Question on the RTMR measurement events in tools/tdx-measure/rtmr/rtmr.go

[jkr0103]

I applied the patches contrast/packages/by-name/qemu-tdx-static on top of Qemu 9.0.2 download using pull-ppa-source --ppa ppa:kobuk-team/tdx-release qemu as mentioned here and contrast/packages/by-name/OVMF-TDX on top of edk2 master for OVMF.

Launched the TD guest following the canonical instructions and using the manually built Qemu and OVMF.fd.

Executed the tdx_eventlogs and contrast/tools/tdx-measure and compare the events from both the tools and listed in the below table.

Below are the observasions for:

RTMR1: tdx_eventlogs logs three event logs EV_EFI_GPT_EVENT, EV_EFI_BOOT_SERVICES_APPLICATION (E.F.I.\.u.b.u.n.t.u.\.s.h.i.m.x.6.4...e.f.i.) and EV_EFI_BOOT_SERVICES_APPLICATION (\.E.F.I.\.u.b.u.n.t.u.\.g.r.u.b.x.6.4...e.f.i.) which are not seen with contrast/tools/tdx-measure instead tdx-measure reports another event for Kernel hash measurement.

Any reason why tdx-measure doesn't have these three events but instead have kennel hash?

RTMR2:
eventlog tool logs extra three events EV_IPL, MokList, EV_IPL, MokListX and EV_IPL, MokListTrusted but tdx-measure doesn't measure these events. Any reason for that?

Register	Events and raw data	Patches Qemu & TDVF & run tdx_eventlogs vs contrast/tools/tdx-measure
RTMR1	Calling EFI Application from Boot Option	Hash Matches
RTMR1	Separator	Hash Matches
RTMR1	Kernel hash	Seen with contrast/tools/tdx-measure only
RTMR1	EV_EFI_GPT_EVENT	Seen with tdx_eventlogs only
RTMR1	EV_EFI_BOOT_SERVICES_APPLICATION, .E.F.I..u.b.u.n.t.u..s.h.i.m.x.6.4...e.f.i.	Seen with tdx_eventlogs only
RTMR1	EV_EFI_BOOT_SERVICES_APPLICATION, .E.F.I..u.b.u.n.t.u..g.r.u.b.x.6.4...e.f.i.	Seen with tdx_eventlogs only
RTMR1	Exit Boot Services Invocation	Hash Matches
RTMR1	Exit Boot Services Returned with Success"	Hash Matches
RTMR2	EV_IPL, MokList	Seen with tdx_eventlogs only
RTMR2	EV_IPL, MokListX	Seen with tdx_eventlogs only
RTMR2	EV_IPL, MokListTrusted	Seen with tdx_eventlogs only
RTMR2	EV_EVENT_TAG, LOADED_IMAGE::LoadOptions, rtmr.hashAndExtend(cmdLine)	Hash Matches
RTMR2	EV_EVENT_TAG, Linux initrd., rtmr.hashAndExtend(initrdFile)	Hash Matches

[katexochen]

Hi @jkr0103, thanks for your question!

Contrast isn't using the Ubuntu image from cannonical/tdx. We build our own NixOS images for the CVM guest (or Azure Linux, on AKS).

I applied the patches contrast/packages/by-name/qemu-tdx-static on top of Qemu 9.0.2 download using pull-ppa-source --ppa ppa:kobuk-team/tdx-release qemu

The QEMU version we use for TDX is 8.2.2, see contrast/packages/by-name/qemu-tdx-static/package.nix

and contrast/packages/by-name/OVMF-TDX on top of edk2 master for OVMF

OVMF version we use is 202411, see https://search.nixos.org/packages?channel=unstable&from=0&size=2&sort=relevance&type=packages&query=ovmf

RTMR1 | EV_EFI_BOOT_SERVICES_APPLICATION, .E.F.I..u.b.u.n.t.u..g.r.u.b.x.6.4...e.f.i. | Seen with tdx_eventlogs only

This is the measurement of grub, our image doesn't use grub but systemd-boot.

RTMR2 | EV_IPL, MokList | Seen with tdx_eventlogs only
RTMR2 | EV_IPL, MokListX | Seen with tdx_eventlogs only
RTMR2 | EV_IPL, MokListTrusted | Seen with tdx_eventlogs only

If I remember correctly, these are secure boot measurements. We don't use secure boot in the Contrast image.

[jkr0103]

Thanks for the clarifications.

I also see some hard coded hash values here for RTMR0.

Any idea, how these values are retrieved and related components/binaries?

[katexochen]

Any idea, how these values are retrieved

They were taken from an event log and put there as constants for now. The things that being measured there are pinned for our setup, so the measurements aren't expected to change.

You can check out the code that creates these measurements here and the call site here.

[jkr0103]

Thanks a lot for the valuable info. I will check the links for measurements.