From: James Bottomley <jejb@linux.ibm.com>
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com,
ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com,
david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com,
jejb@linux.ibm.com, frankeh@us.ibm.com,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>
Subject: [PATCH 3/4] OvmfPkg: create a SEV secret area in the AmdSev memfd
Date: Wed, 11 Nov 2020 16:13:15 -0800
Message-ID: <20201112001316.11341-4-jejb@linux.ibm.com>
In-Reply-To: <20201112001316.11341-1-jejb@linux.ibm.com>
SEV needs an area to place an injected secret where OVMF can find it
and pass it up as a ConfigurationTable. This patch implements the
area itself as an addition to the SEV enhanced reset vector. The
reset vector scheme allows additions but not removals. If the size of
the reset vector is 22, it only contains the AP reset IP, but if it is
30 (or greater) it contains the SEV secret page location and size.
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
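As an added illustration of the layout the commit message describes (not code from this patch or from OVMF itself): a small Python parser that locates the reset block by its GUID 48 bytes from the end of the image, reads the size word in front of the GUID, and reads the secret base and size only when the block is at least 30 bytes. The full GUID beyond the 8 bytes visible in the patch is assumed from OVMF's published definition, and build_image_tail only constructs test input in the shape ResetVectorVtf0.asm emits.

```python
import struct
import uuid

# GUID closing the SEV-ES reset block.  The patch shows its first 8 bytes
# (DE 71 F7 00 7E 1A CB 4F); the rest is assumed from OVMF's published
# definition, 00f771de-1a7e-4fcb-890e-68c77e2fb44e.
SEV_ES_RESET_BLOCK_GUID = uuid.UUID("00f771de-1a7e-4fcb-890e-68c77e2fb44e")
GUID_FROM_END = 48         # "The GUID must always be 48 bytes from the end"
BLOCK_SIZE_NO_SECRET = 22  # DD reset IP + DW size + 16-byte GUID
BLOCK_SIZE_SECRET = 30     # plus DD secret base + DD secret size


def build_image_tail(ap_reset_ip, secret=None):
    """Construct the last 64 bytes of an image laid out like
    ResetVectorVtf0.asm: zero padding to 32 bytes, the block, then the
    32 bytes that would hold the real reset vector (zeros here)."""
    body = struct.pack("<II", *secret) if secret else b""  # new fields first
    body += struct.pack("<I", ap_reset_ip)
    size = len(body) + 2 + 16
    block = body + struct.pack("<H", size) + SEV_ES_RESET_BLOCK_GUID.bytes_le
    return bytes(32 - size) + block + bytes(32)


def parse_sev_es_reset_block(image):
    """Return the block's fields, or None if no valid block is present.
    Offsets count backwards from the GUID, so fields added at the front of
    the block never move the older ones."""
    if len(image) < 64:
        return None
    g = len(image) - GUID_FROM_END                      # GUID at -0x30
    if uuid.UUID(bytes_le=image[g:g + 16]) != SEV_ES_RESET_BLOCK_GUID:
        return None
    (size,) = struct.unpack_from("<H", image, g - 2)   # DW size at -0x32
    if size < BLOCK_SIZE_NO_SECRET or size > 32:       # must fit the padding
        return None
    (reset,) = struct.unpack_from("<I", image, g - 6)  # DD at -0x36
    info = {"block_size": size,
            "ap_reset_ip": reset & 0xffff,             # IP value
            "cs_base": reset & 0xffff0000,             # CS base [31:16]
            "secret": None}
    if size >= BLOCK_SIZE_SECRET:
        base, length = struct.unpack_from("<II", image, g - 14)  # -0x3e/-0x3a
        # Parser convention (an assumption): base 0 / size 0 means no area.
        if base or length:
            info["secret"] = {"base": base, "size": length}
    return info
```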
---
OvmfPkg/OvmfPkg.dec | 5 +++++
OvmfPkg/AmdSev/AmdSevX64.fdf | 3 +++
OvmfPkg/ResetVector/ResetVector.inf | 4 ++++
OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 4 ++++
OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++
5 files changed, 18 insertions(+)
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 3fbf7a0ee1..b00f083417 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -117,6 +117,7 @@
gLinuxEfiInitrdMediaGuid = {0x5568e427, 0x68fc, 0x4f3d, {0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}}
gQemuKernelLoaderFsMediaGuid = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}}
gGrubFileGuid = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}}
+ gSevLaunchSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}}
[Ppis]
# PPI whose presence in the PPI database signals that the TPM base address
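Review bot: gSevLaunchSecretGuid is declared here so that it can serve as a PCD token space, while the commit message also makes it the GUID of the configuration table that carries the secret. The neighbouring PCDs (PcdOvmfSecGhcbBase and friends) live under gUefiOvmfPkgTokenSpaceGuid; consider keeping the new PCDs there too and reserving gSevLaunchSecretGuid for the table itself, so one GUID does not serve two roles.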
@@ -304,6 +305,10 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41
+ ## The base address and size of the SEV Launch Secret Area
+ gSevLaunchSecretGuid.PcdSevLaunchSecretBase|0x0|UINT32|0
+ gSevLaunchSecretGuid.PcdSevLaunchSecretSize|0x0|UINT32|1
+
[PcdsDynamic, PcdsDynamicEx]
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
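Review bot: the two new PCDs take token numbers 0 and 1 in a fresh token space, whereas the surrounding entries are numbered within gUefiOvmfPkgTokenSpaceGuid (0x40, 0x41 just above). If the PCDs end up in the OVMF token space, pick the next free numbers there instead of 0 and 1. Also, the default is written as 0x0 while the neighbouring lines use 0; either form works, but a one-line comment saying what a zero base/size means to consumers would help, since that is the value every platform that does not assign the region will compile in.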
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 689386612d..1fd38b3fe2 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -59,6 +59,9 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmf
0x00B000|0x001000
gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
+0x00C000|0x001000
+gSevLaunchSecretGuid.PcdSevLaunchSecretBase|gSevLaunchSecretGuid.PcdSevLaunchSecretSize
+
0x010000|0x010000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
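Review bot: 0x00C000|0x001000 sits between the SEV-ES work area at 0x00B000 and the temporary RAM at 0x010000, so there is no overlap with the neighbours shown here; please confirm that nothing else in the file or the .dsc relied on 0x00C000-0x00FFFF being unassigned. A short comment naming the region would also help, as nothing in this hunk indicates that this page is reserved for data injected by the hypervisor rather than for firmware scratch space.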
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf
index a53ae6c194..72fd78eef4 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -43,3 +43,7 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+
+[FixedPcd]
+ gSevLaunchSecretGuid.PcdSevLaunchSecretBase
+ gSevLaunchSecretGuid.PcdSevLaunchSecretSize
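Review bot: this opens a separate [FixedPcd] section, but the reset-vector PCDs listed just above (PcdOvmfSecPeiTempRamBase and friends) are already read with FixedPcdGet32 from the existing section, as ResetVector.nasmb does for PcdSevEsWorkAreaBase. For consistency, append the two new PCDs to that existing list rather than introducing a second section.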
diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
index 980e0138e7..7d3214e55d 100644
--- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
+++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -35,6 +35,8 @@ ALIGN 16
; the build time RIP value. The GUID must always be 48 bytes from the
; end of the firmware.
;
+; 0xffffffc2 (-0x3e) - Base Location of the SEV Launch Secret
+; 0xffffffc6 (-0x3a) - Size of SEV Launch Secret
; 0xffffffca (-0x36) - IP value
; 0xffffffcc (-0x34) - CS segment base [31:16]
; 0xffffffce (-0x32) - Size of the SEV-ES reset block
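Review bot: the two added comment lines give the correct offsets (8 and 4 bytes below the IP value at -0x36), but they should state that these fields exist only when the size word at -0x32 is 30 or more, which is the rule the commit message lays down. A reader of this comment block alone would otherwise assume every image carries them.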
@@ -51,6 +53,8 @@ ALIGN 16
TIMES (32 - (sevEsResetBlockEnd - sevEsResetBlockStart)) DB 0
sevEsResetBlockStart:
+ DD SEV_LAUNCH_SECRET_BASE
+ DD SEV_LAUNCH_SECRET_SIZE
DD SEV_ES_AP_RESET_IP
DW sevEsResetBlockEnd - sevEsResetBlockStart
DB 0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F
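Review bot: with the two DDs the block grows from 22 to 30 bytes, and the TIMES (32 - ...) padding above leaves only 2 bytes of headroom before the next addition breaks the build. Since the commit message advertises an "additions but not removals" scheme, either note that limit in a comment or raise the constant now, and make sure consumers check the size word before reading the new fields.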
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 4913b379a9..c5e0fe93ab 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -83,5 +83,7 @@
%include "Main.asm"
%define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase)
+ %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase)
+ %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize)
%include "Ia16/ResetVectorVtf0.asm"
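Review bot: these %define lines are unconditional, so every platform that builds ResetVector, not only AmdSev, now emits a 30-byte block with base and size both 0 because the PCDs keep their .dec default. The commit message says a size of 30 "contains the SEV secret page location and size", so a consumer would read 0/0 as a real area. Either wrap the defines and the DDs in a build-time conditional for the AmdSev target, or document that base 0 / size 0 means no secret area.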
--
2.26.2