-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v2] Add support for a SVSM vTPM #6527
base: master
Are you sure you want to change the base?
Conversation
e98ebd4
to
1706e02
Compare
6c2105e
to
ae3eb31
Compare
Thanks for the update. In general I am OK with this approach to use NULL file and another lib instance, if you do not like NULL instance. However, the biggest problem of this patch is that the AMD SVSM vTPM is totally irrelevant to TCG defined PTP. Mixing SVSM and PTP will cause lots of confusing. It is also weird to me, because TCG PTP spec never defines SVSM. Here is my suggestion:
please using following code in a new C wrapper - Tpm2DeviceLibDTpmSvsm.c
I think the mail function Tpm2Svsm.c does not need to change. We only need move the caller to another place. One more thing, if we finally really include SVSM into SecurityPkg. I recommend having one more reviewer to help me maintain the code. To achieve this, please consider adding following section in maintainers.txt
Thought? |
ae3eb31
to
c26c6bc
Compare
/* Max req/resp buffer size */ | ||
#define TPM_PLATFORM_MAX_BUFFER 4096 | ||
|
||
STATIC UINT8 Tpm2SvsmBuffer[TPM_PLATFORM_MAX_BUFFER]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are commands sent prior to having access to dynamic memory allocation? This expands the flash description size another 4KiB and kicks over some limits we have.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that a new issue? Does it work with one of the previous versions of these patches?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, if we don't have to allocate a 4k buffer statically we should not do that, but go AllocatePool
+ FreePool
instead.
One common trick which can be used to allocate memory in case the pool allocator is not up yet is to create a HOB instead. Drawback is that HOBs can't be freed, but it should be possible to have a small communication buffer to probe for the svsm vtpm protocol being present and only create a (larger) HOB in case we actually need it.
Add protocol and call numbers as defined in the "Secure VM Service Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00 https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf Signed-off-by: Oliver Steffen <[email protected]>
Make use of the named protocol and call constants for SVSM communication. Signed-off-by: Oliver Steffen <[email protected]>
We need to stub the SVSM vTPM protocol in the UefiCpuPkg in order to support a SEV-SNP guest running under a SVSM at VMPL1 or lower. Cc: Ray Ni <[email protected]> Cc: Rahul Kumar <[email protected]> Cc: Gerd Hoffmann <[email protected]> Cc: Jiaxin Wu <[email protected]> Co-authored-by: James Bottomley <[email protected]> Signed-off-by: Claudio Carvalho <[email protected]> Signed-off-by: Oliver Steffen <[email protected]>
Add call numbers for the SVSM vTPM protocol, as defined in the "Secure VM Service Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00 Signed-off-by: Oliver Steffen <[email protected]>
As described in the SVSM specification, guest components can call to the SVSM vTPM through the vTPM protocol (protocol-id 2). The SVSM vTPM protocol follows the Microsoft TPM Simulator interface (MSSIM) and supports two services: - SVSM_VTPM_QUERY (call-id 0): query MSSIM commands and vTPM features supported. - SVSM_VTPM_CMD (call-id 1): send a MSSIM command to be run by the vTPM and get the result. This patch adds support for SVSM_VTPM_QUERY and SVSM_VTPM_CMD to invoke a SVSM when the guest is running at VMPL0. Cc: Ard Biesheuvel <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Gerd Hoffmann <[email protected]> Co-authored-by: James Bottomley <[email protected]> Signed-off-by: Claudio Carvalho <[email protected]> Signed-off-by: Oliver Steffen <[email protected]>
A some of functions implemented in Tpm2Ptp.c are forward declared in a couple of places. To clean this up, introduce a header that contains these declarations in a central place and use it instead. Signed-off-by: Oliver Steffen <[email protected]>
SEV-SNP provides a feature known as VM Privilege Level (VMPL), which allows for services to be run in the guest at different privilege levels. By running at VMPL0 (most privileged VM level), the SVSM can be used to provide privileged services, e.g. a virtual TPM, for the guest rather than trust such services from the hypervisor. This patch adds a DTpm driver to communicate with a virtual TPM running in the SVSM. The driver follows the vTPM protocol documented in the SVSM specification. SVSM vTPM functionality is available as new device and instance libraries, which can be consumed optionally, keeping changes to the regular TPM implementation minimal. Cc: Jiewen Yao <[email protected]> Co-authored-by: James Bottomley <[email protected]> Signed-off-by: Claudio Carvalho <[email protected]> Signed-off-by: Oliver Steffen <[email protected]>
Switch over to Tpm2InstanceLibDTpmSvsm as the Tpm2 implementation to support vTPMs provided by an SVSM. Signed-off-by: Oliver Steffen <[email protected]>
Add a reviewer for the TPM2 code under SecurityPkg/ related to SVSM vTPM. Signed-off-by: Oliver Steffen <[email protected]>
c26c6bc
to
7c97b37
Compare
SecurityPkg: SVSM related modules | ||
F: SecurityPkg/Library/Tpm2DeviceLibDTpm/*Svsm* | ||
R: Oliver Steffen <[email protected]> [osteffenrh] | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tlendacky do you want to be listed here too?
Or anybody else?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, should probably list me as well.
Description
This is version 2 of #5770.
This series adds a DTpm driver to communicate with a virtual TPM running in the Secure VM Service Module (SVSM), enabling OVMF to do measured boot in SEV-SNP confidential VMs.
SEV-SNP provides a feature known as VM Privilege Level (VMPL), which allows for services to be run in the guest at different privilege levels. By running at VMPL0 (most priviledged VM level), the SVSM can be used to provide privileged services, e.g. virtual TPM, for the guest rather than trust such services from the hypervisor.
As described in the SVSM specification, guest components can call to the SVSM vTPM through the vTPM protocol (protocol-id 2).
The vTPM protocol follows the Microsoft TPM Simulator interface (MSSIM) and it supports two services:
The SVSM vTPM protocol is also added in this series.
How This Was Tested
This was tested with the latest COCONUT-SVSM upstream code (commit 0b8feaf9), which provides vTPM service. The instructions to build and run a guest under a SVSM can be found in the INSTALL.md.
The OVMF boot message log below shows that it was able to find the SVSM vTPM and also use it for measured boot.
It was checked that the existing TPM support still works by launching Ovmf (x64) in Qemu
with a regular software TPM.
Integration Instructions
N/A
Changes since v1:
Cc: @cclaudio