From: James Bottomley
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com, brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com, jon.grimm@amd.com, thomas.lendacky@amd.com, jejb@linux.ibm.com, frankeh@us.ibm.com, "Dr. David Alan Gilbert"
Subject: [edk2-devel] [PATCH 3/4] OvmfPkg: create a SEV secret area in the AmdSev memfd
Date: Wed, 11 Nov 2020 16:13:15 -0800
Message-Id: <20201112001316.11341-4-jejb@linux.ibm.com>
In-Reply-To: <20201112001316.11341-1-jejb@linux.ibm.com>
References: <20201112001316.11341-1-jejb@linux.ibm.com>

SEV needs an area to place an injected secret where OVMF can find it and pass it up as a ConfigurationTable.

This patch implements the area itself as an addition to the SEV-enhanced reset vector. The reset vector scheme allows additions but not removals. If the size of the reset vector is 22, it only contains the AP reset IP, but if it is 30 (or greater) it contains the SEV secret page location and size.
Signed-off-by: James Bottomley --- OvmfPkg/OvmfPkg.dec | 5 +++++ OvmfPkg/AmdSev/AmdSevX64.fdf | 3 +++ OvmfPkg/ResetVector/ResetVector.inf | 4 ++++ OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 4 ++++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ 5 files changed, 18 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 3fbf7a0ee1..b00f083417 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -117,6 +117,7 @@ gLinuxEfiInitrdMediaGuid =3D {0x5568e427, 0x68fc, 0x4f3d, {= 0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}} gQemuKernelLoaderFsMediaGuid =3D {0x1428f772, 0xb64a, 0x441e, {= 0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} gGrubFileGuid =3D {0xb5ae312c, 0xbc8a, 0x43b1, {= 0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} + gSevLaunchSecretGuid =3D {0xadf956ad, 0xe98c, 0x484c, {= 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} =20 [Ppis] # PPI whose presence in the PPI database signals that the TPM base addre= ss @@ -304,6 +305,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41 =20 + ## The base address and size of the SEV Launch Secret Area + gSevLaunchSecretGuid.PcdSevLaunchSecretBase|0x0|UINT32|0 + gSevLaunchSecretGuid.PcdSevLaunchSecretSize|0x0|UINT32|1 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index 689386612d..1fd38b3fe2 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf 
@@ -59,6 +59,9 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPk= gTokenSpaceGuid.PcdOvmf 0x00B000|0x001000 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P= cdSevEsWorkAreaSize =20 +0x00C000|0x001000 +gSevLaunchSecretGuid.PcdSevLaunchSecretBase|gSevLaunchSecretGuid.PcdSevLau= nchSecretSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index a53ae6c194..72fd78eef4 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -43,3 +43,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize + +[FixedPcd] + gSevLaunchSecretGuid.PcdSevLaunchSecretBase + gSevLaunchSecretGuid.PcdSevLaunchSecretSize diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 980e0138e7..7d3214e55d 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm @@ -35,6 +35,8 @@ ALIGN 16 ; the build time RIP value. The GUID must always be 48 bytes from the ; end of the firmware. ; +; 0xffffffc2 (-0x3e) - Base Location of the SEV Launch Secret +; 0xffffffc6 (-0x3a) - Size of SEV Launch Secret ; 0xffffffca (-0x36) - IP value ; 0xffffffcc (-0x34) - CS segment base [31:16] ; 0xffffffce (-0x32) - Size of the SEV-ES reset block @@ -51,6 +53,8 @@ ALIGN 16 TIMES (32 - (sevEsResetBlockEnd - sevEsResetBlockStart)) DB 0 =20 sevEsResetBlockStart: + DD SEV_LAUNCH_SECRET_BASE + DD SEV_LAUNCH_SECRET_SIZE DD SEV_ES_AP_RESET_IP DW sevEsResetBlockEnd - sevEsResetBlockStart DB 0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 4913b379a9..c5e0fe93ab 100644 
--- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -83,5 +83,7 @@ %include "Main.asm" =20 %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase) + %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase) + %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize) %include "Ia16/ResetVectorVtf0.asm" =20 --=20 2.26.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#67342): https://edk2.groups.io/g/devel/message/67342 Mute This Topic: https://groups.io/mt/78198620/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
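Review bot: in the second OvmfPkg.dec hunk the two new PCDs are declared under gSevLaunchSecretGuid with token numbers 0 and 1, while the neighbouring entries (PcdOvmfSecGhcbBase|0|UINT32|0x40, PcdOvmfSecGhcbSize|0|UINT32|0x41) live in gUefiOvmfPkgTokenSpaceGuid. Reusing the GUID that, per the commit message and its name, identifies the ConfigurationTable entry as a PCD token space is unusual for OvmfPkg; consider declaring them as gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0|UINT32|0x42 and ...PcdSevLaunchSecretSize|0|UINT32|0x43 (adjusting the .fdf, .inf and .nasmb references), or say in the commit message why a separate token space is wanted.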
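Review bot: the AmdSevX64.fdf hunk is the only place that assigns PcdSevLaunchSecretBase/Size, but the ResetVector.nasmb and ResetVectorVtf0.asm hunks emit the two DDs unconditionally and the .dec defaults are 0x0, so every other OVMF platform that builds this reset vector will now also carry a 30-byte block advertising a secret area with base 0 and size 0. Either document in the commit message (and in the asm header comment) that a zero base or size means "no secret area", so a consumer can key on it, or make the new fields conditional on the AmdSev build.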
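Review bot: the ResetVector.inf hunk opens a new [FixedPcd] section for the two PCDs instead of appending them to the existing PCD section that already lists gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase and ...Size; keeping all build-time PCDs of the module in one section makes the list easier to audit and matches the rest of the file.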
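Review bot: the header comment in the ResetVectorVtf0.asm hunk lists the new offsets (0xffffffc2, 0xffffffc6) but does not tell a consumer how to know they are present; add a sentence that the DW at 0xffffffce is the block length including the GUID, that fields are located backwards from the GUID, and that the base/size words are only valid when that length is >= 30 (22 is the pre-patch block). The placement itself is right: emitting the two DDs before SEV_ES_AP_RESET_IP keeps every existing field at its old distance from the GUID, which is what makes "additions but not removals" hold. Note also that TIMES (32 - (sevEsResetBlockEnd - sevEsResetBlockStart)) now leaves only 2 bytes of padding, so the next DD added to this block will make the count negative and fail the build; worth a comment so the slot gets enlarged deliberately rather than discovered.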
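The block layout the commit message describes (GUID 48 bytes from the end of the image, a size word in front of it, fields growing downward, 22 bytes before this patch and 30 after) is easiest to see from the consumer's side. The following C parser is an added illustration; it is not code from the patch, from OVMF or from QEMU. Its assumptions: the full GUID is taken to be 00f771de-1a7e-4fcb-890e-68c77e2fb44e (only its first eight bytes appear in the hunk); a base or size of 0 is treated as "no secret area", which follows from the 0x0 defaults in OvmfPkg.dec but is not stated by the patch; the two 64-byte image tails are constructed from the values in the .fdf hunk (0xC000/0x1000 for the secret page, 0xB000 for PcdSevEsWorkAreaBase), with the last 32 bytes filled with 0x90 as a stand-in for the remainder of the reset vector.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * GUIDed SEV-ES reset block as emitted by ResetVectorVtf0.asm. Offsets are
 * relative to the end of the block (the byte after the GUID) and grow downward,
 * which is why new fields are prepended and existing offsets never move:
 *   -16..-1   GUID
 *   -18..-17  DW block size including the GUID (22 before this patch, 30 after)
 *   -22..-19  DD AP reset IP: bits [15:0] IP, bits [31:16] CS base [31:16]
 *   -26..-23  DD SEV launch secret size   (valid only when block size >= 30)
 *   -30..-27  DD SEV launch secret base   (valid only when block size >= 30)
 * The GUID always starts 48 bytes before the end of the firmware image.
 */
#define GUID_OFFSET_FROM_END   48u
#define BLOCK_SIZE_LEGACY      22u
#define BLOCK_SIZE_WITH_SECRET 30u

/* Bytes 0..7 are visible in the hunk; bytes 8..15 are ASSUMED to be the rest
 * of 00f771de-1a7e-4fcb-890e-68c77e2fb44e. Verify against the tree. */
static const uint8_t reset_block_guid[16] = {
    0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F,
    0x89, 0x0E, 0x68, 0xC7, 0x7E, 0x2F, 0xB4, 0x4E,
};

typedef struct {
    uint16_t block_size;
    uint16_t ap_reset_ip;     /* low 16 bits of the AP reset DD */
    uint16_t ap_cs_base_hi;   /* high 16 bits of the AP reset DD */
    bool     has_secret_area;
    uint32_t secret_base;
    uint32_t secret_size;
} sev_reset_block_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* 0 on success; negative if the GUID is absent or the size word is implausible. */
int parse_sev_reset_block(const uint8_t *fw, size_t fw_len, sev_reset_block_t *out)
{
    memset(out, 0, sizeof(*out));
    if (fw_len < GUID_OFFSET_FROM_END) return -1;
    const uint8_t *guid = fw + fw_len - GUID_OFFSET_FROM_END;
    if (memcmp(guid, reset_block_guid, sizeof reset_block_guid) != 0) return -2;
    const uint8_t *block_end = guid + 16;
    uint16_t size = rd16(block_end - 18);
    /* Must hold at least GUID + size + AP IP, and must not run off the start of the buffer. */
    if (size < BLOCK_SIZE_LEGACY || (size_t)size > (size_t)(block_end - fw)) return -3;
    out->block_size = size;
    uint32_t ap = rd32(block_end - 22);
    out->ap_reset_ip = (uint16_t)(ap & 0xFFFFu);
    out->ap_cs_base_hi = (uint16_t)(ap >> 16);
    if (size >= BLOCK_SIZE_WITH_SECRET) {          /* size gates the new fields */
        uint32_t secret_size = rd32(block_end - 26);
        uint32_t secret_base = rd32(block_end - 30);
        /* ASSUMPTION: base 0 / size 0 (the .dec defaults, emitted by builds whose
         * .fdf does not assign the area) means "no secret area"; also reject wraparound. */
        if (secret_base != 0 && secret_size != 0 && secret_base <= UINT32_MAX - secret_size) {
            out->has_secret_area = true;
            out->secret_base = secret_base;
            out->secret_size = secret_size;
        }
    }
    return 0;
}

/* Constructed filler standing in for the last 32 bytes of the reset vector. */
#define NOP8 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90

/* Constructed 64-byte image tail in the patched layout: TIMES (32 - 30) padding, 30-byte block. */
static const uint8_t tail_with_secret[64] = {
    0x00, 0x00,
    0x00, 0xC0, 0x00, 0x00,   /* DD SEV_LAUNCH_SECRET_BASE = 0x0000C000 (AmdSevX64.fdf) */
    0x00, 0x10, 0x00, 0x00,   /* DD SEV_LAUNCH_SECRET_SIZE = 0x00001000 */
    0x00, 0xB0, 0x00, 0x00,   /* DD SEV_ES_AP_RESET_IP = PcdSevEsWorkAreaBase = 0x0000B000 */
    0x1E, 0x00,               /* DW 30 */
    0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F,
    0x89, 0x0E, 0x68, 0xC7, 0x7E, 0x2F, 0xB4, 0x4E,
    NOP8, NOP8, NOP8, NOP8,
};

/* Constructed tail as a pre-patch firmware lays it out: 10 bytes of padding, 22-byte block. */
static const uint8_t tail_legacy[64] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0xB0, 0x00, 0x00,   /* DD SEV_ES_AP_RESET_IP */
    0x16, 0x00,               /* DW 22 */
    0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F,
    0x89, 0x0E, 0x68, 0xC7, 0x7E, 0x2F, 0xB4, 0x4E,
    NOP8, NOP8, NOP8, NOP8,
};

int main(void)
{
    const uint8_t *tails[2] = { tail_with_secret, tail_legacy };
    for (int i = 0; i < 2; i++) {
        sev_reset_block_t b;
        if (parse_sev_reset_block(tails[i], 64, &b) != 0) { puts("no SEV-ES reset block"); continue; }
        printf("block size %u, AP reset IP 0x%04x, CS base[31:16] 0x%04x",
               b.block_size, b.ap_reset_ip, b.ap_cs_base_hi);
        if (b.has_secret_area) printf(", secret area 0x%08x + 0x%x", b.secret_base, b.secret_size);
        putchar('\n');
    }
    return 0;
}
```

The parser deliberately never hard-codes the 32-byte slot the asm pads to: it trusts only the size word, bounded by the buffer, so a firmware that later grows the block (the scheme allows additions) still parses, while a truncated or zero-filled image is rejected before any field is read.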