public inbox for devel@edk2.groups.io
From: "Laszlo Ersek" <lersek@redhat.com>
To: James Bottomley <jejb@linux.ibm.com>, devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com,
	ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com,
	david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com,
	frankeh@us.ibm.com,
	"Dr . David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [PATCH v2 4/6] OvmfPkg: create a SEV secret area in the AmdSev memfd
Date: Mon, 23 Nov 2020 23:28:29 +0100
Message-ID: <7590cde3-e186-45cb-dbf5-3e64c7a3cc5e@redhat.com>
In-Reply-To: <20201120184521.19437-5-jejb@linux.ibm.com>

On 11/20/20 19:45, James Bottomley wrote:
> SEV needs an area to place an injected secret where OVMF can find it
> and pass it up as a ConfigurationTable.  This patch implements the
> area itself as an addition to the SEV enhanced reset vector table using
> an additional guid (4c2eb361-7d9b-4cc3-8081-127c90d3d294).
> 
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
> 
> ---
> 
> v2: move guid to OVMF token space, separate patches
> ---
>  OvmfPkg/OvmfPkg.dec                          |  6 ++++++
>  OvmfPkg/ResetVector/ResetVector.inf          |  4 ++++
>  OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 14 ++++++++++++++
>  OvmfPkg/ResetVector/ResetVector.nasmb        |  2 ++
>  4 files changed, 26 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
> index 3fbf7a0ee1a4..7d27f8e16040 100644
> --- a/OvmfPkg/OvmfPkg.dec
> +++ b/OvmfPkg/OvmfPkg.dec
> @@ -304,6 +304,12 @@ [PcdsFixedAtBuild]
>    gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40
>    gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41
>  
> +  ## The base address and size of the SEV Launch Secret Area provisioned
> +  #  after remote attestation.  If this is set in the .fdf, the platform
> +  #  is responsible for protecting the area from DXE phase overwrites.
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43
> +
>  [PcdsDynamic, PcdsDynamicEx]
>    gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
>    gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
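
Review bot: the comment above PcdSevLaunchSecretBase and PcdSevLaunchSecretSize says what happens "if this is set in the .fdf" but not what the 0x0 default means to a consumer. Suggest one more comment line stating that a size of 0 means no launch secret area is provisioned, so that readers of the PCDs and of the reset vector table agree on the unset case. Minor style point: the defaults are written as 0x0 while the neighbouring PcdOvmfSecGhcbBase and PcdOvmfSecGhcbSize entries use 0.
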
> diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf
> index a53ae6c194ae..dc38f68919cd 100644
> --- a/OvmfPkg/ResetVector/ResetVector.inf
> +++ b/OvmfPkg/ResetVector/ResetVector.inf
> @@ -43,3 +43,7 @@ [Pcd]
>    gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
>    gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
>    gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
> +
> +[FixedPcd]
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
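
Review bot: the two new PCDs open a separate [FixedPcd] section while the existing entries in this file sit under [Pcd], and nothing in the file says why. Since ResetVector.nasmb reads them with FixedPcdGet32, the stricter section looks intentional; a one-line comment above [FixedPcd] saying so would keep a later cleanup from folding them back into [Pcd].
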
> diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
> index baf9d09f3625..8d6600f17310 100644
> --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
> +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
> @@ -47,6 +47,20 @@ TIMES (32 - ((guidedStructureEnd - guidedStructureStart) % 32)) DB 0
>  ;
>  guidedStructureStart:
>  
> +;
> +; SEV Secret block Guid: 4c2eb361-7d9b-4cc3-8081-127c90d3d294
> +;
> +; This describes the guest ram area where the hypervisor may have
> +; injected the secret

(1) I suggest s/may have injected/should inject/, as this structure gets
built into the uncompressed part of the pflash, and its intended
consumer is the hypervisor.

If you'd like to stick with the wording as posted, that's fine too, however.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Thanks
Laszlo


> +;
> +sevSecretBlockStart:
> +    DD      SEV_LAUNCH_SECRET_BASE
> +    DD      SEV_LAUNCH_SECRET_SIZE
> +    DW      sevSecretBlockEnd - sevSecretBlockStart
> +    DB      0x61, 0xB3, 0x2E, 0x4C, 0x9B, 0x7D, 0xC3, 0x4C
> +    DB      0x80, 0x81, 0x12, 0x7C, 0x90, 0xD3, 0xD2, 0x94
> +sevSecretBlockEnd:
> +
>  ;
>  ; SEV-ES Processor Reset support
>  ;
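
Review bot: the sevSecretBlockStart entry is emitted unconditionally right after guidedStructureStart, so a build that leaves PcdSevLaunchSecretBase and PcdSevLaunchSecretSize at the 0x0 default from OvmfPkg.dec still advertises the GUID with a base of 0 and a size of 0. Suggest either emitting the entry only when SEV_LAUNCH_SECRET_SIZE is non-zero, or stating in the comment block that the consumer must treat a zero size as "no secret area". The comment could also spell out the entry layout (base DD, size DD, length DW covering the whole entry, then the GUID), since the GUID sits at the end of the entry rather than the start and the DW is computed as sevSecretBlockEnd - sevSecretBlockStart.
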
> diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
> index 4913b379a993..c5e0fe93abf4 100644
> --- a/OvmfPkg/ResetVector/ResetVector.nasmb
> +++ b/OvmfPkg/ResetVector/ResetVector.nasmb
> @@ -83,5 +83,7 @@
>  %include "Main.asm"
>  
>    %define SEV_ES_AP_RESET_IP  FixedPcdGet32 (PcdSevEsWorkAreaBase)
> +  %define SEV_LAUNCH_SECRET_BASE  FixedPcdGet32 (PcdSevLaunchSecretBase)
> +  %define SEV_LAUNCH_SECRET_SIZE  FixedPcdGet32 (PcdSevLaunchSecretSize)
>  %include "Ia16/ResetVectorVtf0.asm"
>  
> 

