* [PATCH v3 1/2] OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in OvmfPkgX64.fdf
2023-03-02 9:15 [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP Dov Murik
@ 2023-03-02 9:15 ` Dov Murik
2023-03-02 9:15 ` [PATCH v3 2/2] OvmfPkg/ResetVector: Define SNP metadata for kernel hashes Dov Murik
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Dov Murik @ 2023-03-02 9:15 UTC (permalink / raw)
To: devel
Cc: Dov Murik, Ard Biesheuvel, Jiewen Yao, Jordan Justen,
Gerd Hoffmann, Erdem Aktas, James Bottomley, Min Xu, Tom Lendacky,
Michael Roth, Ashish Kalra, Mario Smarduch,
Tobin Feldman-Fitzthum
Resize the MEMFD section of AmdSevX64.fdf and reorder its pages so that
it matches the same size and order used in OvmfPkgX64.fdf.
After this change, this is the difference in the MEMFD of the two
targets:
$ diff -u \
<(sed -ne '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/OvmfPkgX64.fdf) \
<(sed -ne '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/AmdSev/AmdSevX64.fdf)
--- /dev/fd/63 2023-02-16 07:06:15.365308683 +0000
+++ /dev/fd/62 2023-02-16 07:06:15.365308683 +0000
@@ -32,6 +32,12 @@
0x00E000|0x001000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
+0x00F000|0x000C00
+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+
+0x00FC00|0x000400
+gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
+
0x010000|0x010000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++++++++++----------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 5fb3b5d27632..54ba9ecf5149 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -36,10 +36,10 @@ FV = SECFV
[FD.MEMFD]
BaseAddress = $(MEMFD_BASE_ADDRESS)
-Size = 0xD00000
+Size = 0xE00000
ErasePolarity = 1
BlockSize = 0x10000
-NumBlocks = 0xD0
+NumBlocks = 0xE0
0x000000|0x006000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
@@ -59,21 +59,21 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmf
0x00B000|0x001000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize
-0x00C000|0x000C00
-gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
-
-0x00CC00|0x000400
-gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
-
-0x00D000|0x001000
+0x00C000|0x001000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize
-0x00E000|0x001000
+0x00D000|0x001000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize
-0x00F000|0x001000
+0x00E000|0x001000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
+0x00F000|0x000C00
+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+
+0x00FC00|0x000400
+gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
+
0x010000|0x010000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
@@ -81,12 +81,13 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.P
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
FV = PEIFV
-0x100000|0xC00000
+0x100000|0xD00000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
FV = DXEFV
##########################################################################################
-# Set the SEV-ES specific work area PCDs
+# Set the SEV-ES specific work area PCDs (used for all forms of SEV since the
+# the SEV STATUS MSR is now saved in the work area)
#
SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH v3 2/2] OvmfPkg/ResetVector: Define SNP metadata for kernel hashes
2023-03-02 9:15 [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP Dov Murik
2023-03-02 9:15 ` [PATCH v3 1/2] OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in OvmfPkgX64.fdf Dov Murik
@ 2023-03-02 9:15 ` Dov Murik
2023-03-02 16:35 ` [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP Lendacky, Thomas
2023-03-20 10:06 ` Gerd Hoffmann
3 siblings, 0 replies; 7+ messages in thread
From: Dov Murik @ 2023-03-02 9:15 UTC (permalink / raw)
To: devel
Cc: Dov Murik, Ard Biesheuvel, Jiewen Yao, Jordan Justen,
Gerd Hoffmann, Erdem Aktas, James Bottomley, Min Xu, Tom Lendacky,
Michael Roth, Ashish Kalra, Mario Smarduch,
Tobin Feldman-Fitzthum
In order to allow the VMM (such as QEMU) to add a page with hashes of
kernel/initrd/cmdline for measured direct boot on SNP, add it explicitly
to the SNP metadata list report to the VMM.
