From: Min M Xu <[email protected]> https://bugzilla.tianocore.org/show_bug.cgi?id=4245
The ACPI tables are downloaded from QEMU. From the security perspective they should be measured and extended before installation. So that they can be audited later. The measurement leverages the TpmMeasurementLib which is available when TPM or Confidential Computing measurement protocol is installed. But in some cases none of the measurement protocol is installed. In this case the measurement will be skipped. Cc: Erdem Aktas <[email protected]> Cc: James Bottomley <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Tom Lendacky <[email protected]> Cc: Michael Roth <[email protected]> Signed-off-by: Min Xu <[email protected]> --- OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf | 1 + OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c | 26 +++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf index 8939dde42549..3fd0483b50eb 100644 --- a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf +++ b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf @@ -46,6 +46,7 @@ UefiBootServicesTableLib UefiDriverEntryPoint HobLib + TpmMeasurementLib [Protocols] gEfiAcpiTableProtocolGuid # PROTOCOL ALWAYS_CONSUMED diff --git a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c index f0d81d6fd73d..a7f14f8e25f4 100644 --- a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c +++ b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c @@ -10,6 +10,7 @@ #include <IndustryStandard/Acpi.h> // EFI_ACPI_DESCRIPTION_HEADER #include <IndustryStandard/QemuLoader.h> // QEMU_LOADER_FNAME_SIZE +#include <IndustryStandard/UefiTcgPlatform.h> #include <Library/BaseLib.h> // AsciiStrCmp() #include <Library/BaseMemoryLib.h> // CopyMem() #include <Library/DebugLib.h> // DEBUG() @@ -18,6 +19,7 @@ #include <Library/QemuFwCfgLib.h> // QemuFwCfgFindFile() #include <Library/QemuFwCfgS3Lib.h> // QemuFwCfgS3Enabled() #include <Library/UefiBootServicesTableLib.h> // gBS +#include <Library/TpmMeasurementLib.h> #include "AcpiPlatform.h" @@ -1032,6 +1034,30 @@ Process2ndPassCmdAddPointer ( goto RollbackSeenPointer; } + // + // Measure the ACPI table downloaded from QEMU before it is installed. + // + Status = TpmMeasureAndLogData ( + 1, + EV_PLATFORM_CONFIG_FLAGS, + EV_POSTCODE_INFO_ACPI_DATA, + ACPI_DATA_LEN, + (VOID *)(UINTN)PointerValue, + TableSize + ); + // + // TPM & Confidential Computing measurement protocol may not be installed. + // So EFI_NOT_FOUND is ignored. + // + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { + DEBUG (( + DEBUG_ERROR, + "Measure ACPI table failed! Status = %r\n", + Status + )); + goto RollbackSeenPointer; + } + Status = AcpiProtocol->InstallAcpiTable ( AcpiProtocol, (VOID *)(UINTN)PointerValue, -- 2.29.2.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98689): https://edk2.groups.io/g/devel/message/98689 Mute This Topic: https://groups.io/mt/96328899/21656 Group Owner: [email protected] Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
