[edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td HobList and Configuration FV

Gerd Hoffmann kraxel at redhat.com
Thu Apr 21 09:14:30 UTC 2022


On Wed, Apr 20, 2022 at 10:29:11PM +0000, Yao, Jiewen wrote:
> The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX-Module will enforce the MRTD calculation for the TDVF code.
> TDVF can then act as Chain-of-Trust for Measurement (CTM) to set up RTMR and continue the rest.
> 
> It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8.
> 
> [TDX-Module] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf
> [TDVF] https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf

Ok.  So it all works via TDH.MEM.PAGE.ADD (initial set of accepted
pages) and TDH.MR.EXTEND (measure into MRTD) functions.

Looking at our binary ...

# virt-fw-dump -i Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd --ovmf-meta
image=Build/IntelTdx/DEBUG_GCC5/FV/OVMF.fd
  resetvector size=0x9b0
    [ ... sev metadata snipped ... ]
    guid:TdxMetadataOffset size=0x16 data=50080000
      mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1
      mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000
      mbase=0x810000 msize=0x10000 type=MEM
      mbase=0x80b000 msize=0x2000 type=MEM
      mbase=0x809000 msize=0x2000 type=TD Hob
      mbase=0x800000 msize=0x6000 type=MEM

... BFV is measured (bit 0 of flags) whereas CFV and TD Hob are only
added but not measured.

Adding CFV and TD Hob to the initial launch measurement should be
possible by just updating flags, correct?

I think this should be done for the CFV.  The firmware will be loaded
via "qemu -bios OVMF.fd".  No separate images for CODE and VARS. So
splitting the measurement looks rather pointless to me.

TD Hob could be part of the initial launch measurement too, which would
avoid the need to measure anything in SEC.  On the other hand that
would make the launch measurement depend not only on the firmware image
but also the guest configuration (memory size), which would likely make
things more complex elsewhere, so probably not a good idea.

take care,
  Gerd
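
An added example, not part of the message above and not code from virt-fw-dump: a Python check that parses the TdxMetadataOffset section lines from the dump and reports which sections are covered by the launch measurement (flags bit 0) and which are added without being measured. The function names, and the choice to treat type=MEM sections as carrying no image content, are assumptions made for this example.

```python
import re

# Sample input: the section lines copied from the dump in the message above.
SAMPLE_DUMP = """\
      mbase=0xffc84000 msize=0x37c000 type=BFV (code) fbase=0x84000 fsize=0x37c000 flags=0x1
      mbase=0xffc00000 msize=0x84000 type=CFV (vars) fbase=0x0 fsize=0x84000
      mbase=0x810000 msize=0x10000 type=MEM
      mbase=0x80b000 msize=0x2000 type=MEM
      mbase=0x809000 msize=0x2000 type=TD Hob
      mbase=0x800000 msize=0x6000 type=MEM
"""

MEASURED = 0x1  # flags bit 0: section is measured (as read in the message above)


def parse_sections(dump):
    """Turn 'mbase=... msize=... type=...' lines into dicts."""
    sections = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("mbase="):
            continue
        # Split only before 'key=' so types such as 'TD Hob' stay intact.
        fields = dict(tok.split("=", 1) for tok in re.split(r"\s+(?=\w+=)", line))
        sections.append({
            "type": fields["type"],
            "mbase": int(fields["mbase"], 16),
            "msize": int(fields["msize"], 16),
            "fsize": int(fields.get("fsize", "0"), 16),  # 0 if not file-backed
            "measured": bool(int(fields.get("flags", "0"), 16) & MEASURED),
        })
    return sections


def unmeasured_content(sections):
    """Sections added to the TD but outside the launch measurement.
    Assumption of this example: type=MEM sections carry no image content."""
    return [s for s in sections if not s["measured"] and s["type"] != "MEM"]


def measured_file_bytes(sections):
    """(measured, total) bytes of the firmware file covered by sections."""
    total = sum(s["fsize"] for s in sections)
    return sum(s["fsize"] for s in sections if s["measured"]), total


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_DUMP)
    for s in secs:
        state = "measured" if s["measured"] else "not measured"
        print(f'{s["mbase"]:#010x} +{s["msize"]:#x} {s["type"]:<10} {state}')
    print("unmeasured:", [s["type"] for s in unmeasured_content(secs)])
    print("file bytes measured: %#x of %#x" % measured_file_bytes(secs))
```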


