[PATCH 4/4] OvmfPkg: Call MeasureKernelBlob after fetch from fw_cfg

Min Xu

In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a
call to MeasureKernelBlob after fetching to allow BlobMeasurementLib
implementations to add a measurement step for these blobs.

This will allow confidential computing OVMF builds to add measurement
mechanisms for these blobs that originate from an untrusted source
(QEMU).

In current platforms in OvmfPkg, only IntelTdx supports blob measurement.
So OvmfPkg/IntelTdx/IntelTdxX64.dsc is updated to use
OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf. Other
dsc files use the null implementation, BlobMeasurementLibNull.inf.

Cc: Ard Biesheuvel <ardb+tianocore@...>
Cc: Jordan Justen <jordan.l.justen@...>
Cc: Ashish Kalra <ashish.kalra@...>
Cc: Brijesh Singh <brijesh.singh@...>
Cc: Erdem Aktas <erdemaktas@...>
Cc: James Bottomley <jejb@...>
Cc: Jiewen Yao <jiewen.yao@...>
Cc: Sami Mujawar <sami.mujawar@...>
Cc: Tom Lendacky <thomas.lendacky@...>
Cc: Gerd Hoffmann <kraxel@...>
Signed-off-by: Min Xu <min.m.xu@...>
---
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
.../QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 13 +++++++++++++
2 files changed, 14 insertions(+)

diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index 00bc1255bc4e..2887047316b6 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -611,6 +611,7 @@
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierLibNull.inf
+ NULL|OvmfPkg/IntelTdx/BlobMeasurementLibTdx/BlobMeasurementLibTdx.inf
}
OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
OvmfPkg/Virtio10Dxe/Virtio10.inf
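Review bot: Only IntelTdxX64.dsc is wired to a BlobMeasurementLib implementation here, while the commit message says the other dsc files use BlobMeasurementLibNull.inf; since the new `#include <Library/BlobMeasurementLib.h>` and the `MeasureKernelBlob` call land in the shared QemuKernelLoaderFsDxe.c, every dsc that builds that module must link some implementation or its build breaks. Please state in the commit message which patch of the series adds the `NULL|OvmfPkg/Library/BlobMeasurementLibNull/BlobMeasurementLibNull.inf` line to the other platform dsc files, or add those lines in this patch alongside this hunk.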
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index d4f3cd92255f..6720dae1d06c 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -18,6 +18,7 @@
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/BlobVerifierLib.h>
+#include <Library/BlobMeasurementLib.h>
#include <Library/DebugLib.h>
#include <Library/DevicePathLib.h>
#include <Library/MemoryAllocationLib.h>
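Review bot: The new include breaks the alphabetical ordering of this block; `BlobMeasurementLib.h` sorts before `BlobVerifierLib.h`, so move `+#include <Library/BlobMeasurementLib.h>` one line up, above `#include <Library/BlobVerifierLib.h>`.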
@@ -1074,6 +1075,18 @@ QemuKernelLoaderFsDxeEntrypoint (
goto FreeBlobs;
}

+ if ((CurrentBlob->Data > 0) && (CurrentBlob->Size > 0)) {
+ Status = MeasureKernelBlob (
+ CurrentBlob->Name,
+ sizeof (CurrentBlob->Name),
+ CurrentBlob->Data,
+ CurrentBlob->Size
+ );
+ if (EFI_ERROR (Status)) {
+ goto FreeBlobs;
+ }
+ }
+
mTotalBlobBytes += CurrentBlob->Size;
}

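Review bot: `CurrentBlob->Data > 0` is a relational comparison on a pointer; EDK II style and portability call for an explicit NULL check, so write `if ((CurrentBlob->Data != NULL) && (CurrentBlob->Size > 0)) {`. Two further points on the same block: (1) `sizeof (CurrentBlob->Name)` passes the full size of the Name buffer rather than the length of the name string, which is fine only if MeasureKernelBlob is documented to take a buffer size and handles the trailing padding consistently, so please note the expectation in the library header; (2) skipping the measurement when a blob is absent or empty means no event is recorded for that blob at all, so an attestation verifier that wants to assert "a cmdline/initrd was measured" must treat a missing event as a policy failure rather than as success by default. Worth a sentence in the commit message or a comment above the `if`. The placement after the existing `goto FreeBlobs;` is correct, since it measures only blobs that already passed VerifyBlob and reuses the same error path.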
--
2.29.2.windows.2