From: James Bottomley
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, jejb@linux.ibm.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert"
Subject: [PATCH 4/4] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
Date: Wed, 11 Nov 2020 16:13:16 -0800
Message-Id: <20201112001316.11341-5-jejb@linux.ibm.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20201112001316.11341-1-jejb@linux.ibm.com>
References: <20201112001316.11341-1-jejb@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

This is to allow the boot loader (grub) to pick up the secret area. The Configuration Table simply points to the base and size (in physical memory) and this area is covered by a Boot time HOB, meaning that the secret will be freed after ExitBootServices, by which time it should be consumed anyway.

Signed-off-by: James Bottomley --- OvmfPkg/AmdSev/AmdSevX64.dsc | 3 ++ OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ++ .../SevLaunchSecret/SecretDxe/SecretDxe.inf | 38 +++++++++++++++ .../SevLaunchSecret/SecretPei/SecretPei.inf | 46 +++++++++++++++++++ .../SevLaunchSecret/SecretDxe/SecretDxe.c | 29 ++++++++++++ .../SevLaunchSecret/SecretPei/SecretPei.c | 26 +++++++++++ 6 files changed, 145 insertions(+) create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 7d3663150e..eb8cc9d60a 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -698,6 +698,7 @@ OvmfPkg/SmmAccess/SmmAccessPei.inf=0D !endif=0D UefiCpuPkg/CpuMpPei/CpuMpPei.inf=0D + OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf=0D =0D !if $(TPM_ENABLE) =3D=3D TRUE=0D OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf=0D @@ -1007,6 +1008,8 @@ }=0D !endif=0D =0D + OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf=0D +=0D #=0D # TPM support=0D #=0D diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index 1fd38b3fe2..65ee4d993b 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf @@ -146,6 +146,7 @@ INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf INF OvmfPkg/SmmAccess/SmmAccessPei.inf=0D !endif=0D INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf=0D +INF OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf=0D =0D !if $(TPM_ENABLE) =3D=3D TRUE=0D INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf=0D @@ -290,6 +291,8 @@ INF ShellPkg/Application/Shell/Shell.inf =0D INF MdeModulePkg/Logo/LogoDxe.inf=0D =0D +INF OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf=0D +=0D #=0D # Network modules=0D #=0D 
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf b/OvmfP= kg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf new file mode 100644 index 0000000000..085162e5c4 --- /dev/null +++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf @@ -0,0 +1,38 @@ +## @file=0D +# Sev Secret configuration Table installer=0D +#=0D +# Copyright (C) 2020 James Bottomley, IBM Corporation.=0D +#=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D SecretDxe=0D + FILE_GUID =3D 6e2b9619-8810-4e9d-a177-d432bb9abeda= =0D + MODULE_TYPE =3D DXE_DRIVER=0D + VERSION_STRING =3D 1.0=0D + ENTRY_POINT =3D InitializeSecretDxe=0D +=0D +[Sources]=0D + SecretDxe.c=0D +=0D +[Packages]=0D + OvmfPkg/OvmfPkg.dec=0D + MdePkg/MdePkg.dec=0D +=0D +[LibraryClasses]=0D + UefiBootServicesTableLib=0D + UefiDriverEntryPoint=0D + UefiLib=0D +=0D +[Guids]=0D + gSevLaunchSecretGuid=0D +=0D +[FixedPcd]=0D + gSevLaunchSecretGuid.PcdSevLaunchSecretBase=0D + gSevLaunchSecretGuid.PcdSevLaunchSecretSize=0D +=0D +[Depex]=0D + TRUE=0D diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf b/OvmfP= kg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf new file mode 100644 index 0000000000..b154dcc74e --- /dev/null +++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf 
@@ -0,0 +1,46 @@ +## @file=0D +# PEI support for SEV Secrets=0D +#=0D +# Copyright (C) 2020 James Bottomley, IBM Corporation.=0D +#=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D SecretPei=0D + FILE_GUID =3D 45260dde-0c3c-4b41-a226-ef3803fac7d4= =0D + MODULE_TYPE =3D PEIM=0D + VERSION_STRING =3D 1.0=0D + ENTRY_POINT =3D InitializeSecretPei=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64 EBC=0D +#=0D +=0D +[Sources]=0D + SecretPei.c=0D +=0D +[Packages]=0D + OvmfPkg/OvmfPkg.dec=0D + MdePkg/MdePkg.dec=0D + MdeModulePkg/MdeModulePkg.dec=0D +=0D +[LibraryClasses]=0D + BaseLib=0D + DebugLib=0D + HobLib=0D + PeiServicesLib=0D + PeiServicesTablePointerLib=0D + PeimEntryPoint=0D + PcdLib=0D +=0D +[FixedPcd]=0D + gSevLaunchSecretGuid.PcdSevLaunchSecretBase=0D + gSevLaunchSecretGuid.PcdSevLaunchSecretSize=0D +=0D +[Depex]=0D + TRUE=0D diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c b/OvmfPkg= /AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c new file mode 100644 index 0000000000..b40bbe1eb9 --- /dev/null +++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c @@ -0,0 +1,29 @@ +/** @file=0D + SEV Secret configuration table constructor=0D +=0D + Copyright (C) 2020 James Bottomley, IBM Corporation.=0D + SPDX-License-Identifier: BSD-2-Clause-Patent=0D +**/=0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +struct {=0D + UINT32 base;=0D + UINT32 size;=0D +} secretDxeTable =3D {=0D + FixedPcdGet32(PcdSevLaunchSecretBase),=0D + FixedPcdGet32(PcdSevLaunchSecretSize),=0D +};=0D +=0D +EFI_STATUS=0D +EFIAPI=0D +InitializeSecretDxe(=0D + IN EFI_HANDLE ImageHandle,=0D + IN EFI_SYSTEM_TABLE *SystemTable=0D + )=0D +{=0D + return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid,=0D + &secretDxeTable);=0D +}=0D 
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c b/OvmfPkg= /AmdSev/SevLaunchSecret/SecretPei/SecretPei.c new file mode 100644 index 0000000000..16b49792ad --- /dev/null +++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c @@ -0,0 +1,26 @@ +/** @file=0D + SEV Secret boot time HOB placement=0D +=0D + Copyright (C) 2020 James Bottomley, IBM Corporation.=0D + SPDX-License-Identifier: BSD-2-Clause-Patent=0D +**/=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +EFI_STATUS=0D +EFIAPI=0D +InitializeSecretPei (=0D + IN EFI_PEI_FILE_HANDLE FileHandle,=0D + IN CONST EFI_PEI_SERVICES **PeiServices=0D + )=0D +{=0D + BuildMemoryAllocationHob (=0D + PcdGet32 (PcdSevLaunchSecretBase),=0D + PcdGet32 (PcdSevLaunchSecretSize),=0D + EfiBootServicesData);=0D +=0D + return EFI_SUCCESS;=0D +}=0D --=20 2.26.2
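
Review bot: in SecretDxe.inf, [LibraryClasses] has no PcdLib entry although SecretDxe.c reads both PCDs with FixedPcdGet32, and it lists UefiLib while the only service the driver calls is gBS->InstallConfigurationTable. Suggest adding PcdLib and dropping UefiLib unless something outside the visible code needs it. gSevLaunchSecretGuid also serves here as both the PCD token space ([FixedPcd]) and the configuration table GUID ([Guids]); a one-line comment saying that this dual use is intended would save the next reader from checking.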
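
Review bot: in SecretPei.inf, the VALID_ARCHITECTURES comment lists IA32 and EBC, but this patch only adds the module to AmdSevX64.dsc and AmdSevX64.fdf, so X64 is the only architecture it is built for. The [LibraryClasses] entries BaseLib, DebugLib, PeiServicesLib and PeiServicesTablePointerLib, and the MdeModulePkg.dec package, do not correspond to anything InitializeSecretPei calls (it uses only BuildMemoryAllocationHob and PcdGet32); suggest trimming the list to HobLib, PeimEntryPoint and PcdLib.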
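
Review bot: in SecretDxe.c, the structure installed under gSevLaunchSecretGuid is an anonymous file-scope struct with lowercase `base` and `size` fields, so the layout the boot loader has to parse is not declared anywhere a consumer can include. Suggest a named typedef in a header next to the GUID declaration, with the two UINT32 fields documented as a physical address and a length in bytes, and making the instance STATIC with a module-global name in place of `secretDxeTable`.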
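
Review bot: in SecretPei.c, InitializeSecretPei marks the range as EfiBootServicesData, which makes the pages reclaimable after ExitBootServices but does not clear them; nothing in this patch wipes the area, so the secret's bytes remain in memory that the OS later reuses. The commit message relies on the secret having been consumed by then, so a comment at the BuildMemoryAllocationHob call should say which component is expected to scrub the area once it has read it. Separately, the INF declares both PCDs under [FixedPcd] and SecretDxe.c reads them with FixedPcdGet32, so the two PcdGet32 calls here should use FixedPcdGet32 as well, and the function returns EFI_SUCCESS without any check on the base and size values it passes on.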