Re: [PATCH v1] efi/libstub: Add Confidential Computing (CC) measurement support
From: Kuppuswamy Sathyanarayanan
Date: Sat Feb 03 2024 - 17:44:31 EST
On 2/3/24 8:59 AM, Ard Biesheuvel wrote:
> (cc Ilias)
>
> On Sat, 3 Feb 2024 at 08:58, Kuppuswamy Sathyanarayanan
> <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx> wrote:
>> If the virtual firmware implements TPM support, TCG2 protocol will be
>> used for kernel measurements and event logging support. But in CC
>> environment, not all platforms support or enable the TPM feature. UEFI
>> specification [1] exposes protocol and interfaces used for kernel
>> measurements in CC platforms without TPM support.
>>
>> Currently, the efi-stub only supports the kernel related measurements
>> for the platform that supports TCG2 protocol. So, extend it add
>> CC measurement protocol (EFI_CC_MEASUREMENT_PROTOCOL) and event logging
>> support. Event logging format in the CC environment is the same as
>> TCG2.
>>
>> More details about the EFI CC measurements and logging can be found
>> in [1].
>>
>> Link: https://uefi.org/specs/UEFI/2.10/38_Confidential_Computing.html#efi-cc-measurement-protocol [1]
>> Signed-off-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>
>> ---
>> .../firmware/efi/libstub/efi-stub-helper.c | 113 +++++++++++++-----
>> drivers/firmware/efi/libstub/efistub.h | 73 +++++++++++
>> include/linux/efi.h | 1 +
>> 3 files changed, 159 insertions(+), 28 deletions(-)
>>
>> diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
>> index bfa30625f5d0..e323b768048f 100644
>> --- a/drivers/firmware/efi/libstub/efi-stub-helper.c
>> +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
>> @@ -219,50 +219,107 @@ static const struct {
>> },
>> };
>>
>> +static efi_status_t tcg2_efi_measure(efi_tcg2_protocol_t *tcg2,
>> + unsigned long load_addr,
>> + unsigned long load_size,
>> + enum efistub_event event)
>> +{
>> + struct efi_measured_event {
>> + efi_tcg2_event_t event_data;
>> + efi_tcg2_tagged_event_t tagged_event;
>> + u8 tagged_event_data[];
>> + } *evt;
>> + int size = sizeof(*evt) + events[event].event_data_len;
>> + efi_status_t status;
>> +
>> + status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, size,
>> + (void **)&evt);
>> + if (status != EFI_SUCCESS)
>> + return status;
>> +
>> + evt->event_data = (struct efi_tcg2_event){
>> + .event_size = size,
>> + .event_header.header_size = sizeof(evt->event_data.event_header),
>> + .event_header.header_version = EFI_TCG2_EVENT_HEADER_VERSION,
>> + .event_header.pcr_index = events[event].pcr_index,
>> + .event_header.event_type = EV_EVENT_TAG,
>> + };
>> +
>> + evt->tagged_event = (struct efi_tcg2_tagged_event){
>> + .tagged_event_id = events[event].event_id,
>> + .tagged_event_data_size = events[event].event_data_len,
>> + };
>> +
>> + memcpy(evt->tagged_event_data, events[event].event_data,
>> + events[event].event_data_len);
>> +
>> + status = efi_call_proto(tcg2, hash_log_extend_event, 0,
>> + load_addr, load_size, &evt->event_data);
>> + efi_bs_call(free_pool, evt);
>> +
>> + return status;
>> +}
>> +
>> +static efi_status_t cc_efi_measure(efi_cc_protocol_t *cc,
>> + unsigned long load_addr,
>> + unsigned long load_size,
>> + enum efistub_event event)
>> +{
>> + efi_cc_mr_index_t mr;
>> + efi_cc_event_t *evt;
>> + efi_status_t status;
>> + size_t size;
>> +
>> + status = efi_call_proto(cc, map_pcr_to_mr_index, events[event].pcr_index, &mr);
>> + if (status != EFI_SUCCESS) {
>> + efi_err("CC_MEASURE: PCR to MR mapping failed\n");
>> + return status;
>> + }
>> +
>> + size = sizeof(*evt) + events[event].event_data_len;
>> + status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, size, (void **)&evt);
>> + if (status != EFI_SUCCESS) {
>> + efi_err("CC_MEASURE: Allocating event struct failed\n");
>> + return status;
>> + }
>> +
>> + evt->event_size = size;
>> + evt->event_header.header_size = sizeof(evt->event_header);
>> + evt->event_header.header_version = EFI_CC_EVENT_HEADER_VERSION;
>> + evt->event_header.mr_index = mr;
>> + evt->event_header.event_type = EV_EVENT_TAG;
>> + memcpy(evt->event_data, events[event].event_data, events[event].event_data_len);
>> +
> Why does this look entirely different from the TCG2 version? What
> happened to the tagged event?
