache and measure the fwcfg items first when initializing
the platform, to avoid changing the measurement order.

The fwcfg items below are cached/measured in TDVF:

  • "etc/e820" -- only cached
  • "etc/system-states" -- only cached
  • "etc/extra-pci-roots" -- cached and measured
  • "etc/boot-menu-wait" -- cached and measured
  • "etc/reserved-memory-end" -- cached and measured
  • "opt/ovmf/X-PciMmio64Mb" -- cached and measured
  • "bootorder" -- cached and measured

Cc: Erdem Aktas [email protected]
Cc: Jiewen Yao [email protected]
Cc: Min Xu [email protected]
Cc: Gerd Hoffmann [email protected]
Cc: Elena Reshetova [email protected]
Signed-off-by: Min Xu [email protected]
Signed-off-by: Ceping Sun [email protected]
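As an added illustration (not code from this PR or from OVMF), the following Python model shows why caching-and-measuring at init fixes the measurement order: every listed item is read once in a fixed order and the flagged ones are extended into a register, so consumers reading later, in any order, cannot change the result. The item names and measure flags are the PR's list; the byte values are constructed, and the extend operation is modelled as SHA384(old || SHA384(data)), an assumption standing in for the real RTMR extend.

```python
import hashlib

# Constructed stand-in for the fw_cfg items QEMU exposes. Names are the ones
# listed in the PR; byte values are made up for this example.
QEMU_FW_CFG = {
    "etc/e820": bytes(20),
    "etc/system-states": bytes(6),
    "etc/extra-pci-roots": (0).to_bytes(8, "little"),
    "etc/boot-menu-wait": (2500).to_bytes(2, "little"),
    "etc/reserved-memory-end": (0x100000000).to_bytes(8, "little"),
    "opt/ovmf/X-PciMmio64Mb": b"65536",
    "bootorder": b"/pci@i0cf8/scsi@4/disk@0,0\n",
}

# Fixed cache list in the PR's order: (item name, measure?).
CACHE_LIST = [
    ("etc/e820", False),
    ("etc/system-states", False),
    ("etc/extra-pci-roots", True),
    ("etc/boot-menu-wait", True),
    ("etc/reserved-memory-end", True),
    ("opt/ovmf/X-PciMmio64Mb", True),
    ("bootorder", True),
]


def sha384(data: bytes) -> bytes:
    return hashlib.sha384(data).digest()


def hash_and_extend(rtmr: bytes, data: bytes) -> bytes:
    """Assumed model of an RTMR extend: new = SHA384(old || SHA384(data))."""
    return sha384(rtmr + sha384(data))


class FwCfgCache:
    """Read every listed item once at init, measuring flagged items in list
    order. Later reads are served from the cache and never extend again."""

    def __init__(self, backend, cache_list=CACHE_LIST):
        self.entries = {}
        self.rtmr = bytes(48)          # all-zero register before any extend
        self.event_log = []            # (item name, SHA-384 of its data)
        for name, measure in cache_list:
            data = backend[name]       # the one and only read from "QEMU"
            self.entries[name] = data
            if measure:
                self.rtmr = hash_and_extend(self.rtmr, data)
                self.event_log.append((name, sha384(data).hex()))

    def read(self, name: str) -> bytes:
        return self.entries[name]


def consume(cache: FwCfgCache, order):
    """Consumers (drivers with arbitrary depex order) read from the cache."""
    return [cache.read(name) for name in order]
```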

@sunceping force-pushed the cache_and_measure_partial_fw_cfg.v1 branch 4 times, most recently from 99c21c3 to e720b42, December 12, 2024 01:33

Since TDVF has to measure fw_cfg data from QEMU,
it is required to cache the data with measurement
in the early phase, which can avoid changing the measurement
order when reading the fw_cfg process, which depends
on multiple factors (depex, order in the firmware volume).

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>

Split the tdx measurement APIs below into a single library.
- TdxMapPcrToMrIndex
- TdxHashAndExtendToRtmr
- TdxBuildTdxMeasurementGuidHob

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Min Xu <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>

Since the tdx measurement APIs are built by
TdxMeasurementLib, remove the duplicate code and
update the definitions.

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Min Xu <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>

Add the SecTpmMeasurementLib to support
TpmMeasurementAndLogData in the Sec phase.

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Min Xu <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>
@sunceping force-pushed the cache_and_measure_partial_fw_cfg.v1 branch from e720b42 to 09124f2, December 19, 2024 08:09

Since TDVF needs to cache and measure fwcfg, it is required to
add an API to support caching with optional measurement and add some
internal interfaces to support caching in QemuFwCfgLib.
The API is as below:
  QemuFwCfgInitCache()
The internal interfaces are as below:
  InternalQemuFwCfgCacheReadBytes()
  InternalQemuFwCfgCacheSelectItem()
  InternalQemuFwCfgCacheGetWorkArea()
  InternalQemuFwCfgCacheResetWorkArea()
  InternalQemuFwCfgCacheEnable()
  InternalQemuFwCfgItemCached()
  InternalQemuFwCfgCacheReading()
  InternalQemuFwCfgCacheFirstItem()
  InternalQemuFwCfgItemInCacheList()
  InternalQemuFwCfgInitCache()

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Min Xu <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>

OVMF uses FW_CFG_SELECTOR (0x510) and FW_CFG_IO_DATA (0x511) to
get configuration information from QEMU. From the security perspective
this information shall be measured before it is consumed.

This patch reads the fw_cfg items and caches them in a GuidHob. In the
meanwhile these fw_cfg items are measured as well. This is to avoid
changing the order when reading the fw_cfg process, which depends on
multiple factors (depex, order in the firmware volume).

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Min Xu <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>

Since OVMF would initialize the platform info with fwcfg,
TDVF needs to cache and measure the fwcfg first.

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Min Xu <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>

Since OVMF would initialize the platform info with fwcfg,
TDVF needs to cache and measure the fwcfg first.

Cc: Erdem Aktas <[email protected]>
Cc: Jiewen Yao <[email protected]>
Cc: Min Xu <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: Elena Reshetova <[email protected]>
Signed-off-by: Min Xu <[email protected]>
Signed-off-by: Ceping Sun <[email protected]>

@sunceping force-pushed the cache_and_measure_partial_fw_cfg.v1 branch from 09124f2 to a0c618c, December 20, 2024 01:20