From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5])
 by mx.groups.io with SMTP id smtpd.web09.15821.1605140069990377592
 for <devel@edk2.groups.io>;
 Wed, 11 Nov 2020 16:14:30 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@ibm.com header.s=pp1 header.b=FniyPlzQ;
 spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: jejb@linux.ibm.com)
Received: from pps.filterd (m0098419.ppops.net [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 0AC02fIi087346;
	Wed, 11 Nov 2020 19:14:28 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject
 : date : message-id : in-reply-to : references : mime-version :
 content-transfer-encoding; s=pp1;
 bh=K+va8++z9VNJSEMjnuDFKpuG4mhY+7zlhJTZhb9V/QI=;
 b=FniyPlzQEk2W8y+eiF7RkbPgzItFnL4QkIwvYy4CgzxWp5TM6ccJHpLz5i6cFw4Nks/P
 J4Za8DXaTsWo/a+T9XjnNvcqjqA/oFvzesNWv4NnhrKlizWFDC0k/dJ1QVLxeo4SdFcz
 QVl662e+uMZOV9fGYQ23Ntn9D7yjkSsbuJJHx8euMeGJY1LZv6cnZNNqtcDCpTHHldl6
 vN/I3k5/yDKK7dtAHaBsY/jmjNV3jDRZ/sPg0Ybug4UIJdpBjSRfuNjH6ScNW4FK31ZE
 nzgxu52kSmLGSfLqhpNproJZmU3z+trbpGvYT3CgJ5tSvRwxrdPEoqCbDwYuA+B9g4Zn 6A== 
Received: from pps.reinject (localhost [127.0.0.1])
	by mx0b-001b2d01.pphosted.com with ESMTP id 34rf0yvwqc-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 11 Nov 2020 19:14:28 -0500
Received: from m0098419.ppops.net (m0098419.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 0AC02mSu088126;
	Wed, 11 Nov 2020 19:14:27 -0500
Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26])
	by mx0b-001b2d01.pphosted.com with ESMTP id 34rf0yvwq4-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Wed, 11 Nov 2020 19:14:27 -0500
Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1])
	by ppma04wdc.us.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 0AC088S1028047;
	Thu, 12 Nov 2020 00:14:27 GMT
Received: from b03cxnp07028.gho.boulder.ibm.com (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15])
	by ppma04wdc.us.ibm.com with ESMTP id 34q5nexct0-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 12 Nov 2020 00:14:27 +0000
Received: from b03ledav004.gho.boulder.ibm.com (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 0AC0EOv84784744
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 12 Nov 2020 00:14:24 GMT
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id DDB2E7805F;
	Thu, 12 Nov 2020 00:14:23 +0000 (GMT)
Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id A43C77805C;
	Thu, 12 Nov 2020 00:14:21 +0000 (GMT)
Received: from jarvis.int.hansenpartnership.com (unknown [9.85.162.106])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 12 Nov 2020 00:14:21 +0000 (GMT)
From: James Bottomley <jejb@linux.ibm.com>
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com,
        brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com,
        jon.grimm@amd.com, thomas.lendacky@amd.com, jejb@linux.ibm.com,
        frankeh@us.ibm.com, "Dr . David Alan Gilbert" <dgilbert@redhat.com>
Subject: [PATCH 4/4] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
Date: Wed, 11 Nov 2020 16:13:16 -0800
Message-Id: <20201112001316.11341-5-jejb@linux.ibm.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20201112001316.11341-1-jejb@linux.ibm.com>
References: <20201112001316.11341-1-jejb@linux.ibm.com>
MIME-Version: 1.0
X-TM-AS-GCONF: 00
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312,18.0.737
 definitions=2020-11-11_12:2020-11-10,2020-11-11 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 suspectscore=1
 spamscore=0 mlxscore=0 adultscore=0 impostorscore=0 lowpriorityscore=0
 clxscore=1015 priorityscore=1501 mlxlogscore=999 bulkscore=0
 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2009150000 definitions=main-2011110136
Content-Transfer-Encoding: quoted-printable

This is to allow the boot loader (grub) to pick up the secret area.
