From: "Brijesh Singh"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth, Jiewen Yao
Subject: [PATCH v8 05/32] OvmfPkg: reserve SNP secrets page
Date: Mon, 20 Sep 2021 13:45:37 -0500
Message-ID: <20210920184604.31590-6-brijesh.singh@amd.com>
In-Reply-To: <20210920184604.31590-1-brijesh.singh@amd.com>
References: <20210920184604.31590-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

During the SNP guest
launch sequence, a special secrets page needs to be inserted by the VMM.
The PSP will populate the page; it will contain the VM Platform
Communication Key (VMPCKs) used by the guest to send and receive secure
messages to the PSP.

The purpose of the secrets page in SEV-SNP is different from the one
used in SEV guests. In SEV, the secrets page contains the guest owner's
private data after the remote attestation.

Add a new section for the secrets page in the OVMF metadata structure so
that the hypervisor can locate it.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec                      | 6 ++++++
 OvmfPkg/OvmfPkgX64.fdf                   | 3 +++
 OvmfPkg/ResetVector/ResetVector.inf      | 2 ++
 OvmfPkg/ResetVector/ResetVector.nasmb    | 3 +++
 OvmfPkg/ResetVector/X64/OvmfMetadata.asm | 9 +++++++++
 5 files changed, 23 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index c37dafad49bb..6266fdef6054 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -340,6 +340,12 @@ [PcdsFixedAtBuild] # header definition. gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader|0|= UINT32|0x51 =20 + ## The base address and size of the SEV-SNP Secrets Area that contains + # the VM platform communication key used to send and recieve the + # messages to the PSP. If this is set in the .fdf, the platform + # is responsible to reserve this area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x52 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x53 =20 [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 23936242e74a..5b871db20ab2 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf 
@@ -88,6 +88,9 @@ [FD.MEMFD] 0x00C000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize =20 +0x00D000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGui= d.PcdOvmfSnpSecretsSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index a2520dde5508..09454d0797e6 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -50,3 +50,5 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index bc61b1d05a24..f7d09acd33ed 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -77,6 +77,9 @@ %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) + %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) + %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) + %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/AmdSev.asm" %include "Ia32/PageTables64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm b/OvmfPkg/ResetVector= /X64/OvmfMetadata.asm index a1260a1ed029..bb348e1c6a79 100644 --- a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfMetadata.asm 
@@ -23,6 +23,9 @@ BITS 64 ; The section must be accepted or validated by the VMM before the boot %define OVMF_SECTION_TYPE_SEC_MEM 0x102 =20 +; AMD SEV-SNP specific sections +%define OVMF_SECTION_TYPE_SNP_SECRETS 0x200 + ALIGN 16 =20 TIMES (15 - ((OvmfGuidedStructureEnd - OvmfGuidedStructureStart + 15) % 16= )) DB 0 @@ -41,5 +44,11 @@ _Descriptor: DD OVMF_METADATA_VERSION ; Version DD (OvmfGuidedStructureEnd - _Descriptor - 16) / 12 ; Number of sections =20 +; SEV-SNP Secrets page +SevSnpSecrets: + DD SEV_SNP_SECRETS_BASE + DD SEV_SNP_SECRETS_SIZE + DD OVMF_SECTION_TYPE_SNP_SECRETS + OvmfGuidedStructureEnd: ALIGN 16 --=20 2.25.1
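Review bot: Spelling and grammar in the new PCD comment in the OvmfPkg.dec hunk: "recieve" should be "receive", and "the platform is responsible to reserve this area" reads better as "the platform is responsible for reserving this area".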
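Review bot: The OvmfPkgX64.fdf hunk sets PcdOvmfSnpSecretsBase/Size to the 0x00D000|0x001000 slot of FD.MEMFD, and the .dec comment in this same patch says a platform that does so "is responsible to reserve this area from DXE phase overwrites", yet nothing in this patch adds that reservation. If a later patch in the series carries it, the commit message should say so; otherwise the PSP-populated page is at risk of being reused before the guest reads the VMPCKs from it.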
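Review bot: In the OvmfMetadata.asm hunks the SevSnpSecrets entry is emitted unconditionally, so every build of this firmware now advertises a type 0x200 section whether or not it is launched as an SNP guest; the commit message should state that a VMM is expected to skip section types it does not recognise, and the new OVMF_SECTION_TYPE_SNP_SECRETS define deserves a comment like the one above OVMF_SECTION_TYPE_SEC_MEM describing what the VMM must do with the section. The section count "(OvmfGuidedStructureEnd - _Descriptor - 16) / 12" picks up the new 12-byte entry automatically, so that part needs no change.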
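The commit message says the new metadata section exists "so that the hypervisor can locate it". As an added example, not code from this patch or from OVMF or any VMM, this is a VMM-side walk of the metadata table that returns the SNP secrets page by its type 0x200 and rejects malformed tables. The 16-byte header and 12-byte sections follow from the count formula in the hunk; the header's first two fields (signature, total length), the version value, the 4 KiB-page check and all sample addresses are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Section types named in the patch; header/section sizes follow from
 * "(OvmfGuidedStructureEnd - _Descriptor - 16) / 12" in OvmfMetadata.asm. */
#define OVMF_SECTION_TYPE_SEC_MEM      0x102u
#define OVMF_SECTION_TYPE_SNP_SECRETS  0x200u
#define OVMF_METADATA_HDR_SIZE  16u
#define OVMF_SECTION_SIZE       12u
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}
/* Locate the SNP secrets section: 0 and base/size on success, -1 if the table
 * is malformed or has no (or more than one) such section. Header fields assumed:
 * signature, total length, version, section count; only the last two are in the hunk. */
int ovmf_find_snp_secrets(const uint8_t *desc, size_t len, uint32_t *base, uint32_t *size) {
    if (len < OVMF_METADATA_HDR_SIZE) return -1;
    uint32_t total = rd32(desc + 4), count = rd32(desc + 12);
    /* The count must agree with the advertised length, which must fit the buffer. */
    if ((uint64_t)total != OVMF_METADATA_HDR_SIZE + (uint64_t)count * OVMF_SECTION_SIZE ||
        total > len)
        return -1;
    int found = 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *sec = desc + OVMF_METADATA_HDR_SIZE + i * OVMF_SECTION_SIZE;
        uint32_t b = rd32(sec), s = rd32(sec + 4), t = rd32(sec + 8);
        if (t != OVMF_SECTION_TYPE_SNP_SECRETS) continue;  /* skip other/unknown types */
        /* The .fdf reserves one page-aligned 4 KiB page; accept nothing else, once. */
        if (found || s != 0x1000u || (b & 0xFFFu) || b + s < b) return -1;
        *base = b; *size = s; found = 1;
    }
    return found ? 0 : -1;
}

/* Constructed sample table: a SEC_MEM section followed by the secrets page.
 * All values are made up; the signature is a placeholder, not the real constant. */
size_t build_sample_metadata(uint8_t *out) {
    memcpy(out, "OVMF", 4);                                   /* placeholder signature */
    wr32(out + 4, OVMF_METADATA_HDR_SIZE + 2 * OVMF_SECTION_SIZE);  /* total length */
    wr32(out + 8, 1);                                         /* version (sample) */
    wr32(out + 12, 2);                                        /* number of sections */
    wr32(out + 16, 0x80C000u); wr32(out + 20, 0x1000u); wr32(out + 24, OVMF_SECTION_TYPE_SEC_MEM);
    wr32(out + 28, 0x80D000u); wr32(out + 32, 0x1000u); wr32(out + 36, OVMF_SECTION_TYPE_SNP_SECRETS);
    return OVMF_METADATA_HDR_SIZE + 2 * OVMF_SECTION_SIZE;
}
```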