From: James Bottomley <j...@linux.ibm.com>

Provide a library verifier that plugs into the QemuKernelLoaderFs
hooks to verify the hashes against the SEV hash table (stored in
encrypted memory).

The verifier is enabled when SEV memory encryption is active.

Cc: Laszlo Ersek <ler...@redhat.com>
Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
Cc: Jordan Justen <jordan.l.jus...@intel.com>
Cc: Ashish Kalra <ashish.ka...@amd.com>
Cc: Brijesh Singh <brijesh.si...@amd.com>
Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Signed-off-by: James Bottomley <j...@linux.ibm.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc                                 |  5 +-
 OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf | 30 ++++++++++
 OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c   | 60 
++++++++++++++++++++
 3 files changed, 94 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index b4484ca07614..bfb16798b3b7 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -697,7 +697,10 @@ [Components]
       NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf
       
NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanceManagerUiLib.inf
   }
-  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf
+  }
   OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
   OvmfPkg/Virtio10Dxe/Virtio10.inf
   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
diff --git a/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf 
b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf
new file mode 100644
index 000000000000..86d099455d55
--- /dev/null
+++ b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.inf
@@ -0,0 +1,30 @@
+##  @file
+#  Provides the Secure Verification services for AMD SEV firmware config
+#
+#  Copyright (C) 2021 James Bottomley, IBM Corporation.
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SevFwCfgVerifier
+  FILE_GUID                      = 33457c78-aae2-4511-9188-ac1fe88d03de
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = NULL|DXE_DRIVER DXE_RUNTIME_DRIVER 
DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+  CONSTRUCTOR                    = SevFwCfgVerifierConstructor
+
+[Sources]
+  SevFwCfgVerifier.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  DebugLib
+  MemEncryptSevLib
+  SevHashFinderLib
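Review bot: [LibraryClasses] at L77-L81 does not list QemuFwCfgLib even though SevFwCfgVerifier.c includes Library/QemuFwCfgLib.h; if RegisterFwCfgVerifier (or anything else the source uses) is resolved through that library class, the module will fail to link, and if nothing from it is actually used the include in the .c file is the thing to drop instead. If the dependency is real, the one-line fix is to add `QemuFwCfgLib` under [LibraryClasses] alongside SevHashFinderLib.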
diff --git a/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c 
b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c
new file mode 100644
index 000000000000..53b617a72aa9
--- /dev/null
+++ b/OvmfPkg/AmdSev/Library/SevFwCfgVerifier/SevFwCfgVerifier.c
@@ -0,0 +1,60 @@
+/** @file
+  AMD SEV Firmware Config file verifier
+
+  Copyright (C) 2021 James Bottomley, IBM Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemEncryptSevLib.h>
+#include <Library/QemuFwCfgLib.h>
+#include <Library/SevHashFinderLib.h>
+
+STATIC EFI_STATUS
+EFIAPI
+SevFwCfgVerifier (
+  IN  CONST CHAR16    *Name,
+  IN  VOID            *Buffer,
+  IN  UINTN           Size
+  )
+{
+  DEBUG ((DEBUG_INFO, "%a: Validating Hash of %s\n", __FUNCTION__, Name));
+
+  if (StrCmp (Name, L"kernel") == 0) {
+    return ValidateHashEntry (&SEV_KERNEL_HASH_GUID, Buffer, Size);
+  }
+  if (StrCmp (Name, L"initrd") == 0) {
+    return ValidateHashEntry (&SEV_INITRD_HASH_GUID, Buffer, Size);
+  }
+
+  DEBUG ((DEBUG_ERROR, "%a: Failed to find Filename %s", __FUNCTION__, Name));
+  return EFI_SECURITY_VIOLATION;
+}
+
+/**
+  Register security measurement handler.
+
+  @param  ImageHandle   ImageHandle of the loaded driver.
+  @param  SystemTable   Pointer to the EFI System Table.
+
+  @retval EFI_SUCCESS   The handlers were registered successfully.
+**/
+EFI_STATUS
+EFIAPI
+SevFwCfgVerifierConstructor (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  if (MemEncryptSevIsEnabled ()) {
+    DEBUG ((DEBUG_INFO, "Enabling hash verification of fw_cfg files"));
+    return RegisterFwCfgVerifier (SevFwCfgVerifier);
+  } else {
+    //
+    // Don't install verifier if SEV isn't enabled
+    //
+    DEBUG ((DEBUG_INFO, "NOT Enabling hash verification of fw_cfg files"));
+    return EFI_SUCCESS;
+  }
+}
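Review bot: SevFwCfgVerifier at L102-L121 has no function header comment, unlike SevFwCfgVerifierConstructor at L123-L130, and its fail-closed contract is the part a maintainer most needs stated: a header saying it checks a fw_cfg blob against the SEV hash table entry for `kernel` or `initrd` and returns EFI_SECURITY_VIOLATION for any other Name, so an unexpected file is never accepted unverified. The DEBUG strings at L119, L139 and L145 lack the trailing `\n` that L110 has, so those messages will run into the next log line. On a failure of RegisterFwCfgVerifier at L140 the constructor only propagates the status; if, as I understand EDK2's generated constructor list, that status is merely ASSERT_EFI_ERROR'd, a RELEASE build would continue with SEV enabled but no verifier installed, so a `DEBUG ((DEBUG_ERROR, ...))` on that path and an explicit decision about whether the failure is survivable would make it visible rather than silent.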
-- 
2.25.1


