From: "James Bottomley"
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, jejb@linux.ibm.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert" , Laszlo Ersek
Subject: [PATCH v2 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
Date: Fri, 20 Nov 2020 10:45:21 -0800
Message-Id: <20201120184521.19437-7-jejb@linux.ibm.com>
In-Reply-To: <20201120184521.19437-1-jejb@linux.ibm.com>
References: <20201120184521.19437-1-jejb@linux.ibm.com>

Now that the secret area is protected by a boot time HOB, extract its location details into a configuration table referenced by gSevLaunchSecretGuid so the boot loader or OS can locate it before a call to ExitBootServices().

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley --- OvmfPkg/OvmfPkg.dec | 1 + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 37 ++++++++++++++++++++++++++ OvmfPkg/Include/Guid/SevLaunchSecret.h | 28 +++++++++++++++++++ OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 25 +++++++++++++++++ 6 files changed, 93 insertions(+) create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf create mode 100644 OvmfPkg/Include/Guid/SevLaunchSecret.h create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 7d27f8e16040..8a294116efaa 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -117,6 +117,7 @@ [Guids] gLinuxEfiInitrdMediaGuid = {0x5568e427, 0x68fc, 0x4f3d, {0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}} gQemuKernelLoaderFsMediaGuid = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} gGrubFileGuid = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} + gSevLaunchSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} [Ppis] # PPI whose presence in the PPI database signals that the TPM base address diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index a3f75a626e5e..fa2d1d20d551 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -812,6 +812,7 @@ [Components] gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE } !endif + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf OvmfPkg/AmdSev/Grub/Grub.inf !if $(BUILD_SHELL) == TRUE ShellPkg/Application/Shell/Shell.inf { diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index c628e6d8f6e7..b60ff6227a4f 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf 
@@ -269,6 +269,7 @@ [FV.DXEFV] !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf !endif +INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf INF OvmfPkg/AmdSev/Grub/Grub.inf !if $(BUILD_SHELL) == TRUE INF ShellPkg/Application/Shell/Shell.inf diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf new file mode 100644 index 000000000000..62ab00a3d382 --- /dev/null +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf @@ -0,0 +1,37 @@ +## @file +# Sev Secret configuration Table installer +# +# Copyright (C) 2020 James Bottomley, IBM Corporation. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = SecretDxe + FILE_GUID = 6e2b9619-8810-4e9d-a177-d432bb9abeda + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = InitializeSecretDxe + +[Sources] + SecretDxe.c + +[Packages] + OvmfPkg/OvmfPkg.dec + MdePkg/MdePkg.dec + +[LibraryClasses] + UefiBootServicesTableLib + UefiDriverEntryPoint + +[Guids] + gSevLaunchSecretGuid + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize + +[Depex] + TRUE diff --git a/OvmfPkg/Include/Guid/SevLaunchSecret.h b/OvmfPkg/Include/Guid/SevLaunchSecret.h new file mode 100644 index 000000000000..fa5f3830bc2b --- /dev/null +++ b/OvmfPkg/Include/Guid/SevLaunchSecret.h 
@@ -0,0 +1,28 @@ + /** @file + UEFI Configuration Table for exposing the SEV Launch Secret location to UEFI + applications (boot loaders). + + Copyright (C) 2020 James Bottomley, IBM Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + **/ + +#ifndef SEV_LAUNCH_SECRET_H_ +#define SEV_LAUNCH_SECRET_H_ + +#include + +#define SEV_LAUNCH_SECRET_GUID \ + { 0xadf956ad, \ + 0xe98c, \ + 0x484c, \ + { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 }, \ + } + +typedef struct { + UINT32 Base; + UINT32 Size; +} SEV_LAUNCH_SECRET_LOCATION; + +extern EFI_GUID gSevLaunchSecretGuid; + +#endif // SEV_LAUNCH_SECRET_H_ diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c new file mode 100644 index 000000000000..e5a1624e3cd7 --- /dev/null +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c @@ -0,0 +1,25 @@ +/** @file + SEV Secret configuration table constructor + + Copyright (C) 2020 James Bottomley, IBM Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include +#include +#include + +STATIC SEV_LAUNCH_SECRET_LOCATION mSecretDxeTable = { + FixedPcdGet32 (PcdSevLaunchSecretBase), + FixedPcdGet32 (PcdSevLaunchSecretSize), +}; + +EFI_STATUS +EFIAPI +InitializeSecretDxe( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid, + &mSecretDxeTable); +} -- 2.26.2
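
Review bot: In OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf, [LibraryClasses] lists only UefiBootServicesTableLib and UefiDriverEntryPoint, while SecretDxe.c uses FixedPcdGet32() on the two PCDs declared under [FixedPcd]. If the module depends on PcdLib for that macro, declare PcdLib here so the dependency is explicit rather than picked up implicitly. The file description also spells it "Sev Secret configuration Table installer", whereas the header and the .c file use "SEV"; pick one casing.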
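
Review bot: In OvmfPkg/Include/Guid/SevLaunchSecret.h, SEV_LAUNCH_SECRET_LOCATION is the interface a boot loader or OS will parse, yet its Base and Size fields have no documentation. Add comments stating that Base is a guest physical address and Size is a byte count, and say whether consumers may rely on the layout staying fixed. Both fields are UINT32, which limits the secret area to below 4 GiB; if that is intentional, note it in the header, otherwise UINT64 would avoid an interface change later. The opening `/** @file` comment in this file is also indented by one space, unlike the one in SecretDxe.c.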
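
Review bot: In OvmfPkg/AmdSev/SecretDxe/SecretDxe.c, mSecretDxeTable is a STATIC object in a module whose .inf declares MODULE_TYPE = DXE_DRIVER, so the pointer passed to InstallConfigurationTable() refers to boot-services memory inside the driver image and is only safe to dereference before ExitBootServices(). The commit message states that intent, but neither this file nor the header does. Add a comment telling consumers to copy Base and Size before exiting boot services, or allocate the table from a memory type that persists if a later reader is expected. The entry point also installs the table unconditionally, so a consumer cannot tell from the table alone whether a secret was actually injected; a short comment on what the consumer must validate would help. As a style point, `InitializeSecretDxe(` is missing the space before the parenthesis that the same file uses in `FixedPcdGet32 (`.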