Request to use td-payload-reference-calculator to calculate kernel, cmdline and initrd eventlog digests

[jiazhang0]

td-payload-reference-calculator is a common tool to calculate the typical artifacts for TDX.

Currently, kernel, cmdline and initrd eventlog digests are required to be calculated and verified when using TDVF + QEMU Kernel Direct Boot for CoCo.

Note that kernel eventlog digest is pre-processed by QEMU Kernel Direct Boot logic prior to PE authenticode. Here is the pseudocode and qemu source code references:

+               // https://github.com/qemu/qemu/blob/9c74490bff6c8886a922008d0c9ce6cae70dd17e/hw/i386/x86.c#L999
+               puts("patching @0x210 (type_of_loader) to 0xb0 ...");
+               p[0x210] = 0xb0;
+
+               // https://github.com/qemu/qemu/blob/9c74490bff6c8886a922008d0c9ce6cae70dd17e/hw/i386/x86.c#L1003
+               puts("patching @0x211 (loadflags) to 0x81 ...");
+               p[0x211] = 0x81;
+
+               // https://github.com/qemu/qemu/blob/9c74490bff6c8886a922008d0c9ce6cae70dd17e/hw/i386/x86.c#L1004
+               puts("patching @0x224 (heap_end_ptr) to 0xfe00 ...");
+               *(uint16_t *)(p + 0x224) = 0xfe00;
+
+               // https://github.com/qemu/qemu/blob/9c74490bff6c8886a922008d0c9ce6cae70dd17e/hw/i386/x86.c#L962
+               puts("patching @0x228 (cmd_line_ptr) to 0x20000");
+               *(uint32_t *)(p + 0x228) = 0x20000;

where p is the pointer to the base address of kernel image. There is a demo program https://github.com/jiazhang0/sbsigntools to calculate the kernel eventlog digest with 2 modes:

• normal mode: the tool uses regular PE authenticode spec to calculate the kernel eventlog digest. However, the resulting digest doesn't match the one seen in CCEL eventlog if using TDVF + QEMU Kernel Direct Boot.
• patching mode: Add -Q option to enable this mode. In this mode, the kernel image loaded into memory will be patched as above method prior to uses regular PE authenticode spec to calculate the kernel eventlog digest. The resulting digest will match the one seen in CCEL eventlog if using TDVF + QEMU Kernel Direct Boot.

[jyao1]

I think we may need two different mode for td-payload-reference-calculator. 1) Non-UEFI based, such as Td-shim 2) UEFI based, such as TDVF/OVMF

NOTE: This tool can only calculate the one measured by the TDVF or td-shim. If a component is measured in Linux (such as initrd by Grub or Linux EFI-stub), then it is not calculated here.

[OuyangHang33]

I will check this one