The Configuration Table simply points to the base and size (in
physical memory) and this area is covered by a Boot time HOB, meaning
that the secret will be freed after ExitBootServices, by which time it
should be consumed anyway.

Signed-off-by: James Bottomley <jejb@linux.ibm.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc                  |  3 ++
 OvmfPkg/AmdSev/AmdSevX64.fdf                  |  3 ++
 .../SevLaunchSecret/SecretDxe/SecretDxe.inf   | 38 +++++++++++++++
 .../SevLaunchSecret/SecretPei/SecretPei.inf   | 46 +++++++++++++++++++
 .../SevLaunchSecret/SecretDxe/SecretDxe.c     | 29 ++++++++++++
 .../SevLaunchSecret/SecretPei/SecretPei.c     | 26 +++++++++++
 6 files changed, 145 insertions(+)
 create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf
 create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf
 create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c
 create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 7d3663150e..eb8cc9d60a 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -698,6 +698,7 @@
   OvmfPkg/SmmAccess/SmmAccessPei.inf=0D
 !endif=0D
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf=0D
+  OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf=0D
 =0D
 !if $(TPM_ENABLE) =3D=3D TRUE=0D
   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf=0D
@@ -1007,6 +1008,8 @@
   }=0D
 !endif=0D
 =0D
+  OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf=0D
+=0D
   #=0D
   # TPM support=0D
   #=0D
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 1fd38b3fe2..65ee4d993b 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -146,6 +146,7 @@ INF  MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
 INF  OvmfPkg/SmmAccess/SmmAccessPei.inf=0D
 !endif=0D
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf=0D
+INF  OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf=0D
 =0D
 !if $(TPM_ENABLE) =3D=3D TRUE=0D
 INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf=0D
@@ -290,6 +291,8 @@ INF  ShellPkg/Application/Shell/Shell.inf
 =0D
 INF MdeModulePkg/Logo/LogoDxe.inf=0D
 =0D
+INF OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf=0D
+=0D
 #=0D
 # Network modules=0D
 #=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf b/OvmfP=
kg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf
new file mode 100644
index 0000000000..085162e5c4
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf
@@ -0,0 +1,38 @@
+## @file=0D
+#  Sev Secret configuration Table installer=0D
+#=0D
+#  Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+#=0D
+#  SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+##=0D
+=0D
+[Defines]=0D
+  INF_VERSION                    =3D 0x00010005=0D
+  BASE_NAME                      =3D SecretDxe=0D
+  FILE_GUID                      =3D 6e2b9619-8810-4e9d-a177-d432bb9abeda=
=0D
+  MODULE_TYPE                    =3D DXE_DRIVER=0D
+  VERSION_STRING                 =3D 1.0=0D
+  ENTRY_POINT                    =3D InitializeSecretDxe=0D
+=0D
+[Sources]=0D
+  SecretDxe.c=0D
+=0D
+[Packages]=0D
+  OvmfPkg/OvmfPkg.dec=0D
+  MdePkg/MdePkg.dec=0D
+=0D
+[LibraryClasses]=0D
+  UefiBootServicesTableLib=0D
+  UefiDriverEntryPoint=0D
+  UefiLib=0D
+=0D
+[Guids]=0D
+  gSevLaunchSecretGuid=0D
+=0D
+[FixedPcd]=0D
+  gSevLaunchSecretGuid.PcdSevLaunchSecretBase=0D
+  gSevLaunchSecretGuid.PcdSevLaunchSecretSize=0D
+=0D
+[Depex]=0D
