From: Min M Xu <min.m...@intel.com> https://bugzilla.tianocore.org/show_bug.cgi?id=4245
The ACPI tables are downloaded from QEMU. From the security perspective they should be measured and extended before installation. So that they can be audited later. The measurement leverages the TpmMeasurementLib which is available when TPM or Confidential Computing measurement protocol is installed. But in some cases none of the measurement protocol is installed. In this case the measurement will be skipped.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Signed-off-by: Min Xu <min.m...@intel.com>
---
 OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf | 1 +
 OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c | 26 +++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
index 8939dde42549..3fd0483b50eb 100644
--- a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
+++ b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
@@ -46,6 +46,7 @@
   UefiBootServicesTableLib
   UefiDriverEntryPoint
   HobLib
+  TpmMeasurementLib
 
 [Protocols]
   gEfiAcpiTableProtocolGuid # PROTOCOL ALWAYS_CONSUMED
diff --git a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
index f0d81d6fd73d..a7f14f8e25f4 100644
--- a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
+++ b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c
@@ -10,6 +10,7 @@
 #include <IndustryStandard/Acpi.h> // EFI_ACPI_DESCRIPTION_HEADER
 #include <IndustryStandard/QemuLoader.h> // QEMU_LOADER_FNAME_SIZE
+#include <IndustryStandard/UefiTcgPlatform.h>
 #include <Library/BaseLib.h> // AsciiStrCmp()
 #include <Library/BaseMemoryLib.h> // CopyMem()
 #include <Library/DebugLib.h> // DEBUG()
@@ -18,6 +19,7 @@
 #include <Library/QemuFwCfgLib.h> // QemuFwCfgFindFile()
 #include <Library/QemuFwCfgS3Lib.h> // QemuFwCfgS3Enabled()
 #include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/TpmMeasurementLib.h>
 
 #include "AcpiPlatform.h"
 
@@ -1032,6 +1034,30 @@ Process2ndPassCmdAddPointer (
     goto RollbackSeenPointer;
   }
 
+  //
+  // Measure the ACPI table downloaded from QEMU before it is installed.
+  //
+  Status = TpmMeasureAndLogData (
+             1,
+             EV_PLATFORM_CONFIG_FLAGS,
+             EV_POSTCODE_INFO_ACPI_DATA,
+             ACPI_DATA_LEN,
+             (VOID *)(UINTN)PointerValue,
+             TableSize
+             );
+  //
+  // TPM & Confidential Computing measurement protocol may not be installed.
+  // So EFI_NOT_FOUND is ignored.
+  //
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((
+      DEBUG_ERROR,
+      "Measure ACPI table failed! Status = %r\n",
+      Status
+      ));
+    goto RollbackSeenPointer;
+  }
+
   Status = AcpiProtocol->InstallAcpiTable (
              AcpiProtocol,
              (VOID *)(UINTN)PointerValue,
-- 
2.29.2.windows.2

-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98689): https://edk2.groups.io/g/devel/message/98689 Mute This Topic: https://groups.io/mt/96328899/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
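Review bot: The `Status != EFI_NOT_FOUND` exemption after the TpmMeasureAndLogData call in the `@@ -1032` hunk makes a skipped measurement indistinguishable from a successful one: the table is installed unmeasured with nothing in the debug output, and an auditor of the event log only sees that an ACPI event is absent. A warning on that path, e.g. `if (Status == EFI_NOT_FOUND) { DEBUG ((DEBUG_WARN, "%a: no measurement protocol, ACPI table not measured\n", __FUNCTION__)); }`, would at least make the skip visible. The comment above the check should also state the assumption the exemption relies on, namely that any TPM or CC measurement protocol the platform will ever have is already installed when this driver runs (the hunk shows no DEPEX or other ordering guarantee, so this is inferred); on a platform where the protocol appears later, the same EFI_NOT_FOUND would silently leave every QEMU-provided table out of PCR 1. Process2ndPassCmdAddPointer starts before the hunk, so `TableSize` and the rollback label are not visible here.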