From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mx.groups.io with SMTP id smtpd.web10.5793.1681467657367381317
 for <devel@edk2.groups.io>;
 Fri, 14 Apr 2023 03:20:57 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=iq9FhQfC;
 spf=pass (domain: redhat.com, ip: 170.10.133.124, mailfrom: kraxel@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1681467656;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=1bXchqqWqGz+H7AmHcso3s4mtoWT7I056GZYW9pp4ek=;
	b=iq9FhQfCQJA7pE1WdTLeuOQTqiLBg/8nFMX+Wz87Y0hYm5TMx2ak6IKsqSAaDfsa554BzP
	J0wVNh4ToS2R3ZC+YzTfssbTA+6xdHPt2zcG4n3r2bO5ner88SFMaULRosMGaIYTA2xwia
	5h7KB1TtUrDadRUSRdPaW4kvHIR8fo0=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-350-BjZE43B3NCCorLbHS6nBpw-1; Fri, 14 Apr 2023 06:20:54 -0400
X-MC-Unique: BjZE43B3NCCorLbHS6nBpw-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8D4628996E0;
	Fri, 14 Apr 2023 10:20:53 +0000 (UTC)
Received: from sirius.home.kraxel.org (unknown [10.39.192.81])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 4443BBC88;
	Fri, 14 Apr 2023 10:20:53 +0000 (UTC)
Received: by sirius.home.kraxel.org (Postfix, from userid 1000)
	id 152A51800081; Fri, 14 Apr 2023 12:20:52 +0200 (CEST)
Date: Fri, 14 Apr 2023 12:20:52 +0200
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: "Xu, Min M" <min.m.xu@intel.com>, joeyli <jlee@suse.com>, 
	"devel@edk2.groups.io" <devel@edk2.groups.io>, "Aktas, Erdem" <erdemaktas@google.com>, 
	James Bottomley <jejb@linux.ibm.com>, "Yao, Jiewen" <jiewen.yao@intel.com>, 
	Michael Roth <michael.roth@amd.com>
Subject: Re: [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest
Message-ID: <gux3maqgxayg6r6wvi4ucbypfsvcbu4smsbvwrjtiggzukltd4@qh53i4jlbxun>
References: <PH0PR11MB5064B1575F38459DE8989675C5919@PH0PR11MB5064.namprd11.prod.outlook.com>
 <5d170680-0a9e-2d5f-ecc1-e9f587548e3c@amd.com>
 <PH0PR11MB50645A2DFD5D861D9D5194C4C5969@PH0PR11MB5064.namprd11.prod.outlook.com>
 <7a06aa46-4c10-fc85-48a6-826a4d82991e@amd.com>
 <shlx36de2yoszmxy3wuapqsjek3uqtmg6xgqkw76ihstu2qysq@h5dabwczhcxk>
 <a4c50453-db09-22e4-4f12-1465d7a7500d@amd.com>
 <2xjjrifeaa7khaha4se7gs3hmtdz2kkg2dv4t7njwf5z5mbn2f@qb5s2k7c6225>
 <03fed1d7-cbd8-ee45-ebd8-8ecf60971e61@amd.com>
 <ujqoq42nx67qyjcujfoyoa3aid66hwga7j2klzbv3c4xjg2qj2@btai6jne2j54>
 <c5a1ce9d-47b9-0afd-3f27-ce073ae44360@amd.com>
MIME-Version: 1.0
In-Reply-To: <c5a1ce9d-47b9-0afd-3f27-ce073ae44360@amd.com>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

  Hi,

>    -drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF_CODE.fd,readonly=on
>    -drive if=pflash,format=raw,unit=1,file=./fedora.fd

>  In this case, only OVMF_CODE.fd will be encrypted.
>  The fedora.fd (OVMF_VARS.fd) will be unencrypted.

>    -drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF.fd,readonly=on

>  In this case, OVMF.fd will be encrypted, which includes the now memory
>  backed variable store.

> > Can AmdSevInitialize() setup the mappings?
> 
> Is there a way to tell when OVMF.fd vs OVMF_VARS.fd/OVMF_CODE.fd is used?

Hmm, good question.  Can the guest figure what memory ranges are part
of the launch measurement?

I have a patch here (attached below) which refines flash detection and
can detect whenever varstore flash is writable or not.  I suspect that
doesn't help much though as flash probing requires mappings already
being correct.

take care,
  Gerd

commit fdab276a9f8a25f505b083b5e15180d093f515e3
Author: Gerd Hoffmann <kraxel@redhat.com>
Date:   Tue Apr 4 11:25:37 2023 +0200

    OvmfPkg/QemuFlashFvbServicesRuntimeDxe: refine flash detection

diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
index 82b2b70441bf..c088d560f829 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
@@ -118,8 +118,17 @@ QemuFlashDetected (
       *Ptr = OriginalUint8;
     } else if (ProbeUint8 == CLEARED_ARRAY_STATUS) {
       DEBUG ((DEBUG_INFO, "QemuFlashDetected => FD behaves as FLASH\n"));
-      FlashDetected = TRUE;
-      *Ptr          = READ_ARRAY_CMD;
+      *Ptr = WRITE_BYTE_CMD;
+      *Ptr = OriginalUint8;
+      *Ptr = READ_STATUS_CMD;
+      ProbeUint8 = *Ptr;
+      if (ProbeUint8 & 0x10 /* programming error */) {
+        DEBUG ((DEBUG_INFO, "QemuFlashDetected => FLASH is readonly\n"));
+      } else {
+        DEBUG ((DEBUG_INFO, "QemuFlashDetected => FLASH is writable\n"));
+        FlashDetected = TRUE;
+      }
+      *Ptr = READ_ARRAY_CMD;
     }
   }