From: "Lendacky, Thomas via groups.io"
To: wojiaohanliyang@163.com, devel@edk2.groups.io
Cc: erdemaktas@google.com, jejb@linux.ibm.com, jiewen.yao@intel.com, min.m.xu@intel.com, kraxel@redhat.com
Subject: Re: [edk2-devel] [PATCH 1/3] OvmfPkg/PlatformInitLib: Detect FlashNvVarStore before validate it
Date: Mon, 15 Jul 2024 09:15:04 -0500
Message-ID: <5c722bb7-e1cb-9f4d-f9e2-48b0a99db781@amd.com>
In-Reply-To: <20240714122455.136148-2-wojiaohanliyang@163.com>
References: <20240714122455.136148-1-wojiaohanliyang@163.com> <20240714122455.136148-2-wojiaohanliyang@163.com>

On 7/14/24 07:24, wojiaohanliyang@163.com wrote:
> From: hanliyang
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4807
>
> The commit 4f173db8b45b ("OvmfPkg/PlatformInitLib: Add functions for
> EmuVariableNvStore") rename the function from TdxValidateCfv to
> PlatformValidateNvVarStore.
>
> PlatformValidateNvVarStore is placed in the PlatformInitLib and is used
> in the case that OVMF is launched with -bios parameter and to validate
> the integrity of FlashNvVarStore. But if we launch a VM without
> FlashNvVarStore, the PlatformValidateNvVarStore will fail to validate
> the integrity and will trigger ASSERT (FALSE) in
> PlatformInitEmuVariableNvStore.
>
> In order to prevent calls to PlatformValidateNvVarStore in the case lack
> of FlashNvVarStore, we should detect FlashNvVarStore before calls to
> PlatformValidateNvVarStore. If fail to detect FlashNvVarStore, we should
> return don't initialize the EmuVariableNvStore, otherwise calls to
> PlatformValidateNvVarStore and initialize the EmuVariableNvStore when
> succeed to validate the integrity of NvVarStore.
>

While Secure Boot isn't supported at the moment for SEV-ES / SEV-SNP, this
will cause a boot failure for those types of VMs should it be enabled.

SEV-ES results in:

Invalid MMIO opcode (AF)
ASSERT [SecMain] /root/kernels/ovmf-build-X64/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c(498): ((BOOLEAN)(0==1))

while SEV-SNP just terminates with an error in Qemu.

I haven't looked into what the cause is at this time.

Thanks,
Tom

> Fixes: 4f173db8b45b ("OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore")
> Signed-off-by: hanliyang
> ---
> OvmfPkg/Library/PlatformInitLib/Platform.c | 47 +++++++++++++++++++
> .../PlatformInitLib/PlatformInitLib.inf | 1 +
> 2 files changed, 48 insertions(+)
>
> diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c b/OvmfPkg/Library= /PlatformInitLib/Platform.c > index f48bf16ae3..0a720a4c2c 100644 > --- a/OvmfPkg/Library/PlatformInitLib/Platform.c
> +++ b/OvmfPkg/Library/PlatformInitLib/Platform.c > @@ -895,6 +895,16 @@ PlatformReserveEmuVariableNvStore ( > return VariableStore; > } > =20 > +#define WRITE_BYTE_CMD 0x10 > +#define BLOCK_ERASE_CMD 0x20 > +#define CLEAR_STATUS_CMD 0x50 > +#define READ_STATUS_CMD 0x70 > +#define READ_DEVID_CMD 0x90 > +#define BLOCK_ERASE_CONFIRM_CMD 0xd0 > +#define READ_ARRAY_CMD 0xff > + > +#define CLEARED_ARRAY_STATUS 0x00 > + > /** > When OVMF is lauched with -bios parameter, UEFI variables will be > partially emulated, and non-volatile variables may lose their contents 
> @@ -928,6 +938,43 @@ PlatformInitEmuVariableNvStore ( > Size =3D (UINT32)PcdGet32 (PcdFlashNvStorageVariableSize); > ASSERT (Size < EmuVariableNvStoreSize); > =20 > + // > + // If launch a VM without OvmfFlashNvStorage device, then we'll fail > + // to check the integrity of NvVarStore and trigger ASSERT (FALSE). > + // So, we should detect the OvmfFlashNvStorage before calls to > + // PlatformValidateNvVarStore(). If fail to detect OvmfFlashNvStorage, > + // we should return and don't initialize the EmuVariableNvStore, > + // otherwise calls to PlatformValidateNvVarStore() and initialize the > + // EmuVariableNvStore when succeed to check the integrity of > + // NvVarStore. > + // > + // This method to detect the OvmfFlashNvStorage here references > + // OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c. > + // > + volatile UINT8 *Ptr; > + > + UINTN BlockSize; > + UINTN Offset; > + UINT8 ProbeUint8; > + > + BlockSize =3D PcdGet32 (PcdOvmfFirmwareBlockSize); > + > + for (Offset =3D 0; Offset < BlockSize; Offset++) { > + Ptr =3D Base + Offset; > + ProbeUint8 =3D *Ptr; > + if ((ProbeUint8 !=3D CLEAR_STATUS_CMD) && > + (ProbeUint8 !=3D READ_STATUS_CMD) && > + (ProbeUint8 !=3D CLEARED_ARRAY_STATUS)) > + { > + break; > + } > + } > + > + if (Offset >=3D BlockSize) { > + DEBUG ((DEBUG_INFO, "OvmfFlashNvStorage: Failed to find probe locati= on\n")); > + return EFI_INVALID_PARAMETER; > + } > + > if (!PlatformValidateNvVarStore (Base, PcdGet32 (PcdCfvRawDataSize))) = { > ASSERT (FALSE); > return EFI_INVALID_PARAMETER; > diff --git a/OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf b/OvmfPk= g/Library/PlatformInitLib/PlatformInitLib.inf > index 21e6efa5e0..b7d5e63dcd 100644 > --- a/OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf > +++ b/OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf 
> @@ -104,6 +104,7 @@ > gUefiOvmfPkgTokenSpaceGuid.PcdTdxAcceptPageSize > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase > gUefiOvmfPkgTokenSpaceGuid.PcdCfvRawDataSize > + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFirmwareBlockSize > =20 > [FeaturePcd] > gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
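
Review bot: Of the eight macros added in the first Platform.c hunk (@@ -895,6 +895,16 @@), only CLEAR_STATUS_CMD, READ_STATUS_CMD and CLEARED_ARRAY_STATUS are used by the probe loop later in this patch; WRITE_BYTE_CMD, BLOCK_ERASE_CMD, READ_DEVID_CMD, BLOCK_ERASE_CONFIRM_CMD and READ_ARRAY_CMD are not referenced in any visible hunk. Drop the unused ones, or, since the comment in the next hunk says the method references OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c, put the command values in a header both files include so the two copies cannot drift apart.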
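
Review bot: The probe loop added to PlatformInitEmuVariableNvStore (@@ -928,6 +938,43 @@) only reads. It walks the first PcdOvmfFirmwareBlockSize bytes at Base and stops at the first byte that is not CLEAR_STATUS_CMD, READ_STATUS_CMD or CLEARED_ARRAY_STATUS, but nothing is written to or read back from that location, so the early return fires only when every byte in the block is 0x50, 0x70 or 0x00. Any other content passes the check and still reaches PlatformValidateNvVarStore and its ASSERT (FALSE). Either complete the probe or reword the comment and the DEBUG message to say what is actually tested, which is the contents of the first block and not the presence of the OvmfFlashNvStorage device. Given the SEV-ES and SEV-SNP boot failures reported in the reply, the new byte reads through the volatile pointer should also be exercised under those guest types before this goes in. Separately, the declarations of Ptr, BlockSize, Offset and ProbeUint8 come after the ASSERT (Size < EmuVariableNvStoreSize) statement; move them to the start of the function body.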