From: Min Xu <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang, Daniel Schaefer, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Gerd Hoffmann
Subject: [PATCH V3 0/7] Enable secure-boot when launching OVMF with -bios parameter
Date: Wed, 29 Jun 2022 16:56:56 +0800

Secure-Boot related variables include the PK/KEK/DB/DBX and they are stored
in NvVarStore (OVMF_VARS.fd). When launching with -pflash, QEMU/OVMF will use
emulated flash, and fully support UEFI variables. But when launching with the
-bios parameter, UEFI variables will be partially emulated, and non-volatile
variables may lose their contents after a reboot. See OvmfPkg/README.

A Tdx guest is an example where -pflash is not supported. So this patch-set
is designed to initialize the NvVarStore with the content of OVMF_VARS.fd.

patch 1: Add a new function (AllocateRuntimePages) in
PrePiMemoryAllocationLib. This function will be used in PeilessStartupLib,
which will run in the SEC phase.

patch 2: Delete TdxValidateCfv in PeilessStartupLib, because it is going to
be renamed to PlatformValidateNvVarStore and moved to PlatformInitLib.

patch 3 - 7: Then we add functions for EmuVariableNvStore in
PlatformInitLib. This lib will then be called in OvmfPkg/PlatformPei and
PeilessStartupLib. We also shortcut ConnectNvVarsToFileSystem in
secure-boot.

patch 8: At last, a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced
in the dsc files in OvmfPkg, because the copy of OVMF_VARS.fd to
EmuVariableNvStore is only required when secure-boot is enabled.

Code: https://github.com/mxu9/edk2/tree/secure-boot.v3

v3 changes:
 - Renamed TdxValidateCfv to PlatformValidateNvVarStore and implemented it
   in PlatformInitLib/Platform.c.
 - Shortcut ConnectNvVarsToFileSystem in secure-boot.
 - Other minor changes, such as adding a log in
   PlatformInitEmuVariableNvStore.

v2 changes:
 - The v1 title was "Enable Secure-Boot in Tdx guest", because the patch-set
   was first designed to fix the gap when the secure-boot feature was enabled
   in a Tdx guest. After discussing with the community (see the discussions
   under https://edk2.groups.io/g/devel/message/90589), this patch-set can
   fix the secure-boot issue when OVMF is launched with the -bios parameter.
   So the title is updated.
 - Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
 - Add build-flag SECURE_BOOT_FEATURE_ENABLED to control the copy of
   OVMF_VARS.fd to EmuVariableNvStore.

Cc: Leif Lindholm
Cc: Ard Biesheuvel
Cc: Abner Chang
Cc: Daniel Schaefer
Cc: Erdem Aktas
Cc: James Bottomley [jejb]
Cc: Jiewen Yao [jyao1]
Cc: Tom Lendacky [tlendacky]
Cc: Gerd Hoffmann
Signed-off-by: Min Xu

Min M Xu (7):
  OvmfPkg/PeilessStartupLib: Delete TdxValidateCfv
  OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore
  OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore
  OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup
  OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot
  OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved
  OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED

 OvmfPkg/CloudHv/CloudHvX64.dsc                 |   9 +
 OvmfPkg/Include/Library/PlatformInitLib.h      |  51 ++++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc               |   9 +
 OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c  |   7 +
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c   | 153 -----------
 .../PeilessStartupLib/PeilessStartup.c         |  15 +-
 .../PeilessStartupInternal.h                   |  17 --
 OvmfPkg/Library/PlatformInitLib/Platform.c     | 238 ++++++++++++++++++
 .../PlatformInitLib/PlatformInitLib.inf        |   3 +
 OvmfPkg/OvmfPkgIa32.dsc                        |   9 +
 OvmfPkg/OvmfPkgIa32X64.dsc                     |   9 +
 OvmfPkg/OvmfPkgX64.dsc                         |   9 +
 OvmfPkg/PlatformPei/Platform.c                 |  25 +-
 OvmfPkg/TdxDxe/TdxDxe.c                        |   2 +
 OvmfPkg/TdxDxe/TdxDxe.inf                      |   1 +
 15 files changed, 361 insertions(+), 196 deletions(-)

-- 
2.29.2.windows.2
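The copy of OVMF_VARS.fd into EmuVariableNvStore that the cover letter describes is only safe if the image is validated before it is trusted as the store that holds PK/KEK/db/dbx. The Python below is an added example, not code from this patch series: it builds a constructed, minimal OVMF_VARS.fd-style image and checks its firmware-volume and variable-store headers the way such a pre-copy validation has to. The GUIDs, "_FVH" signature and format/state constants are the EDK2/UEFI PI ones; the sample sizes and attributes and the exact set of checks are assumptions of this example, not OVMF's PlatformValidateNvVarStore.

```python
import struct
import uuid

# Layouts and constants from the UEFI PI spec / EDK2 headers; the check set is a
# constructed model of a pre-copy validation, not OVMF's PlatformValidateNvVarStore.
FV_SIGNATURE = b"_FVH"
NV_DATA_FV_GUID = uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50")      # gEfiSystemNvDataFvGuid
AUTH_VAR_STORE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")  # gEfiAuthenticatedVariableGuid
VARIABLE_STORE_FORMATTED, VARIABLE_STORE_HEALTHY = 0x5A, 0xFE
FV_HDR = "<16s16sQ4sIHHHBBIIII"  # EFI_FIRMWARE_VOLUME_HEADER + block map + terminator (72 bytes)
VS_HDR = "<16sIBBHI"             # VARIABLE_STORE_HEADER (28 bytes)
FV_HDR_LEN, VS_HDR_LEN = struct.calcsize(FV_HDR), struct.calcsize(VS_HDR)


def build_var_store(fv_length=0x84000, var_size=0x40000):
    """Constructed sample: an OVMF_VARS.fd-style image holding an empty
    authenticated variable store, padded with 0xFF like erased flash."""
    hdr = struct.pack(FV_HDR, b"\0" * 16, NV_DATA_FV_GUID.bytes_le, fv_length, FV_SIGNATURE,
                      0x0004FEFF, FV_HDR_LEN, 0, 0, 0, 2, fv_length // 0x1000, 0x1000, 0, 0)
    # FV header checksum: all 16-bit words over HeaderLength must sum to zero
    checksum = (-sum(struct.unpack("<%dH" % (FV_HDR_LEN // 2), hdr))) & 0xFFFF
    hdr = hdr[:50] + struct.pack("<H", checksum) + hdr[52:]
    store = struct.pack(VS_HDR, AUTH_VAR_STORE_GUID.bytes_le, var_size - FV_HDR_LEN,
                        VARIABLE_STORE_FORMATTED, VARIABLE_STORE_HEALTHY, 0, 0)
    return (hdr + store).ljust(fv_length, b"\xff")


def validate_nv_var_store(image):
    """Return (ok, reason). Refuse anything that is not a well-formed,
    authenticated NV variable store before it is copied into RAM."""
    if len(image) < FV_HDR_LEN + VS_HDR_LEN:
        return False, "image too short"
    zero, fs_guid, fv_len, sig, _attr, hlen, _cksum, _ext, _res, rev, *_bm = \
        struct.unpack(FV_HDR, image[:FV_HDR_LEN])
    if zero != b"\0" * 16 or sig != FV_SIGNATURE or rev != 2:
        return False, "bad FV header"
    if uuid.UUID(bytes_le=fs_guid) != NV_DATA_FV_GUID:
        return False, "not an NV data FV"
    if fv_len != len(image) or hlen != FV_HDR_LEN:
        return False, "FV length/header length mismatch"
    if sum(struct.unpack("<%dH" % (hlen // 2), image[:hlen])) & 0xFFFF:
        return False, "FV header checksum mismatch"
    vs_guid, vs_size, fmt, state, _r, _r1 = struct.unpack(VS_HDR, image[hlen:hlen + VS_HDR_LEN])
    if uuid.UUID(bytes_le=vs_guid) != AUTH_VAR_STORE_GUID:
        return False, "not an authenticated variable store (secure boot keys need one)"
    if fmt != VARIABLE_STORE_FORMATTED or state != VARIABLE_STORE_HEALTHY:
        return False, "variable store not formatted/healthy"
    if hlen + vs_size > len(image):
        return False, "variable store size exceeds image"
    return True, "ok"
```

A failed check should make the firmware fall back to an empty, freshly formatted EmuVariableNvStore rather than boot with a half-parsed store, since a damaged dbx or PK silently weakens Secure Boot.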