OvmfPkg: Cache and measure FwCfg

OvmfPkg/Include/Library/QemuFwCfgLib.h

@@ -164,4 +164,23 @@ QemuFwCfgFindFile (
   OUT  UINTN                 *Size
   );
 
+/**
+  OVMF reads configuration data from QEMU via fw_cfg.
+  For Td-Guest VMM is out of TCB and the configuration data is untrusted.
+  From the security perpective the configuration data shall be measured
+  before it is consumed.
+  This function reads the fw_cfg items and cached them. In the meanwhile these
+  fw_cfg items are measured as well. This is to avoid changing the order when
+  reading the fw_cfg process, which depends on multiple factors(depex, order in
+  the Firmware volume).
+
+  @retval  RETURN_SUCCESS   - Successfully cache with measurement
+  @retval  Others           - As the error code indicates
+ */
+RETURN_STATUS
+EFIAPI
+QemuFwCfgInitCache (
+  VOID
+  );
+
 #endif

OvmfPkg/Include/Library/TdxHelperLib.h

@@ -11,12 +11,6 @@
 
 #include <PiPei.h>
 
-#define   CC_MR_INDEX_0_MRTD   0
-#define   CC_MR_INDEX_1_RTMR0  1
-#define   CC_MR_INDEX_2_RTMR1  2
-#define   CC_MR_INDEX_3_RTMR2  3
-#define   CC_MR_INDEX_INVALID  4
-
 /**
   In Tdx guest, some information need to be passed from host VMM to guest
   firmware. For example, the memory resource, etc. These information are
@@ -73,71 +67,4 @@ TdxHelperBuildGuidHobForTdxMeasurement (
   VOID
   );
 
-/**
-  According to UEFI Spec 2.10 Section 38.4.1:
-    The following table shows the TPM PCR index mapping and CC event log measurement
-  register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
-   Register and RTMR means Runtime Measurement Register
-    // TPM PCR Index | CC Measurement Register Index | TDX-measurement register
-    //  ------------------------------------------------------------------------
-    // 0             |   0                           |   MRTD
-    // 1, 7          |   1                           |   RTMR[0]
-    // 2~6           |   2                           |   RTMR[1]
-    // 8~15          |   3                           |   RTMR[2]
-  @param[in] PCRIndex Index of the TPM PCR
-  @retval    UINT32               Index of the CC Event Log Measurement Register Index
-  @retval    CC_MR_INDEX_INVALID  Invalid MR Index
-**/
-UINT32
-EFIAPI
-TdxHelperMapPcrToMrIndex (
-  IN  UINT32  PCRIndex
-  );
-
-/**
- * Build GuidHob for Tdx CC measurement event.
- *
- * @param RtmrIndex     RTMR index
- * @param EventType     Event type
- * @param EventData     Event data
- * @param EventSize     Size of event data
- * @param HashValue     Hash value
- * @param HashSize      Size of hash
- *
- * @retval EFI_SUCCESS  Successfully build the GuidHobs
- * @retval Others       Other error as indicated
- */
-EFI_STATUS
-EFIAPI
-TdxHelperBuildTdxMeasurementGuidHob (
-  UINT32  RtmrIndex,
-  UINT32  EventType,
-  UINT8   *EventData,
-  UINT32  EventSize,
-  UINT8   *HashValue,
-  UINT32  HashSize
-  );
-
-/**
- * Calculate the sha384 of input Data and extend it to RTMR register.
- *
- * @param RtmrIndex       Index of the RTMR register
- * @param DataToHash      Data to be hashed
- * @param DataToHashLen   Length of the data
- * @param Digest          Hash value of the input data
- * @param DigestLen       Length of the hash value
- *
- * @retval EFI_SUCCESS    Successfully hash and extend to RTMR
- * @retval Others         Other errors as indicated
- */
-EFI_STATUS
-EFIAPI
-TdxHelperHashAndExtendToRtmr (
-  IN UINT32  RtmrIndex,
-  IN VOID    *DataToHash,
-  IN UINTN   DataToHashLen,
-  OUT UINT8  *Digest,
-  IN  UINTN  DigestLen
-  );
-
 #endif

