From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM11-DM6-obe.outbound.protection.outlook.com (NAM11-DM6-obe.outbound.protection.outlook.com [40.107.223.45]) by mx.groups.io with SMTP id smtpd.web10.220.1635862271894659412 for ; Tue, 02 Nov 2021 07:11:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=QJLAggC/; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.223.45, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=exLq8iU1QM1p205D17vH2gqX3JtX/WDt0PBlQ2ZkpUIDBinC1onGzQ1P8kjBD9RV9KXpmVLdY5ncBL0njJ1f+ngMYev+8mCfiH+o1FLNEaQ9KKROSKwdH0z6/rWrKdIXRPDAY5qp6lmAvl57IPZTM5a7yqKfvYshdeYwSO2c7I3plSYUfG1Fh5hY5Igl7g6+6YP/iWWMmSls1zfnmWE8A8rVN2CW2pAw+s/4D0DVhl6gU/ZwTZaKvIMvY1V21MsZIsxz8UrnyUfQ3a1uE101ITJI09l3q9qnXwHqpgHesOg2xt8vPAeHcRRcS0y9l4eHofjV/IVONX7zEZybq60lhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jgElLttDxhfPB5s3SJuhWTFCU6I1mZN6385KGOnn0kY=; b=aa8p5Igsyn43YKvhxJI4UiBP4aQ/OOxI/2S0BmA+PEtZLhfbhjdZ71K60A57poUNuw4Xtm2lhx7yk7KZLxtStOUHzKqBygoiJ2rCQMcxY86d0hrEGi7awkTAHcT5Um4cLOlqVheNjBf562x8S+bQ861RCBsTExva/ynOeu2JRoQIEDW/D1B+n/vOFxZvo0T7J+Ma9S7Q+IyuXYBRvSupGI3Ngs13SgqHwD5x7rlESD0WHNT0aJLlCoNSP9LFO30eEVg2e2qeU8GfUoL3dcL6CnAxc8vUAUAYAPOSvnDnGzSk4znXyPq3wzdHa6H2DGP6PvQx9GFDigZuvLOv0X/y1Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jgElLttDxhfPB5s3SJuhWTFCU6I1mZN6385KGOnn0kY=; b=QJLAggC/SUecwIad7cu423CZyLn7Mrgy9MO14nCfhZzpZ/TaMleh7tuHm0RP1gjc7e6LzgSgJwtDof8j6h+aMXWV6a5GhKA2VEqsFwClBbPmfhThVenWTQBGwxB7Vz7InKTIWBxgPXcqfc2VA93qVU2v91IfcPSzdF5jvhQMCKo= Authentication-Results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=amd.com; Received: from DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) by DM4PR12MB5357.namprd12.prod.outlook.com (2603:10b6:5:39b::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.14; Tue, 2 Nov 2021 14:11:10 +0000 Received: from DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::a87d:568d:994f:c5f9]) by DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::a87d:568d:994f:c5f9%8]) with mapi id 15.20.4649.019; Tue, 2 Nov 2021 14:11:10 +0000 Subject: Re: [PATCH 1/2] OvmfPkg/OvmfPkgX64: Add SEV launch secret and hashes table areas to MEMFD To: Dov Murik , Gerd Hoffmann , James Bottomley Cc: devel@edk2.groups.io, Brijesh Singh , Ard Biesheuvel , Jordan Justen , Erdem Aktas , Jiewen Yao , Min Xu References: <20211102073422.340858-1-dovmurik@linux.ibm.com> <20211102073422.340858-2-dovmurik@linux.ibm.com> <20211102100347.ulf4mt4fwjrsbaud@sirius.home.kraxel.org> <07819666-8465-6e46-7e07-a99b1b793073@linux.ibm.com> <20211102132954.5q2dxrbrz77fcdao@sirius.home.kraxel.org> From: "Lendacky, Thomas" Message-ID: <5f3cbabe-9a50-662a-16d9-09a1d04a3542@amd.com> Date: Tue, 2 Nov 2021 09:11:07 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 In-Reply-To: X-ClientProxiedBy: BLAPR03CA0083.namprd03.prod.outlook.com (2603:10b6:208:329::28) To DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) Return-Path: Thomas.Lendacky@amd.com MIME-Version: 1.0 Received: from [10.236.30.241] (165.204.77.1) by BLAPR03CA0083.namprd03.prod.outlook.com (2603:10b6:208:329::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.17 via Frontend