From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io
Cc: Min Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang, Daniel Schaefer, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Gerd Hoffmann
Subject: [PATCH V4 0/8] Enable secure-boot when launch OVMF with -bios parameter
Date: Fri, 1 Jul 2022 07:29:09 +0800
X-Mailer: git-send-email 2.29.2.windows.2

Secure-Boot related variables include the PK/KEK/DB/DBX and they are stored
in NvVarStore (OVMF_VARS.fd). When launching with -pflash, QEMU/OVMF will use
emulated flash, and fully support UEFI variables. But when launching with the
-bios parameter, UEFI variables will be partially emulated, and non-volatile
variables may lose their contents after a reboot. See OvmfPkg/README. A Tdx
guest is an example where -pflash is not supported.

So this patch-set is designed to initialize the NvVarStore with the content
of OVMF_VARS.fd.

patch 1: Add a new function (AllocateRuntimePages) in
  PrePiMemoryAllocationLib. This function will be used in PeilessStartupLib
  which will run in SEC phase.
patch 2: Delete the TdxValidateCfv in PeilessStartupLib. Because it is going
  to be renamed to PlatformValidateNvVarStore and be moved to PlatformInitLib.
patch 3 - 7: Then we add functions for EmuVariableNvStore in PlatformInitLib.
  This lib will then be called in OvmfPkg/PlatformPei and PeilessStartupLib.
  We also shortcut ConnectNvVarsToFileSystem in secure-boot.
patch 8: At last a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced in
  the dsc in OvmfPkg. Because the copy over of OVMF_VARS.fd to
  EmuVariableNvStore is only required when secure-boot is enabled.

Code: https://github.com/mxu9/edk2/tree/secure-boot.v4

v4 changes:
 - "EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib" was
   missed in v3. It is added in this version.
 - No other changes.

v3 changes:
 - Renamed TdxValidateCfv to PlatformValidateNvVarStore and implemented in
   PlatformInitLib/Platform.c.
 - Shortcut ConnectNvVarsToFileSystem in secure-boot.
 - Other minor changes, such as adding log in PlatformInitEmuVariableNvStore.

v2 changes:
 - The v1 title is "Enable Secure-Boot in Tdx guest". Because the patch-set
   was first designed to fix the gap when secure-boot feature was enabled in
   Tdx guest. After discussing with the community (see the discussions under
   https://edk2.groups.io/g/devel/message/90589) this patch-set can fix the
   secure-boot issue when OVMF is launched with -bios parameter. So the title
   is updated.
 - Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
 - Add build-flag SECURE_BOOT_FEATURE_ENABLED to control the copy over of
   OVMF_VARS.fd to EmuVariableNvStore.

Cc: Leif Lindholm
Cc: Ard Biesheuvel
Cc: Abner Chang
Cc: Daniel Schaefer
Cc: Erdem Aktas
Cc: James Bottomley [jejb]
Cc: Jiewen Yao [jyao1]
Cc: Tom Lendacky [tlendacky]
Cc: Gerd Hoffmann
Signed-off-by: Min Xu

Min M Xu (8):
  EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib
  OvmfPkg/PeilessStartupLib: Delete TdxValidateCfv
  OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore
  OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore
  OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup
  OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot
  OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved
  OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED

 EmbeddedPkg/Include/Library/PrePiLib.h             |  19 ++
 .../MemoryAllocationLib.c                          |  64 +++--
 OvmfPkg/CloudHv/CloudHvX64.dsc                     |   9 +
 OvmfPkg/Include/Library/PlatformInitLib.h          |  51 ++++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                   |   9 +
 OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c      |   7 +
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c       | 153 -----------
 .../PeilessStartupLib/PeilessStartup.c             |  15 +-
 .../PeilessStartupInternal.h                       |  17 --
 OvmfPkg/Library/PlatformInitLib/Platform.c         | 238 ++++++++++++++++++
 .../PlatformInitLib/PlatformInitLib.inf            |   3 +
 OvmfPkg/OvmfPkgIa32.dsc                            |   9 +
 OvmfPkg/OvmfPkgIa32X64.dsc                         |   9 +
 OvmfPkg/OvmfPkgX64.dsc                             |   9 +
 OvmfPkg/PlatformPei/Platform.c                     |  25 +-
 OvmfPkg/TdxDxe/TdxDxe.c                            |   2 +
 OvmfPkg/TdxDxe/TdxDxe.inf                          |   1 +
 17 files changed, 428 insertions(+), 212 deletions(-)

-- 
2.29.2.windows.2
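The cover letter above describes copying the content of OVMF_VARS.fd into EmuVariableNvStore after validating it (TdxValidateCfv, renamed PlatformValidateNvVarStore). The block below is an added, stand-alone example of what such a validation of an OVMF_VARS.fd-style image involves; it is not edk2's code and does not claim to reproduce PlatformValidateNvVarStore. It assumes the EFI_FIRMWARE_VOLUME_HEADER layout from the UEFI PI specification (the "_FVH" signature, FvLength, HeaderLength and the 16-bit header checksum that must sum to zero), edk2's VARIABLE_STORE_HEADER layout (gEfiAuthenticatedVariableGuid, Size, Format 0x5a, State 0xfe), and a little-endian host. The image built by `build_sample_image` is a constructed sample, not a real OVMF_VARS.fd, and the `nvvarstore_validate` function name and its particular set of checks are this example's own.

```c
/* nvvarstore_check.c - added example (not edk2 code): sanity-check an
 * OVMF_VARS.fd-style variable store image before trusting its contents.
 * Layout assumptions: EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec) followed by
 * edk2's VARIABLE_STORE_HEADER. Which checks a firmware performs is this
 * example's choice, not a statement about PlatformValidateNvVarStore. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FVH_SIGNATURE            0x4856465FU  /* "_FVH" as a little-endian UINT32 */
#define VARIABLE_STORE_FORMATTED 0x5a
#define VARIABLE_STORE_HEALTHY   0xfe

enum { FV_HDR_FIXED = 56, FV_HDR_LEN = 72, VS_HDR_LEN = 28 };

/* gEfiAuthenticatedVariableGuid {aaf32c78-947b-439a-a180-2e144ec37792}, memory order. */
static const uint8_t AUTH_VAR_GUID[16] = {
    0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
    0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 };

/* Unaligned little-endian accessors so the image can live in any buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* EFI_FIRMWARE_VOLUME_HEADER.Checksum: the 16-bit words of the header,
 * Checksum field included, must sum to zero modulo 2^16. */
static uint16_t sum16(const uint8_t *p, size_t len) {
    uint16_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s = (uint16_t)(s + rd16(p + i));
    return s;
}

static bool fail(const char **why, const char *r) { if (why) *why = r; return false; }

/* Returns true when the image is a firmware volume whose first content is a
 * formatted, healthy authenticated variable store; otherwise false with a reason. */
bool nvvarstore_validate(const uint8_t *img, size_t len, const char **why) {
    if (len < FV_HDR_FIXED + VS_HDR_LEN) return fail(why, "image too small");
    if (rd32(img + 40) != FVH_SIGNATURE) return fail(why, "bad _FVH signature");
    uint64_t fv_len  = rd64(img + 32);
    uint16_t hdr_len = rd16(img + 48);
    if (hdr_len < FV_HDR_FIXED || (hdr_len & 1) || hdr_len + VS_HDR_LEN > len)
        return fail(why, "bad HeaderLength");
    if (fv_len != len) return fail(why, "FvLength does not match image size");
    if (sum16(img, hdr_len) != 0) return fail(why, "FV header checksum mismatch");
    const uint8_t *vs = img + hdr_len;          /* VARIABLE_STORE_HEADER follows the FV header */
    if (memcmp(vs, AUTH_VAR_GUID, 16) != 0) return fail(why, "not an authenticated variable store");
    uint32_t vs_size = rd32(vs + 16);
    if (vs_size < VS_HDR_LEN || vs_size > len - hdr_len) return fail(why, "variable store Size out of range");
    if (vs[20] != VARIABLE_STORE_FORMATTED) return fail(why, "variable store not formatted");
    if (vs[21] != VARIABLE_STORE_HEALTHY)   return fail(why, "variable store not healthy");
    if (why) *why = "ok";
    return true;
}

/* Constructed sample (not a real OVMF_VARS.fd): a 4 KiB FV with one block-map
 * entry, a valid checksum, and an empty authenticated variable store. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    const size_t total = 4096;
    /* gEfiSystemNvDataFvGuid {fff12b8d-7696-4c8b-a985-2747075b4f50}, the FileSystemGuid
     * OVMF uses for its NV store FV; written here, not checked by the validator above. */
    static const uint8_t nvdata_fv_guid[16] = {
        0x8d, 0x2b, 0xf1, 0xff, 0x96, 0x76, 0x8b, 0x4c,
        0xa9, 0x85, 0x27, 0x47, 0x07, 0x5b, 0x4f, 0x50 };
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf + 16, nvdata_fv_guid, 16);
    wr64(buf + 32, total);                 /* FvLength */
    wr32(buf + 40, FVH_SIGNATURE);
    wr32(buf + 44, 0x0004feff);            /* Attributes: illustrative value */
    wr16(buf + 48, FV_HDR_LEN);            /* HeaderLength */
    buf[55] = 2;                           /* Revision */
    wr32(buf + 56, 1); wr32(buf + 60, (uint32_t)total);   /* one block of `total` bytes */
    /* terminating {0,0} block-map entry at 64..71 is already zero */
    wr16(buf + 50, (uint16_t)(0x10000 - sum16(buf, FV_HDR_LEN)));   /* make words sum to 0 */
    uint8_t *vs = buf + FV_HDR_LEN;
    memcpy(vs, AUTH_VAR_GUID, 16);
    wr32(vs + 16, (uint32_t)(total - FV_HDR_LEN));   /* Size: the rest of the FV */
    vs[20] = VARIABLE_STORE_FORMATTED;
    vs[21] = VARIABLE_STORE_HEALTHY;
    return total;
}

int main(int argc, char **argv) {
    static uint8_t buf[4u << 20];   /* large enough for a default OVMF_VARS.fd */
    size_t len;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        len = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        len = build_sample_image(buf, sizeof buf);
    }
    const char *why;
    bool ok = nvvarstore_validate(buf, len, &why);
    printf("%s: %s\n", argc > 1 ? argv[1] : "constructed sample", why);
    return ok ? 0 : 1;
}
```

Run with no arguments to check the constructed sample, or pass a path to an OVMF_VARS.fd to check a real image. The point of the length and checksum checks before the GUID/format/state checks is that every later field offset is derived from header fields read out of the image itself; a firmware that copies an unvalidated image into its emulated variable store would otherwise be seeding its PK/KEK/db/dbx state from whatever bytes happened to be there.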