In such case, VMM should fill the page with the hashes content, or
explicitly update it as a zero page (if kernel hashes are not used).
Note that for SNP, the launch secret part of the page (lower 3KB) are
not relevant and will remain zero. The last 1KB is used for the hashes.
This should have no effect on OvmfPkgX64 targets (which don't define
PcdSevLaunchSecretBase).
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
OvmfPkg/ResetVector/ResetVector.nasmb | 11 ++++++++++-
OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 11 +++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 94fbb0a87b37..5832aaa8abf7 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -64,6 +64,15 @@
%define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize))
%define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase))
%define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize))
+%if (FixedPcdGet32 (PcdSevLaunchSecretBase) > 0)
+ ; There's a reserved page for SEV secrets and hashes; the VMM will fill and
+ ; validate the page, or mark it as a zero page.
+ %define SEV_SNP_KERNEL_HASHES_BASE (FixedPcdGet32 (PcdSevLaunchSecretBase))
+ %define SEV_SNP_KERNEL_HASHES_SIZE (FixedPcdGet32 (PcdSevLaunchSecretSize) + FixedPcdGet32 (PcdQemuHashTableSize))
+%else
+ %define SEV_SNP_KERNEL_HASHES_BASE 0
+ %define SEV_SNP_KERNEL_HASHES_SIZE 0
+%endif
%define SNP_SEC_MEM_BASE_DESC_1 (FixedPcdGet32 (PcdOvmfSecPageTablesBase))
%define SNP_SEC_MEM_SIZE_DESC_1 (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1)
;
@@ -75,7 +84,7 @@
;
%define SNP_SEC_MEM_BASE_DESC_2 (GHCB_BASE + 0x1000)
%define SNP_SEC_MEM_SIZE_DESC_2 (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2)
-%define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE)
+%define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE + SEV_SNP_KERNEL_HASHES_SIZE)
%define SNP_SEC_MEM_SIZE_DESC_3 (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3)
%ifdef ARCH_X64
diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
index d03fc6d45175..8aa77d870123 100644
--- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
+++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
@@ -26,6 +26,8 @@ BITS 64
;
%define OVMF_SECTION_TYPE_CPUID 0x3
+; Kernel hashes section for measured direct boot
+%define OVMF_SECTION_TYPE_KERNEL_HASHES 0x10
ALIGN 16
@@ -65,6 +67,15 @@ CpuidSec:
DD CPUID_SIZE
DD OVMF_SECTION_TYPE_CPUID
+%if (SEV_SNP_KERNEL_HASHES_BASE > 0)
+; Kernel hashes for measured direct boot, or zero page if
+; there are no kernel hashes / SEV secrets
+SevSnpKernelHashes:
+ DD SEV_SNP_KERNEL_HASHES_BASE
+ DD SEV_SNP_KERNEL_HASHES_SIZE
+ DD OVMF_SECTION_TYPE_KERNEL_HASHES
+%endif
+
; Region need to be pre-validated by the hypervisor
PreValidate3:
DD SNP_SEC_MEM_BASE_DESC_3
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP
2023-03-02 9:15 [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP Dov Murik
2023-03-02 9:15 ` [PATCH v3 1/2] OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in OvmfPkgX64.fdf Dov Murik
2023-03-02 9:15 ` [PATCH v3 2/2] OvmfPkg/ResetVector: Define SNP metadata for kernel hashes Dov Murik
@ 2023-03-02 16:35 ` Lendacky, Thomas
2023-03-20 10:06 ` Gerd Hoffmann
3 siblings, 0 replies; 7+ messages in thread
From: Lendacky, Thomas @ 2023-03-02 16:35 UTC (permalink / raw)
To: Dov Murik, devel
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, Gerd Hoffmann,
Erdem Aktas, James Bottomley, Min Xu, Michael Roth, Ashish Kalra,
Mario Smarduch, Tobin Feldman-Fitzthum
On 3/2/23 03:15, Dov Murik wrote:
> AMD SEV and SEV-ES support measured direct boot with
> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
> during boot.
