The Root-of-Trust for Measurement (RTM) for TDX is TDX-Module. The TDX-Module 
will enforce the MRTD calculation for the TDVF code.
TDVF can then act as the Chain-of-Trust for Measurement (CTM) to set up the RTMRs 
and continue the rest.

It is described in [TDX-Module] Chapter 11, [TDVF] Chapter 8.

[TDX-Module] 
https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-module-1.0-public-spec-v0.931.pdf
[TDVF] 
https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.01.pdf


> -----Original Message-----
> From: Gerd Hoffmann <kra...@redhat.com>
> Sent: Thursday, April 21, 2022 12:29 AM
> To: James Bottomley <j...@linux.ibm.com>
> Cc: Yao, Jiewen <jiewen....@intel.com>; devel@edk2.groups.io; Xu, Min M
> <min.m...@intel.com>; Ard Biesheuvel <ardb+tianoc...@kernel.org>; Justen,
> Jordan L <jordan.l.jus...@intel.com>; Brijesh Singh <brijesh.si...@amd.com>;
> Aktas, Erdem <erdemak...@google.com>; Tom Lendacky
> <thomas.lenda...@amd.com>
> Subject: Re: [edk2-devel] [PATCH V3 5/9] OvmfPkg/IntelTdx: Measure Td
> HobList and Configuration FV
> 
>   Hi,
> 
> > > So, no matter what the order is, you'll figure the system got
> > > compromised after the fact, when checking the hashes later, and in
> > > turn take actions like refusing to hand out secrets to the
> > > compromised system.
> >
> > Not if the code falsifies the measurement both in the log and to the
> > TPM.  That's why the requirement of measured boot is you start with a
> > small rom based root of trust, which can't be updated because it's in
> > rom.  It measures the next stage (usually PEI) before executing it so
> > that the measurement in the TPM would change if the next stage (which
> > is often in flash) got compromised, so any tampering is certain to be
> > detected and if the compromised code tries to falsify the log, the log
> > now wouldn't match the TPM, so it can't evade detection.
> 
> How do we establish the root of trust in case of TDX?  We don't have a
> real rom in virtual machines ...
> 
> Does the tdx firmware measure the firmware code before running it?
> 
> Why handle CFV and BFV differently?  Wouldn't it be easier to have the
> tdx firmware simply measure the complete OVMF.fd image, given that tdx
> doesn't support flash and thus we don't have the code/vars split in the
> first place?
> 
> The TD HobList is prepared by the hypervisor and present at launch time,
> so possibly the tdx firmware could measure it too before handing over
> control to the guest?
> 
> take care,
>   Gerd
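The log-versus-register check discussed in the quoted thread, as an added example that is not part of this message or of the OVMF/TDVF code. It models only the RTMR side of the chain: an RTMR is a 48-byte SHA-384 register starting at zero, and an extend computes SHA-384(old || digest). The MRTD computation done by the TDX module over the TDVF code follows its own rules in the TDX-Module spec and is not modeled here. The event tuples, the choice of RTMR[0], and the TD HOB / CFV byte strings are constructed stand-ins; the "reported" values play the role of RTMRs read from a TD quote.

```python
import hashlib

RTMR_COUNT = 4
DIGEST_LEN = 48  # RTMRs hold SHA-384 digests


def extend(current: bytes, digest: bytes) -> bytes:
    """RTMR extend rule: new = SHA-384(old || digest), both 48 bytes."""
    if len(current) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("RTMR values and event digests must be 48 bytes")
    return hashlib.sha384(current + digest).digest()


def replay_event_log(events):
    """Replay (rtmr_index, event_data) entries from a zeroed register set.

    Returns the four RTMR values an honest firmware would have produced
    for exactly this log, in exactly this order.
    """
    rtmrs = [bytes(DIGEST_LEN)] * RTMR_COUNT  # all RTMRs start at zero
    for idx, data in events:
        if not 0 <= idx < RTMR_COUNT:
            raise ValueError(f"bad RTMR index {idx}")
        rtmrs[idx] = extend(rtmrs[idx], hashlib.sha384(data).digest())
    return rtmrs


def verify_log_against_report(events, reported_rtmrs):
    """Return the indices of RTMRs whose replayed value disagrees with the report.

    An empty list means the log is consistent with the attested registers;
    any index in the list means the log was forged, truncated or reordered
    relative to what the hardware-backed register actually accumulated.
    """
    replayed = replay_event_log(events)
    return [i for i in range(RTMR_COUNT) if replayed[i] != reported_rtmrs[i]]


# Constructed sample data (not real TDVF artifacts): a TD HobList blob and a
# configuration FV, both assumed here to be measured into RTMR[0].
SAMPLE_TD_HOB = b"constructed TD HobList bytes"
SAMPLE_CFV = b"constructed configuration FV bytes"
SAMPLE_EVENTS = [(0, SAMPLE_TD_HOB), (0, SAMPLE_CFV)]


def demo():
    """Show that a forged log cannot match a register it did not produce."""
    # Honest case: the attested RTMRs were produced by this very log.
    honest_report = replay_event_log(SAMPLE_EVENTS)
    assert verify_log_against_report(SAMPLE_EVENTS, honest_report) == []

    # Tampered case: the guest actually booted with a different CFV, so the
    # register holds that measurement, but the log presented to the verifier
    # still claims the original CFV. The replay exposes the mismatch.
    actual_events = [(0, SAMPLE_TD_HOB), (0, b"malicious configuration FV")]
    attested_report = replay_event_log(actual_events)
    return verify_log_against_report(SAMPLE_EVENTS, attested_report)


if __name__ == "__main__":
    print("mismatching RTMRs:", demo())  # expect [0]
```

Because each extend hashes the previous register value, the replay is order-sensitive: measuring the CFV before the TD HOB yields a different RTMR[0] than the reverse, so a verifier must replay the log in the recorded order and must also hold the expected final values (from a known-good boot) to decide whether the attested configuration is acceptable.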



View/Reply Online (#89159): https://edk2.groups.io/g/devel/message/89159