Subject: Re: [edk2-devel] [PATCH RFC v2 27/28] OvmfPkg/AmdSev: Expose the SNP reserved pages through configuration table
To: devel@edk2.groups.io, brijesh.singh@amd.com
Cc: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek, Erdem Aktas
References: <20210430115148.22267-1-brijesh.singh@amd.com> <20210430115148.22267-28-brijesh.singh@amd.com>
From: "Dov Murik"
Message-ID: <54944028-2676-7bf9-25ee-b4d162fead43@linux.vnet.ibm.com>
Date: Wed, 5 May 2021 10:10:59 +0300
In-Reply-To: <20210430115148.22267-28-brijesh.singh@amd.com>

Hi Brijesh,

On 30/04/2021 14:51, Brijesh Singh wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>
> Now that both the secrets and cpuid pages are reserved in the HOB,
> extract the location details through fixed PCD and make it available
> to the guest OS through the configuration table.
>
> Cc: James Bottomley
> Cc: Min Xu
> Cc: Jiewen Yao
> Cc: Tom Lendacky
> Cc: Jordan Justen
> Cc: Ard Biesheuvel
> Cc: Laszlo Ersek
> Cc: Erdem Aktas
> Signed-off-by: Brijesh Singh
> ---
> OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 21 ++++++++++++++++++++
> OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 4 ++++
> OvmfPkg/Include/Guid/ConfidentialComputingSecret.h | 17 ++++++++++++++++
> OvmfPkg/OvmfPkg.dec | 1 +
> 4 files changed, 43 insertions(+)
>
> diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c > index 308022b5b2..08b6d9bddf 100644 > --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c 
> +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c > @@ -6,6 +6,7 @@ > **/ > #include > #include > +#include > #include > > STATIC CONFIDENTIAL_COMPUTING_SECRET_LOCATION mSecretDxeTable = { > @@ -13,6 +14,15 @@ STATIC CONFIDENTIAL_COMPUTING_SECRET_LOCATION mSecretDxeTable = { > FixedPcdGet32 (PcdSevLaunchSecretSize), > }; > > +STATIC CONFIDENTIAL_COMPUTING_BLOB_LOCATION mSnpBootDxeTable = { > + 0x414d4445, // AMDE (nit: I believe this UINT32 will appear in memory as the string "EDMA".) > + 1, Not sure what's the official stance regarding a version field here. Maybe it's better to generate a new GUID whenever there's a struct change. -Dov > + (UINT64)(UINTN) FixedPcdGet32 (PcdSevLaunchSecretBase), > + FixedPcdGet32 (PcdSevLaunchSecretSize), > + (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfSnpCpuidBase), > + FixedPcdGet32 (PcdOvmfSnpCpuidSize), > +}; > + > EFI_STATUS > EFIAPI > InitializeSecretDxe( > @@ -20,6 +30,17 @@ InitializeSecretDxe( > IN EFI_SYSTEM_TABLE *SystemTable > ) > { > + // > + // If its SEV-SNP active guest then install the CONFIDENTIAL_COMPUTING_BLOB. > + // It contains the location for both the Secrets and CPUID page. > + // > + if (MemEncryptSevSnpIsEnabled ()) { > + return gBS->InstallConfigurationTable ( > + &gConfidentialComputingBlobGuid, > + &mSnpBootDxeTable > + ); > + } > + > return gBS->InstallConfigurationTable ( > &gConfidentialComputingSecretGuid, > &mSecretDxeTable > diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > index 40bda7ff84..d15194b368 100644 > --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf 
> @@ -23,13 +23,17 @@ > MdePkg/MdePkg.dec > > [LibraryClasses] > + MemEncryptSevLib > UefiBootServicesTableLib > UefiDriverEntryPoint > > [Guids] > gConfidentialComputingSecretGuid > + gConfidentialComputingBlobGuid > > [FixedPcd] > + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase > + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidSize > gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase > gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > > diff --git a/OvmfPkg/Include/Guid/ConfidentialComputingSecret.h b/OvmfPkg/Include/Guid/ConfidentialComputingSecret.h > index 7026fc5b08..0d7f1b8818 100644 > --- a/OvmfPkg/Include/Guid/ConfidentialComputingSecret.h > +++ b/OvmfPkg/Include/Guid/ConfidentialComputingSecret.h > @@ -18,11 +18,28 @@ > { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 }, \ > } > > +#define CONFIDENTIAL_COMPUTING_BLOB_GUID \ > + { 0x067b1f5f, \ > + 0xcf26, \ > + 0x44c5, \ > + { 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42 }, \ > + } > + > typedef struct { > UINT64 Base; > UINT64 Size; > } CONFIDENTIAL_COMPUTING_SECRET_LOCATION; > > +typedef struct { > + UINT32 Header; > + UINT16 Version; > + UINT64 SecretsPhysicalAddress; > + UINT32 SecretsSize; > + UINT64 CpuidPhysicalAddress; > + UINT32 CpuidLSize; > +} CONFIDENTIAL_COMPUTING_BLOB_LOCATION; > + > extern EFI_GUID gConfidentialComputingSecretGuid; > +extern EFI_GUID gConfidentialComputingBlobGuid; > > #endif // SEV_LAUNCH_SECRET_H_ > diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec > index d1bfe49731..f38c5e476a 100644 > --- a/OvmfPkg/OvmfPkg.dec > +++ b/OvmfPkg/OvmfPkg.dec 
> @@ -126,6 +126,7 @@ > gQemuKernelLoaderFsMediaGuid = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} > gGrubFileGuid = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} > gConfidentialComputingSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} > + gConfidentialComputingBlobGuid = {0x067b1f5f, 0xcf26, 0x44c5, {0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42}} > > [Ppis] > # PPI whose presence in the PPI database signals that the TPM base address >
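
Review bot: In the mSnpBootDxeTable initializer (SecretDxe.c, hunk @@ -13,6 +14,15 @@), the Header constant and its comment disagree about byte order: 0x414d4445 is stored on little-endian x86 as the bytes 45 44 4d 41, so a guest that compares the first four bytes of the table against the ASCII string AMDE will not match. Decide which in-memory order the guest-side parser is meant to see and express it with SIGNATURE_32 ('A', 'M', 'D', 'E') (or the reversed argument order) so the source shows the stored bytes. The bare 1 for Version would also read better as a named constant defined next to the struct, with a comment saying what a consumer should do when it sees an unknown version.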
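
Review bot: The early return in InitializeSecretDxe (SecretDxe.c, hunk @@ -20,6 +30,17 @@) means that on an SEV-SNP guest only gConfidentialComputingBlobGuid is installed and the existing gConfidentialComputingSecretGuid table is never published. A guest component that looks up the launch secret through the existing GUID would find nothing once SNP is active, and the commit message does not say that this is intended. Either install both tables (check the status of the first call, then fall through to the existing one) or state in the comment that SNP guests must use the new table for the secret location. Minor: the comment should read "If this is an SEV-SNP active guest".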
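
Review bot: CONFIDENTIAL_COMPUTING_BLOB_LOCATION (ConfidentialComputingSecret.h, hunk @@ -18,11 +18,28 @@) is read by the guest OS, but its layout depends on compiler padding: with natural alignment and no packing pragma visible in the hunk, there are 2 hidden bytes after Version and 4 after SecretsSize, plus 4 bytes of tail padding. Make the layout explicit, either with #pragma pack(1) around the typedef or with named reserved fields at those positions, and document the offsets so the guest-side definition can be checked against it. CpuidLSize also looks like a typo for CpuidSize.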