Add SVSM based vTPM

Add this as a new device in TPM2DeviceLibDTpm. The SVSM vTPM has no physical presence interface, so handle detecting this device before that check. The detection is done by sending a SVSM_VTPM_QUERY to the SVSM. Co-developed-by: Claudio Carvalho <[email protected]> Signed-off-by: Claudio Carvalho <[email protected]> Signed-off-by: James Bottomley <[email protected]>
coconut-svsm · Mar 14, 2024 · d965a1b · d965a1b
1 parent db38985
commit d965a1b
Show file tree

Hide file tree

Showing 10 changed files with 430 additions and 82 deletions.
diff --git a/OvmfPkg/Library/CcExitLib/CcExitSvsm.c b/OvmfPkg/Library/CcExitLib/CcExitSvsm.c
@@ -530,3 +530,84 @@ CcExitSnpVmsaRmpAdjust (
   return CcExitSnpSvsmPresent () ? SvsmVmsaRmpAdjust (Vmsa, ApicId, SetVmsa)
                                  : BaseVmsaRmpAdjust (Vmsa, ApicId, SetVmsa);
 }
+
+/**
+  Perform a SVSM_VTPM_CMD operation
+
+  Send the specified TPM command buffer to the SVSM vTPM.
+
+  @param[in, out] Buffer    The buffer should contain a marshalled TPM
+                            command. It will be used to return the
+                            marshalled TPM response.
+
+  @retval TRUE              The Command was processed
+  @retval FALSE             The Command was not processed
+
+**/
+BOOLEAN
+EFIAPI
+CcExitSnpVtpmCommand (
+  IN OUT UINT8  *Buffer
+  )
+{
+  SVSM_CALL_DATA  SvsmCallData;
+  SVSM_FUNCTION   Function;
+  UINTN           Ret;
+
+  if (!CcExitSnpSvsmPresent ())
+    return FALSE;
+
+  Function.Id.Protocol = 2;
+  Function.Id.CallId = 1;
+
+  SvsmCallData.Caa = SvsmGetCaa ();
+  SvsmCallData.RaxIn = Function.Uint64;
+  SvsmCallData.RcxIn = (UINT64)(UINTN)Buffer;
+
+  Ret = SvsmMsrProtocol (&SvsmCallData);
+  return (Ret == 0) ? TRUE : FALSE;
+}
+
+/**
+  Perform a SVSM_VTPM_QUERY operation
+
+  Query the support provided by the SVSM vTPM.
+
+  @param[out] PlatformCommands    Will contain a bitmap indicating the
+                                  supported vTPM platform commands.
+  @param[out] Features            Will contain a bitmap indicating the
+                                  supported vTPM features.
+
+  @retval TRUE                    The query was processed
+  @retval FALSE                   The query was not processed
+
+**/
+BOOLEAN
+EFIAPI
+CcExitSnpVtpmQuery (
+  OUT UINT64 *PlatformCommands,
+  OUT UINT64 *Features
+  )
+{
+  SVSM_CALL_DATA  SvsmCallData;
+  SVSM_FUNCTION   Function;
+  UINTN           Ret;
+
+  if (!CcExitSnpSvsmPresent ())
+    return FALSE;
+
+  Function.Id.Protocol = 2;
+  Function.Id.CallId = 0;
+
+  SvsmCallData.Caa = SvsmGetCaa ();
+  SvsmCallData.RaxIn = Function.Uint64;
+
+  Ret = SvsmMsrProtocol (&SvsmCallData);
+
+  if (Ret)
+    return FALSE;
+
+  *PlatformCommands = SvsmCallData.RcxOut;
+  *Features = SvsmCallData.RdxOut;
+  return TRUE;
+}
diff --git a/SecurityPkg/Include/Library/Tpm2DeviceLib.h b/SecurityPkg/Include/Library/Tpm2DeviceLib.h
@@ -15,12 +15,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 // Used in PcdActiveTpmInterfaceType to identify TPM interface type
 //
 typedef enum {
-  Tpm2PtpInterfaceTis,
-  Tpm2PtpInterfaceFifo,
-  Tpm2PtpInterfaceCrb,
-  Tpm2PtpInterfaceMax,
-} TPM2_PTP_INTERFACE_TYPE;
-
+  Tpm2PtpInterfaceTis,
+  Tpm2PtpInterfaceFifo,
+  Tpm2PtpInterfaceCrb,
+  Tpm2PtpInterfaceSvsm,
+  Tpm2PtpInterfaceMax,
+} TPM2_PTP_INTERFACE_TYPE;
+
 /**
   This service enables the sending of commands to the TPM2.
 

diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.h
@@ -61,7 +61,42 @@ GetCachedIdleByPass (
 **/
 EFI_STATUS
 InternalTpm2DeviceLibDTpmCommonConstructor (
-  VOID
-  );
-
-#endif // _TPM2_DEVICE_LIB_DTPM_H_
+  VOID
+  );
+
+/**
+  Check if the SVSM based TPM supports the SEND_TPM_COMMAND
+  platform command.
+
+  @retval TRUE    SEND_TPM_COMMAND is supported.
+  @retval FALSE   SEND_TPM_COMMAND is not supported.
+
+**/
+BOOLEAN
+Tpm2IsSvsmTpmCommandSupported (
+  VOID
+  );
+
+/**
+  Send a command to TPM for execution and return response data.
+
+  @param[in]      BufferIn      Buffer for command data.
+  @param[in]      SizeIn        Size of command data.
+  @param[out]     BufferOut     Buffer for response data.
+  @param[in, out] SizeOut       Size of response data.
+
+  @retval EFI_SUCCESS           Operation completed successfully.
+  @retval EFI_BUFFER_TOO_SMALL  Response data buffer is too small.
+  @retval EFI_DEVICE_ERROR      Unexpected device behavior.
+  @retval EFI_UNSUPPORTED       Unsupported TPM version
+
+**/
+EFI_STATUS
+Tpm2SvsmTpmCommand (
+  IN     UINT8                 *BufferIn,
+  IN     UINT32                SizeIn,
+  OUT    UINT8                 *BufferOut,
+  IN OUT UINT32                *SizeOut
+  );
+
+#endif // _TPM2_DEVICE_LIB_DTPM_H_
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
@@ -30,27 +30,30 @@
 #
 #  VALID_ARCHITECTURES           = IA32 X64
 #
-
-[Sources]
-  Tpm2Tis.c
-  Tpm2Ptp.c
-  Tpm2DeviceLibDTpm.c
-  Tpm2DeviceLibDTpmBase.c
+
+[Sources]
+  Tpm2Tis.c
+  Tpm2Svsm.c
+  Tpm2Ptp.c
+  Tpm2DeviceLibDTpm.c
+  Tpm2DeviceLibDTpmBase.c
   Tpm2DeviceLibDTpm.h
 
-[Packages]
-  MdePkg/MdePkg.dec
-  SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
-  BaseLib
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+  BaseLib
   BaseMemoryLib
   IoLib
-  TimerLib
-  DebugLib
-  PcdLib
-
-[Pcd]
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress            ## CONSUMES
+  TimerLib
+  DebugLib
+  PcdLib
+  CcExitLib
+
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress            ## CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType    ## PRODUCES
   gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass             ## PRODUCES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmStandaloneMm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmStandaloneMm.inf
@@ -30,25 +30,28 @@
 #
 #  VALID_ARCHITECTURES           = IA32 X64
 #
-
-[Sources]
-  Tpm2Tis.c
-  Tpm2Ptp.c
-  Tpm2DeviceLibDTpm.c
-  Tpm2DeviceLibDTpmStandaloneMm.c
+
+[Sources]
+  Tpm2Tis.c
+  Tpm2Svsm.c
+  Tpm2Ptp.c
+  Tpm2DeviceLibDTpm.c
+  Tpm2DeviceLibDTpmStandaloneMm.c
   Tpm2DeviceLibDTpm.h
 
