[PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP

[PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP

[Dov Murik]

AMD SEV and SEV-ES support measured direct boot with
kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
during boot.

To enable the same approach for AMD SEV-SNP, we declare the kernel
hashes page in the SNP metadata list as a new region type.  When QEMU
encounters that region in the list, it will insert the hashes of
kernel/initrd/cmdline and encrypt the page (or, if the user turned off
kernel hashes, it will validate the page as a zero page).

The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
the same order both as in the main target (OvmfPkgX64), with the
exception of the SEV Launch Secret page which isn't defined in
OvmfPkgX64.

The second patch modifies the SNP metadata structure such that on
AmdSev target the SEV Launch Secret page is explicitly defined in SNP
metadata list, and therefore it is not included in the ranges that are
pre-validated (zero pages) by the VMM; instead the VMM will insert
content into this page (the hashes table), or mark it explicitly as a
zero page if no hashes are added.

This series is available at:
https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3

A corresponding QEMU RFC series will be published soon in qemu-devel, or
use this tree:
https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Mario Smarduch <mario.smarduch@amd.com>
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>

---

v3 changes:
* Define the kernel hashes page in the SNP metadata table (thanks Tom)

v2: https://edk2.groups.io/g/devel/message/100362
v2 changes:
* Rebased on master
* Updated AmdSev MEMFD size to match OvmfX64

v1: https://edk2.groups.io/g/devel/message/88137

Dov Murik (2):
  OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in
    OvmfPkgX64.fdf
  OvmfPkg/ResetVector: Define SNP metadata for kernel hashes

 OvmfPkg/AmdSev/AmdSevX64.fdf                | 27 ++++++++++----------
 OvmfPkg/ResetVector/ResetVector.nasmb       | 11 +++++++-
 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 11 ++++++++
 3 files changed, 35 insertions(+), 14 deletions(-)

-- 
2.25.1

[PATCH v3 1/2] OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in OvmfPkgX64.fdf

[Dov Murik]

Resize the MEMFD section of AmdSevX64.fdf and reorder its pages so that
it matches the same size and order used in OvmfPkgX64.fdf.

After this change, this is the difference in the MEMFD of the two
targets:

$ diff -u \
       <(sed -ne '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/OvmfPkgX64.fdf) \
       <(sed -ne '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/AmdSev/AmdSevX64.fdf)
--- /dev/fd/63  2023-02-16 07:06:15.365308683 +0000
+++ /dev/fd/62  2023-02-16 07:06:15.365308683 +0000
@@ -32,6 +32,12 @@
 0x00E000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize

+0x00F000|0x000C00
+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+
+0x00FC00|0x000400
+gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
+
 0x010000|0x010000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
 OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++++++++++----------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 5fb3b5d27632..54ba9ecf5149 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -36,10 +36,10 @@ FV = SECFV
 
 [FD.MEMFD]
 BaseAddress   = $(MEMFD_BASE_ADDRESS)
-Size          = 0xD00000
+Size          = 0xE00000
 ErasePolarity = 1
 BlockSize     = 0x10000
-NumBlocks     = 0xD0
+NumBlocks     = 0xE0
 
 0x000000|0x006000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
@@ -59,21 +59,21 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmf
 0x00B000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize
 
-0x00C000|0x000C00
-gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
-
-0x00CC00|0x000400
-gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
-
-0x00D000|0x001000
+0x00C000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize
 
-0x00E000|0x001000
+0x00D000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize
 
-0x00F000|0x001000
+0x00E000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize
 
+0x00F000|0x000C00
+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+
+0x00FC00|0x000400
+gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
+
 0x010000|0x010000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
 
@@ -81,12 +81,13 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.P
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
 FV = PEIFV
 
-0x100000|0xC00000
+0x100000|0xD00000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
 FV = DXEFV
 
 ##########################################################################################
-# Set the SEV-ES specific work area PCDs
+# Set the SEV-ES specific work area PCDs (used for all forms of SEV since the
+# the SEV STATUS MSR is now saved in the work area)
 #
 SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) +  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
 SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
-- 
2.25.1

[PATCH v3 2/2] OvmfPkg/ResetVector: Define SNP metadata for kernel hashes

[Dov Murik]

In order to allow the VMM (such as QEMU) to add a page with hashes of
kernel/initrd/cmdline for measured direct boot on SNP, add it explicitly
to the SNP metadata list report to the VMM.

In such case, VMM should fill the page with the hashes content, or
explicitly update it as a zero page (if kernel hashes are not used).

Note that for SNP, the launch secret part of the page (lower 3KB) are
not relevant and will remain zero.  The last 1KB is used for the hashes.

This should have no effect on OvmfPkgX64 targets (which don't define
PcdSevLaunchSecretBase).

