Reviewed-by: Jiewen Yao <jiewen....@intel.com>

> -----Original Message-----
> From: Xu, Min M <min.m...@intel.com>
> Sent: Thursday, February 2, 2023 5:03 PM
> To: devel@edk2.groups.io
> Cc: Xu, Min M <min.m...@intel.com>; Aktas, Erdem <erdemak...@google.com>; James Bottomley <j...@linux.ibm.com>; Yao, Jiewen <jiewen....@intel.com>; Gerd Hoffmann <kra...@redhat.com>; Tom Lendacky <thomas.lenda...@amd.com>; Michael Roth <michael.r...@amd.com>
> Subject: [PATCH V3 1/1] OvmfPkg/AcpiPlatformDxe: Measure ACPI table from QEMU in TDVF
>
> From: Min M Xu <min.m...@intel.com>
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=4245
>
> QEMU provides the following three files for the guest to install the ACPI
> tables:
> - etc/acpi/rsdp
> - etc/acpi/tables
> - etc/table-loader
>
> "etc/acpi/rsdp" and "etc/acpi/tables" are similar; they are only kept
> separate because they have different allocation requirements in SeaBIOS.
>
> Both of these fw_cfg files contain preformatted ACPI payload.
> "etc/acpi/rsdp" contains only the RSDP table, while "etc/acpi/tables"
> contains all other tables, concatenated. To be noted, the tables in these
> two files have been filled in by qemu, but two kinds of fields are
> incomplete: pointers to other tables and checksums (which depend on the
> pointers).
>
> "/etc/table-loader" is a linker/loader which provides the commands to
> "patch" the tables in "etc/acpi/tables" and then install them. "Patch"
> means to fill the pointers and compute the checksum.
>
> From the security perspective these 3 files are the raw data downloaded
> from qemu. They should be measured and extended before they're consumed.
>
> Cc: Erdem Aktas <erdemak...@google.com>
> Cc: James Bottomley <j...@linux.ibm.com>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Gerd Hoffmann <kra...@redhat.com>
> Cc: Tom Lendacky <thomas.lenda...@amd.com>
> Cc: Michael Roth <michael.r...@amd.com>
> Signed-off-by: Min Xu <min.m...@intel.com> > --- > OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf | 1 + > OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c | 32 +++++++++++++++++++++ > 2 files changed, 33 insertions(+) > > diff --git a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf > b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf > index 8939dde42549..3fd0483b50eb 100644 > --- a/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf > +++ b/OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf > @@ -46,6 +46,7 @@ > UefiBootServicesTableLib > UefiDriverEntryPoint > HobLib > + TpmMeasurementLib > > [Protocols] > gEfiAcpiTableProtocolGuid # PROTOCOL ALWAYS_CONSUMED > diff --git a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c > b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c > index f0d81d6fd73d..68abc34f2280 100644 > --- a/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c > +++ b/OvmfPkg/AcpiPlatformDxe/QemuFwCfgAcpi.c > @@ -10,6 +10,7 @@ > > #include <IndustryStandard/Acpi.h> // EFI_ACPI_DESCRIPTION_HEADER > #include <IndustryStandard/QemuLoader.h> // QEMU_LOADER_FNAME_SIZE > +#include <IndustryStandard/UefiTcgPlatform.h> > #include <Library/BaseLib.h> // AsciiStrCmp() > #include <Library/BaseMemoryLib.h> // CopyMem() > #include <Library/DebugLib.h> // DEBUG() > @@ -18,6 +19,7 @@ > #include <Library/QemuFwCfgLib.h> // QemuFwCfgFindFile() > #include <Library/QemuFwCfgS3Lib.h> // QemuFwCfgS3Enabled() > #include <Library/UefiBootServicesTableLib.h> // gBS > +#include <Library/TpmMeasurementLib.h> > > #include "AcpiPlatform.h" > > @@ -415,6 +417,21 @@ ProcessCmdAllocate ( > (UINT64)Blob->Size, > (UINT64)(UINTN)Blob->Base > )); > + > + // > + // Measure the data which is downloaded from QEMU. > + // It has to be done before it is consumed. Because the data will > + // be updated in the following operations. > + // > + TpmMeasureAndLogData ( > + 1, > + EV_PLATFORM_CONFIG_FLAGS, > + EV_POSTCODE_INFO_ACPI_DATA, > + ACPI_DATA_LEN, > + (VOID *)(UINTN)Blob->Base, > + Blob->Size > + ); > + > return EFI_SUCCESS; > > FreeBlob: 
> @@ -1126,6 +1143,21 @@ InstallQemuFwCfgTables ( > QemuFwCfgSelectItem (FwCfgItem); > QemuFwCfgReadBytes (FwCfgSize, LoaderStart); > RestorePciDecoding (OriginalPciAttributes, OriginalPciAttributesCount); > + > + // > + // Measure the "etc/table-loader" which is downloaded from QEMU. > + // It has to be done before it is consumed. Because it would be > + // updated in the following operations. > + // > + TpmMeasureAndLogData ( > + 1, > + EV_PLATFORM_CONFIG_FLAGS, > + EV_POSTCODE_INFO_ACPI_DATA, > + ACPI_DATA_LEN, > + (VOID *)(UINTN)LoaderStart, > + FwCfgSize > + ); > + > LoaderEnd = LoaderStart + FwCfgSize / sizeof *LoaderEntry; > > AllocationsRestrictedTo32Bit = NULL; > -- > 2.29.2.windows.2
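Review bot: In the AcpiPlatformDxe.inf hunk, adding `TpmMeasurementLib` to [LibraryClasses] is only half the picture; the hunk does not show which instance the OVMF .dsc files resolve it to, and whether non-TDX builds get the NULL instance (making both new calls no-ops there) or a real one. Please state the intended .dsc mapping in the commit message, and confirm the [Packages] section already lists the package that declares the TpmMeasurementLib library class and the `IndustryStandard/UefiTcgPlatform.h` header, since neither is touched by this patch.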
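Review bot: The two `#include` additions in QemuFwCfgAcpi.c (first hunks of that file) omit the trailing comment naming the symbol each header is pulled in for, which every neighbouring include in this file carries (`// AsciiStrCmp()`, `// CopyMem()`, `// gBS`). Suggest `#include <IndustryStandard/UefiTcgPlatform.h> // EV_PLATFORM_CONFIG_FLAGS` and `#include <Library/TpmMeasurementLib.h> // TpmMeasureAndLogData()` so the convention stays intact.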
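Review bot: In the `ProcessCmdAllocate` hunk, the return status of `TpmMeasureAndLogData ()` is discarded, so a failed measurement still lets the blob be consumed and the function returns EFI_SUCCESS; at minimum the status should be checked and logged with `DEBUG ((DEBUG_ERROR, ...))`, and the commit message should say whether a measurement failure is meant to be fatal in TDVF. Two smaller points in the same hunk: the bare `1` for the PCR index deserves a named constant or an inline comment, and because every allocated blob is logged with the identical event data `EV_POSTCODE_INFO_ACPI_DATA`, an event-log consumer cannot tell the "etc/acpi/rsdp" event from the "etc/acpi/tables" event; consider carrying the fw_cfg file name in the event data. The comment `// It has to be done before it is consumed. Because the data will` also splits one sentence into two; "...before it is consumed, because the data will be updated..." reads correctly.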
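Review bot: In the `InstallQemuFwCfgTables` hunk, the measurement block is a copy of the one added to `ProcessCmdAllocate` with only the buffer and size changed (same PCR, same event type, same event data), and it has the same unchecked return status. Suggest factoring both into a small static helper, e.g. `MeasureFwCfgBlob (VOID *Base, UINTN Size)`, that checks and logs the status once, so the two call sites cannot drift apart; the comment here has the same "...consumed. Because it would be..." sentence split as the other hunk.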
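The commit message above describes the two steps the table-loader performs on the fw_cfg blobs (fill pointers, then recompute checksums) and why the patch measures the blobs before those steps run. As an added example, not OVMF's or QEMU's code, the C program below applies both steps to a constructed toy table and shows that a digest taken before patching is identical across boots that allocate the pointee at different guest addresses, which is what lets an attestation verifier reproduce the expected measurement from QEMU's fw_cfg output alone. The toy table layout, the FNV-1a stand-in for the TPM digest, and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy table (example only, not a real ACPI table): a 36-byte
 * ACPI description header, checksum at byte 9 as in the real header,
 * followed by one 8-byte pointer field that fw_cfg leaves as an offset. */
#define HDR_LEN   36
#define CKSUM_OFF 9
#define PTR_OFF   HDR_LEN
#define TBL_LEN   (HDR_LEN + 8)

/* ACPI byte checksum rule: all bytes of a table sum to zero modulo 256. */
uint8_t acpi_sum(const uint8_t *buf, size_t len) {
  uint8_t sum = 0;
  for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + buf[i]);
  return sum;
}

int acpi_table_valid(const uint8_t *tbl, size_t len) {
  return acpi_sum(tbl, len) == 0;
}

/* Loader "add checksum" step: choose the checksum byte so the table sums to zero. */
void loader_add_checksum(uint8_t *tbl, size_t len, size_t cksum_off) {
  tbl[cksum_off] = 0;
  tbl[cksum_off] = (uint8_t)(0u - acpi_sum(tbl, len));
}

/* Loader "add pointer" step: the field holds an offset into the pointee
 * blob; add the blob's guest base address to turn it into a pointer. */
void loader_add_pointer(uint8_t *tbl, size_t ptr_off, uint64_t dest_base) {
  uint64_t v;
  memcpy(&v, tbl + ptr_off, sizeof v);
  v += dest_base;
  memcpy(tbl + ptr_off, &v, sizeof v);
}

/* Stand-in for the measurement digest: FNV-1a 64, NOT a TPM hash, used only
 * so the example runs without a crypto library (assumption of this example). */
uint64_t toy_digest(const uint8_t *buf, size_t len) {
  uint64_t h = 0xcbf29ce484222325ULL;
  for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
  return h;
}

/* The table as it arrives from fw_cfg: pointer field holds offset 0x40 into
 * the pointee blob, checksum byte still zero. */
void build_raw_table(uint8_t *tbl) {
  uint32_t len = TBL_LEN;
  uint64_t off = 0x40;
  memset(tbl, 0, TBL_LEN);
  memcpy(tbl, "TOYT", 4);          /* signature */
  memcpy(tbl + 4, &len, 4);        /* length */
  tbl[8] = 1;                      /* revision */
  memcpy(tbl + PTR_OFF, &off, 8);  /* unfilled pointer */
}

/* Measure first, then run the two loader steps; return the value that went
 * into the event log. Measuring afterwards would bake dest_base into it. */
uint64_t measure_then_patch(uint8_t *tbl, uint64_t dest_base) {
  uint64_t measured = toy_digest(tbl, TBL_LEN);
  loader_add_pointer(tbl, PTR_OFF, dest_base);
  loader_add_checksum(tbl, TBL_LEN, CKSUM_OFF);
  return measured;
}

/* Is the unpatched fw_cfg table already checksum-valid? (It is not.) */
int raw_table_valid(void) {
  uint8_t raw[TBL_LEN];
  build_raw_table(raw);
  return acpi_table_valid(raw, TBL_LEN);
}

/* Simulate two boots that place the pointee at base_a and base_b. Returns 1
 * when both measured values equal the raw fw_cfg digest, both patched tables
 * checksum correctly, and the patched tables differ (the address landed in
 * the pointer field). */
int two_boots_consistent(uint64_t base_a, uint64_t base_b) {
  uint8_t raw[TBL_LEN], a[TBL_LEN], b[TBL_LEN];
  build_raw_table(raw);
  memcpy(a, raw, TBL_LEN);
  memcpy(b, raw, TBL_LEN);
  uint64_t expected = toy_digest(raw, TBL_LEN);
  uint64_t ma = measure_then_patch(a, base_a);
  uint64_t mb = measure_then_patch(b, base_b);
  return ma == expected && mb == expected &&
         acpi_table_valid(a, TBL_LEN) && acpi_table_valid(b, TBL_LEN) &&
         memcmp(a, b, TBL_LEN) != 0;
}

int main(void) {
  printf("raw fw_cfg table checksums: %s\n", raw_table_valid() ? "valid" : "invalid");
  printf("measure-before-patch reproducible across boots: %s\n",
         two_boots_consistent(0x7f000000ULL, 0x7e000000ULL) ? "yes" : "no");
  return 0;
}
```

The second line of output is the property the patch is after: once the loader has run, the tables contain guest-allocation-specific addresses and freshly computed checksums, so a digest taken at that point would vary between boots and could not be pre-computed by a verifier that only has QEMU's fw_cfg content.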
View/Reply Online (#99509): https://edk2.groups.io/g/devel/message/99509