Subject: Re: [edk2-devel] [PATCH v3 0/6] SEV Encrypted Boot for Ovmf
From: "Laszlo Ersek"
To: jejb@linux.ibm.com
Cc: devel@edk2.groups.io, dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert", Jordan Justen, Ard Biesheuvel, Jiewen Yao
Date: Mon, 14 Dec 2020 20:57:35 +0100
Message-ID: <48be9f9a-98a5-41a8-c8e3-d84610c97573@redhat.com>

Hi James,

On 12/04/20 03:01, Laszlo Ersek wrote:
> On 12/04/20 02:55, Laszlo Ersek wrote:
>
>> I will send a short patch series to add the exceptions, and once
>> that's upstream, we *will* merge this (v3) series.
>
> BTW the tweaks I added on top of your v3, in
> , are as follows (git
> range-diff output):
>
>> 1: 4020c20b2342 ! 1: b96494ad75db OvmfPkg/ResetVector: convert SEV-ES Reset Block structure to be GUIDed >> @@ -8,8 +8,9 @@ >> >> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 >> Signed-off-by: James Bottomley >> - >> Message-Id: <20201130202819.3910-2-jejb@linux.ibm.com> >> + Acked-by: Ard Biesheuvel >> + Reviewed-by: Laszlo Ersek >> >> diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm >> --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm >> 2: 488fbdbe7689 ! 2: acc8cb13da8d OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF 
>> @@ -11,8 +11,9 @@ >> >> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 >> Signed-off-by: James Bottomley >> - >> Message-Id: <20201130202819.3910-3-jejb@linux.ibm.com> >> + Acked-by: Ard Biesheuvel >> + Reviewed-by: Laszlo Ersek >> >> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc >> new file mode 100644 >> 3: 796ec96e3414 ! 3: b80ce0838781 OvmfPkg/AmdSev: add Grub Firmware Volume Package >> @@ -19,8 +19,10 @@ >> >> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 >> Signed-off-by: James Bottomley >> - >> Message-Id: <20201130202819.3910-4-jejb@linux.ibm.com> >> + Acked-by: Ard Biesheuvel >> + [lersek@redhat.com: replace local variable initialization with assignment] >> + Reviewed-by: Laszlo Ersek >> >> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec >> --- a/OvmfPkg/OvmfPkg.dec >> @@ -779,7 +781,9 @@ >> +{ >> + EFI_HANDLE Handle; >> + EFI_STATUS Status; >> -+ UINT16 FrontPageTimeout = 0; >> ++ UINT16 FrontPageTimeout; >> ++ >> ++ FrontPageTimeout = 0; >> + >> + DEBUG ((DEBUG_INFO, "PlatformBootManagerBeforeConsole\n")); >> + InstallDevicePathCallback (); >> 4: d954947f8d14 ! 4: f3cda3cadde4 OvmfPkg: create a SEV secret area in the AmdSev memfd >> @@ -10,8 +10,9 @@ >> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 >> Signed-off-by: James Bottomley >> Reviewed-by: Laszlo Ersek >> - >> Message-Id: <20201130202819.3910-5-jejb@linux.ibm.com> >> + Acked-by: Ard Biesheuvel >> + [lersek@redhat.com: fix typo in "ResetVectorVtf0.asm" comments] >> >> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec >> --- a/OvmfPkg/OvmfPkg.dec >> @@ -52,7 +53,7 @@ >> +; >> +; SEV Secret block >> +; >> -+; This describes the guest ram area where the hypervisor may should >> ++; This describes the guest ram area where the hypervisor should >> +; inject the secret. The data format is: >> +; >> +; base physical address (32 bit word) >> 5: 1a18c4921cdf ! 5: c38b3caf22ad OvmfPkg/AmdSev: assign and protect the Sev Secret area 
>> @@ -1,14 +1,17 @@ >> Author: James Bottomley >> >> - OvmfPkg/AmdSev: assign and protect the Sev Secret area >> + OvmfPkg/AmdSev: assign and reserve the Sev Secret area >> >> - Create a one page secret area in the MEMFD and protect the area with a >> + Create a one page secret area in the MEMFD and reserve the area with a >> boot time HOB. >> >> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 >> Signed-off-by: James Bottomley >> Reviewed-by: Laszlo Ersek >> Message-Id: <20201130202819.3910-6-jejb@linux.ibm.com> >> + Acked-by: Ard Biesheuvel >> + [lersek@redhat.com: s/protect/reserve/g in the commit message, at Ard's >> + and James's suggestion] >> >> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc >> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc >> 6: 6970b9413c93 ! 6: ea823d078162 OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table >> @@ -11,6 +11,8 @@ >> Signed-off-by: James Bottomley >> Reviewed-by: Laszlo Ersek >> Message-Id: <20201130202819.3910-7-jejb@linux.ibm.com> >> + Acked-by: Ard Biesheuvel >> + [lersek@redhat.com: fix indentation of InstallConfigurationTable() args] >> >> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec >> --- a/OvmfPkg/OvmfPkg.dec 
>> @@ -152,7 +154,8 @@ >> + IN EFI_SYSTEM_TABLE *SystemTable >> + ) >> +{ >> -+ return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid, >> -+ &mSecretDxeTable >> -+ ); >> ++ return gBS->InstallConfigurationTable ( >> ++ &gSevLaunchSecretGuid, >> ++ &mSecretDxeTable >> ++ ); >> +}
>
> I meant to include this range-diff in the email where I'd confirm the
> merge and the commit range; too bad I got distracted with this ECC mess.

Additional updates (expressed incrementally), per prior discussion:

> 1: b96494ad75db = 1: 11f014f9a5a5 OvmfPkg/ResetVector: convert SEV-ES Reset Block structure to be GUIDed > 2: acc8cb13da8d = 2: ac3e7f9e93ab OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF > 3: b80ce0838781 ! 3: da5e1715a902 OvmfPkg/AmdSev: add Grub Firmware Volume Package > @@ -23,6 +23,10 @@ > Acked-by: Ard Biesheuvel > [lersek@redhat.com: replace local variable initialization with assignment] > Reviewed-by: Laszlo Ersek > + [lersek@redhat.com: squash 'OvmfPkg: add "gGrubFileGuid=Grub" to > + GuidCheck.IgnoreDuplicates', reviewed stand-alone by Phil (msgid > + ) and Ard (msgid > + <10aeda37-def6-d9a4-6e02-4c66c1492f57@arm.com>)] > > diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec > --- a/OvmfPkg/OvmfPkg.dec 
> @@ -2327,3 +2331,16 @@ > + > +remove_efi=0 > +echo "grub.efi generated in ${basedir}" > + > +diff --git a/OvmfPkg/OvmfPkg.ci.yaml b/OvmfPkg/OvmfPkg.ci.yaml > +--- a/OvmfPkg/OvmfPkg.ci.yaml > ++++ b/OvmfPkg/OvmfPkg.ci.yaml > +@@ > + "IgnoreGuidName": ["ResetVector", "XenResetVector"], # Expected duplication for gEfiFirmwareVolumeTopFileGuid > + "IgnoreGuidValue": [], > + "IgnoreFoldersAndFiles": [], > +- "IgnoreDuplicates": [], > ++ "IgnoreDuplicates": ["gGrubFileGuid=Grub"], > + }, > + > + ## options defined .pytool/Plugin/LibraryClassCheck > 4: f3cda3cadde4 = 4: 9caed44db39b OvmfPkg: create a SEV secret area in the AmdSev memfd > 5: c38b3caf22ad = 5: dbba0abc831f OvmfPkg/AmdSev: assign and reserve the Sev Secret area > 6: ea823d078162 = 6: 0612c2ecdc77 OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table

Merged as commit range ef3e73c6a0c0..01726b6d23d4, via the same PR: .

Please proceed with addressing Jiewen's feedback, with further patches.

Thanks!
Laszlo
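
Review bot: in the OvmfPkg.ci.yaml hunk squashed into patch 3, the new "IgnoreDuplicates": ["gGrubFileGuid=Grub"] entry has no explanation, while the "IgnoreGuidName" line directly above it carries a trailing comment ("Expected duplication for gEfiFirmwareVolumeTopFileGuid"). Please add a matching trailing comment stating why the gGrubFileGuid/Grub duplicate is expected, so that a later reader of the CI configuration can tell the GuidCheck suppression is deliberate.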
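
Review bot: in the patch 6 hunk at "@@ -152,7 +154,8 @@", the function returns the result of gBS->InstallConfigurationTable() directly, so a failure to publish mSecretDxeTable under gSevLaunchSecretGuid leaves nothing in the debug log. Consider storing the result in a local EFI_STATUS, emitting a DEBUG ((DEBUG_ERROR, ...)) message when it is an error, and then returning it; the DEBUG macro is already used for tracing in the patch 3 hunk (PlatformBootManagerBeforeConsole).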