Subject: Re: [PATCH RFC v3 05/22] OvmfPkg: reserve Secrets page in MEMFD
From: "Laszlo Ersek"
To: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Erdem Aktas, Eric Dong, Ray Ni, Rahul Kumar, devel@edk2.groups.io
Cc: Ard Biesheuvel
Date: Mon, 7 Jun 2021 14:26:42 +0200
Message-ID: <6c1d0c68-0537-9b58-ada4-ec9deb1a7c9d@redhat.com>
In-Reply-To: <20210526231118.12946-6-brijesh.singh@amd.com>
References: <20210526231118.12946-1-brijesh.singh@amd.com> <20210526231118.12946-6-brijesh.singh@amd.com>

On 05/27/21 01:11, Brijesh Singh wrote:
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>
> When AMD SEV is enabled in the guest VM, a hypervisor needs to insert a
> secrets page.

For pure SEV?

>
> When SEV-SNP is enabled, the secrets page contains the VM platform
> communication keys. The guest BIOS and OS can use this key to communicate
> with the SEV firmware to get an attestation report. See the SEV-SNP firmware
> spec for more details on the content of the secrets page.
>
> When SEV and SEV-ES are enabled, the secrets page contains the information
> provided by the guest owner after the attestation. See the SEV
> LAUNCH_SECRET command for more details.
>
> Cc: James Bottomley
> Cc: Min Xu
> Cc: Jiewen Yao
> Cc: Tom Lendacky
> Cc: Jordan Justen
> Cc: Ard Biesheuvel
> Cc: Laszlo Ersek
> Cc: Erdem Aktas
> Signed-off-by: Brijesh Singh
> ---
>  OvmfPkg/OvmfPkgX64.dsc                 |  2 ++
>  OvmfPkg/OvmfPkgX64.fdf                 |  5 +++++
>  OvmfPkg/AmdSev/SecretPei/SecretPei.inf |  1 +
>  OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 15 ++++++++++++++-
>  4 files changed, 22 insertions(+), 1 deletion(-)

How is all of the above related to the "OvmfPkg/OvmfPkgX64.dsc" platform, where remote attestation is not a goal?

What you describe makes sense to me, but only for the remote-attested "OvmfPkg/AmdSev/AmdSevX64.dsc" platform. (Which already includes SecretPei and SecretDxe, and sets the necessary PCDs.)

Then, even if we limit this patch only to the "OvmfPkg/AmdSev/SecretPei" module, the commit message does not explain sufficiently why the secrets page must be reserved for good.

The "SEV-SNP firmware spec" reference is vague at best; I'm permanently lost between the dozen PDF files I have downloaded locally from the AMD website. Please include a specific document number, revision number, and chapter/section identifier.

Honestly I'm getting a *rushed* vibe on this whole series. Why is that?

Assume that I'm dumb. You won't be far from the truth. Then hold my hand through all this?

Laszlo

>
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index 999738dc39cd..ea08e1fabc65 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -716,6 +716,7 @@ [Components] > OvmfPkg/SmmAccess/SmmAccessPei.inf > !endif > UefiCpuPkg/CpuMpPei/CpuMpPei.inf > + OvmfPkg/AmdSev/SecretPei/SecretPei.inf > > !if $(TPM_ENABLE) == TRUE > OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf > @@ -966,6 +967,7 @@ [Components] > OvmfPkg/PlatformDxe/Platform.inf > OvmfPkg/AmdSevDxe/AmdSevDxe.inf > OvmfPkg/IoMmuDxe/IoMmuDxe.inf > + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > > !if $(SMM_REQUIRE) == TRUE > OvmfPkg/SmmAccess/SmmAccess2Dxe.inf > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf > index d6be798fcadd..9126b8eb5014 100644 > --- a/OvmfPkg/OvmfPkgX64.fdf > +++ b/OvmfPkg/OvmfPkgX64.fdf 
> @@ -88,6 +88,9 @@ [FD.MEMFD] > 0x00C000|0x001000 > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize > > +0x00D000|0x001000 > +gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > + > 0x010000|0x010000 > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize > > @@ -179,6 +182,7 @@ [FV.PEIFV] > INF SecurityPkg/Tcg/TcgPei/TcgPei.inf > INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf > !endif > +INF OvmfPkg/AmdSev/SecretPei/SecretPei.inf > > ################################################################################ > > @@ -314,6 +318,7 @@ [FV.DXEFV] > INF ShellPkg/Application/Shell/Shell.inf > > INF MdeModulePkg/Logo/LogoDxe.inf > +INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > > # > # Network modules > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > index 08be156c4bc0..9265f8adee12 100644 > --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > @@ -26,6 +26,7 @@ [LibraryClasses] > HobLib > PeimEntryPoint > PcdLib > + MemEncryptSevLib > > [FixedPcd] > gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c > index ad491515dd5d..51eb094555aa 100644 > --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c > +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c > @@ -7,6 +7,7 @@ > #include > #include > #include > +#include > > EFI_STATUS > EFIAPI 
> @@ -15,10 +16,22 @@ InitializeSecretPei ( > IN CONST EFI_PEI_SERVICES **PeiServices > ) > { > + UINTN Type; > + > + // > + // The location of the secret page should be marked reserved so that guest OS > + // does not treated as a system RAM. > + // > + if (MemEncryptSevSnpIsEnabled ()) { > + Type = EfiReservedMemoryType; > + } else { > + Type = EfiBootServicesData; > + } > + > BuildMemoryAllocationHob ( > PcdGet32 (PcdSevLaunchSecretBase), > PcdGet32 (PcdSevLaunchSecretSize), > - EfiBootServicesData > + Type > ); > > return EFI_SUCCESS; >
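Review bot: In the two OvmfPkgX64.dsc [Components] hunks, SecretPei.inf and SecretDxe.inf are added unconditionally, with no build-flag guard like the neighbouring `!if $(TPM_ENABLE) == TRUE` and `!if $(SMM_REQUIRE) == TRUE` blocks, so every OvmfPkgX64 build now carries modules whose only purpose is SEV secret handling; the commit message needs to say why the non-attested platform needs them, or the additions belong in the AmdSevX64 platform that already lists both modules.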
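Review bot: The `[FD.MEMFD]` hunk pins the secret page to a fixed one-page region at offset 0x00D000, bound to PcdSevLaunchSecretBase and PcdSevLaunchSecretSize, right after the GHCB backup page; since that guest-physical address is what the host side must target when it injects the page, the commit message should state that the offset is a fixed part of the firmware layout and document why this slot was chosen, so a later MEMFD rearrangement is not made without realising the host-facing address changes with it.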
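Review bot: In the InitializeSecretPei hunk, `Type` is declared `UINTN` but is assigned EFI_MEMORY_TYPE enumerators and passed as the third argument of BuildMemoryAllocationHob, whose parameter is EFI_MEMORY_TYPE; declare it as `EFI_MEMORY_TYPE Type;` to avoid the implicit integer/enum conversion. The new comment has a grammar slip, "does not treated as a system RAM" should read "does not treat it as system RAM". More importantly, the reservation is only applied when MemEncryptSevSnpIsEnabled() returns TRUE, while the commit message says the page also carries guest-owner secrets under SEV and SEV-ES; if leaving those as EfiBootServicesData is intentional (so the OS may reclaim the page once the secret has been consumed), the commit message should say so explicitly, because the two cases now give the secret page different lifetimes.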