From: "Brijesh Singh"
To: Laszlo Ersek, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Erdem Aktas, Eric Dong, Ray Ni, Rahul Kumar, devel@edk2.groups.io
CC: brijesh.singh@amd.com, Ard Biesheuvel
Subject: Re: [PATCH RFC v3 05/22] OvmfPkg: reserve Secrets page in MEMFD
Date: Mon, 7 Jun 2021 12:33:40 -0500
In-Reply-To: <55475e6f-d2fa-b33f-57a1-f82a1ea3fc2f@redhat.com>

On 6/7/21 7:48 AM, Laszlo Ersek wrote:
> On 06/07/21 14:26, Laszlo Ersek wrote:
>> On 05/27/21 01:11, Brijesh Singh wrote:
>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
>>>
>>> When AMD SEV is enabled in the guest VM, a hypervisor needs to insert a
>>> secrets page.
>> For pure SEV?
>>
>>> When SEV-SNP is enabled, the secrets page contains the VM platform
>>> communication keys. The guest BIOS and OS can use this key to communicate
>>> with the SEV firmware to get attestation report. See the SEV-SNP firmware
>>> spec for more details for the content of the secrets page.
>>>
>>> When SEV and SEV-ES are enabled, the secrets page contains the information
>>> provided by the guest owner after the attestation. See the SEV
>>> LAUNCH_SECRET command for more details.
>>>
>>> Cc: James Bottomley
>>> Cc: Min Xu
>>> Cc: Jiewen Yao
>>> Cc: Tom Lendacky
>>> Cc: Jordan Justen
>>> Cc: Ard Biesheuvel
>>> Cc: Laszlo Ersek
>>> Cc: Erdem Aktas
>>> Signed-off-by: Brijesh Singh
>>> ---
>>>  OvmfPkg/OvmfPkgX64.dsc                 |  2 ++
>>>  OvmfPkg/OvmfPkgX64.fdf                 |  5 +++++
>>>  OvmfPkg/AmdSev/SecretPei/SecretPei.inf |  1 +
>>>  OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 15 ++++++++++++++-
>>>  4 files changed, 22 insertions(+), 1 deletion(-)
>> How is all of the above related to the "OvmfPkg/OvmfPkgX64.dsc"
>> platform, where remote attestation is not a goal?
>>
>> What you describe makes sense to me, but only for the remote-attested
>> "OvmfPkg/AmdSev/AmdSevX64.dsc" platform. (Which already includes
>> SecretPei and SecretDxe, and sets the necessary PCDs.)
>>
>> Then, even if we limit this patch only to the "OvmfPkg/AmdSev/SecretPei"
>> module, the commit message does not explain sufficiently why the secrets
>> page must be reserved for good. The "SEV-SNP firmware spec" reference is
>> vague at best; I'm permanently lost between the dozen PDF files I have
>> downloaded locally from the AMD website. Please include a specific
>> document number, revision number, and chapter/section identifier.
>>
>> Honestly I'm getting a *rushed* vibe on this whole series. Why is that?
>>
>> Assume that I'm dumb. You won't be far from the truth. Then hold my hand
>> through all this?
> Here's the v2 discussion:
>
> - http://mid.mail-archive.com/9804ecb5-8afd-c56e-4982-d1a6ebad3de8@redhat.com
> - https://edk2.groups.io/g/devel/message/74797
> - https://listman.redhat.com/archives/edk2-devel-archive/2021-May/msg00112.html
>
> That discussion refers to a different use case, raised by Dov. That use
> case might justify reserving the area even for plain SEV. It's out of
> scope for now, AIUI.
>
> (
>
> And even for that separate use case, James showed down-thread that *not*
> reserving the page forever in the firmware is more flexible.
>
> - http://mid.mail-archive.com/aed7d3490fe6edee74440ed8e4cd5364fb2ba4af.camel@linux.ibm.com
> - https://edk2.groups.io/g/devel/message/74801
> - https://listman.redhat.com/archives/edk2-devel-archive/2021-May/msg00116.html
>
> )
>
> AFAICT, the only effect of the v2 sub-thread on the patch has been that
> we now use the Reserved memory type rather than AcpiNVS (when SEV-SNP is
> in use). I have two comments on that:
>
> - It's good that we're not mixing in the other use case raised by Dov
>   (i.e., enabling the guest-kernel to read secrets from the injected
>   page even under plain SEV).
>
> - It's still unclear to me why the reservation needs to be permanent
>   under SEV-SNP.

As highlighted in the previous email, in the case of SEV, the secrets
page contains the private data provided by the guest owner to the guest.
Whereas, in SEV-SNP, the secrets page includes the key and other
metadata used by the guest (OVMF or kernel) to construct a message for
the PSP.

The secrets page contains some information (e.g., key and sequence
number) that must persist across kexec boots. If we mark the SEV-SNP
secrets page as "Boot Data," I believe it gets freed on
ExitBootServices(). In the kexec'ed kernel, we need to retrieve the
secrets page to get the key and message counters to construct the next
PSP guest request command. I have not looked in detail at how the EFI
configuration table and other data are preserved during the kexec boot,
but I thought making the secrets page reserved should ensure that the
memory is not freed on ExitBootServices() and we can reach it after the
kexec. I can investigate a bit more.

Dov/James,

Does kexec work with the SEV secrets page?

-Brijesh
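
An added example, not part of the original e-mail or of the OVMF sources: under the UEFI specification, boot services memory becomes ordinary usable RAM for the OS after ExitBootServices(), while reserved, runtime services and ACPI NVS memory must be left alone. The check below walks a simplified memory map and reports whether a secrets page range is fully covered by such persistent descriptors. The struct layout, the helper names and SECRETS_BASE are assumptions made for illustration, and the sample maps are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* UEFI memory types used here (numeric values from the UEFI specification). */
enum { EfiReservedMemoryType = 0, EfiBootServicesData = 4,
       EfiRuntimeServicesCode = 5, EfiRuntimeServicesData = 6,
       EfiConventionalMemory = 7, EfiACPIMemoryNVS = 10 };
#define EFI_PAGE_SIZE 4096ULL

/* Simplified stand-in for EFI_MEMORY_DESCRIPTOR (hypothetical layout). */
typedef struct { uint32_t type; uint64_t start; uint64_t pages; } mem_desc;

/* Types an OS must not reuse as general RAM after ExitBootServices(). */
static int type_persists(uint32_t t) {
    return t == EfiReservedMemoryType || t == EfiRuntimeServicesCode ||
           t == EfiRuntimeServicesData || t == EfiACPIMemoryNVS;
}

/* 1 if all of [base, base+size) is covered by persistent descriptors;
 * 0 if any byte is reclaimable, undescribed, or the range is invalid. */
int range_persists(const mem_desc *map, size_t n, uint64_t base, uint64_t size) {
    uint64_t cur = base, end = base + size;
    if (size == 0 || end < base) return 0;      /* empty or wrapped range */
    while (cur < end) {
        size_t i;
        for (i = 0; i < n; i++) {               /* find descriptor holding cur */
            uint64_t e = map[i].start + map[i].pages * EFI_PAGE_SIZE;
            if (cur >= map[i].start && cur < e) break;
        }
        if (i == n || !type_persists(map[i].type)) return 0;
        cur = map[i].start + map[i].pages * EFI_PAGE_SIZE;
    }
    return 1;
}

/* Constructed sample maps; SECRETS_BASE is a placeholder, not OVMF's PCD value. */
#define SECRETS_BASE 0x00900000ULL
#define SECRETS_SIZE 0x1000ULL
const mem_desc map_boot_data[] = {
    { EfiConventionalMemory, 0x00100000ULL, 0x800 },
    { EfiBootServicesData,   SECRETS_BASE,  1 },
    { EfiConventionalMemory, 0x00901000ULL, 0x100 } };
const mem_desc map_reserved[] = {
    { EfiConventionalMemory, 0x00100000ULL, 0x800 },
    { EfiReservedMemoryType, SECRETS_BASE,  1 },
    { EfiConventionalMemory, 0x00901000ULL, 0x100 } };

int main(void) {  /* exit status 0 when only the reserved map protects the page */
    return !(range_persists(map_reserved, 3, SECRETS_BASE, SECRETS_SIZE) &&
             !range_persists(map_boot_data, 3, SECRETS_BASE, SECRETS_SIZE));
}
```

The model covers only the firmware-to-OS contract at ExitBootServices(); how a kexec'ed kernel receives its memory map is outside what it shows.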