-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OvmfPkg: Create SP800155 HOBs from QemuFwCfgFile #5738
Conversation
7b0aeaa
to
eb5438d
Compare
75fead7
to
aebc11d
Compare
I've opened https://bugzilla.tianocore.org/show_bug.cgi?id=4782 regarding the false positive in PatchCheck. |
From a design point of view I think the HOB should be created by OVMF instead of being passed in from the VMM. Looking at the fields in tdTCG_Sp800_155_PlatformId_Event3 most of it isn't new.
Independent from the above the code has a bunch of problems:
|
Oh right an additional problem is in the event string lengths themselves. That would mean fully interpreting the struct and therefore knowing its exact beginning and end. Would you be okay with just a concatenation of PlatformIdEvent structs? |
Good point. When interpreting the struct anyway it's also possible to check the Firmware* fields and PcdFirmware* match.
Looks good to me. The fw_cfg file should be in |
e5a4c48
to
1c12370
Compare
We don't provide smbios data in our hypervisor, so I'm not fully confident in my ability to test cross-checking. At first I added a whole event interpretation for every field, but then thought better of it just for simplicity. If we're interpreting the data, we should interpret as little as we need to. I've just stuck with a stream of uint16-sized strings that must sum to the size of the FwCfg file (including the size of the sizes). If someone wants to add further validation when SMBIOS is present, that seems like an acceptable follow-up. |
13acb4f
to
2202757
Compare
Hmm? While most of I'd also suggest to move the code to a new source file. |
97cf45a
to
79bbdb2
Compare
@kraxel As long as you have the event length a priori, you don't need to parse the event to determine the length, which is why I made the format a file with size S with contents uint16str ..., where a uint16str is The event gets stored in a HOB, which has its own HobLength which Tcg2Dxe uses for determining I've moved the logic to PlatformId.c and PlatformId.h. |
20b1225
to
dec9cda
Compare
Hmm. I liked the approach without the header more. Sure, the drawback is that you have to parse the complete event to figure what the size is. The advantage is that you can apply some checks, such as checking |
I've gone back to interpreting the whole event, and this time I'm storing the different pointers in a local struct for those debug messages you alluded to, and perhaps extra checking if someone wants to add that. |
Thanks, looks much better to me. Minor nit: The strings are supposed to be NULL-terminated according to the comments. I'd suggest to verify this is actually the case. With that in place you can drop also your hand-rolled A common prefix for the DEBUG messages would be good I think, to make clear what the context is and to allow for an easy grep in the logfile. |
cde186a
to
20362ba
Compare
I've added a fixup commit because I noticed an outdated claim in the PlatformId.h header. |
Jiewen, could you help confirm the change in MdePkg TCG Platform definition? |
@jyao1 for ease of review https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Platform-Firmware-Profile-Version-1.06-Revision-52_pub.pdf has the event definition on page 167 |
@mdkinney @makubacki there seems to be a problem with this PR: even though I don't object to the contents of the third patch that Dionna added, it is kind of strange that doing so did not invalidate my review. I think this is a rather fundamental problem, given that I may rely on other maintainers' Reviewed-by before setting the 'push' label, but it is not guaranteed that the version they reviewed is the same version that gets merged in the end. Could we clear all reviews when the PR changes? |
@jyao1 Any comments? Would like to move this forward if possible. |
Usually we use one PR to resolve one issue only. One is only for dup field removal in MdePkg – I can approve it immediately. |
Yes, that is my biggest worry on this patch. |
The TCG_Sp800_155_PlatformId_Event2 and 3 structures both list the platform model string twice, which is incorrect according to the TCG PC Client Platform Firmware Profile. Also add constant definitions for the locator types added in the December 2023 revision. Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
Signed firmware measurements are allowed to be passed along to in the TCG and CC event logs according to the TCG PC Client Platform Firware Profile. The event logs include events that Tcg2Dxe reads from appropriately GUIDed HOBs, so allow opt/org.tianocode/sp800155evt/%d to pass along events that the VMM sees fit to provide. One event per number, starting from 0, increasing by 1 until there are no more contiguous files. The VMM may provide reference measurements through UEFI variables that it references from the SP800-155 event3 structure given the appropriate RIM locator type, or via URL, etc. Each event read from fw_cfg, is written one-by-one to a EFI_HOB_GUID_TYPE HOB created for the event. The name they target gTcg800155PlatformIdEventHobGuid for the later Dxe driver to use to extend the event log. Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
Signed firmware measurements are allowed to be passed along to in the TCG and CC event logs according to the TCG PC Client Platform Firware Profile. The event logs include events that Tcg2Dxe reads from appropriately GUIDed HOBs, so allow etc/sp800155evts to pass along events that the VMM sees fit to provide.
The VMM may provide reference measurements through UEFI variables that it references from the SP800-155 event3 structure given the appropriate RIM locator type, or via URL, etc.
After the HOBs are read from fw_cfg, they are verified for internal consistency. The SEV-SNP/TDX threat model includes attacks from the VMM, so without this checking, the host VMM could corrupt data.
Description
How This Was Tested
Internally on Google's vmm integration test framework.
Integration Instructions
mkdir -p /tmp/efivars
and put the ovmf_x64_csm_debug.fd.signed contents in/tmp/efivars/FirmwareRIM-a2858e46-a37f-456a-8c79-0c1fe48b65ff
extract
command (cli binary released asgcetcbendorsement
):For extra good measure that the contents are as expected, you may run
The
verify
command will attempt to download https://pki.goog/cloud_integrity/GCE-cc-tcb-root_1.crt to verify the signature. A local path to the root certificate may also be provided with--root_cert
.