From: "Brijesh Singh"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [PATCH v7 04/31] OvmfPkg: reserve SNP secrets page
Date: Mon, 13 Sep 2021 13:19:14 -0500
Message-ID: <20210913181941.23405-5-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

During the SNP guest launch sequence, a special secrets page needs to be inserted by the VMM. The PSP will populate the page; it will contain the VM Platform Communication Key (VMPCKs) used by the guest to send and receive secure messages to the PSP.

The purpose of the secrets page in the SEV-SNP is different from the one used in SEV guests. In SEV, the secrets page contains the guest owner's private data after the remote attestation.

Add a new section for the secrets page in the OVMF metadata structure so that the hypervisor can locate it.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec                      | 6 ++++++
 OvmfPkg/OvmfPkgX64.fdf                   | 3 +++
 OvmfPkg/ResetVector/ResetVector.inf      | 2 ++
 OvmfPkg/ResetVector/ResetVector.nasmb    | 3 +++
 OvmfPkg/ResetVector/X64/OvmfMetadata.asm | 9 +++++++++
 5 files changed, 23 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index c37dafad49bb..6266fdef6054 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -340,6 +340,12 @@ [PcdsFixedAtBuild] # header definition. gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader|0|= UINT32|0x51 =20 + ## The base address and size of the SEV-SNP Secrets Area that contains + # the VM platform communication key used to send and recieve the + # messages to the PSP. If this is set in the .fdf, the platform + # is responsible to reserve this area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x52 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x53 =20 [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 23936242e74a..5b871db20ab2 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -88,6 +88,9 @@ [FD.MEMFD] 0x00C000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize =20 +0x00D000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGui= d.PcdOvmfSnpSecretsSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index a2520dde5508..09454d0797e6 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -50,3 +50,5 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index bc61b1d05a24..f7d09acd33ed 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -77,6 +77,9 @@ %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) + %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) + %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) + %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/AmdSev.asm" %include "Ia32/PageTables64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm b/OvmfPkg/ResetVector= /X64/OvmfMetadata.asm index a1260a1ed029..bb348e1c6a79 100644 --- a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfMetadata.asm @@ -23,6 +23,9 @@ BITS 64 ; The section must be accepted or validated by the VMM before the boot %define OVMF_SECTION_TYPE_SEC_MEM 0x102 =20 +; AMD SEV-SNP specific sections +%define OVMF_SECTION_TYPE_SNP_SECRETS 0x200 + ALIGN 16 =20 TIMES (15 - ((OvmfGuidedStructureEnd - OvmfGuidedStructureStart + 15) % 16= )) DB 0 @@ -41,5 +44,11 @@ _Descriptor: DD OVMF_METADATA_VERSION ; Version DD (OvmfGuidedStructureEnd - _Descriptor - 16) / 12 ; Number of sections =20 +; SEV-SNP Secrets page +SevSnpSecrets: + DD SEV_SNP_SECRETS_BASE + DD SEV_SNP_SECRETS_SIZE + DD OVMF_SECTION_TYPE_SNP_SECRETS + OvmfGuidedStructureEnd: ALIGN 16 --=20 2.17.1
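Review bot: typo in the new PCD comment in OvmfPkg.dec, "recieve" should be "receive", and "the platform is responsible to reserve this area from DXE phase overwrites" reads better as "the platform is responsible for reserving this area so that the DXE phase does not overwrite it". Since the comment places that reservation on the platform, the commit message should say where it happens: the .fdf carve-out in this patch only lays the region out in MEMFD, it does not by itself stop DXE from reusing the page that holds the VMPCKs.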
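Review bot: the 0x00D000|0x001000 entry in OvmfPkgX64.fdf slots in between the GHCB backup page at 0x00C000 and the temporary RAM at 0x010000, so the layout is consistent, but only the X64 .fdf sets PcdOvmfSnpSecretsBase/Size; any other build that shares ResetVector and OvmfMetadata.asm inherits the 0 defaults from the .dec. Please state in the commit message which .fdf files are expected to define these PCDs.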
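Review bot: OVMF_SECTION_TYPE_SNP_SECRETS 0x200 is a new value in the firmware/VMM contract (the existing types end at 0x102 for SEC_MEM); a comment next to the %define pointing to where the section type numbering is documented, or at least stating that 0x2xx is reserved for SEV-SNP sections, would help reviewers on the VMM side keep the two in sync.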
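Review bot: the SevSnpSecrets section in OvmfMetadata.asm is emitted unconditionally, so a build whose .fdf does not set PcdOvmfSnpSecretsBase/Size advertises an OVMF_SECTION_TYPE_SNP_SECRETS entry with base 0 and size 0. Either guard the three DD lines on SEV_SNP_SECRETS_SIZE being non-zero, or document that the VMM must treat a zero-size entry as "no secrets page" so it is never mistaken for a request to populate page 0. The section count expression (OvmfGuidedStructureEnd - _Descriptor - 16) / 12 still works since the new entry is exactly three DDs.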