Sorry, I misunderstood the event data related comment in the EFI_CC_EVENT
definition in UEFI spec. I thought we have copy the event data directly. But
after checking the EV_EVENT_TAG format in the TCG specification, I know
that my understanding is incorrect. I will add tagged event info and send
v2 version.
Copied from UEFI 2.10, section "38.2.4. EFI_CC_MEASUREMENT_PROTOCOL.HashLogExtendEvent"
typedef struct {
//
// Total size of the event including the Size component,
// the header and the Event data.
//
UINT32 Size;
EFI_CC_EVENT_HEADER Header;
UINT8 Event[1];
} EFI_CC_EVENT;
>> + status = efi_call_proto(cc, hash_log_extend_event, 0, load_addr, load_size, evt);
>> + efi_bs_call(free_pool, evt);
>> +
>> + return status;
>> +}
>> static efi_status_t efi_measure_tagged_event(unsigned long load_addr,
>> unsigned long load_size,
>> enum efistub_event event)
>> {
>> efi_guid_t tcg2_guid = EFI_TCG2_PROTOCOL_GUID;
>> + efi_guid_t cc_guid = EFI_CC_MEASUREMENT_PROTOCOL_GUID;
>> + efi_cc_protocol_t *cc = NULL;
>> efi_tcg2_protocol_t *tcg2 = NULL;
>> efi_status_t status;
>>
>> efi_bs_call(locate_protocol, &tcg2_guid, NULL, (void **)&tcg2);
>> if (tcg2) {
>> - struct efi_measured_event {
>> - efi_tcg2_event_t event_data;
>> - efi_tcg2_tagged_event_t tagged_event;
>> - u8 tagged_event_data[];
>> - } *evt;
>> - int size = sizeof(*evt) + events[event].event_data_len;
>> -
>> - status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, size,
>> - (void **)&evt);
>> + status = tcg2_efi_measure(tcg2, load_addr, load_size, event);
>> if (status != EFI_SUCCESS)
>> goto fail;
>>
>> - evt->event_data = (struct efi_tcg2_event){
>> - .event_size = size,
>> - .event_header.header_size = sizeof(evt->event_data.event_header),
>> - .event_header.header_version = EFI_TCG2_EVENT_HEADER_VERSION,
>> - .event_header.pcr_index = events[event].pcr_index,
>> - .event_header.event_type = EV_EVENT_TAG,
>> - };
>> -
>> - evt->tagged_event = (struct efi_tcg2_tagged_event){
>> - .tagged_event_id = events[event].event_id,
>> - .tagged_event_data_size = events[event].event_data_len,
>> - };
>> -
>> - memcpy(evt->tagged_event_data, events[event].event_data,
>> - events[event].event_data_len);
>> -
>> - status = efi_call_proto(tcg2, hash_log_extend_event, 0,
>> - load_addr, load_size, &evt->event_data);
>> - efi_bs_call(free_pool, evt);
>> + return EFI_SUCCESS;
>> + }
>>
>> + efi_bs_call(locate_protocol, &cc_guid, NULL, (void **)&cc);
>> + if (cc) {
>> + status = cc_efi_measure(cc, load_addr, load_size, event);
>> if (status != EFI_SUCCESS)
>> goto fail;
>> +
>> return EFI_SUCCESS;
>> }
>>
>> diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
>> index 212687c30d79..dbdeb2ad7a93 100644
>> --- a/drivers/firmware/efi/libstub/efistub.h
>> +++ b/drivers/firmware/efi/libstub/efistub.h
>> @@ -882,6 +882,79 @@ union efi_tcg2_protocol {
