From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web10.12544.1677164702012524881 for ; Thu, 23 Feb 2023 07:05:02 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=FAnRlDnS; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31NEVZ65023633; Thu, 23 Feb 2023 15:04:59 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : date : mime-version : subject : from : to : cc : references : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=3Xhp9Dfr+X6oel3nlbDocGzYljYDQi0T9d86sZFBtd0=; b=FAnRlDnSUExmgelMZh0zP8nNFswhdKPlp63KhHSGqHXUf4GbF2ELZOfdeiTFmEmIRh4h Q9voIC8kzh5T131TGl+79xlO55AFzR7TayYYmdLDHrGFlrxtx6CZ7Lr7/yfUMH33FPON ga0atzaLDwaIv0eb3kvb5I/AD2ZiQdk+wSB/WutE5PA/uIQIC85T9R8ivIwEt2cgHiu3 JSazlK/jAPAt01rynjvzEVy6XnqQDDTVpoG3antuNhXgu0iaxWOOmOJdGyI+0ki7O5SU SwX1H3681hR0/nfo9lJDDbX9Bf+W9BUA52oAkLo5DNBHV6GgXtKVBN+4Ws1kPVd5OFkS Yw== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3nx9yy8ww6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Feb 2023 15:04:59 +0000 Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 31NEWa4J025695; Thu, 23 Feb 2023 15:04:59 GMT Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com [169.47.144.27]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3nx9yy8wvk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Feb 2023 15:04:58 +0000 Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1]) by ppma05wdc.us.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 31NDxrJJ015944; Thu, 23 Feb 2023 15:04:58 GMT Received: from smtprelay02.dal12v.mail.ibm.com ([9.208.130.97]) by ppma05wdc.us.ibm.com (PPS) with ESMTPS id 3ntpa76she-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Feb 2023 15:04:57 +0000 Received: from smtpav06.dal12v.mail.ibm.com (smtpav06.dal12v.mail.ibm.com [10.241.53.105]) by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 31NF4ujr27394304 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 23 Feb 2023 15:04:56 GMT Received: from smtpav06.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A659458043; Thu, 23 Feb 2023 15:04:56 +0000 (GMT) Received: from smtpav06.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AD2925805F; Thu, 23 Feb 2023 15:04:53 +0000 (GMT) Received: from [9.160.173.144] (unknown [9.160.173.144]) by smtpav06.dal12v.mail.ibm.com (Postfix) with ESMTP; Thu, 23 Feb 2023 15:04:53 +0000 (GMT) Message-ID: <532bb5b0-952b-c830-8de8-fe31f9aa6283@linux.ibm.com> Date: Thu, 23 Feb 2023 17:04:51 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: [RESEND] [PATCH v2 2/2] OvmfPkg/ResetVector: Exclude SEV launch secrets page from pre-validation From: "Dov Murik" To: Gerd Hoffmann , Tom Lendacky Cc: devel@edk2.groups.io, Ard Biesheuvel , Jiewen Yao , Jordan Justen , Erdem Aktas , James Bottomley , Min Xu , Michael Roth , Ashish Kalra , Mario Smarduch , Tobin Feldman-Fitzthum , Dov Murik References: <20230220084942.1292756-1-dovmurik@linux.ibm.com> <20230220084942.1292756-3-dovmurik@linux.ibm.com> <67f06585-b9e6-a450-04fe-ad6b1105d3b6@amd.com> <20230221093820.amj4t2jhzrya7r5k@sirius.home.kraxel.org> In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-GUID: bob4h3hDYFbpZsmI47rP8QQWqvJ-yKDO X-Proofpoint-ORIG-GUID: ATLYOI5Hgk1uNBVvI2QGV1jT6RAJWtNH X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-23_08,2023-02-23_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 lowpriorityscore=0 priorityscore=1501 mlxscore=0 malwarescore=0 mlxlogscore=999 bulkscore=0 phishscore=0 impostorscore=0 clxscore=1015 adultscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2302230115 Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 23/02/2023 16:58, Dov Murik wrote: > > > On 21/02/2023 11:38, Gerd Hoffmann wrote: >> On Mon, Feb 20, 2023 at 08:44:23AM -0600, Tom Lendacky wrote: >>> On 2/20/23 02:49, Dov Murik wrote: >>>> In order to allow the VMM (such as QEMU) to add a page with hashes of >>>> kernel/initrd/cmdline for measured direct boot on SNP, this page must >>>> not be part of the SNP metadata list reported to the VMM. >>>> >>>> Check if that page is defined; if it is, skip it in the metadata list. >>>> In such case, VMM should fill the page with the hashes content, or >>>> explicitly update it as a zero page (if kernel hashes are not used). >>> >>> Would it be better to define a new section type (similar to what I did in >>> the SVSM PoC)? This way, it remains listed in the metadata and allows the >>> VMM to detect it and decide how to handle it. >> >> Explicitly describing things sounds better to me too. >> > > Thanks for the feedback Tom and Gerd. > > > I can define a new section type OVMF_SECTION_TYPE_KERNEL_HASHES. In the AmdSev > target it'll cover the single MEMFD page at 00F000 (after the CPUID page). > Now there's a question for the QEMU side -- should QEMU then fill the page > and encrypt it (launch_update type=NORMAL)? (currently the whole hashes table > creation and encryption is done elsewhere there) > > And on regular OvmfX64 builds - should that area should be with type > OVMF_SECTION_TYPE_SNP_SEC_MEM which is accepted as a type=ZERO page ? > > > Playing with this idea, the metadata list will add: > > > ; Kernel hashes section for measured direct boot > %define OVMF_SECTION_TYPE_KERNEL_HASHES 0x5 > > ... > > ; Kernel hashes for measured direct boot, or zero page if > ; there are no kernel hashes / SEV secrets > SevSnpKernelHashes: > DD SEV_SNP_KERNEL_HASHES_BASE > DD SEV_SNP_KERNEL_HASHES_SIZE > DD SEV_SNP_KERNEL_HASHES_TYPE > Or maybe this metadata section ^^^^^ should be added only if the Pcd for secrets+hashes page is defined? -Dov > > > and the base/size/type of that region are defined in an > %if statement in ResetVector.nasmb: > > > %if (FixedPcdGet32 (PcdSevLaunchSecretBase) > 0) > ; There's a reserved page for SEV secrets and hashes; the VMM will fill and > ; validate the page > %define SEV_SNP_KERNEL_HASHES_TYPE OVMF_SECTION_TYPE_KERNEL_HASHES > %define SEV_SNP_KERNEL_HASHES_BASE (FixedPcdGet32 (PcdSevLaunchSecretBase)) > %else > ; No SEV secrets and hashes page; the VMM will validate it as another zero page > %define SEV_SNP_KERNEL_HASHES_TYPE OVMF_SECTION_TYPE_SNP_SEC_MEM > %define SEV_SNP_KERNEL_HASHES_BASE (CPUID_BASE + CPUID_SIZE) > %endif > %define SEV_SNP_KERNEL_HASHES_SIZE (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) - SEV_SNP_KERNEL_HASHES_BASE) > > > (I still need to figure out the point about QEMU above.) > > > Is that what you had in mind? > > -Dov