From: "Dov Murik"
To: devel@edk2.groups.io
Cc: Dov Murik, Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky
Subject: [PATCH v5 09/11] OvmfPkg/AmdSev: reserve MEMFD space for firmware config hashes
Date: Tue, 27 Jul 2021 19:07:22 +0000
Message-Id: <20210727190724.3586867-10-dovmurik@linux.ibm.com>
In-Reply-To: <20210727190724.3586867-1-dovmurik@linux.ibm.com>
References: <20210727190724.3586867-1-dovmurik@linux.ibm.com>

From: James Bottomley

Split the existing 4KB page reserved for SEV launch secrets into two parts: first 3KB for SEV launch secrets and last 1KB for firmware config hashes.

The area of the firmware config hashes will be attested (measured) by the PSP and thus the untrusted VMM can't pass in different files from what the guest owner allows.

Declare this in the Reset Vector table using GUID 7255371f-3a3b-4b04-927b-1da6efa8d454 and a uint32_t table of a base and size value (similar to the structure used to declare the launch secret block).

Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Co-developed-by: Dov Murik
Signed-off-by: Dov Murik
Signed-off-by: James Bottomley
Reviewed-by: Tom Lendacky
Reviewed-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec | 6 ++++++
 OvmfPkg/AmdSev/AmdSevX64.fdf | 5 ++++-
 OvmfPkg/ResetVector/ResetVector.inf | 2 ++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++++++++++++++++++++
 OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++
 5 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index f82228d69cc2..2ab27f0c73c2 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -324,6 +324,12 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42=0D gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43=0D =0D + ## The base address and size of a hash table confirming allowed=0D + # parameters to be passed in via the Qemu firmware configuration=0D + # device=0D + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|0x0|UINT32|0x47=0D + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize|0x0|UINT32|0x48=0D +=0D [PcdsDynamic, PcdsDynamicEx]=0D gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2=0D gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x1= 0=0D 
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index 9977b0f00a18..0a89749700c3 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf @@ -59,9 +59,12 @@ [FD.MEMFD] 0x00B000|0x001000=0D gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P= cdSevEsWorkAreaSize=0D =0D -0x00C000|0x001000=0D +0x00C000|0x000C00=0D gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGu= id.PcdSevLaunchSecretSize=0D =0D +0x00CC00|0x000400=0D +gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid= .PcdQemuHashTableSize=0D +=0D 0x00D000|0x001000=0D gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize=0D =0D diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index dc38f68919cd..d028c92d8cfa 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -47,3 +47,5 @@ [Pcd] [FixedPcd]=0D gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase=0D gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize=0D + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase=0D + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize=0D diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 9c0b5853a46f..7ec3c6e980c3 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm 
@@ -47,7 +47,27 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart = + 15) % 16)) DB 0 ;=0D guidedStructureStart:=0D =0D +; SEV Hash Table Block=0D ;=0D +; This describes the guest ram area where the hypervisor should=0D +; install a table describing the hashes of certain firmware configuration= =0D +; device files that would otherwise be passed in unchecked. The current=0D +; use is for the kernel, initrd and command line values, but others may be= =0D +; added. The data format is:=0D +;=0D +; base physical address (32 bit word)=0D +; table length (32 bit word)=0D +;=0D +; GUID (SEV FW config hash block): 7255371f-3a3b-4b04-927b-1da6efa8d454=0D +;=0D +sevFwHashBlockStart:=0D + DD SEV_FW_HASH_BLOCK_BASE=0D + DD SEV_FW_HASH_BLOCK_SIZE=0D + DW sevFwHashBlockEnd - sevFwHashBlockStart=0D + DB 0x1f, 0x37, 0x55, 0x72, 0x3b, 0x3a, 0x04, 0x4b=0D + DB 0x92, 0x7b, 0x1d, 0xa6, 0xef, 0xa8, 0xd4, 0x54=0D +sevFwHashBlockEnd:=0D +=0D ; SEV Secret block=0D ;=0D ; This describes the guest ram area where the hypervisor should=0D diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 5fbacaed5f9d..8d0bab02f8cb 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -88,5 +88,7 @@ %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase)=0D %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase)=0D %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize)=0D + %define SEV_FW_HASH_BLOCK_BASE FixedPcdGet32 (PcdQemuHashTableBase)=0D + %define SEV_FW_HASH_BLOCK_SIZE FixedPcdGet32 (PcdQemuHashTableSize)=0D %include "Ia16/ResetVectorVtf0.asm"=0D =0D --=20 2.25.1
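
Review bot: In the OvmfPkg/OvmfPkg.dec hunk, the comment above PcdQemuHashTableBase and PcdQemuHashTableSize does not record the property the commit message relies on, namely that this region is expected to be measured by the PSP at launch. Suggest stating that in the comment, along with the fact that the 0x0 defaults mean no region is reserved. The token values also jump from 0x43 to 0x47; worth confirming that 0x44 through 0x46 are already taken rather than skipped by accident.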
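
Review bot: In the OvmfPkg/AmdSev/AmdSevX64.fdf hunk, the launch secret region shrinks from 0x001000 to 0x000C00 with no comment in the file explaining the split, and nothing in the visible lines confirms that existing launch secret tables still fit in 3KB. The layout itself is consistent (0x00C000 + 0x000C00 = 0x00CC00 and 0x00CC00 + 0x000400 = 0x00D000, so the page is fully covered with no overlap). Suggest a short comment that the two regions deliberately share one 4KB page, one for launch secrets and one for the measured hash table, so that whoever next resizes either of them keeps the pair contiguous.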
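
Review bot: In the OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm hunk, the sevFwHashBlockStart entry is emitted unconditionally, but the .dec defaults for both PCDs are 0x0 and AmdSevX64.fdf is the only file in this patch that assigns them. ResetVector sits under OvmfPkg/ResetVector rather than OvmfPkg/AmdSev, so any build of it whose FDF does not set these PCDs would advertise the GUID with base 0 and size 0. Suggest either guarding the block on SEV_FW_HASH_BLOCK_SIZE being non-zero or documenting in the comment that consumers must treat a zero size as "no hash table". The comment also says where the hypervisor installs the table but not how the table itself is laid out; a pointer to where that format is defined would help.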
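
Review bot: In the OvmfPkg/ResetVector/ResetVector.nasmb hunk, the new macros are named SEV_FW_HASH_BLOCK_BASE and SEV_FW_HASH_BLOCK_SIZE while the PCDs they read are PcdQemuHashTableBase and PcdQemuHashTableSize, unlike the neighbouring SEV_LAUNCH_SECRET_BASE, which mirrors PcdSevLaunchSecretBase. Suggest aligning the macro, label and PCD names on one term (either "FW hash block" or "Qemu hash table") so a search for one finds the others.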