From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "jejb@linux.ibm.com"
CC: "dovmurik@linux.vnet.ibm.com", "Dov.Murik1@il.ibm.com", "ashish.kalra@amd.com", "brijesh.singh@amd.com", "tobin@ibm.com", "david.kaplan@amd.com", "jon.grimm@amd.com", "thomas.lendacky@amd.com", "frankeh@us.ibm.com", "Dr. David Alan Gilbert", "Laszlo Ersek", "Justen, Jordan L", Ard Biesheuvel, "Yao, Jiewen"
Subject: Re: [edk2-devel] [PATCH v3 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
Date: Wed, 9 Dec 2020 12:02:24 +0000
Message-ID:
References: <20201130202819.3910-1-jejb@linux.ibm.com> <20201130202819.3910-7-jejb@linux.ibm.com>
In-Reply-To: <20201130202819.3910-7-jejb@linux.ibm.com>
Hi James

I am not sure if this solution is only for AMD SEV or it is a generic solution to "pass a secret to grub and let grub decrypt the disk".

If it is only for AMD SEV, please stop reading and ignore my comment below.

If it is designed to be a generic solution to pass a secret to grub and let grub decrypt the disk, I have some thoughts below:

Intel TDX (https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html) has a similar feature: a TDX virtual firmware may do attestation and get a key from a remote key server. We might use the same architecture to pass the secret to grub.

Initially, we define an ACPI 'SVKL' table to pass the secret in intel-tdx-guest-hypervisor-communication-interface (https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface.pdf), section 4.4, storage volume key data. But it is also OK if you want to use a UEFI configuration table.

If we need a common API for both AMD SEV and Intel TDX, then I recommend some enhancements for SevLaunchSecret.h.

1) The file name (SevLaunchSecret.h) should be generic, such as TrustedVmSecret, StorageVolumeKey, etc. It should not include 'SEV'. Otherwise, we have to define a new GUID for 'TDX'.
2) The GUID name (gSevLaunchSecretGuid, SEV_LAUNCH_SECRET_GUID) should be generic. Same reason as above.
3) The data structure name (SEV_LAUNCH_SECRET_LOCATION) should be generic. Same reason as above.
4) The data structure field (SEV_LAUNCH_SECRET_LOCATION.Base) should use UINTN or EFI_PHYSICAL_ADDRESS to support memory locations above 4GB.
5) The internal data structure of the secret is not defined. Is it raw binary? Or an ASCII string password? Or a DER format certificate? Or a PEM format key? At least, we shall describe it in the header file.
6) There might be a chance that a key server needs to input multiple keys to a trusted VM. How do we handle this? Do we expect multiple UEFI configuration tables, each table supporting one key? Or one table to support multiple keys?

Would you please take a look at intel-tdx-guest-hypervisor-communication-interface, section 4.4, storage volume key data. We defined multiple key layouts, key types and key formats. Please let us know if you have any thoughts.

Thank you
Yao Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of James > Bottomley > Sent: Tuesday, December 1, 2020 4:28 AM > To: devel@edk2.groups.io > Cc: dovmurik@linux.vnet.ibm.com; Dov.Murik1@il.ibm.com; > ashish.kalra@amd.com; brijesh.singh@amd.com; tobin@ibm.com; > david.kaplan@amd.com; jon.grimm@amd.com; thomas.lendacky@amd.com; > jejb@linux.ibm.com; frankeh@us.ibm.com; Dr . David Alan Gilbert > ; Laszlo Ersek ; Justen, Jordan = L > ; Ard Biesheuvel > Subject: [edk2-devel] [PATCH v3 6/6] OvmfPkg/AmdSev: Expose the Sev > Secret area using a configuration table >=20 > Now that the secret area is protected by a boot time HOB, extract its > location details into a configuration table referenced by > gSevLaunchSecretGuid so the boot loader or OS can locate it before a > call to ExitBootServices(). >=20 > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3077 > Signed-off-by: James Bottomley > Reviewed-by: Laszlo Ersek > --- > OvmfPkg/OvmfPkg.dec | 1 + > OvmfPkg/AmdSev/AmdSevX64.dsc | 1 + > OvmfPkg/AmdSev/AmdSevX64.fdf | 1 + > OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 37 > ++++++++++++++++++++++++++ > OvmfPkg/Include/Guid/SevLaunchSecret.h | 28 +++++++++++++++++++ > OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 26 ++++++++++++++++++ > 6 files changed, 94 insertions(+) > create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > create mode 100644 OvmfPkg/Include/Guid/SevLaunchSecret.h > create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c >=20 > diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec > index 7d27f8e16040..8a294116efaa 100644 > --- a/OvmfPkg/OvmfPkg.dec > +++ b/OvmfPkg/OvmfPkg.dec 
> @@ -117,6 +117,7 @@ [Guids] > gLinuxEfiInitrdMediaGuid =3D {0x5568e427, 0x68fc, 0x4f3d= , {0xac, > 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}} > gQemuKernelLoaderFsMediaGuid =3D {0x1428f772, 0xb64a, 0x441e= , > {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} > gGrubFileGuid =3D {0xb5ae312c, 0xbc8a, 0x43b1= , {0x9c, 0x62, > 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} > + gSevLaunchSecretGuid =3D {0xadf956ad, 0xe98c, 0x484c= , {0xae, > 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} >=20 > [Ppis] > # PPI whose presence in the PPI database signals that the TPM base > address > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc > b/OvmfPkg/AmdSev/AmdSevX64.dsc > index e9c522bedad9..bb7697eb324b 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc > @@ -778,6 +778,7 @@ [Components] > gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE > } > !endif > + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > OvmfPkg/AmdSev/Grub/Grub.inf > !if $(BUILD_SHELL) =3D=3D TRUE > ShellPkg/Application/Shell/Shell.inf { > diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf > b/OvmfPkg/AmdSev/AmdSevX64.fdf > index b2656a1cf6fc..e8fd4b8c7b89 100644 > --- a/OvmfPkg/AmdSev/AmdSevX64.fdf > +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf > @@ -269,6 +269,7 @@ [FV.DXEFV] > !if $(TOOL_CHAIN_TAG) !=3D "XCODE5" && $(BUILD_SHELL) =3D=3D TRUE > INF > OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellComma > nd.inf > !endif > +INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > INF OvmfPkg/AmdSev/Grub/Grub.inf > !if $(BUILD_SHELL) =3D=3D TRUE > INF ShellPkg/Application/Shell/Shell.inf > diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > new file mode 100644 > index 000000000000..62ab00a3d382 > --- /dev/null > +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf 
> @@ -0,0 +1,37 @@ > +## @file > +# Sev Secret configuration Table installer > +# > +# Copyright (C) 2020 James Bottomley, IBM Corporation. > +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D SecretDxe > + FILE_GUID =3D 6e2b9619-8810-4e9d-a177-d432bb9abe= da > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + ENTRY_POINT =3D InitializeSecretDxe > + > +[Sources] > + SecretDxe.c > + > +[Packages] > + OvmfPkg/OvmfPkg.dec > + MdePkg/MdePkg.dec > + > +[LibraryClasses] > + UefiBootServicesTableLib > + UefiDriverEntryPoint > + > +[Guids] > + gSevLaunchSecretGuid > + > +[FixedPcd] > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > + > +[Depex] > + TRUE > diff --git a/OvmfPkg/Include/Guid/SevLaunchSecret.h > b/OvmfPkg/Include/Guid/SevLaunchSecret.h > new file mode 100644 > index 000000000000..fa5f3830bc2b > --- /dev/null > +++ b/OvmfPkg/Include/Guid/SevLaunchSecret.h > @@ -0,0 +1,28 @@ > + /** @file > + UEFI Configuration Table for exposing the SEV Launch Secret location= to > UEFI > + applications (boot loaders). > + > + Copyright (C) 2020 James Bottomley, IBM Corporation. > + SPDX-License-Identifier: BSD-2-Clause-Patent > + **/ > + > +#ifndef SEV_LAUNCH_SECRET_H_ > +#define SEV_LAUNCH_SECRET_H_ > + > +#include > + > +#define SEV_LAUNCH_SECRET_GUID \ > + { 0xadf956ad, \ > + 0xe98c, \ > + 0x484c, \ > + { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 }, \ > + } > + > +typedef struct { > + UINT32 Base; > + UINT32 Size; > +} SEV_LAUNCH_SECRET_LOCATION; > + > +extern EFI_GUID gSevLaunchSecretGuid; > + > +#endif // SEV_LAUNCH_SECRET_H_ > diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c > b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c > new file mode 100644 > index 000000000000..d8cc9b00946a > --- /dev/null > +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c 
> @@ -0,0 +1,26 @@ > +/** @file > + SEV Secret configuration table constructor > + > + Copyright (C) 2020 James Bottomley, IBM Corporation. > + SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > +#include > +#include > +#include > + > +STATIC SEV_LAUNCH_SECRET_LOCATION mSecretDxeTable =3D { > + FixedPcdGet32 (PcdSevLaunchSecretBase), > + FixedPcdGet32 (PcdSevLaunchSecretSize), > +}; > + > +EFI_STATUS > +EFIAPI > +InitializeSecretDxe( > + IN EFI_HANDLE ImageHandle, > + IN EFI_SYSTEM_TABLE *SystemTable > + ) > +{ > + return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid, > + &mSecretDxeTable > + ); > +} > -- > 2.26.2 >=20 >=20 >=20 >=20 >=20
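Review bot: In the OvmfPkg.dec hunk, the new GUID is named gSevLaunchSecretGuid, so the vendor is baked into the one identifier a boot loader or OS will key its lookup on; if the same table is ever meant to carry a secret for another confidential-VM technology (the reply above raises Intel TDX), a second GUID and a second lookup path become necessary. Consider a vendor-neutral name for the GUID (and the matching header and struct introduced later in the series) before it is consumed outside the firmware.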
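Review bot: In the SevLaunchSecret.h hunk, `UINT32 Base;` cannot describe a secret area placed at or above 4 GiB, yet the struct is the contract consumers parse; `EFI_PHYSICAL_ADDRESS Base;` (with the backing PCD widened to match) is the type a physical location in a configuration table normally carries. The header also documents where the area is but not what it contains (raw bytes, a NUL-terminated passphrase, a key blob, and whether more than one key can be present), so a loader has nothing to validate against; a short format description in the file comment would close that gap. Minor: the header's `/** @file` opens with a leading space and the closing `**/` is indented, unlike the SecretDxe.c header in the same series.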
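Review bot: In the SecretDxe.c hunk, mSecretDxeTable is filled with `FixedPcdGet32 (PcdSevLaunchSecretBase)` into a UINT32 field, so if Base is widened to EFI_PHYSICAL_ADDRESS the PCD type and accessor must change in the same patch or the high bits are dropped silently at build time. Installing a pointer to a module-global is correct for a DXE_DRIVER that stays resident, but a one-line comment that the table must outlive the entry point would stop a later refactor from moving it onto the stack. Style: edk2 code puts a space before the parenthesis, so `InitializeSecretDxe(` should read `InitializeSecretDxe (`, matching the `InstallConfigurationTable (` call below it.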
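The consumer side of the table the commit message describes (a loader walking the configuration tables by GUID before ExitBootServices), as an added example rather than code from the patch or from OVMF: EFI_GUID and EFI_CONFIGURATION_TABLE are re-declared with plain C types so it builds off-target, the GUID value and struct layout are the patch's own, and the sample table array, the unrelated GUID and the function names are constructed here. It also shows concretely why point 4 of the reply matters: a base at or above 4 GiB does not survive the UINT32 field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* UEFI spec shapes, re-declared with plain C types (assumption for an off-target build). */
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct { EFI_GUID VendorGuid; void *VendorTable; } EFI_CONFIGURATION_TABLE;

/* GUID value from the patch's OvmfPkg.dec hunk. */
static const EFI_GUID gSevLaunchSecretGuid =
  { 0xadf956ad, 0xe98c, 0x484c, { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 } };
/* Table layout exactly as the patch's SevLaunchSecret.h declares it. */
typedef struct { uint32_t Base; uint32_t Size; } SEV_LAUNCH_SECRET_LOCATION;
typedef struct { bool Found; uint64_t Base; uint64_t Size; } SECRET_LOOKUP;

/* Reject an empty window or one whose end wraps past the address space. */
static bool SecretRangeOk(uint64_t base, uint64_t size) {
  return size != 0 && base <= UINT64_MAX - size;
}

/* Walk the array the way a loader walks gST->ConfigurationTable, match on the
 * GUID, then validate Base/Size before anything dereferences the window. */
static SECRET_LOOKUP LocateLaunchSecret(const EFI_CONFIGURATION_TABLE *tables, size_t count) {
  SECRET_LOOKUP r = { false, 0, 0 };
  for (size_t i = 0; i < count; i++) {
    if (memcmp(&tables[i].VendorGuid, &gSevLaunchSecretGuid, sizeof(EFI_GUID)) != 0)
      continue;
    const SEV_LAUNCH_SECRET_LOCATION *loc = tables[i].VendorTable;
    if (loc != NULL && SecretRangeOk(loc->Base, loc->Size)) {
      r.Found = true; r.Base = loc->Base; r.Size = loc->Size;
    }
    return r;  /* first match decides; a malformed entry counts as absent */
  }
  return r;
}

/* Point 4 of the review made concrete: a secret area at or above 4 GiB cannot
 * be described by the UINT32 field; the high bits are simply dropped. */
static uint64_t BaseAsStoredByPatch(uint64_t physAddr) {
  SEV_LAUNCH_SECRET_LOCATION loc = { (uint32_t)physAddr, 0x1000 };
  return loc.Base;
}

/* Constructed sample data: one unrelated vendor table (made-up GUID), then the secret table. */
static SEV_LAUNCH_SECRET_LOCATION gSampleLoc = { 0x00C00000, 0x1000 };
static int gUnrelatedTable;
static EFI_CONFIGURATION_TABLE gSampleTables[2] = {
  { { 0x11111111, 0x2222, 0x3333, { 0, 1, 2, 3, 4, 5, 6, 7 } }, &gUnrelatedTable },
  { { 0xadf956ad, 0xe98c, 0x484c, { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 } }, &gSampleLoc },
};
```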