Re: [PATCH V2 0/3] Introduce TdProtocol into EDK2


Sami Mujawar
 

Hi Min,

Thank you for this patch.

I think it would greatly help if the EFI_TD_PROTOCOL is changed to something more architecture neutral. As I understand, this patch series is removing the dependency on TPM for measurement and is instead providing a lightweight interface for extending measurements for Confidential Compute Architecture (CCA) guests.

Considering this, it would be good to generalise EFI_TD_PROTOCOL as a Confidential Compute Architecture Measurement (CCAM) protocol.
In fact, your v2 series demonstrates this need with the introduction of MEASURE_BOOT_PROTOCOLS in "[PATCH V2 2/3] SecurityPkg: Support TdProtocol in DxeTpm2MeasureBootLib [https://edk2.groups.io/g/devel/message/81651]".

As it stands, I feel most of the code can be reused/common. Some interfaces may need to use an architecture specific library, and some configuration options would need to be defined using PCDs.

Kindly let me know your thoughts.

Regards,

Sami Mujawar

On 08/10/2021, 06:24, "devel@edk2.groups.io on behalf of Min Xu via groups.io" <devel@edk2.groups.io on behalf of min.m.xu=intel.com@groups.io> wrote:

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625

If TD-Guest firmware supports measurement and an event is created,
TD-Guest firmware is designed to report the event log with the same data
structure in TCG-Platform-Firmware-Profile specification with
EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format.

The TD-Guest firmware supports measurement, the TD Guest Firmware is
designed to produce EFI_TD_PROTOCOL with new GUID EFI_TD_PROTOCOL_GUID
to report event log and provides hash capability.

https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf
Section 4.3.2 includes the EFI_TD_PROTOCOL.

Patch #1:
Introduce the TD Protocol definition into MdePkg

Patch #2:
Update DxeTpm2MeasureBootLib to support TD based measure boot.

Patch #3:
Update DxeTpmMeasurementLib to support TD based measurement.

Code is at https://github.com/mxu9/edk2/tree/td_protocol.v2

v2 changes:
- TD based measure boot is implemented in DxeTpm2MeasureBootLib.
This minimizes the code changes.
- TD based measurement is added. It is implemented in
DxeTpmMeasurementLib.
- Fix the typo in comments.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Ken Lu <ken.lu@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

Min Xu (3):
MdePkg: Introduce TdProtocol for TD-Guest firmware
SecurityPkg: Support TdProtocol in DxeTpm2MeasureBootLib
SecurityPkg: Support TdProtocol in DxeTpmMeasurementLib

MdePkg/Include/Protocol/TdProtocol.h | 305 +++++++++++++++
MdePkg/MdePkg.dec | 3 +
.../DxeTpm2MeasureBootLib.c | 346 ++++++++++++++----
.../DxeTpm2MeasureBootLib.inf | 1 +
.../DxeTpmMeasurementLib.c | 87 ++++-
.../DxeTpmMeasurementLib.inf | 1 +
6 files changed, 672 insertions(+), 71 deletions(-)
create mode 100644 MdePkg/Include/Protocol/TdProtocol.h

--
2.29.2.windows.2
