[edk2-devel] [PATCH V3 1/1] UefiCpuPkg: Extend measurement of microcode patches to TPM
Longlong Yang
longlong.yang at intel.com
Tue Dec 14 03:02:11 UTC 2021
Hi Ray,
The order is required by the hash function.
By measuring an object, we first need to get the hash or the digest of that object, and then extend the hash/digest or measurement to TPM device. If there are more than one microcode patches applied to CPU, we need to measure all of those patches. My design on measuring multiple microcode patches is that we first pack those patches into a single binary blob, and then measure the binary blob by calling TpmMeasureAndLogData function. In TpmMeasureAndLogData function, the hash of binary blob will be calculated. If the order got changed, then the hash will change too, and then the attestation will be impacted. Therefore we need make sure if microcode didn't get updated, then the hash/digest should the same every time we measure them. So we should sort the patches to make sure the binary blob is device specific same.
BRs
Longlong
-----Original Message-----
From: Ni, Ray <ray.ni at intel.com>
Sent: Tuesday, December 14, 2021 9:57 AM
To: Yang, Longlong <longlong.yang at intel.com>; devel at edk2.groups.io
Cc: Dong, Eric <eric.dong at intel.com>; Kumar, Rahul1 <rahul1.kumar at intel.com>; Yao, Jiewen <jiewen.yao at intel.com>; Xu, Min M <min.m.xu at intel.com>; Zhang, Qi1 <qi1.zhang at intel.com>
Subject: RE: [PATCH V3 1/1] UefiCpuPkg: Extend measurement of microcode patches to TPM
> +
> + //
> + // The order matters when packing all applied microcode patches to a single binary blob.
> + // Therefore it is a must to do sorting before packing.
> + // NOTE: We assumed that the order of address of every microcode
> + patch in RAM is the same // with the order of those in the
> + Microcode Firmware Volume in FLASH. If any future updates // made this assumption untenable, then needs a new solution to measure microcode patches.
> + //
Can you explain the above comments?
If you only measure the microcode which will be applied to CPU, why do you care about the order?
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#84780): https://edk2.groups.io/g/devel/message/84780
Mute This Topic: https://groups.io/mt/87706159/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list