[v3] SEV Encrypted Boot for Ovmf

[edk2-devel] [PATCH v3 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area

Posted by James Bottomley 5 years, 2 months ago

Create a one page secret area in the MEMFD and protect the area with a
boot time HOB.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc           |  1 +
 OvmfPkg/AmdSev/AmdSevX64.fdf           |  4 +++
 OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 35 ++++++++++++++++++++++++++
 OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 25 ++++++++++++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 18707725b3e4..e9c522bedad9 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -613,6 +613,7 @@ [Components]
   OvmfPkg/PlatformPei/PlatformPei.inf
   UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 
 !if $(TPM_ENABLE) == TRUE
   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 1aa95826384a..b2656a1cf6fc 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -59,6 +59,9 @@ [FD.MEMFD]
 0x00B000|0x001000
 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
 
+0x00C000|0x001000
+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+
 0x010000|0x010000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
 
@@ -138,6 +141,7 @@ [FV.PEIFV]
 INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 INF  UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
 
 !if $(TPM_ENABLE) == TRUE
 INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
new file mode 100644
index 000000000000..08be156c4bc0
--- /dev/null
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
@@ -0,0 +1,35 @@
+## @file
+#  PEI support for SEV Secrets
+#
+#  Copyright (C) 2020 James Bottomley, IBM Corporation.
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SecretPei
+  FILE_GUID                      = 45260dde-0c3c-4b41-a226-ef3803fac7d4
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = InitializeSecretPei
+
+[Sources]
+  SecretPei.c
+
+[Packages]
+  OvmfPkg/OvmfPkg.dec
+  MdePkg/MdePkg.dec
+
+[LibraryClasses]
+  HobLib
+  PeimEntryPoint
+  PcdLib
+
+[FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+
+[Depex]
+  TRUE
diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
new file mode 100644
index 000000000000..ad491515dd5d
--- /dev/null
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
@@ -0,0 +1,25 @@
+/** @file
+  SEV Secret boot time HOB placement
+
+  Copyright (C) 2020 James Bottomley, IBM Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <PiPei.h>
+#include <Library/HobLib.h>
+#include <Library/PcdLib.h>
+
+EFI_STATUS
+EFIAPI
+InitializeSecretPei (
+  IN       EFI_PEI_FILE_HANDLE  FileHandle,
+  IN CONST EFI_PEI_SERVICES     **PeiServices
+  )
+{
+  BuildMemoryAllocationHob (
+    PcdGet32 (PcdSevLaunchSecretBase),
+    PcdGet32 (PcdSevLaunchSecretSize),
+    EfiBootServicesData
+    );
+
+  return EFI_SUCCESS;
+}
-- 
2.26.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#68092): https://edk2.groups.io/g/devel/message/68092
Mute This Topic: https://groups.io/mt/78617873/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v3 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area

Posted by Ard Biesheuvel 5 years, 2 months ago

Hi James,

On 11/30/20 9:28 PM, James Bottomley wrote:
> Create a one page secret area in the MEMFD and protect the area with a
> boot time HOB.
> 

I take it 'protect' here only means prevent the memory from being used 
for somethine else? In the context of security, encryption, secrets, 
etc, it might be useful to call that out.



> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
> Signed-off-by: James Bottomley <jejb@linux.ibm.com>
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> ---
>   OvmfPkg/AmdSev/AmdSevX64.dsc           |  1 +
>   OvmfPkg/AmdSev/AmdSevX64.fdf           |  4 +++
>   OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 35 ++++++++++++++++++++++++++
>   OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 25 ++++++++++++++++++
>   4 files changed, 65 insertions(+)
>   create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c
> 
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 18707725b3e4..e9c522bedad9 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -613,6 +613,7 @@ [Components]
>     OvmfPkg/PlatformPei/PlatformPei.inf
>     UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
>     UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> +  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   
>   !if $(TPM_ENABLE) == TRUE
>     OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
> index 1aa95826384a..b2656a1cf6fc 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.fdf
> +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
> @@ -59,6 +59,9 @@ [FD.MEMFD]
>   0x00B000|0x001000
>   gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
>   
> +0x00C000|0x001000
> +gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
> +
>   0x010000|0x010000
>   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
>   
> @@ -138,6 +141,7 @@ [FV.PEIFV]
>   INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>   INF  UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
>   INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> +INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   
>   !if $(TPM_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> new file mode 100644
> index 000000000000..08be156c4bc0
> --- /dev/null
> +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> @@ -0,0 +1,35 @@
> +## @file
> +#  PEI support for SEV Secrets
> +#
> +#  Copyright (C) 2020 James Bottomley, IBM Corporation.
> +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = SecretPei
> +  FILE_GUID                      = 45260dde-0c3c-4b41-a226-ef3803fac7d4
> +  MODULE_TYPE                    = PEIM
> +  VERSION_STRING                 = 1.0
> +  ENTRY_POINT                    = InitializeSecretPei
> +
> +[Sources]
> +  SecretPei.c
> +
> +[Packages]
> +  OvmfPkg/OvmfPkg.dec
> +  MdePkg/MdePkg.dec
> +
> +[LibraryClasses]
> +  HobLib
> +  PeimEntryPoint
> +  PcdLib
> +
> +[FixedPcd]
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
> +
> +[Depex]
> +  TRUE
> diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
> new file mode 100644
> index 000000000000..ad491515dd5d
> --- /dev/null
> +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
> @@ -0,0 +1,25 @@
> +/** @file
> +  SEV Secret boot time HOB placement
> +
> +  Copyright (C) 2020 James Bottomley, IBM Corporation.
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +#include <PiPei.h>
> +#include <Library/HobLib.h>
> +#include <Library/PcdLib.h>
> +
> +EFI_STATUS
> +EFIAPI
> +InitializeSecretPei (
> +  IN       EFI_PEI_FILE_HANDLE  FileHandle,
> +  IN CONST EFI_PEI_SERVICES     **PeiServices
> +  )
> +{
> +  BuildMemoryAllocationHob (
> +    PcdGet32 (PcdSevLaunchSecretBase),
> +    PcdGet32 (PcdSevLaunchSecretSize),
> +    EfiBootServicesData
> +    );
> +
> +  return EFI_SUCCESS;
> +}
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#68123): https://edk2.groups.io/g/devel/message/68123
Mute This Topic: https://groups.io/mt/78617873/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH v3 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area

Posted by James Bottomley 5 years, 2 months ago

On Tue, 2020-12-01 at 08:54 +0100, Ard Biesheuvel wrote:
> Hi James,
> 
> On 11/30/20 9:28 PM, James Bottomley wrote:
> > Create a one page secret area in the MEMFD and protect the area
> > with a
> > boot time HOB.
> > 
> 
> I take it 'protect' here only means prevent the memory from being
> used for somethine else?

Yes, make sure it's not allocated as free memory until exit boot
services.

>  In the context of security, encryption, secrets, 
> etc, it might be useful to call that out.

OK, how about reserve instead of protect?

