SEV needs an area to place an injected secret where OVMF can find it
and pass it up as a ConfigurationTable. This patch implements the
area itself as an addition to the SEV enhanced reset vector table using
an additional guid (4c2eb361-7d9b-4cc3-8081-127c90d3d294).
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
v2: move guid to OVMF token space, separate patches
v3: comment rewording
SEV Secret
---
OvmfPkg/OvmfPkg.dec | 6 ++++++
OvmfPkg/ResetVector/ResetVector.inf | 4 ++++
OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 19 +++++++++++++++++++
OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++
4 files changed, 31 insertions(+)
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 3fbf7a0ee1a4..7d27f8e16040 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -304,6 +304,12 @@ [PcdsFixedAtBuild]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41
+ ## The base address and size of the SEV Launch Secret Area provisioned
+ # after remote attestation. If this is set in the .fdf, the platform
+ # is responsible for protecting the area from DXE phase overwrites.
+ gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42
+ gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43
+
[PcdsDynamic, PcdsDynamicEx]
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
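Review bot: The new comment above `PcdSevLaunchSecretBase` makes the platform responsible for protecting the area from DXE overwrites, but it does not say what that protection consists of or what the 0x0 defaults mean. Nothing in the visible hunks enforces the protection, so a platform that sets the PCDs in its .fdf and does nothing else would presumably leave the injected secret in memory DXE can reuse. I would extend the comment along the lines of `# A size of 0 means no secret area is configured.` and `# The platform must reserve [Base, Base+Size) before DXE allocates memory.` If a later patch in the series adds the reservation, a pointer to it in the comment would be enough.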
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf
index a53ae6c194ae..dc38f68919cd 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -43,3 +43,7 @@ [Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+
+[FixedPcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
+ gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
index 9e0a74fddfc1..5c6df5ee1a31 100644
--- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
+++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -47,6 +47,25 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart + 15) % 16)) DB 0
;
guidedStructureStart:
+;
+; SEV Secret block
+;
+; This describes the guest ram area where the hypervisor may should
+; inject the secret. The data format is:
+;
+; base physical address (32 bit word)
+; table length (32 bit word)
+;
+; GUID (SEV secret block): 4c2eb361-7d9b-4cc3-8081-127c90d3d294
+;
+sevSecretBlockStart:
+ DD SEV_LAUNCH_SECRET_BASE
+ DD SEV_LAUNCH_SECRET_SIZE
+ DW sevSecretBlockEnd - sevSecretBlockStart
+ DB 0x61, 0xB3, 0x2E, 0x4C, 0x9B, 0x7D, 0xC3, 0x4C
+ DB 0x80, 0x81, 0x12, 0x7C, 0x90, 0xD3, 0xD2, 0x94
+sevSecretBlockEnd:
+
;
; SEV-ES Processor Reset support
;
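Review bot: The block at `sevSecretBlockStart` is emitted unconditionally, and the .dec hunk defaults both PCDs to 0x0, so a build that never sets them still advertises this GUID with base 0 and size 0. The header comment does not say how a table consumer should read that case. I would state it explicitly, e.g. `; A size of 0 means no secret area is configured; nothing must be injected.` The field documented as `table length` is the size of the secret area, not the entry length stored by the `DW` line, so `; size of the secret area in bytes (32 bit word)` would avoid confusing the two. The guided structure this entry belongs to starts and ends outside the hunk, so its overall layout cannot be checked from here.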
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 4913b379a993..c5e0fe93abf4 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -83,5 +83,7 @@
%include "Main.asm"
%define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase)
+ %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase)
+ %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize)
%include "Ia16/ResetVectorVtf0.asm"
--
2.26.2
On 11/30/20 21:28, James Bottomley wrote: > SEV needs an area to place an injected secret where OVMF can find it > and pass it up as a ConfigurationTable. This patch implements the > area itself as an addition to the SEV enhanced reset vector table using > an additional guid (4c2eb361-7d9b-4cc3-8081-127c90d3d294). > > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 > Signed-off-by: James Bottomley <jejb@linux.ibm.com> > Reviewed-by: Laszlo Ersek <lersek@redhat.com> > > --- > > v2: move guid to OVMF token space, separate patches > v3: comment rewording > > SEV Secret > --- > OvmfPkg/OvmfPkg.dec | 6 ++++++ > OvmfPkg/ResetVector/ResetVector.inf | 4 ++++ > OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 19 +++++++++++++++++++ > OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ > 4 files changed, 31 insertions(+) > > diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec > index 3fbf7a0ee1a4..7d27f8e16040 100644 > --- a/OvmfPkg/OvmfPkg.dec > +++ b/OvmfPkg/OvmfPkg.dec > @@ -304,6 +304,12 @@ [PcdsFixedAtBuild] > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40 > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41 > > + ## The base address and size of the SEV Launch Secret Area provisioned > + # after remote attestation. If this is set in the .fdf, the platform > + # is responsible for protecting the area from DXE phase overwrites. > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42 > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43 > + > [PcdsDynamic, PcdsDynamicEx] > gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 > diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf > index a53ae6c194ae..dc38f68919cd 100644 > --- a/OvmfPkg/ResetVector/ResetVector.inf > +++ b/OvmfPkg/ResetVector/ResetVector.inf 
> @@ -43,3 +43,7 @@ [Pcd] > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize > + > +[FixedPcd] > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase > + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm > index 9e0a74fddfc1..5c6df5ee1a31 100644 > --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm > +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm > @@ -47,6 +47,25 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart + 15) % 16)) DB 0 > ; > guidedStructureStart: > > +; > +; SEV Secret block > +; > +; This describes the guest ram area where the hypervisor may should > +; inject the secret. The data format is: > +; > +; base physical address (32 bit word) > +; table length (32 bit word) > +; > +; GUID (SEV secret block): 4c2eb361-7d9b-4cc3-8081-127c90d3d294 > +; (1) s/may should/should/, but we can fix this up at merge. The syntax updates look great otherwise, so my R-b stands. Thanks! Laszlo > +sevSecretBlockStart: > + DD SEV_LAUNCH_SECRET_BASE > + DD SEV_LAUNCH_SECRET_SIZE > + DW sevSecretBlockEnd - sevSecretBlockStart > + DB 0x61, 0xB3, 0x2E, 0x4C, 0x9B, 0x7D, 0xC3, 0x4C > + DB 0x80, 0x81, 0x12, 0x7C, 0x90, 0xD3, 0xD2, 0x94 > +sevSecretBlockEnd: > + > ; > ; SEV-ES Processor Reset support > ; > diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb > index 4913b379a993..c5e0fe93abf4 100644 > --- a/OvmfPkg/ResetVector/ResetVector.nasmb > +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
> @@ -83,5 +83,7 @@ > %include "Main.asm" > > %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase) > + %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase) > + %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize) > %include "Ia16/ResetVectorVtf0.asm" > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#68229): https://edk2.groups.io/g/devel/message/68229 Mute This Topic: https://groups.io/mt/78617855/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-