Hello,

Today's OVMF/edk2 master branch breaks AMD SEV-ES guest boot with the OvmfX64 package, whereas the SEV-ES guest boots fine with the AmdSev package. Git bisect pointed to the commit below as bad; going back to the previous commit, i.e. ddc43e7a, the SEV-ES guest boots fine with the OvmfX64 package:

commit 506740982bba199f12e75f6cfda510c30aa4e7c6
Author: Gerd Hoffmann
Date:   Mon Apr 22 12:47:28 2024 +0200

    OvmfPkg/VirtHstiDxe: add code flash check

    Detects qemu config issue: code pflash is writable.
    Checked for both PC and Q35.

    Cc: Ard Biesheuvel
    Cc: Jiewen Yao
    Cc: Konstantin Kostiuk
    Signed-off-by: Gerd Hoffmann
    Reviewed-by: Jiewen Yao

QEMU command line used:

qemu-system-x86_64 \
 -machine q35,confidential-guest-support=sev0,vmport=off \
 -object sev-guest,id=sev0,cbitpos=51,policy=0x5,reduced-phys-bits=1,kernel-hashes=off \
 -name guest=vm,debug-threads=on \
 -drive if=pflash,format=raw,unit=0,file=,readonly  \
 -cpu EPYC-Milan-v2 \
 -m 4096 \
 -smp 1,cores=1,threads=1,dies=1,sockets=1 \
 -drive file=22.04-serverfull.qcow2,index=0,media=disk,format=qcow2 \
 --enable-kvm \
 --nographic

Component levels used in the test:
qemu: v8.2.2
host_kernel and guest_kernel: v6.8.2
ovmf: current master of https://github.com/tianocore/edk2, Head: 86c8d69

Attaching the guest serial log.

Thanks,
Aithal, Srikanth

On 4/22/2024 4:17 PM, Gerd Hoffmann via groups.io wrote:
> Detects qemu config issue: code pflash is writable.
> Checked for both PC and Q35.
>
> Cc: Ard Biesheuvel
> Cc: Jiewen Yao
> Cc: Konstantin Kostiuk
> Signed-off-by: Gerd Hoffmann
> Reviewed-by: Jiewen Yao
> ---
> OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 2 ++
> OvmfPkg/VirtHstiDxe/VirtHstiDxe.h | 13 +++++++++++
> OvmfPkg/VirtHstiDxe/QemuCommon.c | 36 +++++++++++++++++++++++++++++
> OvmfPkg/VirtHstiDxe/VirtHstiDxe.c | 4 ++++
> 4 files changed, 55 insertions(+)
> create mode 100644 OvmfPkg/VirtHstiDxe/QemuCommon.c
>
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> index b6bdd1f22e83..9514933011e8 100644
> --- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> @@ -22,6 +22,7 @@ [Sources]
> VirtHstiDxe.c
> QemuPC.c
> QemuQ35.c
> + QemuCommon.c
> Flash.c
>
> [Packages]
> @@ -48,6 +49,7 @@ [FeaturePcd]
> gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
>
> [Pcd]
> + gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase
>
> [Depex]
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
> index ceff41c03711..f8bdcfe8f219 100644
> --- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
> @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #define VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK BIT0
> #define VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH BIT1
> +#define VIRT_HSTI_BYTE0_READONLY_CODE_FLASH BIT2
>
> typedef struct {
> // ADAPTER_INFO_PLATFORM_SECURITY
> @@ -67,6 +68,18 @@ VirtHstiQemuPCVerify (
> VOID
> );
>
> +/* QemuCommon.c */
> +
> +VOID
> +VirtHstiQemuCommonInit (
> + VIRT_ADAPTER_INFO_PLATFORM_SECURITY *VirtHsti
> + );
> +
> +VOID
> +VirtHstiQemuCommonVerify (
> + VOID
> + );
> +
> /* Flash.c */
>
> #define QEMU_FIRMWARE_FLASH_UNKNOWN 0
> diff --git a/OvmfPkg/VirtHstiDxe/QemuCommon.c b/OvmfPkg/VirtHstiDxe/QemuCommon.c
> new file mode 100644
> index 000000000000..4ab3fe2d6e63
> --- /dev/null
> +++ b/OvmfPkg/VirtHstiDxe/QemuCommon.c
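Review bot: The two prototypes added to VirtHstiDxe.h, VirtHstiQemuCommonInit and VirtHstiQemuCommonVerify, carry no doc block, unlike the usual edk2 `/** ... @param ... **/` header on functions shared across translation units. From the QemuCommon.c hunk the contracts are small enough to state: Init marks VIRT_HSTI_BYTE0_READONLY_CODE_FLASH as supported in the given VirtHsti record, and Verify runs the code-flash writability check against PcdBfvBase and records its result via VirtHstiTestResult. The new `VIRT_HSTI_BYTE0_READONLY_CODE_FLASH` bit would also benefit from a one-line comment saying it is set when the QEMU code pflash is not writable, since that is what a consumer of the HSTI record will read from it.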
> @@ -0,0 +1,36 @@
> +/** @file
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include
> +#include
> +
> +#include "VirtHstiDxe.h"
> +
> +VOID
> +VirtHstiQemuCommonInit (
> + VIRT_ADAPTER_INFO_PLATFORM_SECURITY *VirtHsti
> + )
> +{
> + VirtHstiSetSupported (VirtHsti, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
> +}
> +
> +VOID
> +VirtHstiQemuCommonVerify (
> + VOID
> + )
> +{
> + CHAR16 *ErrorMsg;
> +
> + switch (VirtHstiQemuFirmwareFlashCheck (PcdGet32 (PcdBfvBase))) {
> + case QEMU_FIRMWARE_FLASH_WRITABLE:
> + ErrorMsg = L"qemu code pflash is writable";
> + break;
> + default:
> + ErrorMsg = NULL;
> + }
> +
> + VirtHstiTestResult (ErrorMsg, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
> +}
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> index 74e5e6bd9d4f..b6e53a1219d1 100644
> --- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> @@ -104,9 +104,11 @@ VirtHstiOnReadyToBoot (
> switch (VirtHstiGetHostBridgeDevId ()) {
> case INTEL_82441_DEVICE_ID:
> VirtHstiQemuPCVerify ();
> + VirtHstiQemuCommonVerify ();
> break;
> case INTEL_Q35_MCH_DEVICE_ID:
> VirtHstiQemuQ35Verify ();
> + VirtHstiQemuCommonVerify ();
> break;
> default:
> ASSERT (FALSE);
> @@ -142,9 +144,11 @@ VirtHstiDxeEntrypoint (
> switch (DevId) {
> case INTEL_82441_DEVICE_ID:
> VirtHsti = VirtHstiQemuPCInit ();
> + VirtHstiQemuCommonInit (VirtHsti);
> break;
> case INTEL_Q35_MCH_DEVICE_ID:
> VirtHsti = VirtHstiQemuQ35Init ();
> + VirtHstiQemuCommonInit (VirtHsti);
> break;
> default:
> DEBUG ((DEBUG_INFO, "%a: unknown platform (0x%x)\n", __func__, DevId));
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118171): https://edk2.groups.io/g/devel/message/118171
Mute This Topic: https://groups.io/mt/105667072/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
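Review bot: In VirtHstiQemuCommonVerify the `default:` arm maps every result other than QEMU_FIRMWARE_FLASH_WRITABLE, including QEMU_FIRMWARE_FLASH_UNKNOWN which the header hunk defines as 0, to `ErrorMsg = NULL`, so a probe that could not classify the code flash is recorded exactly like a verified read-only flash; if VirtHstiTestResult treats a NULL message as a pass, the HSTI bit then asserts a property that was never checked. Give the unknown result its own arm, e.g. `case QEMU_FIRMWARE_FLASH_UNKNOWN: ErrorMsg = L"qemu code pflash state unknown"; break;`, or at least comment that unknown deliberately passes, and end the `default:` arm with a `break;` for consistency with the other case. The reporter's bisect attributes the SEV-ES OvmfX64 boot failure to this commit, and this unconditional VirtHstiQemuFirmwareFlashCheck call on PcdGet32 (PcdBfvBase) is the only new work on the boot path; whether that probe is safe to run against the code flash in a confidential guest depends on Flash.c, which is outside this patch, so it is worth confirming the probe's behaviour there and skipping or reporting "unknown" where it cannot run rather than letting it fault the guest.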
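Review bot: Both VirtHstiDxe.c hunks add the same line, `VirtHstiQemuCommonVerify ();` in VirtHstiOnReadyToBoot and `VirtHstiQemuCommonInit (VirtHsti);` in VirtHstiDxeEntrypoint, into each of the two device-id cases, so any further platform has to repeat it. Hoisting the call after the `switch` would keep it in one place, but the `default:` arms continue outside the hunk (ASSERT (FALSE) and a DEBUG print), so that is only correct if the default path leaves the function before the hoisted call. In the entrypoint, VirtHsti comes from VirtHstiQemuPCInit / VirtHstiQemuQ35Init whose failure behaviour is not visible here; if either can return NULL, VirtHstiQemuCommonInit hands it straight to VirtHstiSetSupported without a check.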