-[Packages]
-  MdePkg/MdePkg.dec
-  SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
-  BaseLib
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+  BaseLib
   BaseMemoryLib
   IoLib
-  TimerLib
-  DebugLib
-  PcdLib
-
-[Pcd]
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress            ## CONSUMES
+  TimerLib
+  DebugLib
+  PcdLib
+  CcExitLib
+
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress            ## CONSUMES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
@@ -26,27 +26,30 @@
 #
 #  VALID_ARCHITECTURES           = IA32 X64
 #
-
-[Sources]
-  Tpm2Tis.c
-  Tpm2Ptp.c
-  Tpm2InstanceLibDTpm.c
-  Tpm2DeviceLibDTpmBase.c
+
+[Sources]
+  Tpm2Tis.c
+  Tpm2Svsm.c
+  Tpm2Ptp.c
+  Tpm2InstanceLibDTpm.c
+  Tpm2DeviceLibDTpmBase.c
   Tpm2DeviceLibDTpm.h
 
-[Packages]
-  MdePkg/MdePkg.dec
-  SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
-  BaseLib
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+  BaseLib
   BaseMemoryLib
   IoLib
-  TimerLib
-  DebugLib
-  PcdLib
-
-[Pcd]
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress          ## CONSUMES
+  TimerLib
+  DebugLib
+  PcdLib
+  CcExitLib
+
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress          ## CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType  ## PRODUCES
   gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass             ## PRODUCES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
@@ -436,12 +436,17 @@ Tpm2GetPtpInterface (
   IN VOID  *Register
   )
 {
-  PTP_CRB_INTERFACE_IDENTIFIER   InterfaceId;
-  PTP_FIFO_INTERFACE_CAPABILITY  InterfaceCapability;
-
-  if (!Tpm2IsPtpPresence (Register)) {
-    return Tpm2PtpInterfaceMax;
-  }
+  PTP_CRB_INTERFACE_IDENTIFIER   InterfaceId;
+  PTP_FIFO_INTERFACE_CAPABILITY  InterfaceCapability;
+
+  if (Tpm2IsSvsmTpmCommandSupported ()) {
+    DEBUG((DEBUG_INFO, "Found SVSM TPM\n"));
+    return Tpm2PtpInterfaceSvsm;
+  }
+
+  if (!Tpm2IsPtpPresence (Register)) {
+    return Tpm2PtpInterfaceMax;
+  }
 
   //
   // Check interface id
@@ -613,12 +618,19 @@ DTpm2SubmitCommand (
                (TIS_PC_REGISTERS_PTR)(UINTN)PcdGet64 (PcdTpmBaseAddress),
                InputParameterBlock,
                InputParameterBlockSize,
-               OutputParameterBlock,
-               OutputParameterBlockSize
-               );
-    default:
-      return EFI_NOT_FOUND;
-  }
+               OutputParameterBlock,
+               OutputParameterBlockSize
+               );
+    case Tpm2PtpInterfaceSvsm:
+      return Tpm2SvsmTpmCommand (
+	       InputParameterBlock,
+               InputParameterBlockSize,
+               OutputParameterBlock,
+               OutputParameterBlockSize
+               );
+    default:
+      return EFI_NOT_FOUND;
+  }
 }
 
 /**
@@ -640,10 +652,12 @@ DTpm2RequestUseTpm (
   switch (PtpInterface) {
     case Tpm2PtpInterfaceCrb:
       return PtpCrbRequestUseTpm ((PTP_CRB_REGISTERS_PTR)(UINTN)PcdGet64 (PcdTpmBaseAddress));
-    case Tpm2PtpInterfaceFifo:
-    case Tpm2PtpInterfaceTis:
-      return TisPcRequestUseTpm ((TIS_PC_REGISTERS_PTR)(UINTN)PcdGet64 (PcdTpmBaseAddress));
-    default:
-      return EFI_NOT_FOUND;
-  }
+    case Tpm2PtpInterfaceFifo:
+    case Tpm2PtpInterfaceTis:
+      return TisPcRequestUseTpm ((TIS_PC_REGISTERS_PTR)(UINTN)PcdGet64 (PcdTpmBaseAddress));
+    case Tpm2PtpInterfaceSvsm:
+      return EFI_SUCCESS;
+    default:
+      return EFI_NOT_FOUND;
+  }
 }