OvmfPkg/AcpiPlatformDxe: Measure ACPI table from QEMU in TDVF #3997
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
https://bugzilla.tianocore.org/show_bug.cgi?id=4245 QEMU provides the following three files for guest to install the ACPI tables: - etc/acpi/rsdp - etc/acpi/tables - etc/table-loader "etc/acpi/rsdp" and "etc/acpi/tables" are similar, they are only kept separate because they have different allocation requirements in SeaBIOS. Both of these fw_cfg files contain preformatted ACPI payload. "etc/acpi/rsdp" contains only the RSDP table, while "etc/acpi/tables" contains all other tables, concatenated. To be noted, the tables in these two files have been filled in by qemu, but two kinds of fields are incomplete: pointers to other tables and checksums (which depend on the pointers). "/etc/table-loader" is a linker/loader which provides the commands to "patch" the tables in "etc/acpi/tables" and then install them. "Patch" means to fill the pointers and compute the checksum. From the security perspective these 3 files are the raw data downloaded from qemu. They should be measured and extended before they're consumed. Cc: Erdem Aktas <erdemaktas@google.com> Cc: James Bottomley <jejb@linux.ibm.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Michael Roth <michael.roth@amd.com> Signed-off-by: Min Xu <min.m.xu@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
smo4201
added a commit
to Fraunhofer-AISEC/tpm-pcr-tools
that referenced
this pull request
Nov 22, 2023
In recent versions of OVMF, the files passed from QEMU to the VM are measured into PCR1 as EV_PLATFORM_CONFIG_FLAGS. Introduce new config flags to hand over the files with the data passed from QEMU to the VM (etc/acpi-tables, etc/acpi-rsdb, etc/table-loader and etc/tpm/log) to enable the calculation of PCR1. For details on the OVMF changes, see: tianocore/edk2#3997
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://bugzilla.tianocore.org/show_bug.cgi?id=4245
QEMU provides the following three files for guest to install the ACPI tables:
"etc/acpi/rsdp" and "etc/acpi/tables" are similar, they are only kept separate because they have different allocation requirements in SeaBIOS.
Both of these fw_cfg files contain preformatted ACPI payload. "etc/acpi/rsdp" contains only the RSDP table, while "etc/acpi/tables" contains all other tables, concatenated. To be noted, the tables in these two files have been filled in by qemu, but two kinds of fields are incomplete: pointers to other tables and checksums (which depend on the pointers).
"/etc/table-loader" is a linker/loader which provides the commands to "patch" the tables in "etc/acpi/tables" and then install them. "Patch" means to fill the pointers and compute the checksum.
From the security perspective these 3 files are the raw data downloaded from qemu. They should be measured and extended before they're consumed.
Cc: Erdem Aktas erdemaktas@google.com
Cc: James Bottomley jejb@linux.ibm.com
Cc: Jiewen Yao jiewen.yao@intel.com
Cc: Gerd Hoffmann kraxel@redhat.com
Cc: Tom Lendacky thomas.lendacky@amd.com
Cc: Michael Roth michael.roth@amd.com
Signed-off-by: Min Xu min.m.xu@intel.com
Reviewed-by: Jiewen Yao jiewen.yao@intel.com
Acked-by: Gerd Hoffmann kraxel@redhat.com