>
> To enable the same approach for AMD SEV-SNP, we declare the kernel
> hashes page in the SNP metadata list as a new region type. When QEMU
> encounters that region in the list, it will insert the hashes of
> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
> kernel hashes, it will validate the page as a zero page).
>
> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
> the same order both as in the main target (OvmfPkgX64), with the
> exception of the SEV Launch Secret page which isn't defined in
> OvmfPkgX64.
>
> The second patch modifies the SNP metadata structure such that on
> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
> metadata list, and therefore it is not included in the ranges that are
> pre-validated (zero pages) by the VMM; instead the VMM will insert
> content into this page (the hashes table), or mark it explicitly as a
> zero page if no hashes are added.
>
> This series is available at:
> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
>
> A corresponding QEMU RFC series will be published soon in qemu-devel, or
> use this tree:
> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3
>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Ashish Kalra <ashish.kalra@amd.com>
> Cc: Mario Smarduch <mario.smarduch@amd.com>
> Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
For the series:
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
>
> ---
>
> v3 changes:
> * Define the kernel hashes page in the SNP metadata table (thanks Tom)
>
> v2: https://edk2.groups.io/g/devel/message/100362
> v2 changes:
> * Rebased on master
> * Updated AmdSev MEMFD size to match OvmfX64
>
> v1: https://edk2.groups.io/g/devel/message/88137
>
> Dov Murik (2):
> OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in
> OvmfPkgX64.fdf
> OvmfPkg/ResetVector: Define SNP metadata for kernel hashes
>
> OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++++++++++----------
> OvmfPkg/ResetVector/ResetVector.nasmb | 11 +++++++-
> OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 11 ++++++++
> 3 files changed, 35 insertions(+), 14 deletions(-)
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP
2023-03-02 9:15 [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP Dov Murik
` (2 preceding siblings ...)
2023-03-02 16:35 ` [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP Lendacky, Thomas
@ 2023-03-20 10:06 ` Gerd Hoffmann
2023-11-27 20:03 ` [edk2-devel] " Lendacky, Thomas via groups.io
3 siblings, 1 reply; 7+ messages in thread
From: Gerd Hoffmann @ 2023-03-20 10:06 UTC (permalink / raw)
To: Dov Murik
Cc: devel, Ard Biesheuvel, Jiewen Yao, Jordan Justen, Erdem Aktas,
James Bottomley, Min Xu, Tom Lendacky, Michael Roth, Ashish Kalra,
Mario Smarduch, Tobin Feldman-Fitzthum
On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote:
> AMD SEV and SEV-ES support measured direct boot with
> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
> during boot.
>
> To enable the same approach for AMD SEV-SNP, we declare the kernel
> hashes page in the SNP metadata list as a new region type. When QEMU
> encounters that region in the list, it will insert the hashes of
> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
> kernel hashes, it will validate the page as a zero page).
>
> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
> the same order both as in the main target (OvmfPkgX64), with the
> exception of the SEV Launch Secret page which isn't defined in
> OvmfPkgX64.
>
> The second patch modifies the SNP metadata structure such that on
> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
> metadata list, and therefore it is not included in the ranges that are
> pre-validated (zero pages) by the VMM; instead the VMM will insert
> content into this page (the hashes table), or mark it explicitly as a
> zero page if no hashes are added.
>
> This series is available at:
> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
>
> A corresponding QEMU RFC series will be published soon in qemu-devel, or
> use this tree:
> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3
For the series:
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [edk2-devel] [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP
2023-03-20 10:06 ` Gerd Hoffmann
@ 2023-11-27 20:03 ` Lendacky, Thomas via groups.io
2023-11-28 11:07 ` Ard Biesheuvel
0 siblings, 1 reply; 7+ messages in thread
From: Lendacky, Thomas via groups.io @ 2023-11-27 20:03 UTC (permalink / raw)
To: Ard Biesheuvel, Jiewen Yao, Jordan Justen
Cc: devel, Erdem Aktas, James Bottomley, Min Xu, Michael Roth,
Ashish Kalra, Mario Smarduch, Tobin Feldman-Fitzthum,
Gerd Hoffmann
On 3/20/23 05:06, Gerd Hoffmann wrote:
> On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote:
>> AMD SEV and SEV-ES support measured direct boot with
>> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
>> during boot.
