From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web09.7333.1606985205376384815 for ; Thu, 03 Dec 2020 00:46:45 -0800
Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Ag1g/x8p; spf=pass (domain: redhat.com, ip: 216.205.24.124, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1606985204; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=dP7oKEgjli0gUxbIg4tX2hM19M4BkJ7NF32nPOA65l4=; b=Ag1g/x8pPRAgM48mdTkUJPPDOw1/3BtCVVxPSIL8lqFJjXp0qu22SkmpE8SMt+udpGSPEt qigEfiaLkVXVDpEFMP2SBkq3DP/3qnbOhl7dVCWX57hRLaG8zQCdL1AL22XhomuI0kio3h E69KD2fvSib1eTH1hqjUE3i23cWiFgg=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-59-wu7qvxgPO02aChDrhwwhBQ-1; Thu, 03 Dec 2020 03:46:40 -0500
X-MC-Unique: wu7qvxgPO02aChDrhwwhBQ-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5BFC3185E495; Thu, 3 Dec 2020 08:46:38 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-113-182.ams2.redhat.com [10.36.113.182]) by smtp.corp.redhat.com (Postfix) with ESMTP id 545621000320; Thu, 3 Dec 2020 08:46:35 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH v3 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
To: devel@edk2.groups.io, jejb@linux.ibm.com
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com,
 david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, frankeh@us.ibm.com, "Dr . David Alan Gilbert" , Jordan Justen , Ard Biesheuvel
References: <20201130202819.3910-1-jejb@linux.ibm.com> <20201130202819.3910-7-jejb@linux.ibm.com>
From: "Laszlo Ersek"
Message-ID: <936abed5-06d2-f29e-6cb0-d8e27d3704a4@redhat.com>
Date: Thu, 3 Dec 2020 09:46:34 +0100
MIME-Version: 1.0
In-Reply-To: <20201130202819.3910-7-jejb@linux.ibm.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lersek@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 11/30/20 21:28, James Bottomley wrote:
> Now that the secret area is protected by a boot time HOB, extract its
> location details into a configuration table referenced by
> gSevLaunchSecretGuid so the boot loader or OS can locate it before a
> call to ExitBootServices().
>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
> Signed-off-by: James Bottomley
> Reviewed-by: Laszlo Ersek
> ---
> OvmfPkg/OvmfPkg.dec | 1 +
> OvmfPkg/AmdSev/AmdSevX64.dsc | 1 +
> OvmfPkg/AmdSev/AmdSevX64.fdf | 1 +
> OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 37 ++++++++++++++++++++++++++
> OvmfPkg/Include/Guid/SevLaunchSecret.h | 28 +++++++++++++++++++
> OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 26 ++++++++++++++++++
> 6 files changed, 94 insertions(+)
> create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
> create mode 100644 OvmfPkg/Include/Guid/SevLaunchSecret.h
> create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
>
> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
> index 7d27f8e16040..8a294116efaa 100644
> --- a/OvmfPkg/OvmfPkg.dec
> +++ b/OvmfPkg/OvmfPkg.dec
> @@ -117,6 +117,7 @@ [Guids] > gLinuxEfiInitrdMediaGuid = {0x5568e427, 0x68fc, 0x4f3d, {0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}} > gQemuKernelLoaderFsMediaGuid = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} > gGrubFileGuid = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} > + gSevLaunchSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} > > [Ppis] > # PPI whose presence in the PPI database signals that the TPM base address > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc > index e9c522bedad9..bb7697eb324b 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -778,6 +778,7 @@ [Components] > gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE > } > !endif > + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > OvmfPkg/AmdSev/Grub/Grub.inf > !if $(BUILD_SHELL) == TRUE > ShellPkg/Application/Shell/Shell.inf { > diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf > index b2656a1cf6fc..e8fd4b8c7b89 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.fdf > +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf > @@ -269,6 +269,7 @@ [FV.DXEFV] > !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE > INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf > !endif > +INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > INF OvmfPkg/AmdSev/Grub/Grub.inf > !if $(BUILD_SHELL) == TRUE > INF ShellPkg/Application/Shell/Shell.inf > diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > new file mode 100644 > index 000000000000..62ab00a3d382 > --- /dev/null > +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf 
> @@ -0,0 +1,37 @@ > +## @file > +# Sev Secret configuration Table installer > +# > +# Copyright (C) 2020 James Bottomley, IBM Corporation. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = SecretDxe > + FILE_GUID = 6e2b9619-8810-4e9d-a177-d432bb9abeda > + MODULE_TYPE = DXE_DRIVER > + VERSION_STRING = 1.0 > + ENTRY_POINT = InitializeSecretDxe > + > +[Sources] > + SecretDxe.c > + > +[Packages] > + OvmfPkg/OvmfPkg.dec > + MdePkg/MdePkg.dec > + > +[LibraryClasses] > + UefiBootServicesTableLib > + UefiDriverEntryPoint > + > +[Guids] > + gSevLaunchSecretGuid > + > +[FixedPcd] > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > + > +[Depex] > + TRUE > diff --git a/OvmfPkg/Include/Guid/SevLaunchSecret.h b/OvmfPkg/Include/Guid/SevLaunchSecret.h > new file mode 100644 > index 000000000000..fa5f3830bc2b > --- /dev/null > +++ b/OvmfPkg/Include/Guid/SevLaunchSecret.h > @@ -0,0 +1,28 @@ > + /** @file > + UEFI Configuration Table for exposing the SEV Launch Secret location to UEFI > + applications (boot loaders). > + > + Copyright (C) 2020 James Bottomley, IBM Corporation. > + SPDX-License-Identifier: BSD-2-Clause-Patent > + **/ > + > +#ifndef SEV_LAUNCH_SECRET_H_ > +#define SEV_LAUNCH_SECRET_H_ > + > +#include > + > +#define SEV_LAUNCH_SECRET_GUID \ > + { 0xadf956ad, \ > + 0xe98c, \ > + 0x484c, \ > + { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 }, \ > + } > + > +typedef struct { > + UINT32 Base; > + UINT32 Size; > +} SEV_LAUNCH_SECRET_LOCATION; > + > +extern EFI_GUID gSevLaunchSecretGuid; > + > +#endif // SEV_LAUNCH_SECRET_H_ > diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c > new file mode 100644 > index 000000000000..d8cc9b00946a > --- /dev/null > +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c 
> @@ -0,0 +1,26 @@ > +/** @file > + SEV Secret configuration table constructor > + > + Copyright (C) 2020 James Bottomley, IBM Corporation. > + SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > +#include > +#include > +#include > + > +STATIC SEV_LAUNCH_SECRET_LOCATION mSecretDxeTable = { > + FixedPcdGet32 (PcdSevLaunchSecretBase), > + FixedPcdGet32 (PcdSevLaunchSecretSize), > +}; > + > +EFI_STATUS > +EFIAPI > +InitializeSecretDxe( > + IN EFI_HANDLE ImageHandle, > + IN EFI_SYSTEM_TABLE *SystemTable > + ) > +{ > + return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid, > + &mSecretDxeTable > + ); > +} >

(1) The indentation is still not correct; it should be

  return gBS->InstallConfigurationTable (
                &gSevLaunchSecretGuid,
                &mSecretDxeTable
                );

note that the args are indented two spaces relative to the function pointer field called "InstallConfigurationTable".

But, this can be fixed up at merge.

Now, please let me fetch my email; I'll go through any new comments I may not have seen yet, and then I'll merge this.

Thanks!
Laszlo
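Review bot: in the new OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf, the [FixedPcd] section consumes gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase and PcdSevLaunchSecretSize, but the OvmfPkg.dec hunk of this patch only adds gSevLaunchSecretGuid, so the build relies on those two PCDs already being declared by an earlier patch of the series; the commit message should say which one, since the INF cannot be built on its own. Minor: the INF header reads "Sev Secret configuration Table installer" while SecretDxe.c says "SEV Secret configuration table constructor"; pick one spelling ("SEV") and one description and use it in both files.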
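Review bot: SEV_LAUNCH_SECRET_LOCATION in the new OvmfPkg/Include/Guid/SevLaunchSecret.h documents neither field, so a boot loader author cannot tell from the header that Base is a physical address that fits in 32 bits only because it is sourced from a 32-bit fixed PCD, that Size is a byte count, or that (per the commit message) the table is meant to be consumed before ExitBootServices(). Suggest commenting the fields, e.g.
  UINT32 Base;  // physical address of the launch secret area
  UINT32 Size;  // size of the area in bytes
and adding the ExitBootServices() caveat to the file's doc comment. Style: the file header comment in this hunk is indented by one space (" /** @file" ... " **/") whereas SecretDxe.c puts it at column 0; make the two consistent.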
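Review bot: in the new OvmfPkg/AmdSev/SecretDxe/SecretDxe.c, mSecretDxeTable is a STATIC global inside a DXE_DRIVER image, so the memory that InstallConfigurationTable () points the table at is boot-services memory that the OS may reclaim after ExitBootServices(); that is consistent with the commit message's "before a call to ExitBootServices()", but neither the code nor the header states that lifetime. Either document it, or, if an OS-side reader after ExitBootServices() is intended, allocate the structure from EfiRuntimeServicesData (or EfiACPIMemoryNVS) instead of placing it in image data. Style, beyond the argument indentation already raised above: edk2 puts a space before the parameter list, i.e. "InitializeSecretDxe (" rather than "InitializeSecretDxe(".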
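As an added example, not part of this patch or of edk2, here is the consumer side that the commit message describes: a boot loader or UEFI application locating the secret area through the configuration table SecretDxe installs. The EFI_GUID and EFI_CONFIGURATION_TABLE definitions are minimal stand-ins for the types in <Uefi.h>, mSampleTables and mSampleSecret are constructed stand-ins for gST->ConfigurationTable and for the values SecretDxe would publish, and the Base/Size sanity check is this example's own addition; in real firmware code you would walk gST->ConfigurationTable with CompareGuid () instead.

```c
/*
 * Added example, not part of the patch or of edk2: locating the SEV launch
 * secret area through the configuration table SecretDxe installs.
 * EFI_GUID / EFI_CONFIGURATION_TABLE below are minimal stand-ins for the
 * types in <Uefi.h>; mSampleTables stands in for gST->ConfigurationTable.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
  uint32_t Data1;
  uint16_t Data2;
  uint16_t Data3;
  uint8_t  Data4[8];
} EFI_GUID;

typedef struct {
  EFI_GUID VendorGuid;
  void     *VendorTable;
} EFI_CONFIGURATION_TABLE;

/* Same layout as SEV_LAUNCH_SECRET_LOCATION in the patch's SevLaunchSecret.h. */
typedef struct {
  uint32_t Base;   /* physical address of the secret area */
  uint32_t Size;   /* size of the area in bytes */
} SEV_LAUNCH_SECRET_LOCATION;

/* Same value as gSevLaunchSecretGuid in the patch's OvmfPkg.dec. */
static const EFI_GUID gSevLaunchSecretGuid = {
  0xadf956ad, 0xe98c, 0x484c, { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 }
};

/* Byte-wise GUID comparison, as edk2's CompareGuid () does. */
static int GuidEqual (const EFI_GUID *A, const EFI_GUID *B)
{
  return memcmp (A, B, sizeof (EFI_GUID)) == 0;
}

/*
 * Walk the configuration table the way a UEFI application walks
 * gST->ConfigurationTable[0 .. NumberOfTableEntries). Returns the installed
 * SEV_LAUNCH_SECRET_LOCATION, or NULL when no SecretDxe table is present.
 */
const SEV_LAUNCH_SECRET_LOCATION *
FindSevLaunchSecret (const EFI_CONFIGURATION_TABLE *Tables, size_t Count)
{
  for (size_t Index = 0; Index < Count; Index++) {
    if (GuidEqual (&Tables[Index].VendorGuid, &gSevLaunchSecretGuid)) {
      return (const SEV_LAUNCH_SECRET_LOCATION *)Tables[Index].VendorTable;
    }
  }
  return NULL;
}

/*
 * Checks a consumer should apply before touching the area (this example's
 * own addition): a zero Base or Size means no secret was injected, and
 * Base + Size must stay within the 32-bit space the fields describe.
 * Returns 1 when the location is usable, 0 otherwise.
 */
int SevSecretLocationValid (const SEV_LAUNCH_SECRET_LOCATION *Loc)
{
  if (Loc == NULL || Loc->Base == 0 || Loc->Size == 0) {
    return 0;
  }
  /* 64-bit arithmetic so the overflow check itself cannot wrap. */
  return ((uint64_t)Loc->Base + Loc->Size) <= 0x100000000ULL;
}

/* Constructed sample (arbitrary values): an unrelated entry, then SecretDxe's. */
static const SEV_LAUNCH_SECRET_LOCATION mSampleSecret = { 0x00808000, 0x1000 };
static const EFI_CONFIGURATION_TABLE mSampleTables[] = {
  { { 0x00000000, 0x0000, 0x0000, { 0, 0, 0, 0, 0, 0, 0, 0 } }, NULL },
  { { 0xadf956ad, 0xe98c, 0x484c, { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 } },
    (void *)&mSampleSecret },
};
#define SAMPLE_TABLE_COUNT (sizeof (mSampleTables) / sizeof (mSampleTables[0]))

int main (void)
{
  const SEV_LAUNCH_SECRET_LOCATION *Loc;

  Loc = FindSevLaunchSecret (mSampleTables, SAMPLE_TABLE_COUNT);
  if (!SevSecretLocationValid (Loc)) {
    puts ("no usable SEV launch secret area");
    return 1;
  }
  printf ("SEV launch secret area: base 0x%08x, size 0x%x bytes\n",
          Loc->Base, Loc->Size);
  return 0;
}
```

The lookup is by GUID value only, which is why the literal in the .dec file and the SEV_LAUNCH_SECRET_GUID macro in the header must stay identical; the validity check exists because a consumer that trusts Base and Size blindly would compute an end address past 4 GiB for a hostile or corrupted table entry.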