From: "Aithal, Srikanth via groups.io"
To: devel@edk2.groups.io, kraxel@redhat.com
Cc: Konstantin Kostiuk, Oliver Steffen, Jiewen Yao, Ard Biesheuvel, "Lendacky, Thomas"
Date: Tue, 23 Apr 2024 19:14:04 +0530
Subject: Re: [edk2-devel] [PATCH v3 4/5] OvmfPkg/VirtHstiDxe: add code flash check
Message-ID: <601f21e4-752e-4cca-a62c-cf4a414b6e51@amd.com>
In-Reply-To: <1943e036-9a1f-4b11-ab12-e9df3670d264@amd.com>
References: <20240422104729.502112-1-kraxel@redhat.com> <20240422104729.502112-5-kraxel@redhat.com> <1943e036-9a1f-4b11-ab12-e9df3670d264@amd.com>

Correcting.

On 4/23/2024 7:09 PM, Aithal, Srikanth wrote:
Hello,

Today's OVMF/edk2 master branch is breaking AMD SEV-ES guest boot with OvmfX64 package, whereas sev-es guest boots fine with AmdSev package.

Git bisect pointed to below commit as bad, going back to previous commit i.e ddc43e7a SEV-ES guest boots fine with OvmfX64 package:
Git bisect pointed to below commit as bad, going back to previous commit i.e ddc43e7a SEV-ES guest boots fine. With OVMF/edk2 master branch SEV-ES guest boots fine with AmdSev package:

commit 506740982bba199f12e75f6cfda510c30aa4e7c6
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Mon Apr 22 12:47:28 2024 +0200

    OvmfPkg/VirtHstiDxe: add code flash check

    Detects qemu config issue: code pflash is writable.
    Checked for both PC and Q35.

    Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
    Cc: Jiewen Yao <jiewen.yao@intel.com>
    Cc: Konstantin Kostiuk <kkostiuk@redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

QEMU commandline used:

qemu-system-x86_64 \
-machine q35,confidential-guest-support=sev0,vmport=off \
-object sev-guest,id=sev0,cbitpos=51,policy=0x5,reduced-phys-bits=1,kernel-hashes=off \
-name guest=vm,debug-threads=on \
-drive if=pflash,format=raw,unit=0,file=<path to OVMF_X64/OVMF_CODE.fd or OVMF_X64/OVMF.fd>,readonly  \
-cpu EPYC-Milan-v2 \
-m 4096 \
-smp 1,cores=1,threads=1,dies=1,sockets=1 \
-drive file=22.04-serverfull.qcow2,index=0,media=disk,format=qcow2 \
--enable-kvm \
--nographic


Component levels used in test:
qemu: v8.2.2
host_kernel and guest_kernel: v6.8.2
ovmf: current master of https://github.com/tianocore/edk2, Head: 86c8d69

Attaching guest serial log.


Thanks,

Aithal, Srikanth <Srikanth.Aithal@amd.com>

On 4/22/2024 4:17 PM, Gerd Hoffmann via groups.io wrote:
Detects qemu config issue: code pflash is writable.
Checked for both PC and Q35.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Konstantin Kostiuk <kkostiuk@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
---
  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf |  2 ++
  OvmfPkg/VirtHstiDxe/VirtHstiDxe.h   | 13 +++++++++++
  OvmfPkg/VirtHstiDxe/QemuCommon.c    | 36 +++++++++++++++++++++++++++++
  OvmfPkg/VirtHstiDxe/VirtHstiDxe.c   |  4 ++++
  4 files changed, 55 insertions(+)
  create mode 100644 OvmfPkg/VirtHstiDxe/QemuCommon.c

diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
index b6bdd1f22e83..9514933011e8 100644
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
@@ -22,6 +22,7 @@ [Sources]
    VirtHstiDxe.c
    QemuPC.c
    QemuQ35.c
+  QemuCommon.c
    Flash.c
    [Packages]
@@ -48,6 +49,7 @@ [FeaturePcd]
    gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
    [Pcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdBfvBase
    gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashNvStorageVariableBase
    [Depex]
diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
index ceff41c03711..f8bdcfe8f219 100644
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.h
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
    #define VIRT_HSTI_BYTE0_SMM_SMRAM_LOCK         BIT0
  #define VIRT_HSTI_BYTE0_SMM_SECURE_VARS_FLASH  BIT1
+#define VIRT_HSTI_BYTE0_READONLY_CODE_FLASH    BIT2
    typedef struct {
    // ADAPTER_INFO_PLATFORM_SECURITY
@@ -67,6 +68,18 @@ VirtHstiQemuPCVerify (
    VOID
    );
  +/* QemuCommon.c */
+
+VOID
+VirtHstiQemuCommonInit (
+  VIRT_ADAPTER_INFO_PLATFORM_SECURITY  *VirtHsti
+  );
+
+VOID
+VirtHstiQemuCommonVerify (
+  VOID
+  );
+
  /* Flash.c */
    #define QEMU_FIRMWARE_FLASH_UNKNOWN    0
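Review bot: The two prototypes added under /* QemuCommon.c */ have no function header comments. A short comment on each, saying that VirtHstiQemuCommonInit marks VIRT_HSTI_BYTE0_READONLY_CODE_FLASH as supported and that VirtHstiQemuCommonVerify reports the code-flash probe result for the same bit, would document that Init has to run before Verify.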
diff --git a/OvmfPkg/VirtHstiDxe/QemuCommon.c b/OvmfPkg/VirtHstiDxe/QemuCommon.c
new file mode 100644
index 000000000000..4ab3fe2d6e63
--- /dev/null
+++ b/OvmfPkg/VirtHstiDxe/QemuCommon.c
@@ -0,0 +1,36 @@
+/** @file
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+
+#include "VirtHstiDxe.h"
+
+VOID
+VirtHstiQemuCommonInit (
+  VIRT_ADAPTER_INFO_PLATFORM_SECURITY  *VirtHsti
+  )
+{
+  VirtHstiSetSupported (VirtHsti, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
+}
+
+VOID
+VirtHstiQemuCommonVerify (
+  VOID
+  )
+{
+  CHAR16  *ErrorMsg;
+
+  switch (VirtHstiQemuFirmwareFlashCheck (PcdGet32 (PcdBfvBase))) {
+    case QEMU_FIRMWARE_FLASH_WRITABLE:
+      ErrorMsg = L"qemu code pflash is writable";
+      break;
+    default:
+      ErrorMsg = NULL;
+  }
+
+  VirtHstiTestResult (ErrorMsg, 0, VIRT_HSTI_BYTE0_READONLY_CODE_FLASH);
+}
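Review bot: In VirtHstiQemuCommonVerify the default: arm sets ErrorMsg = NULL for every probe result other than QEMU_FIRMWARE_FLASH_WRITABLE, and that includes QEMU_FIRMWARE_FLASH_UNKNOWN (defined as 0 in VirtHstiDxe.h). If a NULL message is what VirtHstiTestResult records as a pass, a probe that could not determine the flash state ends up reported as READONLY_CODE_FLASH verified; an explicit case for the read-only result, with UNKNOWN leaving the bit unset, would avoid that. The file also calls PcdGet32 without including <Library/PcdLib.h> itself, while nothing from the included BaseLib.h and DebugLib.h is used in the lines shown.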
diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
index 74e5e6bd9d4f..b6e53a1219d1 100644
--- a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
@@ -104,9 +104,11 @@ VirtHstiOnReadyToBoot (
    switch (VirtHstiGetHostBridgeDevId ()) {
      case INTEL_82441_DEVICE_ID:
        VirtHstiQemuPCVerify ();
+      VirtHstiQemuCommonVerify ();
        break;
      case INTEL_Q35_MCH_DEVICE_ID:
        VirtHstiQemuQ35Verify ();
+      VirtHstiQemuCommonVerify ();
        break;
      default:
        ASSERT (FALSE);
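Review bot: VirtHstiQemuCommonVerify () is added to both the INTEL_82441_DEVICE_ID and INTEL_Q35_MCH_DEVICE_ID cases without any guard, so the code-flash probe at PcdBfvBase runs from VirtHstiOnReadyToBoot on every guest that reaches this switch. The report earlier in this thread bisects an SEV-ES boot failure with the OvmfX64 build to this commit, so either skip the probe for confidential guests or state in the commit message why the access made by VirtHstiQemuFirmwareFlashCheck is safe there; that function's body is not part of this patch.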
@@ -142,9 +144,11 @@ VirtHstiDxeEntrypoint (
    switch (DevId) {
      case INTEL_82441_DEVICE_ID:
        VirtHsti = VirtHstiQemuPCInit ();
+      VirtHstiQemuCommonInit (VirtHsti);
        break;
      case INTEL_Q35_MCH_DEVICE_ID:
        VirtHsti = VirtHstiQemuQ35Init ();
+      VirtHstiQemuCommonInit (VirtHsti);
        break;
      default:
        DEBUG ((DEBUG_INFO, "%a: unknown platform (0x%x)\n", __func__, DevId));