public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Erdem Aktas <erdemaktas@google.com>,
	James Bottomley <jejb@linux.ibm.com>, Min Xu <min.m.xu@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Michael Roth <michael.roth@amd.com>,
	Ashish Kalra <ashish.kalra@amd.com>,
	Mario Smarduch <mario.smarduch@amd.com>,
	Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Subject: [RESEND] [PATCH v2 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP
Date: Mon, 20 Feb 2023 08:49:40 +0000	[thread overview]
Message-ID: <20230220084942.1292756-1-dovmurik@linux.ibm.com> (raw)

[Resending due to missing Cc in actual patches emails.]

(Note: This is a new version of this one-year-old patch series; the v1
series [1] got a few Acked-by but it's been so long that I don't
consider them relevant anymore.)

AMD SEV and SEV-ES support measured direct boot with
kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
during boot.

To enable the same approach for AMD SEV-SNP we make sure the page in
which QEMU inserts the hashes of kernel/initrd/cmdline is not already
pre-validated, as SNP doesn't allow validating a page twice.

The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
the same order both as in the main target (OvmfPkgX64), with the
exception of the SEV Launch Secret page which isn't defined in
OvmfPkgX64.

The second patch modifies the SNP metadata structure such that on
AmdSev target the SEV Launch Secret page is not included in the ranges
that are pre-validated (zero pages) by the VMM; instead the VMM will
insert content into this page (the hashes table), or mark it explicitly
as a zero page if no hashes are added.

This series is available at:
https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v2

The corresponding RFC patch series for QEMU is in:
https://lore.kernel.org/qemu-devel/20230216084913.2148508-1-dovmurik@linux.ibm.com/
or use this tree:
https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v2

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Mario Smarduch <mario.smarduch@amd.com>
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>

---

v2 changes:
* Rebased on master
* Updated AmdSev MEMFD size to match OvmfX64

v1:
[1] https://edk2.groups.io/g/devel/message/88137


Dov Murik (2):
  OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in
    OvmfPkgX64.fdf
  OvmfPkg/ResetVector: Exclude SEV launch secrets page from
    pre-validation

 OvmfPkg/AmdSev/AmdSevX64.fdf          | 27 ++++++++++----------
 OvmfPkg/ResetVector/ResetVector.nasmb | 14 +++++++++-
 2 files changed, 27 insertions(+), 14 deletions(-)

-- 
2.25.1


             reply	other threads:[~2023-02-20  8:49 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-20  8:49 Dov Murik [this message]
2023-02-20  8:49 ` [RESEND] [PATCH v2 1/2] OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in OvmfPkgX64.fdf Dov Murik
2023-02-20  8:49 ` [RESEND] [PATCH v2 2/2] OvmfPkg/ResetVector: Exclude SEV launch secrets page from pre-validation Dov Murik
2023-02-20 14:44   ` Lendacky, Thomas
2023-02-21  9:38     ` Gerd Hoffmann
2023-02-23 14:58       ` Dov Murik
2023-02-23 15:04         ` Dov Murik
2023-02-27 18:50           ` Lendacky, Thomas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230220084942.1292756-1-dovmurik@linux.ibm.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox