From: "Brijesh Singh" <brijesh.singh@amd.com>
Date: Wed, 30 Mar 2022 14:27:18 -0500
Subject: Re: [PATCH 2/2] OvmfPkg/ResetVector: Exclude SEV launch secrets page from pre-validation
To: Dov Murik, Gerd Hoffmann
Cc: brijesh.singh@amd.com, devel@edk2.groups.io, Ard Biesheuvel, Jiewen Yao, Jordan Justen, Erdem Aktas, James Bottomley, Min Xu, Tom Lendacky, Tobin Feldman-Fitzthum
Message-ID: <7ea76edb-fad8-b06e-e715-0868de1f1261@amd.com>
In-Reply-To: <7585badc-63d5-4195-760c-3cc3665795e4@linux.ibm.com>
References: <20220328184530.86797-1-dovmurik@linux.ibm.com> <20220328184530.86797-3-dovmurik@linux.ibm.com> <20220330052029.4fuzbca2364nm7fg@sirius.home.kraxel.org> <7585badc-63d5-4195-760c-3cc3665795e4@linux.ibm.com>
On 3/30/22 01:04, Dov Murik wrote:
>
>
> On 30/03/2022 8:20, Gerd Hoffmann wrote:
>> Hi,
>>
>>> Check if that page is defined; if it is, skip it in the metadata list.
>>> In such case, VMM should fill the page with the hashes content, or
>>> explicitly update it as a zero page (if kernel hashes are not used).
>>
>> Is it an option to just skip the page unconditionally?
>>
>> I think in the OvmfPkgX64 build the page is not used, so it probably
>> doesn't matter whether it is included or not, and it would make things
>> a bit less confusing ...
>>
>
>
> Brijesh,
>
> What would happen if we change this:
>
> %define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE)
>
> to:
>
> %define SNP_SEC_MEM_BASE_DESC_3 (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase))
>
> in OvmfPkg/ResetVector/ResetVector.nasmb ?
>
> It means that the page starting at MEMFD_BASE_ADDRESS+0x00F000 (that is, the page
> that follows the SNP CPUID page) will not be pre-validated by QEMU.
>

Let's look at the OvmfPkgX64.fdf ...

...
0x00E000|0x001000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize

0x010000|0x010000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize

0x020000|0x0E0000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
...

If you change SNP_SEC_MEM_BASE_DESC_3 to start from PcdOvmfPeiMemFvBase then
who will validate the range for PcdOvmfSecPeiTempRamBase - PcdOvmfPeiMemFvBase ?

The SEC phase (Sec/X64/SecEntry.nasm) uses the PcdOvmfSecPeiTempRamBase. If the
memory is not validated prior to use then it will result in #VC
(page-not-validated) and crash the guest BIOS boot.
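An added example, not code from this thread or from edk2/OVMF: it parses the .fdf region lines quoted in the reply and, for each candidate SNP_SEC_MEM_BASE_DESC_3 start discussed above, computes which pages stop being pre-validated and whether any of the SEC temporary RAM would be left unvalidated (the #VC case Brijesh describes). It assumes the descriptor ends at PcdOvmfPeiMemFvBase and that no other descriptor covers that range; all offsets are relative to MEMFD_BASE_ADDRESS.

```python
import re
PAGE = 0x1000

# Constructed input: the OvmfPkgX64.fdf MEMFD lines quoted above (offsets from MEMFD_BASE_ADDRESS).
FDF_SNIPPET = """
0x00E000|0x001000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize

0x010000|0x010000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize

0x020000|0x0E0000
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize
"""
def parse_fdf_regions(text):
    """Map each Pcd stem (e.g. 'PcdOvmfCpuid') to (base, size) from 'offset|size' + 'BasePcd|SizePcd' line pairs."""
    regions = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for addr_line, pcd_line in zip(lines[0::2], lines[1::2]):
        m = re.fullmatch(r"0x([0-9A-Fa-f]+)\|0x([0-9A-Fa-f]+)", addr_line)
        stem = re.search(r"\.(Pcd\w+?)Base\|", pcd_line)
        if not m or not stem:
            raise ValueError(f"unexpected FDF lines: {addr_line!r} / {pcd_line!r}")
        regions[stem.group(1)] = (int(m.group(1), 16), int(m.group(2), 16))
    return regions

def candidates(regions):
    """Descriptor-3 start offset under each definition discussed in the thread."""
    cpuid_base, cpuid_size = regions["PcdOvmfCpuid"]
    return {"CPUID_BASE + CPUID_SIZE (current)": cpuid_base + cpuid_size,
            "PcdOvmfSecPeiTempRamBase (proposed)": regions["PcdOvmfSecPeiTempRam"][0],
            "PcdOvmfPeiMemFvBase (case raised in the reply)": regions["PcdOvmfPeiMemFv"][0]}

def pages_dropped(old_start, new_start):
    """Pages that stop being pre-validated when descriptor 3 starts later."""
    return list(range(old_start, new_start, PAGE))

def unvalidated_sec_temp_ram(regions, start):
    """Temp-RAM pages that descriptor 3 = [start, PcdOvmfPeiMemFvBase) leaves out. Assumptions: the
    descriptor ends at PcdOvmfPeiMemFvBase and nothing else covers this range, so SEC would take #VC there."""
    end = regions["PcdOvmfPeiMemFv"][0]
    base, size = regions["PcdOvmfSecPeiTempRam"]
    return [p for p in range(base, base + size, PAGE) if not start <= p < end]

if __name__ == "__main__":
    regs = parse_fdf_regions(FDF_SNIPPET)
    current = candidates(regs)["CPUID_BASE + CPUID_SIZE (current)"]
    for name, start in candidates(regs).items():
        print(f"{name}: drops {[hex(p) for p in pages_dropped(current, start)]}, "
              f"temp-RAM pages left unvalidated: {len(unvalidated_sec_temp_ram(regs, start))}")
```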