From: "Erdem Aktas"
Date: Sat, 31 Jul 2021 01:44:56 -0700
Subject: Re: [RFC PATCH v5 07/28] OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
To: Brijesh Singh
Cc: devel@edk2.groups.io, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek, Eric Dong, Ray Ni, Rahul Kumar, Michael D Kinney, Liming Gao, Zhiguang Liu, Michael Roth
References: <20210630125321.30278-1-brijesh.singh@amd.com> <20210630125321.30278-8-brijesh.singh@amd.com>
In-Reply-To: <20210630125321.30278-8-brijesh.singh@amd.com>

On Wed, Jun 30, 2021 at 5:54 AM Brijesh Singh wrote:
>
> a) Enhance the OVMF reset vector code to validate the pages as described
> above (go through step 2 - 3).
> OR
> b) Validate the pages during the guest creation time. The SEV firmware
> provides a command which can be used by the VMM to validate the pages
> without affecting the measurement of the launch.

Are you referring to the PAGE_TYPE_UNMEASURED? Does it not affect the
measurement? PAGE_INFO will still be measured, right?

> Approach #b seems much simpler; it does not require any changes to the
> OVMF reset vector code.

I am worried about verifying the measurement. I understand the secret page
and cpuid page being part of the measurement because both of them are
mentioned in the AMD SNP SPEC, but now we are introducing new parameters
(all the 4KB page addresses between SNP_HV_VALIDATED_START and
SNP_HV_VALIDATED_END) that the VM owner needs to know to calculate the
measurement and verify the attestation.

Sorry if I am overthinking or missing something here.

-Erdem