[edk2-devel] [PATCH V2 1/1] OvmfPkg/AcpiPlatformDxe: Measure ACPI table from QEMU in TDVF

Min Xu min.m.xu at intel.com
Tue Jan 17 12:57:32 UTC 2023


From: Min M Xu <min.m.xu at intel.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=4245

The ACPI tables are downloaded from QEMU. From the security perspective
they should be measured and extended before installation, so that they
can be audited later.

The measurement leverages the TpmMeasurementLib, which is available when
a TPM or Confidential Computing measurement protocol is installed. But in
some cases none of the measurement protocols is installed. In this case
the measurement will be skipped.

Cc: Erdem Aktas <erdemaktas at google.com>
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Gerd Hoffmann <kraxel at redhat.com>
Cc: Tom Lendacky <thomas.lendacky at amd.com>
Cc: Michael Roth <michael.roth at amd.com>
Signed-off-by: Min Xu <min.m.xu at intel.com>
---
 OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf |  1 +
 OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c     | 26 +++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
index 8939dde42549..3fd0483b50eb 100644
--- a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
+++ b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
@@ -46,6 +46,7 @@
   UefiBootServicesTableLib
   UefiDriverEntryPoint
   HobLib
+  TpmMeasurementLib
 
 [Protocols]
   gEfiAcpiTableProtocolGuid                     # PROTOCOL ALWAYS_CONSUMED
diff --git a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
index f0d81d6fd73d..a7f14f8e25f4 100644
--- a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
+++ b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
@@ -10,6 +10,7 @@
 
 #include <IndustryStandard/Acpi.h>            // EFI_ACPI_DESCRIPTION_HEADER
 #include <IndustryStandard/QemuLoader.h>      // QEMU_LOADER_FNAME_SIZE
+#include <IndustryStandard/UefiTcgPlatform.h>
 #include <Library/BaseLib.h>                  // AsciiStrCmp()
 #include <Library/BaseMemoryLib.h>            // CopyMem()
 #include <Library/DebugLib.h>                 // DEBUG()
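Review bot: the new `#include <IndustryStandard/UefiTcgPlatform.h>` line is the only include in this block without the trailing comment naming the symbol it is pulled in for; the surrounding lines all carry one (`// EFI_ACPI_DESCRIPTION_HEADER`, `// QEMU_LOADER_FNAME_SIZE`). Please follow the file's convention, e.g. `#include <IndustryStandard/UefiTcgPlatform.h> // EV_PLATFORM_CONFIG_FLAGS, EV_POSTCODE_INFO_ACPI_DATA`.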
@@ -18,6 +19,7 @@
 #include <Library/QemuFwCfgLib.h>             // QemuFwCfgFindFile()
 #include <Library/QemuFwCfgS3Lib.h>           // QemuFwCfgS3Enabled()
 #include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/TpmMeasurementLib.h>
 
 #include "AcpiPlatform.h"
 
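Review bot: the `#include <Library/TpmMeasurementLib.h>` line breaks the alphabetical ordering the file keeps for its Library headers (QemuFwCfgLib, QemuFwCfgS3Lib, UefiBootServicesTableLib); it should go before `#include <Library/UefiBootServicesTableLib.h> // gBS`, and, like the others, carry the trailing comment naming what it provides, e.g. `// TpmMeasureAndLogData()`.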
@@ -1032,6 +1034,30 @@ Process2ndPassCmdAddPointer (
     goto RollbackSeenPointer;
   }
 
+  //
+  // Measure the ACPI table downloaded from QEMU before it is installed.
+  //
+  Status = TpmMeasureAndLogData (
+             1,
+             EV_PLATFORM_CONFIG_FLAGS,
+             EV_POSTCODE_INFO_ACPI_DATA,
+             ACPI_DATA_LEN,
+             (VOID *)(UINTN)PointerValue,
+             TableSize
+             );
+  //
+  // TPM & Confidential Computing measurement protocol may not be installed.
+  // So EFI_NOT_FOUND is ignored.
+  //
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((
+      DEBUG_ERROR,
+      "Measure ACPI table failed! Status = %r\n",
+      Status
+      ));
+    goto RollbackSeenPointer;
+  }
+
   Status = AcpiProtocol->InstallAcpiTable (
                            AcpiProtocol,
                            (VOID *)(UINTN)PointerValue,
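Review bot: the first argument to `TpmMeasureAndLogData` is the bare literal `1` for the PCR index, which is a magic number in a security-relevant call; give it a named constant (or at least a comment stating that ACPI tables are extended into PCR 1 and which TCG PC Client spec section that follows) so the choice is reviewable and not silently changed later. The failure handling otherwise looks right: any measurement error other than `EFI_NOT_FOUND` skips `InstallAcpiTable` and goes to `RollbackSeenPointer`, so an unmeasured table is never installed. Consider also emitting a `DEBUG ((DEBUG_VERBOSE, ...))` on the `EFI_NOT_FOUND` path, so a log reader can tell "table measured" apart from "measurement skipped because no TPM or CC protocol was present".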
-- 
2.29.2.windows.2