James


> > Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
> > Signed-off-by: James Bottomley <jejb@linux.ibm.com>
> > Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> > ---
> >   OvmfPkg/AmdSev/AmdSevX64.dsc           |  1 +
> >   OvmfPkg/AmdSev/AmdSevX64.fdf           |  4 +++
> >   OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 35
> > ++++++++++++++++++++++++++
> >   OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 25 ++++++++++++++++++
> >   4 files changed, 65 insertions(+)
> >   create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> >   create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c
> > 
> > diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc
> > b/OvmfPkg/AmdSev/AmdSevX64.dsc
> > index 18707725b3e4..e9c522bedad9 100644
> > --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> > +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> > @@ -613,6 +613,7 @@ [Components]
> >     OvmfPkg/PlatformPei/PlatformPei.inf
> >     UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
> >     UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> > +  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> >   
> >   !if $(TPM_ENABLE) == TRUE
> >     OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> > diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf
> > b/OvmfPkg/AmdSev/AmdSevX64.fdf
> > index 1aa95826384a..b2656a1cf6fc 100644
> > --- a/OvmfPkg/AmdSev/AmdSevX64.fdf
> > +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
> > @@ -59,6 +59,9 @@ [FD.MEMFD]
> >   0x00B000|0x001000
> >  
> > gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpac
> > eGuid.PcdSevEsWorkAreaSize
> >   
> > +0x00C000|0x001000
> > +gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgToke
> > nSpaceGuid.PcdSevLaunchSecretSize
> > +
> >   0x010000|0x010000
> >  
> > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTok
> > enSpaceGuid.PcdOvmfSecPeiTempRamSize
> >   
> > @@ -138,6 +141,7 @@ [FV.PEIFV]
> >   INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> >   INF  UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
> >   INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> > +INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> >   
> >   !if $(TPM_ENABLE) == TRUE
> >   INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> > b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> > new file mode 100644
> > index 000000000000..08be156c4bc0
> > --- /dev/null
> > +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> > @@ -0,0 +1,35 @@
> > +## @file
> > +#  PEI support for SEV Secrets
> > +#
> > +#  Copyright (C) 2020 James Bottomley, IBM Corporation.
> > +#
> > +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> > +#
> > +##
> > +
> > +[Defines]
> > +  INF_VERSION                    = 0x00010005
> > +  BASE_NAME                      = SecretPei
> > +  FILE_GUID                      = 45260dde-0c3c-4b41-a226-
> > ef3803fac7d4
> > +  MODULE_TYPE                    = PEIM
> > +  VERSION_STRING                 = 1.0
> > +  ENTRY_POINT                    = InitializeSecretPei
> > +
> > +[Sources]
> > +  SecretPei.c
> > +
> > +[Packages]
> > +  OvmfPkg/OvmfPkg.dec
> > +  MdePkg/MdePkg.dec
> > +
> > +[LibraryClasses]
> > +  HobLib
> > +  PeimEntryPoint
> > +  PcdLib
> > +
> > +[FixedPcd]
> > +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
> > +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
> > +
> > +[Depex]
> > +  TRUE
> > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
> > b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
> > new file mode 100644
> > index 000000000000..ad491515dd5d
> > --- /dev/null
> > +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
> > @@ -0,0 +1,25 @@
> > +/** @file
> > +  SEV Secret boot time HOB placement
> > +
> > +  Copyright (C) 2020 James Bottomley, IBM Corporation.
> > +  SPDX-License-Identifier: BSD-2-Clause-Patent
> > +**/
> > +#include <PiPei.h>
> > +#include <Library/HobLib.h>
> > +#include <Library/PcdLib.h>
> > +
> > +EFI_STATUS
> > +EFIAPI
> > +InitializeSecretPei (
> > +  IN       EFI_PEI_FILE_HANDLE  FileHandle,
> > +  IN CONST EFI_PEI_SERVICES     **PeiServices
> > +  )
> > +{
> > +  BuildMemoryAllocationHob (
> > +    PcdGet32 (PcdSevLaunchSecretBase),
> > +    PcdGet32 (PcdSevLaunchSecretSize),
> > +    EfiBootServicesData
> > +    );
> > +
> > +  return EFI_SUCCESS;
> > +}
> > 
> 
> 
> 
> 
> 




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#68147): https://edk2.groups.io/g/devel/message/68147
Mute This Topic: https://groups.io/mt/78617873/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH v3 1/6] OvmfPkg/ResetVector: convert SEV-ES Reset Block structure to be GUIDed
[edk2-devel] [PATCH v3 2/6] OvmfPkg/Amdsev: Base commit to build encrypted boot specific OVMF
[edk2-devel] [PATCH v3 3/6] OvmfPkg/AmdSev: add Grub Firmware Volume Package
[edk2-devel] [PATCH v3 4/6] OvmfPkg: create a SEV secret area in the AmdSev memfd
[edk2-devel] [PATCH v3 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area
[edk2-devel] [PATCH v3 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table