[PATCH v2 4/6] OvmfPkg: create a SEV secret area in the AmdSev memfd

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "James Bottomley" <jejb@linux.ibm.com>
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com,
	ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com,
	david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com,
	jejb@linux.ibm.com, frankeh@us.ibm.com,
	"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
	Laszlo Ersek <lersek@redhat.com>
Subject: [PATCH v2 4/6] OvmfPkg: create a SEV secret area in the AmdSev memfd
Date: Fri, 20 Nov 2020 10:45:19 -0800	[thread overview]
Message-ID: <20201120184521.19437-5-jejb@linux.ibm.com> (raw)
In-Reply-To: <20201120184521.19437-1-jejb@linux.ibm.com>

SEV needs an area to place an injected secret where OVMF can find it
and pass it up as a ConfigurationTable.  This patch implements the
area itself as an addition to the SEV enhanced reset vector table using
an additional guid (4c2eb361-7d9b-4cc3-8081-127c90d3d294).

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>

---

v2: move guid to OVMF token space, separate patches
---
 OvmfPkg/OvmfPkg.dec                          |  6 ++++++
 OvmfPkg/ResetVector/ResetVector.inf          |  4 ++++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 14 ++++++++++++++
 OvmfPkg/ResetVector/ResetVector.nasmb        |  2 ++
 4 files changed, 26 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 3fbf7a0ee1a4..7d27f8e16040 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -304,6 +304,12 @@ [PcdsFixedAtBuild]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41
 
+  ## The base address and size of the SEV Launch Secret Area provisioned
+  #  after remote attestation.  If this is set in the .fdf, the platform
+  #  is responsible for protecting the area from DXE phase overwrites.
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf
index a53ae6c194ae..dc38f68919cd 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -43,3 +43,7 @@ [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+
+[FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
index baf9d09f3625..8d6600f17310 100644
--- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
+++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -47,6 +47,20 @@ TIMES (32 - ((guidedStructureEnd - guidedStructureStart) % 32)) DB 0
 ;
 guidedStructureStart:
 
+;
+; SEV Secret block Guid: 4c2eb361-7d9b-4cc3-8081-127c90d3d294
+;
+; This describes the guest ram area where the hypervisor may have
+; injected the secret
+;
+sevSecretBlockStart:
+    DD      SEV_LAUNCH_SECRET_BASE
+    DD      SEV_LAUNCH_SECRET_SIZE
+    DW      sevSecretBlockEnd - sevSecretBlockStart
+    DB      0x61, 0xB3, 0x2E, 0x4C, 0x9B, 0x7D, 0xC3, 0x4C
+    DB      0x80, 0x81, 0x12, 0x7C, 0x90, 0xD3, 0xD2, 0x94
+sevSecretBlockEnd:
+
 ;
 ; SEV-ES Processor Reset support
 ;
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 4913b379a993..c5e0fe93abf4 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -83,5 +83,7 @@
 %include "Main.asm"
 
   %define SEV_ES_AP_RESET_IP  FixedPcdGet32 (PcdSevEsWorkAreaBase)
+  %define SEV_LAUNCH_SECRET_BASE  FixedPcdGet32 (PcdSevLaunchSecretBase)
+  %define SEV_LAUNCH_SECRET_SIZE  FixedPcdGet32 (PcdSevLaunchSecretSize)
 %include "Ia16/ResetVectorVtf0.asm"
 
-- 
2.26.2

next prev parent reply	other threads:[~2020-11-20 18:45 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-20 18:45 [PATCH v2 0/6] SEV Encrypted Boot for Ovmf James Bottomley
2020-11-20 18:45 ` [PATCH v2 1/6] OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF James Bottomley
2020-11-23 18:01   ` Laszlo Ersek
2020-11-23 23:25     ` James Bottomley
2020-11-23 23:43       ` Laszlo Ersek
2020-11-20 18:45 ` [PATCH v2 2/6] OvmfPkg/AmdSev: add Grub Firmware Volume Package James Bottomley
2020-11-23 21:08   ` Laszlo Ersek
2020-11-24  6:38     ` James Bottomley
2020-11-24  8:23       ` Laszlo Ersek
2020-11-24 14:54         ` Laszlo Ersek
2020-11-24 15:58           ` Laszlo Ersek
2020-11-24 16:22             ` [edk2-devel] " James Bottomley
2020-11-24 23:22               ` Laszlo Ersek
2020-11-24 23:42                 ` James Bottomley
2020-11-25  1:27                   ` James Bottomley
2020-11-25 14:01                     ` Laszlo Ersek
2020-11-25 16:02                       ` James Bottomley
2020-11-25 17:09                         ` James Bottomley
2020-11-25 18:17                           ` James Bottomley
2020-11-25 19:20                             ` Laszlo Ersek
2020-11-25 20:11                               ` James Bottomley
2020-11-25 18:35                           ` Laszlo Ersek
2020-11-25 19:08                             ` Laszlo Ersek
2020-11-25 19:14                               ` Laszlo Ersek
2020-11-20 18:45 ` [PATCH v2 3/6] OvmfPkg: convert ES Reset Block structure to be guided James Bottomley
2020-11-23 22:16   ` Laszlo Ersek
2020-11-24 14:57     ` Lendacky, Thomas
2020-11-24 19:07       ` James Bottomley
2020-11-24 23:19         ` Laszlo Ersek
2020-11-24 19:05     ` James Bottomley
2020-11-24 23:15       ` Laszlo Ersek
2020-11-20 18:45 ` James Bottomley [this message]
2020-11-23 22:28   ` [PATCH v2 4/6] OvmfPkg: create a SEV secret area in the AmdSev memfd Laszlo Ersek
2020-11-20 18:45 ` [PATCH v2 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area James Bottomley
2020-11-23 22:38   ` Laszlo Ersek
2020-11-20 18:45 ` [PATCH v2 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table James Bottomley
2020-11-23 22:56   ` Laszlo Ersek

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3fbf7a0ee1a dfblob:7d27f8e1604 dfblob:a53ae6c194a
dfblob:dc38f68919c dfblob:baf9d09f362 dfblob:8d6600f1731
dfblob:4913b379a99 dfblob:c5e0fe93abf )
 OR (
bs:"[PATCH v2 4/6] OvmfPkg: create a SEV secret area in the AmdSev memfd" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201120184521.19437-5-jejb@linux.ibm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox