From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 26 Apr 2023 15:43:55 -0500
Subject: Re: [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: Gerd Hoffmann
Cc: "Xu, Min M", joeyli, devel@edk2.groups.io, "Aktas, Erdem", James Bottomley, "Yao, Jiewen", Michael Roth
References: <2xjjrifeaa7khaha4se7gs3hmtdz2kkg2dv4t7njwf5z5mbn2f@qb5s2k7c6225> <03fed1d7-cbd8-ee45-ebd8-8ecf60971e61@amd.com> <0da93279-d397-c067-cc9f-7abfc9935eea@amd.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 4/24/23 04:45, Gerd Hoffmann wrote:
> On Fri, Apr 21, 2023 at 03:49:27PM -0500, Tom Lendacky wrote:
>> On 4/21/23 04:18, Gerd Hoffmann wrote:
>>>>> Hmm, good question. Can the guest figure what memory ranges are part
>>>>> of the launch measurement?
>>>>>
>>>>> I have a patch here (attached below) which refines flash detection and
>>>>> can detect whether varstore flash is writable or not. I suspect that
>>>>> doesn't help much though as flash probing requires mappings already
>>>>> being correct.
>>>>
>>>> Sorry for the delay, but, yeah, doesn't help. SEV and SEV-ES assert and
>>>> SEV-SNP terminates because of accessing a shared page (in the RMP) as a
>>>> private page (we don't support the generated 0x404 error code in the #VC
>>>> handler).
>>>
>>> Can you try this?
>>> https://github.com/kraxel/edk2/commits/devel/secure-boot-pcd
>>
>> It works for the split vars/code launch, but fails for the combined
>> vars/code launch:
>>
>> EMU Variable FVB Started
>> EMU Variable FVB: Using pre-reserved block at 7FE7C000
>> EMU Variable FVB: Basic FV headers were invalid
>> EMU Variable FVB: SecureBoot: restore FV from ROM
>> EMU Variable FVB: Basic FV headers were invalid
>> ASSERT [EmuVariableFvbRuntimeDxe] /root/kernels/ovmf-gerd-build-X64/OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c(781): ((BOOLEAN)(0==1))
>>
>> So the mapping isn't correct at this point either.
>
> Log looks like this for me, using grep -Ei '(fvb|flash|amdsev)'
>
> Loading driver at 0x0003F022000 EntryPoint=0x0003F0245B5 AmdSevDxe.efi
> Loading driver at 0x0003F6E4000 EntryPoint=0x0003F6E7035 FvbServicesRuntimeDxe.efi
> QEMU Flash: Attempting flash detection at FFC00010
> QemuFlashDetected => FD behaves as ROM
> QemuFlashDetected => No
> QEMU flash was not detected. Writable FVB is not being installed.
> Loading driver at 0x0003F6D3000 EntryPoint=0x0003F6D55B9 EmuVariableFvbRuntimeDxe.efi
> EMU Variable FVB Started
> EMU Variable FVB: Using pre-reserved block at 3FEF4000
> EMU Variable FVB: Basic FV headers were invalid
> Installing FVB for EMU Variable support
>
> So AmdSevDxe is loaded first, next comes FvbServicesRuntimeDxe, finally
> EmuVariableFvbRuntimeDxe.
>
> So AmdSev should have (in theory, in practice obviously not ...) set up
> everything at that point I assume?

I'd have to dig much deeper to see if there's a way to identify whether a
VARS file was specified on the Qemu command line.

I *think* (please correct me if I'm missing something) for SEV and SEV-ES
it would be straightforward to try and access the memory as shared and
check the headers. If they're valid, then a VARS file was specified on the
command line and should remain mapped shared. If they aren't valid, a VARS
file wasn't specified and you have either the full OVMF.fd file or just the
OVMF_CODE.fd with memory backing the VARS that, in either case, should be
mapped private.

I think the problem may come in with SNP where if the mapping isn't correct
(shared mapping against a page that has been validated or a private mapping
against a page that hasn't been validated) you can end up with #NPFs or
#VCs and having to figure out what or why you are getting those.

Let me see what I can find... I'm off the next few days so it might be a
bit.

Thanks,
Tom

>
> Failing that FvbServicesRuntimeDxe might do it as well, there actually
> is some code doing so to fixup things after calling
> SetMemorySpaceAttributes (see MarkIoMemoryRangeForRuntimeAccess).
>
> Maybe that should also be called before QemuFlashInitialize() so the SEV
> settings are correct when OVMF goes to do flash detection?
>
> take care,
>   Gerd
>
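The check Tom proposes above ("access the memory as shared and check the headers") comes down to validating the EFI_FIRMWARE_VOLUME_HEADER at the start of the varstore region, which is what the "Basic FV headers were invalid" message reports failing. As an added illustration (not code from edk2 or from anyone in this thread), here is a minimal validator for that header plus a constructed well-formed sample; `fv_header_valid`, `build_sample_fv` and `sum16` are hypothetical names, a little-endian x86 host is assumed, and the SEV shared/private mapping question itself is outside what it models.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not edk2 code: EFI_FIRMWARE_VOLUME_HEADER layout (PI spec). */
#define EFI_FVH_SIGNATURE 0x4856465Fu               /* "_FVH", little-endian */

typedef struct {                                    /* 56 bytes, no padding */
    uint8_t  ZeroVector[16];
    uint8_t  FileSystemGuid[16];
    uint64_t FvLength;
    uint32_t Signature;
    uint32_t Attributes;
    uint16_t HeaderLength;
    uint16_t Checksum;
    uint16_t ExtHeaderOffset;
    uint8_t  Reserved;
    uint8_t  Revision;
} FvHeader;                                         /* BlockMap[] follows */
typedef struct { uint32_t NumBlocks; uint32_t Length; } BlockMapEntry;

/* 16-bit word sum; a valid header sums to zero over HeaderLength bytes. */
static uint16_t sum16(const uint8_t *buf, size_t len) {
    uint16_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        s = (uint16_t)(s + (buf[i] | (buf[i + 1] << 8)));
    return s;
}

/* Basic checks before trusting a region as a variable store. A zeroed or
 * garbage region (no VARS file behind it) fails at the signature check. */
int fv_header_valid(const uint8_t *region, size_t region_size) {
    FvHeader h;
    if (region_size < sizeof h) return 0;
    memcpy(&h, region, sizeof h);
    if (h.Signature != EFI_FVH_SIGNATURE) return 0;
    if (h.HeaderLength < sizeof h + sizeof(BlockMapEntry) ||
        h.HeaderLength > region_size) return 0;
    if (h.FvLength != region_size) return 0;
    return sum16(region, h.HeaderLength) == 0;
}

/* Constructed sample: well-formed header for a region_size-byte store with
 * one block map entry plus the {0,0} terminator, checksum fixed up last. */
void build_sample_fv(uint8_t *region, size_t region_size, uint32_t block_size) {
    FvHeader h = { .FvLength = region_size, .Signature = EFI_FVH_SIGNATURE,
                   .HeaderLength = sizeof(FvHeader) + 2 * sizeof(BlockMapEntry),
                   .Revision = 2 };
    BlockMapEntry map[2] = { { (uint32_t)(region_size / block_size), block_size }, { 0, 0 } };
    memset(region, 0, region_size);
    memcpy(region, &h, sizeof h);
    memcpy(region + sizeof h, map, sizeof map);
    uint16_t fix = (uint16_t)(0u - sum16(region, h.HeaderLength));  /* make sum zero */
    memcpy(region + offsetof(FvHeader, Checksum), &fix, sizeof fix);
}
```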