From: "Min Xu"
To: "devel@edk2.groups.io", Gerd Hoffmann
CC: Leif Lindholm, Ard Biesheuvel, "Chang, Abner", "Schaefer, Daniel", "Aktas, Erdem", James Bottomley, "Yao, Jiewen", Tom Lendacky, "Xu, Min M"
Subject: Re: [PATCH V4 0/8] Enable secure-boot when launching OVMF with -bios parameter
Date: Wed, 20 Jul 2022 06:38:32 +0000
Hi, Gerd

Do you have any comments on this patch-set?

Thanks
Min

> -----Original Message-----
> From: Xu, Min M
> Sent: Friday, July 1, 2022 7:29 AM
> To: devel@edk2.groups.io
> Cc: Xu, Min M; Leif Lindholm; Ard Biesheuvel; Chang, Abner; Schaefer, Daniel; Aktas, Erdem; James Bottomley; Yao, Jiewen; Tom Lendacky; Gerd Hoffmann
> Subject: [PATCH V4 0/8] Enable secure-boot when launching OVMF with -bios parameter
>
> Secure-Boot related variables include the PK/KEK/DB/DBX and they are
> stored in NvVarStore (OVMF_VARS.fd). When launching with -pflash,
> QEMU/OVMF will use emulated flash, and fully support UEFI variables.
> But when launching with -bios parameter, UEFI variables will be partially
> emulated, and non-volatile variables may lose their contents after a reboot.
> See OvmfPkg/README.
>
> Tdx guest is an example that -pflash is not supported. So this patch-set is
> designed to initialize the NvVarStore with the content of OVMF_VARS.fd.
>
> patch 1:
>   Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
>   This function will be used in PeilessStartupLib which will run in SEC phase.
>
> patch 2:
>   Delete the TdxValidateCfv in PeilessStartupLib. Because it is going to be
>   renamed to PlatformValidateNvVarStore and be moved to PlatformInitLib.
>
> patch 3 - 7:
>   Then we add functions for EmuVariableNvStore in PlatformInitLib. This lib
>   will then be called in OvmfPkg/PlatformPei and PeilessStartupLib.
>   We also shortcut ConnectNvVarsToFileSystem in secure-boot.
>
> patch 8:
>   At last a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced in the
>   dsc in OvmfPkg. Because the copy over of OVMF_VARS.fd to
>   EmuVariableNvStore is only required when secure-boot is enabled.
>
> Code: https://github.com/mxu9/edk2/tree/secure-boot.v4
>
> v4 changes:
>  - "EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib" was
>    missed in v3. It is added in this version.
>  - No other changes.
>
> v3 changes:
>  - Renamed TdxValidateCfv to PlatformValidateNvVarStore and implemented
>    in PlatformInitLib/Platform.c.
>  - Shortcut ConnectNvVarsToFileSystem in secure-boot.
>  - Other minor changes, such as adding log in PlatformInitEmuVariableNvStore.
>
> v2 changes:
>  - The v1 title is "Enable Secure-Boot in Tdx guest". Because the
>    patch-set was first designed to fix the gap when secure-boot feature
>    was enabled in Tdx guest. After discussing with the community (see
>    the discussions under https://edk2.groups.io/g/devel/message/90589)
>    this patch-set can fix the secure-boot issue when OVMF is launched
>    with -bios parameter. So the title is updated.
>  - Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
>  - Add build-flag SECURE_BOOT_FEATURE_ENABLED to control the copy over
>    of OVMF_VARS.fd to EmuVariableNvStore.
>
> Cc: Leif Lindholm
> Cc: Ard Biesheuvel
> Cc: Abner Chang
> Cc: Daniel Schaefer
> Cc: Erdem Aktas
> Cc: James Bottomley [jejb]
> Cc: Jiewen Yao [jyao1]
> Cc: Tom Lendacky [tlendacky]
> Cc: Gerd Hoffmann
> Signed-off-by: Min Xu
>
> Min M Xu (8):
>   EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib
>   OvmfPkg/PeilessStartupLib: Delete TdxValidateCfv
>   OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore
>   OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore
>   OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup
>   OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot
>   OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved
>   OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED
>
>  EmbeddedPkg/Include/Library/PrePiLib.h        |  19 ++
>  .../MemoryAllocationLib.c                     |  64 +++--
>  OvmfPkg/CloudHv/CloudHvX64.dsc                |   9 +
>  OvmfPkg/Include/Library/PlatformInitLib.h     |  51 ++++
>  OvmfPkg/IntelTdx/IntelTdxX64.dsc              |   9 +
>  OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c |   7 +
>  OvmfPkg/Library/PeilessStartupLib/IntelTdx.c  | 153 -----------
>  .../PeilessStartupLib/PeilessStartup.c        |  15 +-
>  .../PeilessStartupInternal.h                  |  17 --
>  OvmfPkg/Library/PlatformInitLib/Platform.c    | 238 ++++++++++++++++++
>  .../PlatformInitLib/PlatformInitLib.inf       |   3 +
>  OvmfPkg/OvmfPkgIa32.dsc                       |   9 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                    |   9 +
>  OvmfPkg/OvmfPkgX64.dsc                        |   9 +
>  OvmfPkg/PlatformPei/Platform.c                |  25 +-
>  OvmfPkg/TdxDxe/TdxDxe.c                       |   2 +
>  OvmfPkg/TdxDxe/TdxDxe.inf                     |   1 +
>  17 files changed, 428 insertions(+), 212 deletions(-)
>
> --
> 2.29.2.windows.2
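Editor's added example (not code from the patch-set, edk2 or the thread above). The cover letter copies OVMF_VARS.fd into EmuVariableNvStore for the -bios case and renames TdxValidateCfv to PlatformValidateNvVarStore; the security-relevant step is that the copied-in blob is treated as untrusted input and checked before the variable driver (and Secure Boot's PK/KEK/db/dbx) relies on it. The stand-alone C below shows the kind of sanity checks such a routine needs: a PI firmware-volume header (zero vector, EFI_SYSTEM_NV_DATA_FV_GUID, "_FVH" signature, HeaderLength, 16-bit header checksum, FvLength against the buffer) followed by a VARIABLE_STORE_HEADER (authenticated or plain variable GUID, Size within the FV, Format 0x5a, State 0xfe). The struct offsets, GUID byte strings and constants are from the PI/edk2 definitions as I understand them; the 4 KiB image is constructed inline; validate_nv_var_store, build_sample_image, check_case and the NV_E_* codes are this example's own names, not the project's.

```c
/* Added example: validate an OVMF_VARS.fd-style NvVarStore image before
 * trusting it. Offsets follow EFI_FIRMWARE_VOLUME_HEADER and
 * VARIABLE_STORE_HEADER as the example's author understands them. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FVH_SIGNATURE            0x4856465FU   /* "_FVH" as a little-endian UINT32 */
#define VARIABLE_STORE_FORMATTED 0x5a
#define VARIABLE_STORE_HEALTHY   0xfe
#define FV_HDR_LEN               72            /* header + one BlockMap entry + terminator */
#define VS_HDR_LEN               28
#define SAMPLE_LEN               4096          /* constructed image size (assumption) */

/* GUIDs in their on-disk byte order (first three fields little-endian). */
static const uint8_t kSystemNvDataFvGuid[16] = {   /* fff12b8d-7696-4c8b-a985-2747075b4f50 */
  0x8d,0x2b,0xf1,0xff, 0x96,0x76, 0x8b,0x4c, 0xa9,0x85,0x27,0x47,0x07,0x5b,0x4f,0x50 };
static const uint8_t kAuthVariableGuid[16] = {     /* aaf32c78-947b-439a-a180-2e144ec37792 */
  0x78,0x2c,0xf3,0xaa, 0x7b,0x94, 0x9a,0x43, 0xa1,0x80,0x2e,0x14,0x4e,0xc3,0x77,0x92 };
static const uint8_t kVariableGuid[16] = {         /* ddcf3616-3275-4164-98b6-fe85707ffe7d */
  0x16,0x36,0xcf,0xdd, 0x75,0x32, 0x64,0x41, 0x98,0xb6,0xfe,0x85,0x70,0x7f,0xfe,0x7d };

/* Unaligned little-endian accessors so the checker works on any raw buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* PI FV header checksum: the 16-bit word sum over HeaderLength bytes must be zero. */
static uint16_t sum16(const uint8_t *p, size_t len) {
  uint16_t s = 0;
  for (size_t i = 0; i + 1 < len; i += 2) s = (uint16_t)(s + rd16(p + i));
  return s;
}

enum nv_status { NV_OK = 0, NV_E_ZEROVECTOR, NV_E_FV_GUID, NV_E_SIGNATURE, NV_E_HDRLEN,
                 NV_E_CHECKSUM, NV_E_FVLEN, NV_E_VS_GUID, NV_E_VS_SIZE, NV_E_VS_FORMAT, NV_E_VS_STATE };

/* Returns NV_OK when the image looks like a sane NvVarStore, else the first failed check. */
int validate_nv_var_store(const uint8_t *img, size_t len) {
  static const uint8_t zero[16] = {0};
  if (len < FV_HDR_LEN + VS_HDR_LEN) return NV_E_HDRLEN;
  if (memcmp(img, zero, 16) != 0) return NV_E_ZEROVECTOR;
  if (memcmp(img + 16, kSystemNvDataFvGuid, 16) != 0) return NV_E_FV_GUID;
  if (rd32(img + 40) != FVH_SIGNATURE) return NV_E_SIGNATURE;
  uint16_t hdrlen = rd16(img + 48);
  if (hdrlen < FV_HDR_LEN || (size_t)hdrlen + VS_HDR_LEN > len) return NV_E_HDRLEN;
  if (sum16(img, hdrlen) != 0) return NV_E_CHECKSUM;        /* covers Checksum field itself */
  uint64_t fvlen = rd64(img + 32);
  if (fvlen > len || fvlen < (uint64_t)hdrlen + VS_HDR_LEN) return NV_E_FVLEN;
  const uint8_t *vs = img + hdrlen;                         /* VARIABLE_STORE_HEADER */
  if (memcmp(vs, kAuthVariableGuid, 16) != 0 && memcmp(vs, kVariableGuid, 16) != 0) return NV_E_VS_GUID;
  uint32_t vssize = rd32(vs + 16);
  if (vssize < VS_HDR_LEN || (uint64_t)vssize > fvlen - hdrlen) return NV_E_VS_SIZE;
  if (vs[20] != VARIABLE_STORE_FORMATTED) return NV_E_VS_FORMAT;
  if (vs[21] != VARIABLE_STORE_HEALTHY) return NV_E_VS_STATE;
  return NV_OK;
}

/* Constructed sample: erased flash (0xff) with a valid FV header and an empty
 * authenticated variable store that fills the rest of the volume. */
void build_sample_image(uint8_t *buf) {
  memset(buf, 0xff, SAMPLE_LEN);
  memset(buf, 0x00, FV_HDR_LEN);                  /* ZeroVector and zeroed header fields */
  memcpy(buf + 16, kSystemNvDataFvGuid, 16);
  wr64(buf + 32, SAMPLE_LEN);                     /* FvLength */
  wr32(buf + 40, FVH_SIGNATURE);
  wr32(buf + 44, 0);                              /* Attributes: not checked by this example */
  wr16(buf + 48, FV_HDR_LEN);                     /* HeaderLength */
  buf[55] = 2;                                    /* Revision (EFI_FVH_REVISION) */
  wr32(buf + 56, 1); wr32(buf + 60, SAMPLE_LEN);  /* BlockMap[0]: one block of SAMPLE_LEN */
  wr16(buf + 50, (uint16_t)(0u - sum16(buf, FV_HDR_LEN)));  /* Checksum: make word sum zero */
  uint8_t *vs = buf + FV_HDR_LEN;
  memcpy(vs, kAuthVariableGuid, 16);
  wr32(vs + 16, SAMPLE_LEN - FV_HDR_LEN);         /* Size: remainder of the FV */
  vs[20] = VARIABLE_STORE_FORMATTED;
  vs[21] = VARIABLE_STORE_HEALTHY;
  wr16(vs + 22, 0); wr32(vs + 24, 0);             /* Reserved fields */
}

/* Build a fresh sample, apply one tamper case, and return the validator's verdict. */
int check_case(int tamper_case) {
  static uint8_t img[SAMPLE_LEN];
  size_t len = SAMPLE_LEN;
  build_sample_image(img);
  switch (tamper_case) {
    case 1: img[41] ^= 0xff; break;              /* corrupt the "_FVH" signature */
    case 2: img[60] ^= 0x01; break;              /* one bit in BlockMap[0].Length: sum no longer zero */
    case 3: img[FV_HDR_LEN + 21] = 0; break;     /* variable store State no longer HEALTHY */
    case 4: len = 2048; break;                   /* buffer shorter than FvLength */
    default: break;                              /* case 0: untouched image */
  }
  return validate_nv_var_store(img, len);
}

int main(void) {
  static const char *names[] = { "clean", "bad signature", "bad checksum", "unhealthy store", "truncated" };
  for (int i = 0; i < 5; i++) {
    int rc = check_case(i);
    printf("%-16s -> %s (code %d)\n", names[i], rc == NV_OK ? "accept" : "reject", rc);
  }
  return 0;
}
```

The ordering matters: the signature and header-length checks run before the checksum so a hostile HeaderLength cannot drive sum16 past the buffer, and FvLength is compared against the buffer actually handed in, not against the header's own claim. A real validator would go on to walk each VARIABLE_HEADER inside the store and reject any whose length runs past Size before the variable driver ever sees the data.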