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
 OvmfPkg/ResetVector/ResetVector.nasmb       | 11 ++++++++++-
 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 11 +++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 94fbb0a87b37..5832aaa8abf7 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -64,6 +64,15 @@
 %define SEV_SNP_SECRETS_SIZE          (FixedPcdGet32 (PcdOvmfSnpSecretsSize))
 %define CPUID_BASE                    (FixedPcdGet32 (PcdOvmfCpuidBase))
 %define CPUID_SIZE                    (FixedPcdGet32 (PcdOvmfCpuidSize))
+%if (FixedPcdGet32 (PcdSevLaunchSecretBase) > 0)
+  ; There's a reserved page for SEV secrets and hashes; the VMM will fill and
+  ; validate the page, or mark it as a zero page.
+  %define SEV_SNP_KERNEL_HASHES_BASE    (FixedPcdGet32 (PcdSevLaunchSecretBase))
+  %define SEV_SNP_KERNEL_HASHES_SIZE    (FixedPcdGet32 (PcdSevLaunchSecretSize) + FixedPcdGet32 (PcdQemuHashTableSize))
+%else
+  %define SEV_SNP_KERNEL_HASHES_BASE    0
+  %define SEV_SNP_KERNEL_HASHES_SIZE    0
+%endif
 %define SNP_SEC_MEM_BASE_DESC_1       (FixedPcdGet32 (PcdOvmfSecPageTablesBase))
 %define SNP_SEC_MEM_SIZE_DESC_1       (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1)
 ;
@@ -75,7 +84,7 @@
 ;
 %define SNP_SEC_MEM_BASE_DESC_2       (GHCB_BASE + 0x1000)
 %define SNP_SEC_MEM_SIZE_DESC_2       (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2)
-%define SNP_SEC_MEM_BASE_DESC_3       (CPUID_BASE + CPUID_SIZE)
+%define SNP_SEC_MEM_BASE_DESC_3       (CPUID_BASE + CPUID_SIZE + SEV_SNP_KERNEL_HASHES_SIZE)
 %define SNP_SEC_MEM_SIZE_DESC_3       (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3)
 
 %ifdef ARCH_X64
diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
index d03fc6d45175..8aa77d870123 100644
--- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
+++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm
@@ -26,6 +26,8 @@ BITS  64
 ;
 %define OVMF_SECTION_TYPE_CPUID           0x3
 
+; Kernel hashes section for measured direct boot
+%define OVMF_SECTION_TYPE_KERNEL_HASHES   0x10
 
 ALIGN 16
 
@@ -65,6 +67,15 @@ CpuidSec:
   DD  CPUID_SIZE
   DD  OVMF_SECTION_TYPE_CPUID
 
+%if (SEV_SNP_KERNEL_HASHES_BASE > 0)
+; Kernel hashes for measured direct boot, or zero page if
+; there are no kernel hashes / SEV secrets
+SevSnpKernelHashes:
+  DD  SEV_SNP_KERNEL_HASHES_BASE
+  DD  SEV_SNP_KERNEL_HASHES_SIZE
+  DD  OVMF_SECTION_TYPE_KERNEL_HASHES
+%endif
+
 ; Region need to be pre-validated by the hypervisor
 PreValidate3:
   DD  SNP_SEC_MEM_BASE_DESC_3
-- 
2.25.1

Re: [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP

[Lendacky, Thomas]

On 3/2/23 03:15, Dov Murik wrote:
> AMD SEV and SEV-ES support measured direct boot with
> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
> during boot.
> 
> To enable the same approach for AMD SEV-SNP, we declare the kernel
> hashes page in the SNP metadata list as a new region type.  When QEMU
> encounters that region in the list, it will insert the hashes of
> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
> kernel hashes, it will validate the page as a zero page).
> 
> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
> the same order both as in the main target (OvmfPkgX64), with the
> exception of the SEV Launch Secret page which isn't defined in
> OvmfPkgX64.
> 
> The second patch modifies the SNP metadata structure such that on
> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
> metadata list, and therefore it is not included in the ranges that are
> pre-validated (zero pages) by the VMM; instead the VMM will insert
> content into this page (the hashes table), or mark it explicitly as a
> zero page if no hashes are added.
> 
> This series is available at:
> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
> 
> A corresponding QEMU RFC series will be published soon in qemu-devel, or
> use this tree:
> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3
> 
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Erdem Aktas <erdemaktas@google.com>
> Cc: James Bottomley <jejb@linux.ibm.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>
> Cc: Michael Roth <michael.roth@amd.com>
> Cc: Ashish Kalra <ashish.kalra@amd.com>
> Cc: Mario Smarduch <mario.smarduch@amd.com>
> Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>

For the series:

Acked-by: Tom Lendacky <thomas.lendacky@amd.com>

> 
> ---
> 
> v3 changes:
> * Define the kernel hashes page in the SNP metadata table (thanks Tom)
> 
> v2: https://edk2.groups.io/g/devel/message/100362
> v2 changes:
> * Rebased on master
> * Updated AmdSev MEMFD size to match OvmfX64
> 
> v1: https://edk2.groups.io/g/devel/message/88137
> 
> Dov Murik (2):
>    OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in
>      OvmfPkgX64.fdf
>    OvmfPkg/ResetVector: Define SNP metadata for kernel hashes
> 
>   OvmfPkg/AmdSev/AmdSevX64.fdf                | 27 ++++++++++----------
>   OvmfPkg/ResetVector/ResetVector.nasmb       | 11 +++++++-
>   OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 11 ++++++++
>   3 files changed, 35 insertions(+), 14 deletions(-)
> 