Transport; Tue, 2 Nov 2021 14:11:08 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: ae64e6e4-de65-4132-a983-08d99e0a9e81 X-MS-TrafficTypeDiagnostic: DM4PR12MB5357: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: IyAlrGFMa4PjdgvQwWHAOWqiRpGSgcrfWkE5O9WkSLNZ+kvO7VUPhcumqzq6m0PGc3XHj4J96/T3ykjdEOKALh8AVlb658r6mY8vancdWeEmN5qlngY2f3BrV210vMrcP9S3wf40MTEJ+/JySFG8nyojVt5yNvRhIH7F5dCJ0EtZMa5bjVeBn/TNqyTkEFB8FFu4EHhRRBuR1mda4mj8eFBT0qSLhT03CuApbeHuEf6HrcgKOzAfKUKFdQWXC4J/TPV515UZQUN+87NpbzK1yBimz0YES/94wuXFJbVCauYcdWprzG7fokbuaun8gId6HkVgovKHNIJK0LmFo8DvMpfW/m8K4cZcfSunxXLZ0x3MC4j767cRsRnNuKOlej0fsMGroH0myYMD9SEb7BgNaXUI0IBHx1faFU02MU3uwxlDjmPWd8KM7a0/jKW8Ha1ayXGAq/YgWABDKocST+hBVW/Mst0SzE0/HcZ3BiRF9VeJE991v/lIq/7RrgMvW57ZswnN9l7QO64krv4+i+PLQSUXueIn7XpvnU60T0nx6vhKl6kFr8TvF1GbjDToDmOpH/7CTvitIvsVejkxXCTLT5d6uVVE2V3ZgLP5SwqWVPklHGeFGLHbJsNf3Mip1TYZX4BE9OD0KUd51oEcd5z7VFfuXz/8/FlWsko0p6eoCRkFzc1+OCvMLOqN11gqeRuxlM17r6FNcxGLtPZQSR0HGE3ApFcY2kk+qMPaNqP6+ipq/bo6nl3xrVjti5Qf0WTyuEQEOL+hh36HzGVsAXDxqg== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM4PR12MB5229.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(366004)(36756003)(508600001)(83380400001)(316002)(38100700002)(31696002)(5660300002)(16576012)(53546011)(956004)(26005)(4326008)(8936002)(54906003)(8676002)(31686004)(2616005)(2906002)(66556008)(86362001)(66946007)(66476007)(6486002)(186003)(110136005)(219293001)(45980500001)(43740500002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?RmEyR1A5VzNoYmRoMHhIR2lGbWhObVBpU3pZbEZ6Yi9vbGZ5Qyt1dWNkTkVZ?= =?utf-8?B?TzJSYzNJYWZ2K1UzUTlrUi91bWZleUhtYnBRMjJ3a2NFMkRjNjh3SnhqZXUx?= =?utf-8?B?RHhuZmg2R1JhNy9naXFBcXJEODgvazJFVlJIQSt3c0JzSmVKOFdWT2VRb21i?= =?utf-8?B?ZlJkZHJmeVNPanA0eC9obHdRcEh3dFN6b2wwd2M1OXBjaHMrQVR6K0VzZDYr?= =?utf-8?B?TENQMmhEL0EvMlFTS2NyWXFBKzFpMlB1RDdmbXY2enR6Ym5mQW93N0FNR3A3?= =?utf-8?B?QTUwUG10eFV4ejZDb0cwZUcrckhwTTloOVpLd1o5aHZxOFVxaG5QZGVXTkht?= =?utf-8?B?eUNRdzFsb0J4OGpIWTJEK0VsNnJmclFraGVnNjBqQWRTekxZTjZaaVVVSGR6?= =?utf-8?B?T0JOZlk0RWY0MXNId2lkMmhuRCt3bTV1aklGa1gwRTRzZ0lWTUtaMmVhRXlM?= =?utf-8?B?VDRXejBrZWR0QW0zNkt2ME1JblVTQUJIUmlUUUNPcjRKVEV3eHRvM05DVmpq?= =?utf-8?B?VmZ1c1NSaHZYc0Vnak01NGJvaGJyYkVvalI0b3IxNWtpbGYyWmtCWVd0Ym9v?= =?utf-8?B?dDVvRk9CMFVKMHpYc2R5ZmFIbDVJSWJQd1JKTi9rUVZQYnppUnNyb2FyUTds?= =?utf-8?B?dm1DZEZ0L3kzUTA1c2ZzdHl2aHpnMVliVEZmVm9ZdlNRY0tWVWoyUkZyaXR6?= =?utf-8?B?TzF3RHZhcW5HM0JSbWo0YkgxL2Y5ZUVDVXBrOVArcHIrb2hkclNDZEQ3NVZ6?= =?utf-8?B?T3d5VXFXdVFvbDk4eSt1N0dud256WjhTVmF3RHJPVjVleGQ5ZzVKK1FUbkpW?= =?utf-8?B?ak4veDM3VmpWNzlOWkVsdk9uQVkveXMzRkF0MXY1ekk5TUEwTFIrS1QzcUpm?= =?utf-8?B?OVVpUGEvUFFKSnk4L0FxM1lDU3dqRkNhdXpjekE5dkZzV0hwOE1uYjg1Zjk3?= =?utf-8?B?MVJKZjdHalAwV3UrZTh2a0RrRStQMEZtNVJqOFNrTDZyWDZidVFyQUROS0c4?= =?utf-8?B?VEIxTWxpZFEwRWhGanRNRnhqN0NGL2gvWUdHQmlaaU9SRkMvNzlBR094R2hi?= =?utf-8?B?eURoMmQyRFZpUnhPTXZpM1JZRmtqT21adTFKWXJ5dkp3UmxzZGZCdGw4ZzFs?= =?utf-8?B?dE5kYmlTckVnakJITzlyQTEyUmZXbndySlh4R1VkMWJBQjlGUEFVcEdXbHR0?= =?utf-8?B?SFZlRm1lWE5qTUdsQkRhaXRqTjBxUU1LZ1pLeTNTZHFVby8vN1ErS0N0ZmJT?= =?utf-8?B?VzlYR0wrc0xzUmhSdWEwRUk3ZVdBK2tMblh3d2pOc1AwTHRnZDI0OWpKUEl1?= =?utf-8?B?Wnh3TVN1S3FjajhGL3VMY1JmT1JDT2s5SGs3b01XRkNuV2hBN29iNm5tMEhr?