From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Lendacky, Thomas"
Date: Thu, 13 Apr 2023 08:58:53 -0500
Subject: Re: [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest
To: Gerd Hoffmann
Cc: "Xu, Min M", joeyli, "devel@edk2.groups.io", "Aktas, Erdem", James Bottomley, "Yao, Jiewen", Michael Roth

On 4/13/23 01:05, Gerd Hoffmann wrote:
>   Hi,
>
>>>> Specifying both OVMF_CODE.fd and OVMF_VARS.fd generates an ASSERT.
>>>
>>> Both as pflash I assume?  Which assert?
>>
>> Yes, both as pflash. I've never attempted to run an SEV guest using the
>> -bios option.
>>
>> The assert is:
>> ASSERT [PlatformPei] /root/kernels/ovmf-build-X64/OvmfPkg/Library/PlatformInitLib/Platform.c(930): ((BOOLEAN)(0==1))
>
> Ok, so wrong encryption settings.
>
>>>> Specifying just OVMF.fd boots successfully
>>>
>>> pflash or -bios or both?
>>
>> Just pflash.
>
> /me looks surprised.  It should not make a difference whenever you use
> the separate OVMF_CODE.fd + OVMF_VARS.fd files or the combined OVMF.fd.
>
> What are the exact qemu command lines for both cases?

For the OVMF_CODE.fd/OVMF_VARS.fd case:

  qemu-system-x86_64 -enable-kvm -cpu EPYC,host-phys-bits=true -smp 1 \
    -machine type=q35,confidential-guest-support=sev0,vmport=off -m 1G \
    -object sev-guest,id=sev0,policy=0,cbitpos=51,reduced-phys-bits=1 \
    -drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF_CODE.fd,readonly=on \
    -drive if=pflash,format=raw,unit=1,file=./fedora.fd \
    -drive file=./fedora.img,if=none,id=disk0,format=raw \
    -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=true \
    -device scsi-hd,drive=disk0 -nographic \
    -monitor pty -monitor unix:monitor,server,nowait \
    -gdb tcp::1234 -qmp tcp::4444,server,wait=off

In this case, only OVMF_CODE.fd will be encrypted. The fedora.fd
(OVMF_VARS.fd) will be unencrypted.

For the OVMF.fd case:

  qemu-system-x86_64 -enable-kvm -cpu EPYC,host-phys-bits=true -smp 1 \
    -machine type=q35,confidential-guest-support=sev0,vmport=off -m 1G \
    -object sev-guest,id=sev0,policy=0,cbitpos=51,reduced-phys-bits=1 \
    -drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF.fd,readonly=on \
    -drive file=./fedora.img,if=none,id=disk0,format=raw \
    -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=true \
    -device scsi-hd,drive=disk0 -nographic \
    -monitor pty -monitor unix:monitor,server,nowait \
    -gdb tcp::1234 -qmp tcp::4444,server,wait=off

In this case, OVMF.fd will be encrypted, which includes the now memory
backed variable store.

>
>> I believe none of the mappings are set up properly at this point. I
>> think just eliminating the call for an SEV guest is fine.
>
> Can AmdSevInitialize() set up the mappings?

Is there a way to tell when OVMF.fd vs OVMF_VARS.fd/OVMF_CODE.fd is used?
The reason being that the variable store of OVMF.fd must be accessed
encrypted since the whole binary was used in the LAUNCH_UPDATE. But with
the split mode, only the OVMF_CODE.fd was encrypted in the LAUNCH_UPDATE,
so the variable store must be accessed unencrypted.

If we can make that determination, then I think we can set up the mappings.

Thanks,
Tom

>
> take care,
>   Gerd
>
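
Added example, not part of the original message or of QEMU/edk2: a host-side check that reads a QEMU command line and reports whether the variable store ends up encrypted (combined OVMF.fd) or unencrypted (split OVMF_CODE.fd + vars file), following the rule stated in the message above. It does not answer the in-guest question the message raises; the function names, the shortened sample command lines and the handling of an omitted unit= are assumptions of this example.

```python
import shlex

# Constructed inputs: shortened forms of the two command lines in the message.
SPLIT = """qemu-system-x86_64 -enable-kvm -machine type=q35,confidential-guest-support=sev0
  -object sev-guest,id=sev0,policy=0,cbitpos=51,reduced-phys-bits=1
  -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on
  -drive if=pflash,format=raw,unit=1,file=./fedora.fd
  -drive file=./fedora.img,if=none,id=disk0,format=raw"""
COMBINED = """qemu-system-x86_64 -enable-kvm -machine type=q35,confidential-guest-support=sev0
  -object sev-guest,id=sev0,policy=0,cbitpos=51,reduced-phys-bits=1
  -drive if=pflash,format=raw,unit=0,file=OVMF.fd,readonly=on
  -drive file=./fedora.img,if=none,id=disk0,format=raw"""


def parse_props(arg):
    """Split a QEMU 'k=v,k=v' option value into a dict (bare keys map to '')."""
    return dict(item.partition("=")[::2] for item in arg.split(","))


def sev_pflash_layout(cmdline):
    """Report which pflash units an SEV launch encrypts, per the message's rule:
    unit 0 goes through LAUNCH_UPDATE, any other pflash unit stays unencrypted."""
    argv = shlex.split(cmdline)
    sev, flash = False, {}
    for opt, val in zip(argv, argv[1:]):
        if opt == "-object" and val.split(",")[0] == "sev-guest":
            sev = True
        elif opt == "-drive":
            props = parse_props(val)
            if props.get("if") == "pflash":
                # Assumption: an omitted unit= takes the next index in order.
                flash[int(props.get("unit", len(flash)))] = props.get("file", "")
    units = sorted(flash)
    if not sev:
        mode, varstore = "not-sev", None
    elif units == [0]:
        mode, varstore = "combined", "encrypted"      # varstore is inside unit 0
    elif units == [0, 1]:
        mode, varstore = "split", "unencrypted"       # varstore is unit 1
    else:
        mode, varstore = "unknown", None
    return {"mode": mode, "varstore": varstore, "flash": flash}


if __name__ == "__main__":
    for name, cmd in (("split", SPLIT), ("combined", COMBINED)):
        print(name, sev_pflash_layout(cmd))
```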