From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.12465.1677164314517311330 for ; Thu, 23 Feb 2023 06:58:34 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@ibm.com header.s=pp1 header.b=fvMmJbkz; spf=pass (domain: linux.ibm.com, ip: 148.163.158.5, mailfrom: dovmurik@linux.ibm.com) Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31NEqQaC017422; Thu, 23 Feb 2023 14:58:32 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : date : mime-version : subject : to : cc : references : from : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=w3Z28uI75ZHu4w3DsuoJOIrLVKjeAXpzPTxBA9TDsKw=; b=fvMmJbkzH6bG2kXaUQrBSTW9IAryKDc1pqRCtFHKsAn6Wqk/+sJxKI78k8lSHZBz8/Tg mV/s0smvjTrlGLQwNMZ9xQDpIGvvIFqMPIO9wNn1OaatgzfAmkj4rhO01MSeCITPqWRp u3HtGZ/V/zAHSkhmCa/XvvpUyNjHWRsNvJdrroUMkQl8m/bDVlNupKOQjdo+fVXogiNf JsDx2Qswy9Z809Cs6MN/EXFOtQ1oCwiPev1nRXHDLy7w/U4we8U7p3Ue2o/at7pQBMWT xCRLWQ9za1cZYavw+YBmthmRplMsHrC+YMGYWhZsy0DpDv5mpUJRt+I2lnbtY3UT6CR2 Tg== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nxa9t05b8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Feb 2023 14:58:31 +0000 Received: from m0127361.ppops.net (m0127361.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 31NEs2lX024226; Thu, 23 Feb 2023 14:58:31 GMT Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nxa9t05ap-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Feb 2023 14:58:31 +0000 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 31NCaakY013518; Thu, 23 Feb 2023 14:58:30 GMT Received: from smtprelay04.dal12v.mail.ibm.com ([9.208.130.102]) by ppma01dal.us.ibm.com (PPS) with ESMTPS id 3nx8a10raa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Feb 2023 14:58:30 +0000 Received: from smtpav06.dal12v.mail.ibm.com (smtpav06.dal12v.mail.ibm.com [10.241.53.105]) by smtprelay04.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 31NEwSXm8913456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 23 Feb 2023 14:58:28 GMT Received: from smtpav06.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 304D258055; Thu, 23 Feb 2023 14:58:28 +0000 (GMT) Received: from smtpav06.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 765A65805E; Thu, 23 Feb 2023 14:58:25 +0000 (GMT) Received: from [9.160.173.144] (unknown [9.160.173.144]) by smtpav06.dal12v.mail.ibm.com (Postfix) with ESMTP; Thu, 23 Feb 2023 14:58:25 +0000 (GMT) Message-ID: Date: Thu, 23 Feb 2023 16:58:23 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Subject: Re: [RESEND] [PATCH v2 2/2] OvmfPkg/ResetVector: Exclude SEV launch secrets page from pre-validation To: Gerd Hoffmann , Tom Lendacky Cc: devel@edk2.groups.io, Ard Biesheuvel , Jiewen Yao , Jordan Justen , Erdem Aktas , James Bottomley , Min Xu , Michael Roth , Ashish Kalra , Mario Smarduch , Tobin Feldman-Fitzthum References: <20230220084942.1292756-1-dovmurik@linux.ibm.com> <20230220084942.1292756-3-dovmurik@linux.ibm.com> <67f06585-b9e6-a450-04fe-ad6b1105d3b6@amd.com> <20230221093820.amj4t2jhzrya7r5k@sirius.home.kraxel.org> From: "Dov Murik" In-Reply-To: <20230221093820.amj4t2jhzrya7r5k@sirius.home.kraxel.org> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: D78glXhlzZfmJp8H5L6okfjp7I0wE0X8 X-Proofpoint-ORIG-GUID: pxZNvlrJD7AxaDZrxxgNZ_Ickbr_lFPt X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-23_08,2023-02-23_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 impostorscore=0 clxscore=1015 mlxlogscore=999 spamscore=0 adultscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 lowpriorityscore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2302230118 Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 21/02/2023 11:38, Gerd Hoffmann wrote: > On Mon, Feb 20, 2023 at 08:44:23AM -0600, Tom Lendacky wrote: >> On 2/20/23 02:49, Dov Murik wrote: >>> In order to allow the VMM (such as QEMU) to add a page with hashes of >>> kernel/initrd/cmdline for measured direct boot on SNP, this page must >>> not be part of the SNP metadata list reported to the VMM. >>> >>> Check if that page is defined; if it is, skip it in the metadata list. >>> In such case, VMM should fill the page with the hashes content, or >>> explicitly update it as a zero page (if kernel hashes are not used). >> >> Would it be better to define a new section type (similar to what I did in >> the SVSM PoC)? This way, it remains listed in the metadata and allows the >> VMM to detect it and decide how to handle it. > > Explicitly describing things sounds better to me too. > Thanks for the feedback Tom and Gerd. I can define a new section type OVMF_SECTION_TYPE_KERNEL_HASHES. In the AmdSev target it'll cover the single MEMFD page at 00F000 (after the CPUID page). Now there's a question for the QEMU side -- should QEMU then fill the page and encrypt it (launch_update type=NORMAL)? (currently the whole hashes table creation and encryption is done elsewhere there) And on regular OvmfX64 builds - should that area should be with type OVMF_SECTION_TYPE_SNP_SEC_MEM which is accepted as a type=ZERO page ? Playing with this idea, the metadata list will add: ; Kernel hashes section for measured direct boot %define OVMF_SECTION_TYPE_KERNEL_HASHES 0x5 ... ; Kernel hashes for measured direct boot, or zero page if ; there are no kernel hashes / SEV secrets SevSnpKernelHashes: DD SEV_SNP_KERNEL_HASHES_BASE DD SEV_SNP_KERNEL_HASHES_SIZE DD SEV_SNP_KERNEL_HASHES_TYPE and the base/size/type of that region are defined in an %if statement in ResetVector.nasmb: %if (FixedPcdGet32 (PcdSevLaunchSecretBase) > 0) ; There's a reserved page for SEV secrets and hashes; the VMM will fill and ; validate the page %define SEV_SNP_KERNEL_HASHES_TYPE OVMF_SECTION_TYPE_KERNEL_HASHES %define SEV_SNP_KERNEL_HASHES_BASE (FixedPcdGet32 (PcdSevLaunchSecretBase)) %else ; No SEV secrets and hashes page; the VMM will validate it as another zero page %define SEV_SNP_KERNEL_HASHES_TYPE OVMF_SECTION_TYPE_SNP_SEC_MEM %define SEV_SNP_KERNEL_HASHES_BASE (CPUID_BASE + CPUID_SIZE) %endif %define SEV_SNP_KERNEL_HASHES_SIZE (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) - SEV_SNP_KERNEL_HASHES_BASE) (I still need to figure out the point about QEMU above.) Is that what you had in mind? -Dov