Subject: Re: [PATCH v3 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area
To: James Bottomley, devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert", Laszlo Ersek, Jordan Justen
References: <20201130202819.3910-1-jejb@linux.ibm.com> <20201130202819.3910-6-jejb@linux.ibm.com>
From: "Ard Biesheuvel"
Message-ID: <48062d01-55bf-68ec-5603-436d8426ad74@arm.com>
Date: Tue, 1 Dec 2020 08:54:19 +0100
In-Reply-To: <20201130202819.3910-6-jejb@linux.ibm.com>

Hi James,

On 11/30/20 9:28 PM, James Bottomley wrote:
> Create a one page secret area in the MEMFD and protect the area with a
> boot time HOB.
>

I take it 'protect' here only means prevent the memory from being used for something else? In the context of security, encryption, secrets, etc, it might be useful to call that out.

> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
> Signed-off-by: James Bottomley > Reviewed-by: Laszlo Ersek > --- > OvmfPkg/AmdSev/AmdSevX64.dsc | 1 + > OvmfPkg/AmdSev/AmdSevX64.fdf | 4 +++ > OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 35 ++++++++++++++++++++++++++ > OvmfPkg/AmdSev/SecretPei/SecretPei.c | 25 ++++++++++++++++++ > 4 files changed, 65 insertions(+) > create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf > create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c > > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc > index 18707725b3e4..e9c522bedad9 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -613,6 +613,7 @@ [Components] > OvmfPkg/PlatformPei/PlatformPei.inf > UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf > UefiCpuPkg/CpuMpPei/CpuMpPei.inf > + OvmfPkg/AmdSev/SecretPei/SecretPei.inf > > !if $(TPM_ENABLE) == TRUE > OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf > diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf > index 1aa95826384a..b2656a1cf6fc 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.fdf > +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf > @@ -59,6 +59,9 @@ [FD.MEMFD] > 0x00B000|0x001000 > gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize > > +0x00C000|0x001000 > +gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > + > 0x010000|0x010000 > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize > > @@ -138,6 +141,7 @@ [FV.PEIFV] > INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf > INF UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf > INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf > +INF OvmfPkg/AmdSev/SecretPei/SecretPei.inf > > !if $(TPM_ENABLE) == TRUE > INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > new file mode 100644 > index 000000000000..08be156c4bc0 > --- /dev/null 
> +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > @@ -0,0 +1,35 @@ > +## @file > +# PEI support for SEV Secrets > +# > +# Copyright (C) 2020 James Bottomley, IBM Corporation. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = SecretPei > + FILE_GUID = 45260dde-0c3c-4b41-a226-ef3803fac7d4 > + MODULE_TYPE = PEIM > + VERSION_STRING = 1.0 > + ENTRY_POINT = InitializeSecretPei > + > +[Sources] > + SecretPei.c > + > +[Packages] > + OvmfPkg/OvmfPkg.dec > + MdePkg/MdePkg.dec > + > +[LibraryClasses] > + HobLib > + PeimEntryPoint > + PcdLib > + > +[FixedPcd] > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > + > +[Depex] > + TRUE > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c > new file mode 100644 > index 000000000000..ad491515dd5d > --- /dev/null > +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c > @@ -0,0 +1,25 @@ > +/** @file > + SEV Secret boot time HOB placement > + > + Copyright (C) 2020 James Bottomley, IBM Corporation. > + SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > +#include > +#include > +#include > + > +EFI_STATUS > +EFIAPI > +InitializeSecretPei ( > + IN EFI_PEI_FILE_HANDLE FileHandle, > + IN CONST EFI_PEI_SERVICES **PeiServices > + ) > +{ > + BuildMemoryAllocationHob ( > + PcdGet32 (PcdSevLaunchSecretBase), > + PcdGet32 (PcdSevLaunchSecretSize), > + EfiBootServicesData > + ); > + > + return EFI_SUCCESS; > +} >
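
Review bot: The PcdSevLaunchSecretBase and PcdSevLaunchSecretSize tokens bound to the new 0x00C000|0x001000 region in the [FD.MEMFD] hunk of AmdSevX64.fdf are not declared anywhere in this patch; the diffstat lists only the .dsc, the .fdf and the two new SecretPei files. It is worth confirming that an earlier patch in the series adds them to the package declaration, and a short comment above the region saying what this page holds would help anyone reading the MEMFD layout later.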
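
Review bot: SecretPei.inf lists both PCDs under [FixedPcd], while InitializeSecretPei() in SecretPei.c reads them with PcdGet32(). Using FixedPcdGet32() at the two call sites would make the build-time-constant intent visible where the values are consumed and keep the C file consistent with the INF section.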
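
Review bot: In the SecretPei.c hunk, the BuildMemoryAllocationHob() call marks the page as EfiBootServicesData, which only keeps firmware allocations off the range while boot services are running. Nothing in this function restricts access to the page or clears it, and memory of that type is available to the OS after ExitBootServices. A comment above the call stating that the HOB is a reservation only, and naming what is expected to consume or wipe the secret before the range is handed over, would make the meaning of "protect" in the commit message explicit. The function also has no header comment describing its purpose or return value.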