= =?utf-8?B?TldPL2JJK3ZlM2o2Zi9qLzNHdU55RzlTRmFBN2dzRklxQ3kvd0N1bU5wc2c0?= =?utf-8?B?bTBCUXErK3BRSklIdXRUTnlFZE0vOEo5Sk9oRWdPWVJKdkM0K3g3UlU1Rlhq?= =?utf-8?B?dUhkckdDUUNBdUNwYkVJMXI1T2xldWNvOXU4UFY3eEg0d1FjNnNzL210ODNy?= =?utf-8?B?eDNLbExBRmx0Zk9oVlJoNElxSC9reEtjbmJsWkNRbGJIbXFEQ3VmejEyRWp1?= =?utf-8?B?MzI4Zi8vT3VMclBKQ0d1VWNNbDkvcWloWFlkaGVEOFJWekYyeEFmeW4zRllj?= =?utf-8?B?YWFXS2hib1doc1NoZUExNXpkcFNXTk93VXJDVUhROVd2RW4vRHpCcHNhdXd0?= =?utf-8?B?ZGJ0dGNxeFlYWVFTQ2FOenVlOHprb25NNTRKenRLTHRMSjlEMllkNkl1ODU4?= =?utf-8?B?UkpIanlsdjllYzVBRnFoZkx0Rk9LWmlyU1lPa0MrVlVVU2NsZjdnYmFRam4v?= =?utf-8?B?ZGFNNTlxK3BvRWcyRHJOUkRvWUl1b2VIdWRmS1g0U3NsaXdvdGZRV3VUUzZR?= =?utf-8?B?YjMwekFtc3ZCSDl3V0l0d2N2eGV2ZnB4bWVwcURiTXdkZ0F2UUx6WVAzQ1Z4?= =?utf-8?B?SDkrU0JEVUlHWGVhMllpaGhITm8vZFcxcmE5WFpnbDRzOHBhYTBLT3lvK0pZ?= =?utf-8?B?RmYySlp6NXhrWU1SbXRFcytaMWcrRllueVRxaTRmL3YvLy9DSVJEaXc1SVhM?= =?utf-8?B?bEZDZkV4a3I5TzFndEJwa2FiOSs2SFBCVmN3enNVVS9xT3hVTldVUlE3ai9T?= =?utf-8?Q?PEHYmExrw2M6nxrlpSfGVfs=3D?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: ae64e6e4-de65-4132-a983-08d99e0a9e81 X-MS-Exchange-CrossTenant-AuthSource: DM4PR12MB5229.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Nov 2021 14:11:09.8503 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 69NA2692r1Jw6OwNPezwlWmnSSHuKS3r6wILZlxvLKVgDoAxggBhkiLZKsPMhe+ypOsPtO2bmYWxqdyA5qx+3g== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB5357 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit On 11/2/21 8:53 AM, Dov Murik wrote: > > > On 02/11/2021 15:29, Gerd Hoffmann wrote: >> Hi, >> >>>> I'm wondering whenever you actually tried to boot a sev guest >>>> in microvm? >>> >>> No I haven't tried. Do you want Microvm to be able to boot SEV guests, >>> or do you intentionally want to keep functionality out so it stays small? >> >> Need to look at it on a case by case base. It is clearly not a >> priority, but if it makes sense we can discuss adding it. >> >> microvm has no support for SMM mode, and that is unlikely to change, >> so anything requiring SMM mode is not going to work, thats why I dropped >> SMM + secure boot + TPM bits for the initial patch series. >> >> Having support for tpm makes sense even without secure boot, so we might >> bring that back, but it'll also require some (small) changes on the host >> side so qemu allows creating a tpm, generates acpi tables for the tpm etc. >> >> Does SEV need and/or use SMM mode? Looking through AmdSevX64.dsc >> doesn't give a clear answer, on one hand there is a >> LibraryClasses.common.SMM_CORE section, but on the other hand it uses >> the non-SMM variable driver stack. > > I think SEV doesn't work with SMM. James - can you please give a more > definitive answer here? SEV works with SMM, but SEV-ES (and likely SEV-SNP) doesn't work with SMM because of the fact that the hypervisor wants to change the guest register state to enter SMM, which isn't allowed and results in a VMRUN failure. It might be possible to get SMM to work by having separate VMSAs for the SMM state, but it is not anything that really has been investigated too deeply. Thanks, Tom > > -Dov >