[V3] Enable TDX measurement to RTMR register

[kenplusplus]

Intel Trust Domain Extensions(Intel TDX) refers to an Intel technology
that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory
Encryption(MK-TME) with a new kind of virtual machine guest called a
Trust Domain(TD)[1]. A TD runs in a CPU mode that protects the confidentiality
of its memory contents and its CPU state from any other software, including
the hosting Virtual Machine Monitor (VMM).

Trust Domain Virtual Firmware (TDVF) is required to provide Intel TDX
implementation and service for EFI_CC_MEASUREMENT_PROTOCOL[2]. The bugzilla
for TDVF is at https://bugzilla.tianocore.org/show_bug.cgi?id=3625.

To support CC measurement/attestation with Intel TDX technology, following 4
RTMR registers will be extended by TDX service like TPM/TPM2 PCR:

• RTMR[0] is for TDVF configuration
• RTMR[1] is for the TD OS loader and kernel
• RTMR[2] is for the OS application
• RTMR[3] is reserved for special usage only

This patch adds TDX Implementation for CC Measurement protocol along with
TPM/TPM2 protocol.

References:
[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
[3] https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf

Signed-off-by: Lu Ken [email protected]

[kenplusplus]

@frozencemetery are you OK for merging this patch, appreciate! May I know when is next release?

[frozencemetery]

Other than project style which I guess we'll clean up on merge, my understanding is that this is fine and we're just waiting on the grub patchset and a release to be planned.

[kenplusplus]

Other than project style which I guess we'll clean up on merge, my understanding is that this is fine and we're just waiting on the grub patchset and a release to be planned.

@frozencemetery Harwood, I just send V4 pacthset for Grub at https://www.mail-archive.com/[email protected]/msg34541.html

[kenplusplus]

Other than project style which I guess we'll clean up on merge, my understanding is that this is fine and we're just waiting on the grub patchset and a release to be planned.

@frozencemetery Harwood, I just send V4 pacthset for Grub at https://www.mail-archive.com/[email protected]/msg34541.html

@frozencemetery Sound like grub2 got reviewed pass by Danial https://www.mail-archive.com/[email protected]/msg34556.html

[kenplusplus]

Other than project style which I guess we'll clean up on merge, my understanding is that this is fine and we're just waiting on the grub patchset and a release to be planned.

@frozencemetery Harwood, I just send V4 pacthset for Grub at https://www.mail-archive.com/[email protected]/msg34541.html

@frozencemetery Sound like grub2 got reviewed pass by Danial https://www.mail-archive.com/[email protected]/msg34556.html

grub2 patch merged at https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ef8679b645a63eb9eb191bb9539d7d25a9d6ff3b

[vathpela]

What's cc->get_capability() for? How does cc_log_event_raw() get away with not using it at all?

[kenplusplus]

What's cc->get_capability() for? How does cc_log_event_raw() get away with not using it at all?

@vathpela cc->get_capability() will not impact the common logic of cc_log_event_raw().

• cc->get_capability() will return CC_TYPE for different vendor's CC like Intel TDX, AMD SEV, ARM CCA. But for whatever CC_TYPE, cc_log_event_raw() should be same.
• cc->get_capability() is defined in edk2 for protocol backward compability with TCG, but TCG use this interface for different TPM version like TPM 1.2, 2.0, since different TPM version uses different event log structure.
• CC_TYPE in cc->get_capability() is added according to community feedback from AMD/ARM. Till now there is not vendor-variant structure or logic in cc_log_event_raw().