>>
>> To enable the same approach for AMD SEV-SNP, we declare the kernel
>> hashes page in the SNP metadata list as a new region type. When QEMU
>> encounters that region in the list, it will insert the hashes of
>> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
>> kernel hashes, it will validate the page as a zero page).
>>
>> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
>> the same order both as in the main target (OvmfPkgX64), with the
>> exception of the SEV Launch Secret page which isn't defined in
>> OvmfPkgX64.
>>
>> The second patch modifies the SNP metadata structure such that on
>> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
>> metadata list, and therefore it is not included in the ranges that are
>> pre-validated (zero pages) by the VMM; instead the VMM will insert
>> content into this page (the hashes table), or mark it explicitly as a
>> zero page if no hashes are added.
>>
>> This series is available at:
>> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
>>
>> A corresponding QEMU RFC series will be published soon in qemu-devel, or
>> use this tree:
>> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3
>
> For the series:
> Acked-by: Gerd Hoffmann <kraxel@redhat.com>
I've noticed that series was never picked up. Any chance that this can be
merged?
Thanks,
Tom
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#111760): https://edk2.groups.io/g/devel/message/111760
Mute This Topic: https://groups.io/mt/97335488/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [edk2-devel] [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP
2023-11-27 20:03 ` [edk2-devel] " Lendacky, Thomas via groups.io
@ 2023-11-28 11:07 ` Ard Biesheuvel
0 siblings, 0 replies; 7+ messages in thread
From: Ard Biesheuvel @ 2023-11-28 11:07 UTC (permalink / raw)
To: Tom Lendacky
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, devel, Erdem Aktas,
James Bottomley, Min Xu, Michael Roth, Ashish Kalra,
Mario Smarduch, Tobin Feldman-Fitzthum, Gerd Hoffmann
On Mon, 27 Nov 2023 at 21:04, Tom Lendacky <thomas.lendacky@amd.com> wrote:
>
> On 3/20/23 05:06, Gerd Hoffmann wrote:
> > On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote:
> >> AMD SEV and SEV-ES support measured direct boot with
> >> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
> >> during boot.
> >>
> >> To enable the same approach for AMD SEV-SNP, we declare the kernel
> >> hashes page in the SNP metadata list as a new region type. When QEMU
> >> encounters that region in the list, it will insert the hashes of
> >> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
> >> kernel hashes, it will validate the page as a zero page).
> >>
> >> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
> >> the same order both as in the main target (OvmfPkgX64), with the
> >> exception of the SEV Launch Secret page which isn't defined in
> >> OvmfPkgX64.
> >>
> >> The second patch modifies the SNP metadata structure such that on
> >> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
> >> metadata list, and therefore it is not included in the ranges that are
> >> pre-validated (zero pages) by the VMM; instead the VMM will insert
> >> content into this page (the hashes table), or mark it explicitly as a
> >> zero page if no hashes are added.
> >>
> >> This series is available at:
> >> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
> >>
> >> A corresponding QEMU RFC series will be published soon in qemu-devel, or
> >> use this tree:
> >> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3
> >
> > For the series:
> > Acked-by: Gerd Hoffmann <kraxel@redhat.com>
>
> I've noticed that series was never picked up. Any chance that this can be
> merged?
>
Queued up now
Apologies for the delay.
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#111808): https://edk2.groups.io/g/devel/message/111808
Mute This Topic: https://groups.io/mt/97335488/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
^ permalink raw reply [flat|nested] 7+ messages in thread