Add update-tcb-mapping function in migtd-hash tool

liuw1 · liuw1 · commit 02c5090401f2 · 2025-11-20T15:31:22.000+08:00
Signed-off-by: Wei Liu &lt;wei3.liu@intel.com&gt;
diff --git a/config/templates/tcb_mapping.json b/config/templates/tcb_mapping.json
@@ -1 +1 @@
-{"id":"BB9668CA-4EE8-4523-941A-B3B03BE46E03","version":1,"issueDate":"2025-01-01T00:00:00Z","nextUpdate":"2026-01-01T00:00:00Z","mrSigner":"00000000000000000000000000000000","isvProdId":1,"svnMappings":[{"tdMeasurements":{"mrtd":"E2C7DA7CF0D93973480F0A34A6FE52A204EA81B4F1B6CD16018F5B4CAEE7B3B544A9738464A7C95E1705E20687A0ADA6","rtmr0":"518923B0F955D08DA077C96AABA522B9DECEDE61C599CEA6C41889CFBEA4AE4D50529D96FE4D1AFDAFB65E7F95BF23C4","rtmr1":"518923B0F955D08DA077C96AABA522B9DECEDE61C599CEA6C41889CFBEA4AE4D50529D96FE4D1AFDAFB65E7F95BF23C4"},"isvsvn":1}]}
+{"id":"BB9668CA-4EE8-4523-941A-B3B03BE46E03","issueDate":"2025-01-01T00:00:00Z","isvProdId":1,"mrSigner":"00000000000000000000000000000000","nextUpdate":"2026-01-01T00:00:00Z","svnMappings":[{"isvsvn":1,"tdMeasurements":{"mrtd":"7d657d691625088702dbf54f60008dbbfc428328f47f47ab3e39eb3d77dc933a67f95726dcd71317ab7d8c21d07046d2","rtmr0":"518923b0f955d08da077c96aaba522b9decede61c599cea6c41889cfbea4ae4d50529d96fe4d1afdafb65e7f95bf23c4","rtmr1":"5262cd5861ce73ee4ce27a7c961067011090b500b742c621120a5b797ac5950fa28a8276257985305a12f960c9fd48a6"}}],"version":1}
diff --git a/tools/migtd-hash/readme.md b/tools/migtd-hash/readme.md
@@ -32,6 +32,11 @@ popd
   ./target/debug/migtd-hash --manifest config/servtd_info.json --image <migtd.bin> --verbose
   ```
 
+  - Calculate migtd SERVTD_INFO_HASH and update tcb_mapping.json (For policy v2)
+  ```
+  ./target/debug/migtd-hash --manifest config/servtd_info.json --image <migtd.bin> --update-tcb-mapping <tcb_mapping.json> --policy-v2 --verbose
+  ```
+
   - Generate migtd SERVTD_HASH with debug infomation:
   ```
   ./target/debug/migtd-hash --manifest config/servtd_info.json --image <migtd.bin> --servtd-attr 0 --calc-servtd-hash --verbose
diff --git a/tools/migtd-hash/src/main.rs b/tools/migtd-hash/src/main.rs
@@ -2,21 +2,76 @@
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 
+use anyhow::{anyhow, Context};
 use clap::Parser;
 use log::debug;
 use migtd_hash::{
     build_td_info, calculate_servtd_hash, calculate_servtd_info_hash, SERVTD_TYPE_MIGTD,
 };
-use serde_json::json;
+use serde_json::{json, Value};
 use std::{
     fs::{self, File},
-    path::PathBuf,
+    path::{Path, PathBuf},
     process::exit,
 };
 
 const SERVTD_HASH_KEY: &str = "servtdHash";
 const SERVTD_INFO_HASH_KEY: &str = "servtdInfoHash";
 
+fn bytes_to_hex(bytes: &[u8]) -> String {
+    bytes.iter().map(|byte| format!("{:02x}", byte)).collect()
+}
+
+fn update_tcb_mapping_file(
+    path: &Path,
+    mrtd: &[u8],
+    rtmr0: &[u8],
+    rtmr1: &[u8],
+) -> anyhow::Result<()> {
+    let manifest =
+        fs::read_to_string(path).with_context(|| format!("Failed to read {}", path.display()))?;
+    let mut tcb_mapping: Value = serde_json::from_str(&manifest)
+        .with_context(|| format!("Failed to parse {}", path.display()))?;
+
+    let svn_mappings = tcb_mapping
+        .get_mut("svnMappings")
+        .and_then(Value::as_array_mut)
+        .ok_or_else(|| {
+            anyhow!(
+                "'svnMappings' missing or not an array in {}",
+                path.display()
+            )
+        })?;
+    let td_measurements = svn_mappings
+        .get_mut(0)
+        .ok_or_else(|| anyhow!("'svnMappings' array is empty in {}", path.display()))?
+        .get_mut("tdMeasurements")
+        .and_then(Value::as_object_mut)
+        .ok_or_else(|| {
+            anyhow!(
+                "'tdMeasurements' missing or not an object in {}",
+                path.display()
+            )
+        })?;
+
+    for (key, value) in [("mrtd", mrtd), ("rtmr0", rtmr0), ("rtmr1", rtmr1)] {
+        if !td_measurements.contains_key(key) {
+            eprintln!("Warning: '{}' not found in tdMeasurements, adding it.", key);
+        }
+        td_measurements.insert(key.to_string(), Value::String(bytes_to_hex(value)));
+    }
+
+    let serialized = serde_json::to_string(&tcb_mapping).with_context(|| {
+        format!(
+            "Failed to serialize updated tcb mapping for {}",
+            path.display()
+        )
+    })?;
+    fs::write(path, serialized)
+        .with_context(|| format!("Failed to write updated tcb mapping to {}", path.display()))?;
+    println!("Updated {} successfully.", path.display());
+    Ok(())
+}
 #[derive(Clone, Parser)]
 struct Config {
     /// A json format manifest that contains values of TD info fields
@@ -49,6 +104,9 @@ struct Config {
     /// Enable verbose logging
     #[clap(short, long)]
     pub verbose: bool,
+    /// Update the provided tcb_mapping JSON with the generated TD measurements
+    #[clap(long)]
+    pub update_tcb_mapping: Option<PathBuf>,
 }
 
 fn main() {
@@ -157,11 +215,11 @@ fn main() {
     if let Some(output_td_info) = config.output_td_info {
         debug!("Writing TD Info to: {:?}", output_td_info);
         let td_info_json = json!({
-            "mrtd": td_info.mrtd.iter().map(|b| format!("{:02x}", b)).collect::<String>(),
-            "rtmr0": td_info.rtmr0.iter().map(|b| format!("{:02x}", b)).collect::<String>(),
-            "rtmr1": td_info.rtmr1.iter().map(|b| format!("{:02x}", b)).collect::<String>(),
-            "rtmr2": td_info.rtmr2.iter().map(|b| format!("{:02x}", b)).collect::<String>(),
-            "rtmr3": td_info.rtmr3.iter().map(|b| format!("{:02x}", b)).collect::<String>(),
+            "mrtd": bytes_to_hex(&td_info.mrtd),
+            "rtmr0": bytes_to_hex(&td_info.rtmr0),
+            "rtmr1": bytes_to_hex(&td_info.rtmr1),
+            "rtmr2": bytes_to_hex(&td_info.rtmr2),
+            "rtmr3": bytes_to_hex(&td_info.rtmr3),
         });
 
         fs::write(
@@ -174,6 +232,19 @@ fn main() {
         })
     }
 
+    debug!("Updating tcb_mapping file...");
+    if let Some(tcb_mapping_path) = &config.update_tcb_mapping {
+        if let Err(e) = update_tcb_mapping_file(
+            tcb_mapping_path,
+            &td_info.mrtd,
+            &td_info.rtmr0,
+            &td_info.rtmr1,
+        ) {
+            eprintln!("Failed to update tcb_mapping file: {}", e);
+            exit(1);
+        }
+    }
+
     debug!("Calculating servtd_info_hash...");
     let servtd_info_hash = calculate_servtd_info_hash(td_info).unwrap_or_else(|e| {
         eprintln!("Failed to calculate hash: {:?}", e);

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-{"id":"BB9668CA-4EE8-4523-941A-B3B03BE46E03","version":1,"issueDate":"2025-01-01T00:00:00Z","nextUpdate":"2026-01-01T00:00:00Z","mrSigner":"00000000000000000000000000000000","isvProdId":1,"svnMappings":[{"tdMeasurements":{"mrtd":"E2C7DA7CF0D93973480F0A34A6FE52A204EA81B4F1B6CD16018F5B4CAEE7B3B544A9738464A7C95E1705E20687A0ADA6","rtmr0":"518923B0F955D08DA077C96AABA522B9DECEDE61C599CEA6C41889CFBEA4AE4D50529D96FE4D1AFDAFB65E7F95BF23C4","rtmr1":"518923B0F955D08DA077C96AABA522B9DECEDE61C599CEA6C41889CFBEA4AE4D50529D96FE4D1AFDAFB65E7F95BF23C4"},"isvsvn":1}]}
	`1`	+{"id":"BB9668CA-4EE8-4523-941A-B3B03BE46E03","issueDate":"2025-01-01T00:00:00Z","isvProdId":1,"mrSigner":"00000000000000000000000000000000","nextUpdate":"2026-01-01T00:00:00Z","svnMappings":[{"isvsvn":1,"tdMeasurements":{"mrtd":"7d657d691625088702dbf54f60008dbbfc428328f47f47ab3e39eb3d77dc933a67f95726dcd71317ab7d8c21d07046d2","rtmr0":"518923b0f955d08da077c96aaba522b9decede61c599cea6c41889cfbea4ae4d50529d96fe4d1afdafb65e7f95bf23c4","rtmr1":"5262cd5861ce73ee4ce27a7c961067011090b500b742c621120a5b797ac5950fa28a8276257985305a12f960c9fd48a6"}}],"version":1}