From: "Yao, Jiewen"
To: "Xu, Min M", devel@edk2.groups.io
Cc: Leif Lindholm, Ard Biesheuvel, "Chang, Abner", "Schaefer, Daniel", "Aktas, Erdem", James Bottomley, Tom Lendacky, Gerd Hoffmann
Subject: Re: [PATCH V5 0/8] Enable secure-boot when launch OVMF with -bios parameter
Date: Tue, 6 Sep 2022 07:22:20 +0000

Reviewed-by: Jiewen Yao

Merged https://github.com/tianocore/edk2/pull/3292

> -----Original Message-----
> From: Xu, Min M
> Sent: Tuesday, September 6, 2022 12:36 PM
> To: devel@edk2.groups.io
> Cc: Xu, Min M; Leif Lindholm; Ard Biesheuvel; Chang, Abner; Schaefer, Daniel; Aktas, Erdem; James Bottomley; Yao, Jiewen; Tom Lendacky; Gerd Hoffmann
> Subject: [PATCH V5 0/8] Enable secure-boot when launch OVMF with -bios parameter
>
> Secure-Boot related variables include the PK/KEK/DB/DBX and they are
> stored in NvVarStore (OVMF_VARS.fd). When launching with -pflash,
> QEMU/OVMF will use emulated flash, and fully support UEFI variables.
> But when launching with -bios parameter, UEFI variables will be partially
> emulated, and non-volatile variables may lose their contents after a
> reboot. See OvmfPkg/README.
>
> Tdx guest is an example where -pflash is not supported. So this patch-set
> is designed to initialize the NvVarStore with the content of
> OVMF_VARS.fd.
>
> patch 1:
> Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
> This function will be used in PeilessStartupLib which will run
> in SEC phase.
>
> patch 2:
> Delete the TdxValidateCfv in PeilessStartupLib. Because it is going to
> be renamed to PlatformValidateNvVarStore and be moved to
> PlatformInitLib.
>
> patch 3 - 7:
> Then we add functions for EmuVariableNvStore in PlatformInitLib. This
> lib will then be called in OvmfPkg/PlatformPei and PeilessStartupLib.
> We also shortcut ConnectNvVarsToFileSystem in secure-boot.
>
> patch 8:
> At last a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced in
> the dsc in OvmfPkg. Because the copy over of OVMF_VARS.fd to
> EmuVariableNvStore is only required when secure-boot is enabled.
>
> Code: https://github.com/mxu9/edk2/tree/secure-boot.v5
>
> v5 changes:
> - Set InternalAllocatePages to STATIC function according to the review
>   comment.
> - Rebase the code to commit c05a218a9758.
>
> v4 changes:
> - "EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib"
>   was missed in v3. It is added in this version.
> - No other changes.
>
> v3 changes:
> - Renamed TdxValidateCfv to PlatformValidateNvVarStore and implemented
>   in PlatformInitLib/Platform.c.
> - Shortcut ConnectNvVarsToFileSystem in secure-boot.
> - Other minor changes, such as adding log in
>   PlatformInitEmuVariableNvStore.
>
> v2 changes:
> - The v1 title is "Enable Secure-Boot in Tdx guest". Because the
>   patch-set was first designed to fix the gap when secure-boot feature
>   was enabled in Tdx guest. After discussing with the community (see
>   the discussions under https://edk2.groups.io/g/devel/message/90589)
>   this patch-set can fix the secure-boot issue when OVMF is launched
>   with -bios parameter. So the title is updated.
> - Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
> - Add build-flag SECURE_BOOT_FEATURE_ENABLED to control the copy over
>   of OVMF_VARS.fd to EmuVariableNvStore.
>
> Cc: Leif Lindholm
> Cc: Ard Biesheuvel
> Cc: Abner Chang
> Cc: Daniel Schaefer
> Cc: Erdem Aktas
> Cc: James Bottomley [jejb]
> Cc: Jiewen Yao [jyao1]
> Cc: Tom Lendacky [tlendacky]
> Cc: Gerd Hoffmann
> Acked-by: Gerd Hoffmann
> Signed-off-by: Min Xu
>
> Min M Xu (8):
>   EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib
>   OvmfPkg/PeilessStartupLib: Delete TdxValidateCfv
>   OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore
>   OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore
>   OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup
>   OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot
>   OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved
>   OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED
>
>  EmbeddedPkg/Include/Library/PrePiLib.h        |  19 ++
>  .../MemoryAllocationLib.c                     |  65 +++--
>  OvmfPkg/CloudHv/CloudHvX64.dsc                |   9 +
>  OvmfPkg/Include/Library/PlatformInitLib.h     |  51 ++++
>  OvmfPkg/IntelTdx/IntelTdxX64.dsc              |   9 +
>  OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c |   7 +
>  OvmfPkg/Library/PeilessStartupLib/IntelTdx.c  | 153 -----------
>  .../PeilessStartupLib/PeilessStartup.c        |  15 +-
>  .../PeilessStartupInternal.h                  |  17 --
>  OvmfPkg/Library/PlatformInitLib/Platform.c    | 238 ++++++++++++++++++
>  .../PlatformInitLib/PlatformInitLib.inf       |   3 +
>  OvmfPkg/OvmfPkgIa32.dsc                       |   9 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                    |   9 +
>  OvmfPkg/OvmfPkgX64.dsc                        |   9 +
>  OvmfPkg/PlatformPei/Platform.c                |  25 +-
>  OvmfPkg/TdxDxe/TdxDxe.c                       |   2 +
>  OvmfPkg/TdxDxe/TdxDxe.inf                     |   1 +
>  17 files changed, 429 insertions(+), 212 deletions(-)
>
> --
> 2.29.2.windows.2
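The validate-then-copy step the cover letter describes (PlatformValidateNvVarStore feeding PlatformInitEmuVariableNvStore), written here as an added stand-alone C example rather than the series' own code: the struct layouts follow edk2's published EFI_FIRMWARE_VOLUME_HEADER and VARIABLE_STORE_HEADER, while the function names, the specific checks and the constructed sample image are assumptions made for this example. The point it shows is that an NvVarStore image handed to the firmware (in a TD guest, by an untrusted host) is checked for a sane FV header, a zero 16-bit header checksum and a formatted, healthy variable store before a single byte is copied into the reserved EmuVariableNvStore buffer.

```c
/* Added example (not edk2 code): validate an OVMF_VARS.fd-style NvVarStore image before it is
 * copied into the emulated store. Names, constants and the sample image are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
enum { FVH_SIGNATURE = 0x4856465F /* "_FVH" */, VARSTORE_FORMATTED = 0x5a, VARSTORE_HEALTHY = 0xfe };
typedef struct {            /* layout of edk2's EFI_FIRMWARE_VOLUME_HEADER: 72 bytes (0x48) */
  uint8_t ZeroVector[16]; uint8_t FileSystemGuid[16]; uint64_t FvLength;
  uint32_t Signature; uint32_t Attributes; uint16_t HeaderLength; uint16_t Checksum;
  uint16_t ExtHeaderOffset; uint8_t Reserved; uint8_t Revision;
  uint32_t BlockMap[4];     /* one {NumBlocks, Length} entry plus the {0,0} terminator */
} FvHeader;
typedef struct {            /* layout of edk2's VARIABLE_STORE_HEADER: 28 bytes */
  uint8_t Signature[16]; uint32_t Size; uint8_t Format; uint8_t State;
  uint16_t Reserved; uint32_t Reserved1;
} VarStoreHeader;
_Static_assert(sizeof(FvHeader) == 72 && sizeof(VarStoreHeader) == 28, "natural alignment broke layout");
static uint16_t word_sum(const uint8_t *b, size_t n) {   /* byte-wise, so unaligned input is fine */
  uint16_t s = 0;
  for (size_t i = 0; i + 1 < n; i += 2) s = (uint16_t)(s + (b[i] | (b[i + 1] << 8)));
  return s;
}
/* FV header sane (signature, length, zero checksum) and the store behind it formatted, healthy
 * and contained within the FV; anything else is rejected before it can be copied. */
bool validate_nvvarstore(const uint8_t *img, size_t size) {
  FvHeader fv; VarStoreHeader vs;
  if (size < sizeof fv + sizeof vs) return false;
  memcpy(&fv, img, sizeof fv);
  if (fv.Signature != FVH_SIGNATURE || fv.HeaderLength != sizeof fv ||
      fv.FvLength != size || word_sum(img, fv.HeaderLength) != 0) return false;
  memcpy(&vs, img + fv.HeaderLength, sizeof vs);
  if (vs.Format != VARSTORE_FORMATTED || vs.State != VARSTORE_HEALTHY) return false;
  return vs.Size >= sizeof vs && vs.Size <= size - fv.HeaderLength;
}
/* The cover letter's flow: validate, then copy into the reserved EmuVariableNvStore buffer. */
bool init_emu_varstore(uint8_t *dst, size_t dst_size, const uint8_t *img, size_t size) {
  if (size > dst_size || !validate_nvvarstore(img, size)) return false;
  memcpy(dst, img, size);
  return true;
}
/* Constructed sample: an empty but well-formed store of `size` bytes. */
void build_sample(uint8_t *buf, size_t size) {
  FvHeader fv = {0}; VarStoreHeader vs = {0};
  memset(buf, 0xff, size);                                /* erased flash reads as 0xff */
  fv.FvLength = size; fv.Signature = FVH_SIGNATURE; fv.HeaderLength = sizeof fv; fv.Revision = 2;
  fv.Checksum = (uint16_t)(0 - word_sum((const uint8_t *)&fv, sizeof fv)); /* header sum -> 0 */
  memcpy(buf, &fv, sizeof fv);
  vs.Size = (uint32_t)(size - sizeof fv); vs.Format = VARSTORE_FORMATTED; vs.State = VARSTORE_HEALTHY;
  memcpy(buf + sizeof fv, &vs, sizeof vs);
}
```

A real implementation would additionally compare the FV length against the size the platform reserved (PcdEmuVariableNvStoreReserved) and walk the variable entries, which this example omits.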