Re: [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP

[Gerd Hoffmann]

On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote:
> AMD SEV and SEV-ES support measured direct boot with
> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
> during boot.
> 
> To enable the same approach for AMD SEV-SNP, we declare the kernel
> hashes page in the SNP metadata list as a new region type.  When QEMU
> encounters that region in the list, it will insert the hashes of
> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
> kernel hashes, it will validate the page as a zero page).
> 
> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
> the same order both as in the main target (OvmfPkgX64), with the
> exception of the SEV Launch Secret page which isn't defined in
> OvmfPkgX64.
> 
> The second patch modifies the SNP metadata structure such that on
> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
> metadata list, and therefore it is not included in the ranges that are
> pre-validated (zero pages) by the VMM; instead the VMM will insert
> content into this page (the hashes table), or mark it explicitly as a
> zero page if no hashes are added.
> 
> This series is available at:
> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
> 
> A corresponding QEMU RFC series will be published soon in qemu-devel, or
> use this tree:
> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3

For the series:
Acked-by: Gerd Hoffmann <kraxel@redhat.com>

Re: [edk2-devel] [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP

[Lendacky, Thomas via groups.io]

On 3/20/23 05:06, Gerd Hoffmann wrote:
> On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote:
>> AMD SEV and SEV-ES support measured direct boot with
>> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
>> during boot.
>>
>> To enable the same approach for AMD SEV-SNP, we declare the kernel
>> hashes page in the SNP metadata list as a new region type.  When QEMU
>> encounters that region in the list, it will insert the hashes of
>> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
>> kernel hashes, it will validate the page as a zero page).
>>
>> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
>> the same order both as in the main target (OvmfPkgX64), with the
>> exception of the SEV Launch Secret page which isn't defined in
>> OvmfPkgX64.
>>
>> The second patch modifies the SNP metadata structure such that on
>> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
>> metadata list, and therefore it is not included in the ranges that are
>> pre-validated (zero pages) by the VMM; instead the VMM will insert
>> content into this page (the hashes table), or mark it explicitly as a
>> zero page if no hashes are added.
>>
>> This series is available at:
>> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
>>
>> A corresponding QEMU RFC series will be published soon in qemu-devel, or
>> use this tree:
>> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3
> 
> For the series:
> Acked-by: Gerd Hoffmann <kraxel@redhat.com>

I've noticed that series was never picked up. Any chance that this can be 
merged?

Thanks,
Tom

> 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#111760): https://edk2.groups.io/g/devel/message/111760
Mute This Topic: https://groups.io/mt/97335488/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v3 0/2] OvmfPkg: Enable measured direct boot on AMD SEV-SNP

[Ard Biesheuvel]

On Mon, 27 Nov 2023 at 21:04, Tom Lendacky <thomas.lendacky@amd.com> wrote:
>
> On 3/20/23 05:06, Gerd Hoffmann wrote:
> > On Thu, Mar 02, 2023 at 09:15:30AM +0000, Dov Murik wrote:
> >> AMD SEV and SEV-ES support measured direct boot with
> >> kernel/initrd/cmdline hashes injected by QEMU and verified by OVMF
> >> during boot.
> >>
> >> To enable the same approach for AMD SEV-SNP, we declare the kernel
> >> hashes page in the SNP metadata list as a new region type.  When QEMU
> >> encounters that region in the list, it will insert the hashes of
> >> kernel/initrd/cmdline and encrypt the page (or, if the user turned off
> >> kernel hashes, it will validate the page as a zero page).
> >>
> >> The first patch rearranges the pages in AmdSevX64's MEMFD so they are in
> >> the same order both as in the main target (OvmfPkgX64), with the
> >> exception of the SEV Launch Secret page which isn't defined in
> >> OvmfPkgX64.
> >>
> >> The second patch modifies the SNP metadata structure such that on
> >> AmdSev target the SEV Launch Secret page is explicitly defined in SNP
> >> metadata list, and therefore it is not included in the ranges that are
> >> pre-validated (zero pages) by the VMM; instead the VMM will insert
> >> content into this page (the hashes table), or mark it explicitly as a
> >> zero page if no hashes are added.
> >>
> >> This series is available at:
> >> https://github.com/confidential-containers-demo/edk2/tree/snp-kernel-hashes-v3
> >>
> >> A corresponding QEMU RFC series will be published soon in qemu-devel, or
> >> use this tree:
> >> https://github.com/confidential-containers-demo/qemu/tree/snp-kernel-hashes-v3
> >
> > For the series:
> > Acked-by: Gerd Hoffmann <kraxel@redhat.com>
>
> I've noticed that series was never picked up. Any chance that this can be
> merged?
>

Queued up now

Apologies for the delay.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#111808): https://edk2.groups.io/g/devel/message/111808
Mute This Topic: https://groups.io/mt/97335488/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-