Subject: Re: [edk2-devel] [PATCH 3/4] OvmfPkg: create a SEV secret area in the AmdSev memfd
To: devel@edk2.groups.io, lersek@redhat.com, jejb@linux.ibm.com
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert"
References: <20201112001316.11341-1-jejb@linux.ibm.com> <20201112001316.11341-4-jejb@linux.ibm.com> <6db69ccd-340f-2df2-718b-5f7db09da0b8@redhat.com>
From: "Lendacky, Thomas"
Message-ID: <76c21922-aaa5-4ae2-b4b9-055f0720d4ef@amd.com>
Date: Wed, 18 Nov 2020 14:39:49 -0600
In-Reply-To: <6db69ccd-340f-2df2-718b-5f7db09da0b8@redhat.com>

On 11/16/20 4:46
PM, Laszlo Ersek via groups.io wrote:
> On 11/12/20 01:13, James Bottomley wrote:
>> SEV needs an area to place an injected secret where OVMF can find it
>> and pass it up as a ConfigurationTable. This patch implements the
>> area itself as an addition to the SEV enhanced reset vector. The
>> reset vector scheme allows additions but not removals. If the size of
>> the reset vector is 22, it only contains the AP reset IP, but if it is
>> 30 (or greater) it contains the SEV secret page location and size.
>>
>> Signed-off-by: James Bottomley
>> ---
>> OvmfPkg/OvmfPkg.dec | 5 +++++
>> OvmfPkg/AmdSev/AmdSevX64.fdf | 3 +++
>> OvmfPkg/ResetVector/ResetVector.inf | 4 ++++
>> OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 4 ++++
>> OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++
>> 5 files changed, 18 insertions(+)
>> ...
>> ;
>> ; SEV-ES Processor Reset support
>> ;
>> ; sevEsResetBlock:
>> ; For the initial boot of an AP under SEV-ES, the "reset" RIP must be
>> ; programmed to the RAM area defined by SEV_ES_AP_RESET_IP. A known offset
>> ; and GUID will be used to locate this block in the firmware and extract
>> ; the build time RIP value. The GUID must always be 48 bytes from the
>> ; end of the firmware.
>> ;
>> ; 0xffffffca (-0x36) - IP value
>> ; 0xffffffcc (-0x34) - CS segment base [31:16]
>> ; 0xffffffce (-0x32) - Size of the SEV-ES reset block
>> ; 0xffffffd0 (-0x30) - SEV-ES reset block GUID
>> ; (00f771de-1a7e-4fcb-890e-68c77e2fb44e)
>> ;
>> ; A hypervisor reads the CS segement base and IP value. The CS segment base
>> ; value represents the high order 16-bits of the CS segment base, so the
>> ; hypervisor must left shift the value of the CS segement base by 16 bits to
>> ; form the full CS segment base for the CS segment register. It would then
>> ; program the EIP register with the IP value as read.
>> ;
>>
>> TIMES (32 - (sevEsResetBlockEnd - sevEsResetBlockStart)) DB 0
>>
>> sevEsResetBlockStart:
>>     DD SEV_ES_AP_RESET_IP
>>     DW sevEsResetBlockEnd - sevEsResetBlockStart
>>     DB 0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F
>>     DB 0x89, 0x0E, 0x68, 0xC7, 0x7E, 0x2F, 0xB4, 0x4E
>> sevEsResetBlockEnd:
>
> I'm not exactly sure why we added the padding (TIMES ... DB 0) in edk2
> commit 30937f2f98c4 ("OvmfPkg: Use the SEV-ES work area for the SEV-ES
> AP reset vector", 2020-08-17). I can imagine it was *already* for the
> same purpose -- to deterministically terminate the above-described
> backwards-traversal of the GUID-ed structures (and at the same time
> remain aligned to 32 bytes, regarding the cumulative size of all
> provided structures).

The padding is required to "push" the GUID into the proper location at
exactly 48 bytes from the end of the file. Without the padding, the GUID
doesn't line up correctly and can't be located.

Thanks,
Tom

>
> So, in that vein, I'd propose something like this (relative to master @
> d448574e7310):
>
>> diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm >> index 980e0138e7fe..957356ff997e 100644 >> --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm >> +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm 
>> @@ -16,55 +16,83 @@ ALIGN 16 >> ; Pad the image size to 4k when page tables are in VTF0 >> ; >> ; If the VTF0 image has page tables built in, then we need to make >> ; sure the end of VTF0 is 4k above where the page tables end. >> ; >> ; This is required so the page tables will be 4k aligned when VTF0 is >> ; located just below 0x100000000 (4GB) in the firmware device. >> ; >> %ifdef ALIGN_TOP_TO_4K_FOR_PAGING >> TIMES (0x1000 - ($ - EndOfPageTables) - 0x20) DB 0 >> %endif >> >> +; >> +; pre-pad the sequence of GUIDed structures to a multiple of 32 bytes >> +; >> +TIMES (31 - (guidedStructuresEnd - guidedStructuresStart + 31) % 32) DB 0 >> + >> +guidedStructuresStart: >> +; >> +; Zero GUID to terminate decreasing address order traversal. >> +; >> +TIMES 16 DB 0 >> + >> +; >> +; Expose the location of the SEV Launch Secret area to the hypervisor >> +; (necessary when using the remote attestation firmware platform). >> +; >> +; sevLaunchSecretDescriptor: >> +; This GUIDed structure is chained in decreasing address order from >> +; sevEsResetBlock. It describes the guest RAM area where the hypervisor has >> +; to securely inject the SEV Launch Secret. The GUID is >> +; 78C93F1E-ADBC-4259-B92B-CE81E523FBC4. >> +; >> +sevLaunchSecretDescriptorStart: >> + DD SEV_LAUNCH_SECRET_BASE >> + DD SEV_LAUNCH_SECRET_SIZE >> + DW sevLaunchSecretDescriptorEnd - sevLaunchSecretDescriptorStart >> + DB 0x1E, 0x3F, 0xC9, 0x78, 0xBC, 0xAD, 0x59, 0x42 >> + DB 0xB9, 0x2B, 0xCE, 0x81, 0xE5, 0x23, 0xFB, 0xC4 >> +sevLaunchSecretDescriptorEnd: >> + >> ; >> ; SEV-ES Processor Reset support >> ; >> ; sevEsResetBlock: >> ; For the initial boot of an AP under SEV-ES, the "reset" RIP must be >> ; programmed to the RAM area defined by SEV_ES_AP_RESET_IP. A known offset >> ; and GUID will be used to locate this block in the firmware and extract >> ; the build time RIP value. The GUID must always be 48 bytes from the >> ; end of the firmware. 
>> ; >> ; 0xffffffca (-0x36) - IP value >> ; 0xffffffcc (-0x34) - CS segment base [31:16] >> ; 0xffffffce (-0x32) - Size of the SEV-ES reset block >> ; 0xffffffd0 (-0x30) - SEV-ES reset block GUID >> ; (00f771de-1a7e-4fcb-890e-68c77e2fb44e) >> ; >> ; A hypervisor reads the CS segement base and IP value. The CS segment base >> ; value represents the high order 16-bits of the CS segment base, so the >> ; hypervisor must left shift the value of the CS segement base by 16 bits to >> ; form the full CS segment base for the CS segment register. It would then >> ; program the EIP register with the IP value as read. >> ; >> >> -TIMES (32 - (sevEsResetBlockEnd - sevEsResetBlockStart)) DB 0 >> - >> sevEsResetBlockStart: >> DD SEV_ES_AP_RESET_IP >> DW sevEsResetBlockEnd - sevEsResetBlockStart >> DB 0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F >> DB 0x89, 0x0E, 0x68, 0xC7, 0x7E, 0x2F, 0xB4, 0x4E >> sevEsResetBlockEnd: >> +guidedStructuresEnd: >> >> ALIGN 16 >> >> applicationProcessorEntryPoint: >> ; >> ; Application Processors entry point >> ; >> ; GenFv generates code aligned on a 4k boundary which will jump to this >> ; location. (0xffffffe0) This allows the Local APIC Startup IPI to be >> ; used to wake up the application processors. >> ; >> jmp EarlyApInitReal16 > > Back to your patch: > > On 11/12/20 01:13, James Bottomley wrote: >> diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb >> index 4913b379a9..c5e0fe93ab 100644 >> --- a/OvmfPkg/ResetVector/ResetVector.nasmb >> +++ b/OvmfPkg/ResetVector/ResetVector.nasmb >> @@ -83,5 +83,7 @@ >> %include "Main.asm" >> >> %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase) >> + %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase) >> + %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize) >> %include "Ia16/ResetVectorVtf0.asm" >> >> > > OK. > > Thanks, > Laszlo > > > > > >
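
Review bot: in the ResetVectorVtf0.asm hunk, the zero GUID emitted by `TIMES 16 DB 0` at guidedStructuresStart has no size word below it, unlike the two structures chained above it, so the comment should state that a consumer must compare the GUID with zero before it reads the 16-bit size. With the sizes in this hunk (16 + 26 + 22 = 64 bytes) the pre-pad expression evaluates to 0, which means the two bytes below the terminator are whatever precedes guidedStructuresStart rather than padding. The sevLaunchSecretDescriptor comment would also benefit from the same offset table that sevEsResetBlock carries (base, size, structure size, GUID).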
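
Review bot: the two `%define` lines for SEV_LAUNCH_SECRET_BASE and SEV_LAUNCH_SECRET_SIZE in the ResetVector.nasmb hunk are unconditional, while the diffstat lists AmdSevX64.fdf as the only platform file that changes. If other builds assemble this same file, they would publish whatever default the two PCDs get from OvmfPkg.dec. Consider emitting the descriptor only when PcdSevLaunchSecretSize is non-zero, or say in the comment that a zero base and size means no secret area exists so that the reader of the table can reject it.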
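
The backwards traversal discussed in this thread, as an added example (not code from edk2 or from anyone on the thread): a Python reader for the layout in Laszlo's proposed diff, run on a constructed image tail. The function names and the two base addresses are assumptions made for illustration.

```python
import struct
import uuid

SEV_ES_RESET_GUID = uuid.UUID("00f771de-1a7e-4fcb-890e-68c77e2fb44e")
SEV_SECRET_GUID = uuid.UUID("78c93f1e-adbc-4259-b92b-ce81e523fbc4")
TAIL = 0x20    # bytes after the first GUID: AP entry point and reset vector
FOOTER = 18    # every structure ends with a 2-byte size and a 16-byte GUID


def walk_guided_structures(image: bytes) -> dict:
    """Follow the chain downwards, starting 48 bytes from the end of the image."""
    end = len(image) - TAIL                      # one past the first GUID
    if end < FOOTER or image[end - 16:end] != SEV_ES_RESET_GUID.bytes_le:
        raise ValueError("SEV-ES reset block GUID is not 48 bytes from the end")
    found = {}
    while end >= 16:
        guid = uuid.UUID(bytes_le=image[end - 16:end])
        if guid.int == 0:                        # check the GUID before the size
            return found
        if end < FOOTER:
            break
        (size,) = struct.unpack_from("<H", image, end - FOOTER)
        if size < FOOTER or size > end:          # untrusted length: bound it
            raise ValueError(f"bad size {size} for {guid}")
        found[guid] = image[end - size:end - FOOTER]
        end -= size
    raise ValueError("chain is not terminated by a zero GUID")


def build_image(with_secret: bool = True, prepad: bool = True) -> bytes:
    """Constructed sample image; the addresses are made-up values."""
    body = bytes(16)                             # zero GUID terminator
    if with_secret:
        body += struct.pack("<IIH", 0x0080C000, 0x1000, 26) + SEV_SECRET_GUID.bytes_le
    body += struct.pack("<IH", 0x0080B000, 22) + SEV_ES_RESET_GUID.bytes_le
    pad = bytes(31 - (len(body) + 31) % 32) if prepad else b""
    image = b"\x90" * 64 + pad + body
    image += b"\x90" * (-len(image) % 16)        # the ALIGN 16 after the block
    return image + b"\x90" * TAIL


if __name__ == "__main__":
    for guid, payload in walk_guided_structures(build_image()).items():
        print(guid, payload.hex())
```

Calling `build_image(with_secret=False, prepad=False)` reproduces the case Tom describes: the `ALIGN 16` fill lands between the GUID and the last 32 bytes, and the lookup at 48 bytes from the end fails.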