OvmfPkg/Include/Library/TdxMeasurementLib.h

@@ -0,0 +1,87 @@
+/** @file
+  TdxMeasurementLib header file
+
+  Copyright (c) 2024, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef TDX_MEASUREMENT_LIB_H
+#define TDX_MEASUREMENT_LIB_H
+
+#include <PiPei.h>
+
+#define   CC_MR_INDEX_0_MRTD   0
+#define   CC_MR_INDEX_1_RTMR0  1
+#define   CC_MR_INDEX_2_RTMR1  2
+#define   CC_MR_INDEX_3_RTMR2  3
+#define   CC_MR_INDEX_INVALID  4
+
+/**
+  According to UEFI Spec 2.10 Section 38.4.1:
+    The following table shows the TPM PCR index mapping and CC event log measurement
+  register index interpretation for Intel TDX, where MRTD means Trust Domain Measurement
+   Register and RTMR means Runtime Measurement Register
+    // TPM PCR Index | CC Measurement Register Index | TDX-measurement register
+    //  ------------------------------------------------------------------------
+    // 0             |   0                           |   MRTD
+    // 1, 7          |   1                           |   RTMR[0]
+    // 2~6           |   2                           |   RTMR[1]
+    // 8~15          |   3                           |   RTMR[2]
+  @param[in] PCRIndex Index of the TPM PCR
+  @retval    UINT32               Index of the CC Event Log Measurement Register Index
+  @retval    CC_MR_INDEX_INVALID  Invalid MR Index
+**/
+UINT32
+EFIAPI
+TdxMapPcrToMrIndex (
+  IN  UINT32  PCRIndex
+  );
+
+/**
+ * Build GuidHob for Tdx CC measurement event.
+ *
+ * @param RtmrIndex     RTMR index
+ * @param EventType     Event type
+ * @param EventData     Event data
+ * @param EventSize     Size of event data
+ * @param HashValue     Hash value
+ * @param HashSize      Size of hash
+ *
+ * @retval EFI_SUCCESS  Successfully build the GuidHobs
+ * @retval Others       Other error as indicated
+ */
+EFI_STATUS
+EFIAPI
+TdxBuildTdxMeasurementGuidHob (
+  UINT32  RtmrIndex,
+  UINT32  EventType,
+  UINT8   *EventData,
+  UINT32  EventSize,
+  UINT8   *HashValue,
+  UINT32  HashSize
+  );
+
+/**
+ * Calculate the sha384 of input Data and extend it to RTMR register.
+ *
+ * @param RtmrIndex       Index of the RTMR register
+ * @param DataToHash      Data to be hashed
+ * @param DataToHashLen   Length of the data
+ * @param Digest          Hash value of the input data
+ * @param DigestLen       Length of the hash value
+ *
+ * @retval EFI_SUCCESS    Successfully hash and extend to RTMR
+ * @retval Others         Other errors as indicated
+ */
+EFI_STATUS
+EFIAPI
+TdxHashAndExtendToRtmr (
+  IN UINT32  RtmrIndex,
+  IN VOID    *DataToHash,
+  IN UINTN   DataToHashLen,
+  OUT UINT8  *Digest,
+  IN  UINTN  DigestLen
+  );
+
+#endif

OvmfPkg/IntelTdx/IntelTdxX64.dsc

@@ -239,6 +239,9 @@
   PrePiLib|EmbeddedPkg/Library/PrePiLib/PrePiLib.inf
   PeilessStartupLib|OvmfPkg/Library/PeilessStartupLib/PeilessStartupLib.inf
   CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf
+  TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/SecPeiTdxMeasurementLib.inf
+  TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
+  TpmMeasurementLib|OvmfPkg/Library/SecTpmMeasurementLib/SecTpmMeasurementLib.inf
 
 [LibraryClasses.common.DXE_CORE]
   HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
@@ -313,7 +316,7 @@
   NestedInterruptTplLib|OvmfPkg/Library/NestedInterruptTplLib/NestedInterruptTplLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
   QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
-  TdxHelperLib|OvmfPkg/IntelTdx/TdxHelperLib/DxeTdxHelperLib.inf
+  TdxMeasurementLib|OvmfPkg/IntelTdx/TdxMeasurementLib/DxeTdxMeasurementLib.inf
 
 [LibraryClasses.common.UEFI_APPLICATION]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -544,7 +547,6 @@
   OvmfPkg/IntelTdx/Sec/SecMain.inf {
     <LibraryClasses>
       NULL|MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaCustomDecompressLib.inf
-      NULL|OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf
       BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SecCryptLib.inf
   }
 

OvmfPkg/IntelTdx/Sec/SecMain.inf

@@ -50,6 +50,7 @@
   PeilessStartupLib
   PlatformInitLib
   CcProbeLib
+  TdxHelperLib
 
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase

OvmfPkg/IntelTdx/TdxHelperLib/PeiTdxHelperLib.inf

@@ -25,7 +25,6 @@
 [Sources]
   PeiTdxHelper.c
   TdxMeasurementHob.c
-  TdxHelperCommon.c
 
 [Packages]
   MdeModulePkg/MdeModulePkg.dec
@@ -40,6 +39,7 @@
   HobLib
   PcdLib
   BaseCryptLib
+  TdxMeasurementLib
 
 [FixedPcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase

OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelper.c

@@ -23,6 +23,7 @@
 #include <WorkArea.h>
 #include <ConfidentialComputingGuestAttr.h>
 #include <Library/TdxHelperLib.h>
+#include <Library/TdxMeasurementLib.h>
 
 #define ALIGNED_2MB_MASK  0x1fffff
 #define MEGABYTE_SHIFT    20
@@ -836,7 +837,7 @@ TdxHelperMeasureTdHob (
     Hob.Raw = GET_NEXT_HOB (Hob);
   }
 
-  Status = TdxHelperHashAndExtendToRtmr (
+  Status = TdxHashAndExtendToRtmr (
              0,
              (UINT8 *)TdHob,
              (UINTN)((UINT8 *)Hob.Raw - (UINT8 *)TdHob),
@@ -881,7 +882,7 @@ TdxHelperMeasureCfvImage (
   UINT8           Digest[SHA384_DIGEST_SIZE];
   OVMF_WORK_AREA  *WorkArea;
 
-  Status = TdxHelperHashAndExtendToRtmr (
+  Status = TdxHashAndExtendToRtmr (
              0,
              (UINT8 *)(UINTN)PcdGet32 (PcdOvmfFlashNvStorageVariableBase),
              (UINT64)PcdGet32 (PcdCfvRawDataSize),

OvmfPkg/IntelTdx/TdxHelperLib/SecTdxHelperLib.inf

@@ -25,7 +25,6 @@
 [Sources]
   SecTdxHelper.c
   TdxMeasurementHob.c
-  TdxHelperCommon.c
 
 [Packages]
   CryptoPkg/CryptoPkg.dec
@@ -42,6 +41,7 @@
   PcdLib
   TdxMailboxLib
   TdxLib
+  TdxMeasurementLib
 
 [FixedPcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase