OvmfPkg/TdxDxe: setup TPM device instance for vTPM in TdxDxe
The TPM device instance is not set before DXE in peiless boot. Move the
work of setting the device instance and Tpm2HashMask PCDs to `TdxDxe` if
the `MeasurementType` is vTPM.

Signed-off-by: Jiaqi Gao <[email protected]>
gaojiaqi7 committed Aug 20, 2024
1 parent 32f6d36 commit c28d00e
Showing 4 changed files with 82 additions and 2 deletions.
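--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -210,6 +210,7 @@
 TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
 
 !include OvmfPkg/Include/Dsc/ShellLibs.dsc.inc
+!include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
 
 [LibraryClasses.common]
 AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
@@ -529,6 +530,8 @@
 
 gEfiMdePkgTokenSpaceGuid.PcdFSBClock|1000000000
 
+!include OvmfPkg/Include/Dsc/OvmfTpmPcds.dsc.inc
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform.
@@ -727,7 +730,10 @@
 OvmfPkg/PlatformDxe/Platform.inf
 OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
-OvmfPkg/TdxDxe/TdxDxe.inf
+OvmfPkg/TdxDxe/TdxDxe.inf {
+<LibraryClasses>
+Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+}
 
 #
 # Variable driver stack (non-SMM)
@@ -751,3 +757,8 @@
 HashLib|OvmfPkg/Library/HashLibTdx/HashLibTdx.inf
 NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
 }
+
+#
+# TPM support
+#
+!include OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc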
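--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
@@ -257,6 +257,11 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 #
 INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
 
+#
+# TPM support
+#
+!include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
+
 ################################################################################
 
 [FV.NCCFV]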
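--- a/OvmfPkg/TdxDxe/TdxDxe.c
+++ b/OvmfPkg/TdxDxe/TdxDxe.c
@@ -32,6 +32,9 @@
 #include <Library/TdxLib.h>
 #include <TdxAcpiTable.h>
 #include <Library/MemEncryptTdxLib.h>
+#include <WorkArea.h>
+#include <Library/Tpm2CommandLib.h>
+#include <Library/Tpm2DeviceLib.h>
 
 #define ALIGNED_2MB_MASK 0x1fffff
 EFI_HANDLE mTdxDxeHandle = NULL;
@@ -301,6 +304,58 @@ SetMmioSharedBit (
 return EFI_SUCCESS;
 }
 
+#ifdef TDX_PEI_LESS_BOOT
+STATIC
+EFI_STATUS
+SetVtpmDeviceInstance (
+VOID
+)
+{
+EFI_STATUS Status;
+OVMF_WORK_AREA *WorkArea;
+UINTN Size;
+UINT32 TpmHashAlgorithmBitmap;
+UINT32 TpmActivePcrBanks;
+
+DEBUG ((DEBUG_INFO, ">>%a\n", __func__));
+
+WorkArea = (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase);
+if (WorkArea == NULL) {
+return EFI_INVALID_PARAMETER;
+}
+
+if (WorkArea->TdxWorkArea.SecTdxWorkArea.MeasurementType == TDX_MEASUREMENT_TYPE_VTPM)
+{
+// Set PcdTpmInstanceGuid
+Size = sizeof (gEfiTpmDeviceInstanceTpm20DtpmGuid);
+Status = PcdSetPtrS (
+PcdTpmInstanceGuid,
+&Size,
+&gEfiTpmDeviceInstanceTpm20DtpmGuid
+);
+ASSERT_EFI_ERROR (Status);
+if (EFI_ERROR(Status)) {
+DEBUG((DEBUG_ERROR, "Set PcdTpmInstanceGuid failed with %r\n", Status));
+}
+
+Status = Tpm2RequestUseTpm ();
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "TPM2 not detected!\n"));
+return Status;
+}
+
+// Determine the current TPM support and the Platform PCR mask.
+Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
+ASSERT_EFI_ERROR (Status);
+// Set active pcr banks
+Status = PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
+ASSERT_RETURN_ERROR (Status);
+}
+
+return EFI_SUCCESS;
+}
+#endif
+
 EFI_STATUS
 EFIAPI
 TdxDxeEntryPoint (
@@ -339,9 +394,12 @@ TdxDxeEntryPoint (
 // need to set PCDs based on these information.
 //
 SetPcdSettings (PlatformInfo);
+// In Pei-less boot, the `TpmInstance` Pcd shall be set if virtual TPM
+// is detected.
+SetVtpmDeviceInstance();
 #endif
 
-if (!TdIsEnabled () || TdpIsEnabled ()) {
+if (!TdIsEnabled () || TdpIsEnabled ()) {
 //
 // If it is Non-Td guest, we install gEfiMpInitLibMpDepProtocolGuid so that
 // MpInitLib will be used in CpuDxe driver.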
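Review bot: Inside `SetVtpmDeviceInstance`, a failed `PcdSetPtrS` is only logged, and the results of `Tpm2GetCapabilitySupportedAndActivePcrs` and `PcdSet32S` are only asserted, so a build with asserts compiled out carries on and still reports `EFI_SUCCESS`. The call added in `TdxDxeEntryPoint` also discards the return value, so even the `Tpm2RequestUseTpm` failure is never seen by the entry point. These PCDs select the TPM device instance and the active PCR banks used for later measurements, so each step should check `EFI_ERROR (Status)` and return, and the caller should at least log the failure. Whether `TpmActivePcrBanks` holds a meaningful value after a failed capability query depends on library code that is not shown here. The helper lies entirely inside the hunk, but the body of `TdxDxeEntryPoint` starts and ends outside it, so the presence of a `Status` local there needs confirming.

```c
    // … unchanged: PcdSetPtrS (PcdTpmInstanceGuid, ...) call …
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "Set PcdTpmInstanceGuid failed with %r\n", Status));
      return Status;
    }

    // … unchanged: Tpm2RequestUseTpm () check …

    Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "Query of active PCR banks failed with %r\n", Status));
      return Status;
    }

    Status = PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
    if (EFI_ERROR (Status)) {
      DEBUG ((DEBUG_ERROR, "Set PcdTpm2HashMask failed with %r\n", Status));
      return Status;
    }
```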
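--- a/OvmfPkg/TdxDxe/TdxDxe.inf
+++ b/OvmfPkg/TdxDxe/TdxDxe.inf
@@ -26,6 +26,7 @@
 MdePkg/MdePkg.dec
 UefiCpuPkg/UefiCpuPkg.dec
 OvmfPkg/OvmfPkg.dec
+SecurityPkg/SecurityPkg.dec
 
 [LibraryClasses]
 BaseLib
@@ -39,12 +40,14 @@
 HobLib
 TdxMailboxLib
 MemEncryptTdxLib
+Tpm2CommandLib
 
 [Depex]
 TRUE
 
 [Guids]
 gUefiOvmfPkgPlatformInfoGuid ## CONSUMES
+gEfiTpmDeviceInstanceTpm20DtpmGuid ## CONSUMES
 
 [Protocols]
 gQemuAcpiTableNotifyProtocolGuid ## CONSUMES
@@ -71,3 +74,6 @@
 gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
 gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
 gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize
+gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
+gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid
+gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask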
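Review bot: The visible part of `[LibraryClasses]` gains only `Tpm2CommandLib`, although `TdxDxe.c` now includes `<Library/Tpm2DeviceLib.h>` and calls `Tpm2RequestUseTpm ()` directly. The module should declare the class it consumes by adding `Tpm2DeviceLib` next to `Tpm2CommandLib`. That also ties the per-module `Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf` override in `IntelTdxX64.dsc` to something this INF actually lists. Part of the list lies outside the hunks, so confirm the entry is not already present there.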