+  TRUE=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf b/OvmfP=
kg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf
new file mode 100644
index 0000000000..b154dcc74e
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf
@@ -0,0 +1,46 @@
+## @file=0D
+#  PEI support for SEV Secrets=0D
+#=0D
+#  Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+#=0D
+#  SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+##=0D
+=0D
+[Defines]=0D
+  INF_VERSION                    =3D 0x00010005=0D
+  BASE_NAME                      =3D SecretPei=0D
+  FILE_GUID                      =3D 45260dde-0c3c-4b41-a226-ef3803fac7d4=
=0D
+  MODULE_TYPE                    =3D PEIM=0D
+  VERSION_STRING                 =3D 1.0=0D
+  ENTRY_POINT                    =3D InitializeSecretPei=0D
+=0D
+#=0D
+# The following information is for reference only and not required by the =
build tools.=0D
+#=0D
+#  VALID_ARCHITECTURES           =3D IA32 X64 EBC=0D
+#=0D
+=0D
+[Sources]=0D
+  SecretPei.c=0D
+=0D
+[Packages]=0D
+  OvmfPkg/OvmfPkg.dec=0D
+  MdePkg/MdePkg.dec=0D
+  MdeModulePkg/MdeModulePkg.dec=0D
+=0D
+[LibraryClasses]=0D
+  BaseLib=0D
+  DebugLib=0D
+  HobLib=0D
+  PeiServicesLib=0D
+  PeiServicesTablePointerLib=0D
+  PeimEntryPoint=0D
+  PcdLib=0D
+=0D
+[FixedPcd]=0D
+  gSevLaunchSecretGuid.PcdSevLaunchSecretBase=0D
+  gSevLaunchSecretGuid.PcdSevLaunchSecretSize=0D
+=0D
+[Depex]=0D
+  TRUE=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c b/OvmfPkg=
/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c
new file mode 100644
index 0000000000..b40bbe1eb9
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c
@@ -0,0 +1,29 @@
+/** @file=0D
+  SEV Secret configuration table constructor=0D
+=0D
+  Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+  SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+**/=0D
+#include <PiDxe.h>=0D
+#include <Library/UefiLib.h>=0D
+#include <Library/UefiDriverEntryPoint.h>=0D
+#include <Library/UefiBootServicesTableLib.h>=0D
+=0D
+struct {=0D
+  UINT32        base;=0D
+  UINT32        size;=0D
+} secretDxeTable =3D {=0D
+  FixedPcdGet32(PcdSevLaunchSecretBase),=0D
+  FixedPcdGet32(PcdSevLaunchSecretSize),=0D
+};=0D
+=0D
+EFI_STATUS=0D
+EFIAPI=0D
+InitializeSecretDxe(=0D
+  IN EFI_HANDLE           ImageHandle,=0D
+  IN EFI_SYSTEM_TABLE     *SystemTable=0D
+  )=0D
+{=0D
+  return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid,=0D
+                                         &secretDxeTable);=0D
+}=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c b/OvmfPkg=
/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c
new file mode 100644
index 0000000000..16b49792ad
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c
@@ -0,0 +1,26 @@
+/** @file=0D
+  SEV Secret boot time HOB placement=0D
+=0D
+  Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+  SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+**/=0D
+#include <PiPei.h>=0D
+#include <Library/BaseLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/HobLib.h>=0D
+#include <Library/PcdLib.h>=0D
+=0D
+EFI_STATUS=0D
+EFIAPI=0D
+InitializeSecretPei (=0D
+  IN       EFI_PEI_FILE_HANDLE  FileHandle,=0D
+  IN CONST EFI_PEI_SERVICES     **PeiServices=0D
+  )=0D
+{=0D
+  BuildMemoryAllocationHob (=0D
+    PcdGet32 (PcdSevLaunchSecretBase),=0D
+    PcdGet32 (PcdSevLaunchSecretSize),=0D
+    EfiBootServicesData);=0D
+=0D
+  return EFI_SUCCESS;=0D
+}=0D
--=20
2.26.2