From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Min Xu"
To: devel@edk2.groups.io
Cc: Min Xu, Leif Lindholm, Ard Biesheuvel, Abner Chang, Daniel Schaefer, Erdem Aktas, James Bottomley, Jiewen Yao, Tom Lendacky, Gerd Hoffmann
Subject: [PATCH V5 0/8] Enable secure-boot when launching OVMF with -bios parameter
Date: Tue, 6 Sep 2022 12:35:52 +0800
Message-Id:
X-Mailer: git-send-email 2.29.2.windows.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Secure-Boot related variables include the PK/KEK/DB/DBX and they are stored
in NvVarStore (OVMF_VARS.fd). When launching with -pflash, QEMU/OVMF will
use emulated flash, and fully support UEFI variables. But when launching
with -bios parameter, UEFI variables will be partially emulated, and
non-volatile variables may lose their contents after a reboot. See
OvmfPkg/README. Tdx guest is an example where -pflash is not supported.

So this patch-set is designed to initialize the NvVarStore with the content
of OVMF_VARS.fd.

patch 1: Add a new function (AllocateRuntimePages) in
PrePiMemoryAllocationLib. This function will be used in PeilessStartupLib
which will run in SEC phase.

patch 2: Delete the TdxValidateCfv in PeilessStartupLib. Because it is going
to be renamed to PlatformValidateNvVarStore and be moved to PlatformInitLib.

patch 3 - 7: Then we add functions for EmuVariableNvStore in PlatformInitLib.
This lib will then be called in OvmfPkg/PlatformPei and PeilessStartupLib.
We also shortcut ConnectNvVarsToFileSystem in secure-boot.

patch 8: At last a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced in
the dsc in OvmfPkg. Because the copy over of OVMF_VARS.fd to
EmuVariableNvStore is only required when secure-boot is enabled.

Code: https://github.com/mxu9/edk2/tree/secure-boot.v5

v5 changes:
- Set InternalAllocatePages to STATIC function according to the review
  comment.
- Rebase the code to commit c05a218a9758.

v4 changes:
- "EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib" is
  missed in v3. It is added in this version.
- No other changes.

v3 changes:
- Renamed TdxValidateCfv to PlatformValidateNvVarStore and implemented in
  PlatformInitLib/Platform.c.
- Shortcut ConnectNvVarsToFileSystem in secure-boot.
- Other minor changes, such as adding log in PlatformInitEmuVariableNvStore.

v2 changes:
- The v1 title is "Enable Secure-Boot in Tdx guest". Because the patch-set
  was first designed to fix the gap when secure-boot feature was enabled in
  Tdx guest. After discussing with the community (see the discussions under
  https://edk2.groups.io/g/devel/message/90589) this patch-set can fix the
  secure-boot issue when OVMF is launched with -bios parameter. So the title
  is updated.
- Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib.
- Add build-flag SECURE_BOOT_FEATURE_ENABLED to control the copy over of
  OVMF_VARS.fd to EmuVariableNvStore.

Cc: Leif Lindholm
Cc: Ard Biesheuvel
Cc: Abner Chang
Cc: Daniel Schaefer
Cc: Erdem Aktas
Cc: James Bottomley [jejb]
Cc: Jiewen Yao [jyao1]
Cc: Tom Lendacky [tlendacky]
Cc: Gerd Hoffmann
Acked-by: Gerd Hoffmann
Signed-off-by: Min Xu

Min M Xu (8):
  EmbeddedPkg: Add AllocateRuntimePages in PrePiMemoryAllocationLib
  OvmfPkg/PeilessStartupLib: Delete TdxValidateCfv
  OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore
  OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore
  OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup
  OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot
  OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved
  OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED

 EmbeddedPkg/Include/Library/PrePiLib.h        |  19 ++
 .../MemoryAllocationLib.c                      |  65 +++--
 OvmfPkg/CloudHv/CloudHvX64.dsc                |   9 +
 OvmfPkg/Include/Library/PlatformInitLib.h     |  51 ++++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc              |   9 +
 OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c |   7 +
 OvmfPkg/Library/PeilessStartupLib/IntelTdx.c  | 153 ----------
 .../PeilessStartupLib/PeilessStartup.c        |  15 +-
 .../PeilessStartupInternal.h                  |  17 --
 OvmfPkg/Library/PlatformInitLib/Platform.c    | 238 ++++++++++++++++++
 .../PlatformInitLib/PlatformInitLib.inf       |   3 +
 OvmfPkg/OvmfPkgIa32.dsc                       |   9 +
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   9 +
 OvmfPkg/OvmfPkgX64.dsc                        |   9 +
 OvmfPkg/PlatformPei/Platform.c                |  25 +-
 OvmfPkg/TdxDxe/TdxDxe.c                       |   2 +
 OvmfPkg/TdxDxe/TdxDxe.inf                     |   1 +
 17 files changed, 429 insertions(+), 212 deletions(-)

-- 
2.29.2.windows.2
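The series copies OVMF_VARS.fd into the runtime-allocated EmuVariableNvStore only after PlatformValidateNvVarStore has accepted the image, and that validation step is the part a reviewer should care about: an image that is copied unchecked becomes the PK/KEK/db/dbx the guest trusts. The program below is an added example written for this note, not code from edk2 or from this series, and it does not reproduce PlatformValidateNvVarStore; it is a host-side C validator applying the checks a practitioner would expect before trusting such an image: the PI firmware-volume header signature "_FVH", header length and 16-bit header checksum, the FV length against the buffer size, and the variable-store header signature (gEfiAuthenticatedVariableGuid, the GUID OVMF uses for secure-boot stores), formatted and healthy state bytes, and store size within the FV. The struct layouts and constants are taken from the PI specification and edk2's VariableFormat.h as I know them; the 512-byte image is a constructed sample, not a real OVMF_VARS.fd, and the function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of the PI EFI_FIRMWARE_VOLUME_HEADER; the block map follows it. */
typedef struct {
  uint8_t  ZeroVector[16];
  uint8_t  FileSystemGuid[16];
  uint64_t FvLength;        /* size of the whole FV, i.e. the whole OVMF_VARS.fd */
  uint32_t Signature;       /* "_FVH" */
  uint32_t Attributes;
  uint16_t HeaderLength;    /* fixed part plus block map */
  uint16_t Checksum;        /* chosen so the 16-bit word sum of the header is 0 */
  uint16_t ExtHeaderOffset;
  uint8_t  Reserved;
  uint8_t  Revision;
} FvHeader;
_Static_assert(sizeof(FvHeader) == 56, "FvHeader layout");

/* VARIABLE_STORE_HEADER as in edk2 MdeModulePkg VariableFormat.h. */
typedef struct {
  uint8_t  Signature[16];   /* variable-store GUID */
  uint32_t Size;            /* store size including this header */
  uint8_t  Format;
  uint8_t  State;
  uint16_t Reserved;
  uint32_t Reserved1;
} VarStoreHeader;
_Static_assert(sizeof(VarStoreHeader) == 28, "VarStoreHeader layout");

#define FVH_SIGNATURE            0x4856465Fu   /* '_','F','V','H' little-endian */
#define VARIABLE_STORE_FORMATTED 0x5a
#define VARIABLE_STORE_HEALTHY   0xfe

/* gEfiAuthenticatedVariableGuid aaf32c78-947b-439a-a180-2e144ec37792 in stored byte order. */
static const uint8_t kAuthVarStoreGuid[16] = {
  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92
};

/* 16-bit little-endian word sum, the checksum the FV header uses. */
static uint16_t Sum16(const uint8_t *p, size_t len) {
  uint16_t sum = 0;
  for (size_t i = 0; i + 1 < len; i += 2)
    sum = (uint16_t)(sum + (uint16_t)(p[i] | (p[i + 1] << 8)));
  return sum;
}

/* True only if the image carries a well-formed FV header and a formatted,
   healthy authenticated variable store that fits inside the FV. */
bool ValidateNvVarStore(const uint8_t *image, size_t imageSize) {
  FvHeader fv;
  VarStoreHeader vs;

  if (image == NULL || imageSize < sizeof fv) return false;
  memcpy(&fv, image, sizeof fv);
  if (fv.Signature != FVH_SIGNATURE) return false;
  if (fv.HeaderLength < sizeof fv || fv.HeaderLength > imageSize) return false;
  if (fv.FvLength != imageSize) return false;            /* FV must span the whole image */
  if (Sum16(image, fv.HeaderLength) != 0) return false;   /* header checksum */
  if (imageSize - fv.HeaderLength < sizeof vs) return false;

  memcpy(&vs, image + fv.HeaderLength, sizeof vs);
  if (memcmp(vs.Signature, kAuthVarStoreGuid, 16) != 0) return false;
  if (vs.Format != VARIABLE_STORE_FORMATTED || vs.State != VARIABLE_STORE_HEALTHY) return false;
  if (vs.Size < sizeof vs || vs.Size > imageSize - fv.HeaderLength) return false;
  return true;
}

#define SAMPLE_FV_SIZE   512u   /* constructed sample; a real OVMF_VARS.fd is far larger */
#define SAMPLE_HDR_SIZE  72u    /* 56-byte fixed header + one block-map entry + terminator */

/* Builds a constructed, minimal OVMF_VARS.fd-like image. Returns bytes written, 0 on error. */
size_t BuildSampleImage(uint8_t *buf, size_t bufSize) {
  FvHeader fv;
  VarStoreHeader vs;
  uint32_t blockMap[4] = { 1, SAMPLE_FV_SIZE, 0, 0 };  /* one 512-byte block, then terminator */
  uint16_t cks;

  if (bufSize < SAMPLE_FV_SIZE) return 0;
  memset(buf, 0xff, SAMPLE_FV_SIZE);                   /* erased-flash fill */
  memset(&fv, 0, sizeof fv);
  fv.FvLength = SAMPLE_FV_SIZE;
  fv.Signature = FVH_SIGNATURE;
  fv.HeaderLength = SAMPLE_HDR_SIZE;
  fv.Revision = 2;
  memcpy(buf, &fv, sizeof fv);
  memcpy(buf + sizeof fv, blockMap, sizeof blockMap);
  cks = (uint16_t)(0u - Sum16(buf, SAMPLE_HDR_SIZE));  /* Checksum field is still 0 here */
  memcpy(buf + offsetof(FvHeader, Checksum), &cks, sizeof cks);

  memset(&vs, 0, sizeof vs);
  memcpy(vs.Signature, kAuthVarStoreGuid, 16);
  vs.Size = 256;                                       /* store occupies part of the FV */
  vs.Format = VARIABLE_STORE_FORMATTED;
  vs.State = VARIABLE_STORE_HEALTHY;
  memcpy(buf + SAMPLE_HDR_SIZE, &vs, sizeof vs);
  return SAMPLE_FV_SIZE;
}

/* Exercises the validator: returns 0 on success, otherwise the number of the failed check. */
int SelfCheck(void) {
  uint8_t img[SAMPLE_FV_SIZE];
  size_t n = BuildSampleImage(img, sizeof img);
  if (n != SAMPLE_FV_SIZE) return 1;
  if (!ValidateNvVarStore(img, n)) return 2;       /* intact image is accepted */
  if (ValidateNvVarStore(img, n - 1)) return 3;    /* truncated image: FvLength mismatch */
  img[SAMPLE_HDR_SIZE + 20] ^= 0xff;               /* corrupt the store Format byte */
  if (ValidateNvVarStore(img, n)) return 4;
  img[SAMPLE_HDR_SIZE + 20] ^= 0xff;
  img[40] ^= 0x01;                                 /* corrupt the "_FVH" signature */
  if (ValidateNvVarStore(img, n)) return 5;
  return 0;
}

int main(void) {
  int rc = SelfCheck();
  printf("NvVarStore validator self-check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
  return rc;
}
```

The check that FvLength equals the buffer size is deliberate: a truncated or padded image that still has a good header is exactly the case a copy-over into a fixed-size reserved store would otherwise accept, and it is the kind of defect that only shows up later as a variable-store "healthy" flag that does not match what was actually copied.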