>> } mixed_mode;
>> };
>>
>> +typedef struct {
>> + u8 major;
>> + u8 minor;
>> +} efi_cc_version_t;
>> +
>> +typedef struct {
>> + u8 type;
>> + u8 sub_type;
>> +} efi_cc_type_t;
>> +
>> +/* EFI CC type/subtype defines */
>> +#define EFI_CC_TYPE_NONE 0
>> +#define EFI_CC_TYPE_AMD_SEV 1
>> +#define EFI_CC_TYPE_INTEL_TDX 2
>> +
>> +typedef u32 efi_cc_mr_index_t;
>> +
>> +typedef struct {
>> + u32 event_size;
>> + struct {
>> + u32 header_size;
>> + u16 header_version;
>> + u32 mr_index;
>> + u32 event_type;
>> + } __packed event_header;
>> + u8 event_data[0];
>> +} __packed efi_cc_event_t;
>> +
>> +typedef u32 efi_cc_event_log_bitmap_t;
>> +typedef u32 efi_cc_event_log_format_t;
>> +typedef u32 efi_cc_event_algorithm_bitmap_t;
>> +
>> +typedef struct {
>> + u8 size;
>> + efi_cc_version_t structure_version;
>> + efi_cc_version_t protocol_version;
>> + efi_cc_event_algorithm_bitmap_t hash_algorithm_bitmap;
>> + efi_cc_event_log_bitmap_t supported_event_logs;
>> + efi_cc_type_t cc_type;
>> +} efi_cc_boot_service_cap_t;
>> +
>> +#define EFI_CC_EVENT_HEADER_VERSION 1
>> +
>> +#define EFI_CC_BOOT_HASH_ALG_SHA384 0x00000004
>> +
>> +typedef union efi_cc_protocol efi_cc_protocol_t;
>> +
>> +union efi_cc_protocol {
>> + struct {
>> + efi_status_t (__efiapi *get_capability)(efi_cc_protocol_t *,
>> + efi_cc_boot_service_cap_t *);
>> + efi_status_t (__efiapi *get_event_log)(efi_cc_protocol_t *,
>> + efi_cc_event_log_format_t,
>> + efi_physical_addr_t *,
>> + efi_physical_addr_t *,
>> + efi_bool_t *);
>> + efi_status_t (__efiapi *hash_log_extend_event)(efi_cc_protocol_t *,
>> + u64,
>> + efi_physical_addr_t,
>> + u64,
>> + const efi_cc_event_t *);
>> + efi_status_t (__efiapi *map_pcr_to_mr_index)(efi_cc_protocol_t *,
>> + u32,
>> + efi_cc_mr_index_t *);
>> + };
>> + struct {
>> + u32 get_capability;
>> + u32 get_event_log;
>> + u32 hash_log_extend_event;
>> + u32 map_pcr_to_mr_index;
>> + } mixed_mode;
>> +};
>> +
>> struct riscv_efi_boot_protocol {
>> u64 revision;
>>
>> diff --git a/include/linux/efi.h b/include/linux/efi.h
>> index c74f47711f0b..2f57fec2e629 100644
>> --- a/include/linux/efi.h
>> +++ b/include/linux/efi.h
>> @@ -400,6 +400,7 @@ void efi_native_runtime_setup(void);
>> #define EFI_CERT_X509_GUID EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
>> #define EFI_CERT_X509_SHA256_GUID EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
>> #define EFI_CC_BLOB_GUID EFI_GUID(0x067b1f5f, 0xcf26, 0x44c5, 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42)
>> +#define EFI_CC_MEASUREMENT_PROTOCOL_GUID EFI_GUID(0x96751a3d, 0x72f4, 0x41a6, 0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b)
>>
>> /*
>> * This GUID is used to pass to the kernel proper the struct screen_info
>> --
>> 2.25.1
>>
--
Sathyanarayanan Kuppuswamy
Linux Kernel Developer