From: Brijesh Singh
To: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Laszlo Ersek, Erdem Aktas, Eric Dong, Ray Ni, Rahul Kumar, devel@edk2.groups.io
CC: Brijesh Singh, Ard Biesheuvel
Subject: [PATCH RFC v3 05/22] OvmfPkg: reserve Secrets page in MEMFD
Date: Wed, 26 May 2021 18:11:01 -0500
Message-ID: <20210526231118.12946-6-brijesh.singh@amd.com>
In-Reply-To: <20210526231118.12946-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

When AMD SEV is enabled in the guest VM, a hypervisor needs to insert a
secrets page.

When SEV-SNP is enabled, the secrets page contains the VM platform
communication keys. The guest BIOS and OS can use this key to communicate
with the SEV firmware to get the attestation report. See the SEV-SNP firmware
spec for more details for the content of the secrets page.

When SEV and SEV-ES are enabled, the secrets page contains the information
provided by the guest owner after the attestation. See the SEV
LAUNCH_SECRET command for more details.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Cc: Erdem Aktas
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkgX64.dsc                 |  2 ++
 OvmfPkg/OvmfPkgX64.fdf                 |  5 +++++
 OvmfPkg/AmdSev/SecretPei/SecretPei.inf |  1 +
 OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 15 ++++++++++++++-
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 999738dc39cd..ea08e1fabc65 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -716,6 +716,7 @@ [Components] OvmfPkg/SmmAccess/SmmAccessPei.inf !endif UefiCpuPkg/CpuMpPei/CpuMpPei.inf + OvmfPkg/AmdSev/SecretPei/SecretPei.inf =20 !if $(TPM_ENABLE) =3D=3D TRUE OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf @@ -966,6 +967,7 @@ [Components] OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/AmdSevDxe/AmdSevDxe.inf OvmfPkg/IoMmuDxe/IoMmuDxe.inf + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf =20 !if $(SMM_REQUIRE) =3D=3D TRUE OvmfPkg/SmmAccess/SmmAccess2Dxe.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index d6be798fcadd..9126b8eb5014 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -88,6 +88,9 @@ [FD.MEMFD] 0x00C000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize =20 +0x00D000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGu= id.PcdSevLaunchSecretSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 @@ -179,6 +182,7 @@ [FV.PEIFV] INF SecurityPkg/Tcg/TcgPei/TcgPei.inf INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf !endif +INF OvmfPkg/AmdSev/SecretPei/SecretPei.inf =20 ##########################################################################= ###### =20 @@ -314,6 +318,7 @@ [FV.DXEFV] INF ShellPkg/Application/Shell/Shell.inf =20 INF MdeModulePkg/Logo/LogoDxe.inf +INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf =20 # # Network modules diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/Secret= Pei/SecretPei.inf index 08be156c4bc0..9265f8adee12 100644 --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf 
@@ -26,6 +26,7 @@ [LibraryClasses] HobLib PeimEntryPoint PcdLib + MemEncryptSevLib =20 [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPe= i/SecretPei.c index ad491515dd5d..51eb094555aa 100644 --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c @@ -7,6 +7,7 @@ #include #include #include +#include =20 EFI_STATUS EFIAPI @@ -15,10 +16,22 @@ InitializeSecretPei ( IN CONST EFI_PEI_SERVICES **PeiServices ) { + UINTN Type; + + // + // The location of the secret page should be marked reserved so that gue= st OS + // does not treated as a system RAM. + // + if (MemEncryptSevSnpIsEnabled ()) { + Type =3D EfiReservedMemoryType; + } else { + Type =3D EfiBootServicesData; + } + BuildMemoryAllocationHob ( PcdGet32 (PcdSevLaunchSecretBase), PcdGet32 (PcdSevLaunchSecretSize), - EfiBootServicesData + Type ); =20 return EFI_SUCCESS; --=20 2.17.1
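
Review bot: the second OvmfPkgX64.dsc hunk (and the matching [FV.DXEFV] hunk in OvmfPkgX64.fdf) pulls in OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf, but the commit message only talks about reserving the page and the diffstat touches SecretPei alone. Please state in the commit message why the DXE driver is needed on this platform. Both modules are also added unconditionally, and InitializeSecretPei as shown calls BuildMemoryAllocationHob with no check that SEV is active, so a non-SEV guest also gets the allocation HOB at PcdSevLaunchSecretBase; consider returning early when SEV is not enabled, or say that this is intended.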
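
Review bot: the [FD.MEMFD] hunk in OvmfPkgX64.fdf adds the 0x00D000|0x001000 region with no comment on who fills it. The commit message says the hypervisor inserts the secrets page, so this offset is effectively part of the contract with the hypervisor. A short comment above the entry saying so, and that under SEV-SNP the page holds the VM platform communication keys, would keep a later MEMFD layout change from moving it unnoticed.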
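
Review bot: in the SecretPei.c hunk, Type is declared UINTN but only ever holds EfiReservedMemoryType or EfiBootServicesData and is passed as the memory-type argument of BuildMemoryAllocationHob; declare it as EFI_MEMORY_TYPE (a name such as MemoryType would also read better) so no implicit integer-to-enum conversion is involved. The new comment says the page "should be marked reserved", yet the else branch keeps EfiBootServicesData for SEV and SEV-ES; the comment should explain why only the SEV-SNP case needs the reserved type, given that the commit message says the page carries guest-owner secrets in the other modes too. The comment also needs a grammar fix, for example "so that the guest OS does not treat it as system RAM".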