From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang, Daniel Schaefer, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Gerd Hoffmann
Subject: [PATCH V2 0/8] Enable secure-boot when launch OVMF with -bios parameter
Date: Sun, 26 Jun 2022 11:05:49 +0800

Secure-Boot related variables include the PK/KEK/DB/DBX and they are stored in NvVarStore (OVMF_VARS.fd). When launching with -pflash, QEMU/OVMF will use emulated flash, and fully support UEFI variables. But when launching with the -bios parameter, UEFI variables will be partially emulated, and non-volatile variables may lose their contents after a reboot. See OvmfPkg/README. A Tdx guest is an example where -pflash is not supported.

So this patch-set is designed to initialize the NvVarStore with the content of OVMF_VARS.fd.

patch 1 - 2: Validate the integrity of OVMF_VARS.fd in Tdx guest.
patch 3: Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib. This function will be used in PeilessStartupLib, which will run in the SEC phase.
patch 4 - 7: Then we add functions for EmuVariableNvStore in PlatformInitLib. This lib will then be called in OvmfPkg/PlatformPei and PeilessStartupLib.
patch 8: At last a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced in the dsc in OvmfPkg, because the copy over of OVMF_VARS.fd to EmuVariableNvStore is only required when secure-boot is enabled.

Code: https://github.com/mxu9/edk2/tree/secure-boot.v2

v2 changes:
- The v1 title is "Enable Secure-Boot in Tdx guest", because the patch-set was first designed to fix the gap when the secure-boot feature was enabled in a Tdx guest. After discussing with the community (see the discussions under https://edk2.groups.io/g/devel/message/90589) this patch-set can fix the secure-boot issue when OVMF is launched with the -bios parameter. So the title is updated.
- Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
- Add build-flag SECURE_BOOT_FEATURE_ENABLED to control the copy over of OVMF_VARS.fd to EmuVariableNvStore.

Cc: Leif Lindholm
Cc: Ard Biesheuvel
Cc: Abner Chang
Cc: Daniel Schaefer
Cc: Erdem Aktas
Cc: James Bottomley [jejb]
Cc: Jiewen Yao [jyao1]
Cc: Tom Lendacky [tlendacky]
Cc: Gerd Hoffmann
Signed-off-by: Min Xu

Min M Xu (8):
  OvmfPkg: Move TdxValidateCfv from PeilessStartupLib to PlatformInitLib
  OvmfPkg: Validate Cfv integrity in Tdx guest
  EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib
  OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore
  OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore
  OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup
  OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved
  OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED

 EmbeddedPkg/Include/Library/PrePiLib.h        |  19 +++
 .../MemoryAllocationLib.c                     |  64 ++++++--
 OvmfPkg/CloudHv/CloudHvX64.dsc                |   9 ++
 OvmfPkg/Include/Library/PlatformInitLib.h     |  51 ++++++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              |   9 ++
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c  | 153 ------------------
 .../PeilessStartupLib/PeilessStartup.c        |   7 +
 .../PeilessStartupInternal.h                  |  17 --
 OvmfPkg/Library/PlatformInitLib/IntelTdx.c    | 153 ++++++++++++++++++
 OvmfPkg/Library/PlatformInitLib/Platform.c    |  77 +++++++++
 .../PlatformInitLib/PlatformInitLib.inf       |   2 +
 OvmfPkg/OvmfPkgIa32.dsc                       |   9 ++
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   9 ++
 OvmfPkg/OvmfPkgX64.dsc                        |   9 ++
 OvmfPkg/PlatformPei/Platform.c                |  25 +--
 OvmfPkg/Sec/SecMain.c                         |   8 +
 OvmfPkg/Sec/SecMain.inf                       |   2 +
 OvmfPkg/TdxDxe/TdxDxe.c                       |   2 +
 OvmfPkg/TdxDxe/TdxDxe.inf                     |   1 +
 19 files changed, 422 insertions(+), 204 deletions(-)

-- 
2.29.2.windows.2
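Patches 1-2 of this series validate OVMF_VARS.fd before its contents are copied into EmuVariableNvStore, since with -bios the image becomes the guest's PK/KEK/db/dbx store in RAM. The Python below is an added illustration of that kind of check, not code from the series or from edk2: it constructs a small OVMF_VARS.fd-style image (FV header, block map, authenticated variable store with PK/KEK/db), then validates the firmware-volume header (signature, length, 16-bit checksum), the variable store header (GUID, format, health state, size) and walks the variable chain to list what the store would expose. Layout constants follow the public EDK2 headers (PiFirmwareVolume.h, VariableFormat.h); the variable contents, image sizes and the `flip_byte`/`is_valid` helpers are constructed for the example.

```python
"""Offline integrity checks on an OVMF_VARS.fd-style variable store image (added example)."""
import struct
import uuid

# Layout constants from EDK2 PiFirmwareVolume.h and VariableFormat.h.
FVH_SIGNATURE = b"_FVH"
FVH_FIXED_LEN = 56          # EFI_FIRMWARE_VOLUME_HEADER before the block map
VAR_STORE_HDR_LEN = 28      # VARIABLE_STORE_HEADER
AUTH_VAR_HDR_LEN = 60       # AUTHENTICATED_VARIABLE_HEADER
VARIABLE_STORE_FORMATTED, VARIABLE_STORE_HEALTHY = 0x5A, 0xFE
VARIABLE_DATA, VAR_ADDED = 0x55AA, 0x3F
NVDATA_FV_GUID = uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50")       # gEfiSystemNvDataFvGuid
AUTH_VARIABLE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")   # gEfiAuthenticatedVariableGuid
GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
IMAGE_SECURITY_DB_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
FVH_FMT = "<16x16sQ4sIHHHBB"       # ZeroVector skipped, then FsGuid..Revision
VARHDR_FMT = "<HBBIQ16sIII16s"     # StartId..VendorGuid

# Constructed sample contents; real PK/KEK/db hold EFI_SIGNATURE_LISTs.
SAMPLE_VARIABLES = [
    ("PK", GLOBAL_VARIABLE_GUID, b"\x01" * 8),
    ("KEK", GLOBAL_VARIABLE_GUID, b"\x02" * 16),
    ("db", IMAGE_SECURITY_DB_GUID, b"\x03" * 32),
]


def fv_checksum16(hdr: bytes) -> int:
    """UINT16 sum over the FV header; EDK2 requires the sum to be zero."""
    return sum(struct.unpack("<%dH" % (len(hdr) // 2), hdr)) & 0xFFFF


def build_variable(name, guid, data, attrs=0x27):
    """One VAR_ADDED authenticated variable (0x27 = NV|BS|RT|TIME_BASED_AUTH)."""
    name16 = name.encode("utf-16-le") + b"\0\0"
    hdr = struct.pack(VARHDR_FMT, VARIABLE_DATA, VAR_ADDED, 0, attrs, 0, b"\0" * 16,
                      0, len(name16), len(data), guid.bytes_le)
    rec = hdr + name16 + data
    return rec + b"\xff" * (-len(rec) % 4)     # next header is 4-byte aligned


def build_vars_image(variables, fv_len=0x10000, store_len=0x4000) -> bytes:
    """Constructed OVMF_VARS.fd-style image: FV header + block map + variable store."""
    hdr_len = FVH_FIXED_LEN + 16   # one block-map entry plus the (0, 0) terminator
    fvh = struct.pack("<16s16sQ4sIHHHBB", b"\0" * 16, NVDATA_FV_GUID.bytes_le, fv_len,
                      FVH_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2)
    fvh += struct.pack("<IIII", fv_len // 0x1000, 0x1000, 0, 0)
    # Patch the Checksum field (offset 50) so the whole header sums to zero.
    fvh = fvh[:50] + struct.pack("<H", (-fv_checksum16(fvh)) & 0xFFFF) + fvh[52:]
    store = struct.pack("<16sIBBHI", AUTH_VARIABLE_GUID.bytes_le, store_len,
                        VARIABLE_STORE_FORMATTED, VARIABLE_STORE_HEALTHY, 0, 0)
    store += b"".join(build_variable(*v) for v in variables)
    store += b"\xff" * (store_len - len(store))   # erased flash is all 0xff
    image = fvh + store
    return image + b"\xff" * (fv_len - len(image))


def validate_vars_image(image: bytes) -> list:
    """Reject a malformed store; return [(name, vendor_guid, data_size)] of live variables."""
    if len(image) < FVH_FIXED_LEN:
        raise ValueError("image smaller than an FV header")
    fs_guid, fv_len, sig, _attrs, hdr_len, _cs, ext_off, _r, _rev = struct.unpack_from(FVH_FMT, image, 0)
    if sig != FVH_SIGNATURE:
        raise ValueError("bad FV signature")
    if uuid.UUID(bytes_le=fs_guid) != NVDATA_FV_GUID:
        raise ValueError("not an NV data firmware volume")
    if fv_len != len(image) or hdr_len < FVH_FIXED_LEN or hdr_len % 2 or hdr_len > fv_len:
        raise ValueError("FvLength/HeaderLength inconsistent with image")
    if fv_checksum16(image[:hdr_len]) != 0:
        raise ValueError("FV header checksum failed")
    if ext_off != 0:
        raise ValueError("unexpected extended FV header")
    store_guid, store_size, fmt, state = struct.unpack_from("<16sIBB", image, hdr_len)
    if uuid.UUID(bytes_le=store_guid) != AUTH_VARIABLE_GUID:
        raise ValueError("not an authenticated variable store")
    if fmt != VARIABLE_STORE_FORMATTED or state != VARIABLE_STORE_HEALTHY:
        raise ValueError("variable store not formatted/healthy")
    if store_size < VAR_STORE_HDR_LEN or store_size > fv_len - hdr_len:
        raise ValueError("variable store size out of range")
    found, off, end = [], hdr_len + VAR_STORE_HDR_LEN, hdr_len + store_size
    while off + AUTH_VAR_HDR_LEN <= end:
        start_id, vstate, _, _a, _m, _t, _p, name_size, data_size, guid = struct.unpack_from(VARHDR_FMT, image, off)
        if start_id != VARIABLE_DATA:          # 0xFFFF: erased space, end of chain
            break
        name_off = off + AUTH_VAR_HDR_LEN
        data_off = name_off + name_size
        if data_off + data_size > end:
            raise ValueError("variable overruns the store")
        name = image[name_off:data_off].decode("utf-16-le").rstrip("\0")
        if vstate == VAR_ADDED:                # skip deleted / in-transition entries
            found.append((name, uuid.UUID(bytes_le=guid), data_size))
        off = (data_off + data_size + 3) & ~3
    return found


def is_valid(image: bytes) -> bool:
    try:
        validate_vars_image(image)
        return True
    except ValueError:
        return False


def flip_byte(image: bytes, offset: int) -> bytes:
    """Simulate a single corrupted byte at the given offset (constructed fault)."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    img = build_vars_image(SAMPLE_VARIABLES)
    for name, guid, size in validate_vars_image(img):
        print(f"{name:<4} {guid} {size} bytes")
    print("corrupted FV attributes accepted:", is_valid(flip_byte(img, 44)))
```

Flipping a byte in the FV header (offset 44 is the Attributes field) fails the 16-bit checksum; flipping the store's Format byte (offset 92 in this layout) fails the store-header check. Either way the image is rejected before anything is copied into the emulated store, which is the point of validating first: a damaged or substituted OVMF_VARS.fd should fail early instead of quietly becoming the guest's trusted PK/KEK/db.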