From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min M Xu, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Michael Roth, Gerd Hoffmann, Joey Lee
Subject: [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest
Date: Wed, 29 Mar 2023 13:23:10 +0800
Message-Id: <20230329052310.27-1-min.m.xu@intel.com>
X-Mailer: git-send-email 2.39.1.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Min M Xu

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4379

PlatformInitEmuVariableNvStore is called to initialize the EmuVariableNvStore with the content pointed to by PcdOvmfFlashNvStorageVariableBase. This is because when OVMF is launched with the -bios parameter, UEFI variables will be partially emulated, and non-volatile variables may lose their contents after a reboot. This makes the secure boot feature not work.

But in an SEV guest, this design doesn't work, because at this point the variable store mapping is still private/encrypted, so OVMF will see ciphertext. So we skip the call to PlatformInitEmuVariableNvStore in an SEV guest.

Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Michael Roth
Cc: Gerd Hoffmann
Reported-by: Joey Lee
Tested-by: Joey Lee
Signed-off-by: Min Xu
---
 OvmfPkg/PlatformPei/Platform.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index 148240342b4b..be9ba3e00124 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -223,7 +223,20 @@ ReserveEmuVariableNvStore ( PcdStatus = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore); #ifdef SECURE_BOOT_FEATURE_ENABLED - PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore); + // + // PlatformInitEmuVariableNvStore is called to initialize the EmuVariableNvStore + // with the content pointed by PcdOvmfFlashNvStorageVariableBase. This is because + // when OVMF is launched with -bios parameter, UEFI variables will be partially emulated, + // and non-volatile variables may lose their contents after a reboot. This makes the secure + // boot feature not working. + // But in SEV guest, this design doesn't work. Because at this point the variable store + // mapping is still private/encrypted, OVMF will see ciphertext. So we skip the call + // of PlatformInitEmuVariableNvStore in SEV guest. + // + if (!MemEncryptSevIsEnabled ()) { + PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore); + } + #endif ASSERT_RETURN_ERROR (PcdStatus); -- 2.39.1.windows.1
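Review bot: the new guard `if (!MemEncryptSevIsEnabled ())` silently leaves the EmuVariableNvStore uninitialized in an SEV guest launched with -bios, so the very failure the comment describes (non-volatile variables lost after reboot, Secure Boot not functional) still applies in that configuration; the commit message and the in-code comment should state that consequence explicitly rather than only saying the call is skipped. The nine-line comment block inside `#ifdef SECURE_BOOT_FEATURE_ENABLED` also repeats the commit message almost verbatim and carries the same grammar slip ("This makes the secure boot feature not working"); a short note such as "// In an SEV guest the variable store mapping is still private/encrypted here, so OVMF would read ciphertext; skip the emulated NV store init." keeps the why in the code and leaves the history to git. Since the diff touches only Platform.c, please confirm in the cover text that MemEncryptSevLib is already a library class of PlatformPei and that its header is already included in this file, otherwise the INF needs an update in the same patch. Finally, the added blank `+` line before `#endif` is a stray trailing blank inside the conditional block and can be dropped.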