From nobody Mon Feb  9 08:29:27 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+68091+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+68091+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1606768249; cv=none;
	d=zohomail.com; s=zohoarc;
	b=XI23FI6t3V8PqKH1I2h9QfjfYrHCWdANdCGPxjdEFmBCzi2Vg5WDVyKlz4wKaMr+PUj1d6NuR40yGM/HNle1YM7Le6ZtO7G3HbwKhyfr1GF8Ml4Scqv+ByVxwmoFb3Tn3iujYv1t+eQ9UqTj/vLKERy5OzH8Rdy94m5b8nXcHsE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1606768249;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=KNC9gYkAtSSE2Rm3MvXd62H9890XLLalSdVwn6yt13I=;
	b=BpG0e2p2/rmJDX/CVN8+HSK8AZgr8MTVU/WdDr7RFy+1bT3rCllRFTusRENFf8CXiU6fr9gUK1CGn+7qdKMYeYbQdaQ1R9ywfHFY++4G0vU+2/ACQw6h9tRx4zdoybdlkxRO3InRIzufXgwg+MnBitUoxmpI9S3aGluSdjjF6bo=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+68091+1787277+3901457@groups.io;
	dmarc=fail header.from=<jejb@linux.ibm.com> (p=none dis=none)
 header.from=<jejb@linux.ibm.com>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1606768249167365.89018371490704;
 Mon, 30 Nov 2020 12:30:49 -0800 (PST)
Return-Path: <bounce+27952+68091+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id 1DobYY1788612xaA7zaZHLmQ;
 Mon, 30 Nov 2020 12:30:48 -0800
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web08.2986.1606768247831841137
 for <devel@edk2.groups.io>;
 Mon, 30 Nov 2020 12:30:47 -0800
X-Received: from pps.filterd (m0098404.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
 0AUK4S0H138487;
	Mon, 30 Nov 2020 15:30:43 -0500
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3555tvkrcx-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Mon, 30 Nov 2020 15:30:43 -0500
X-Received: from m0098404.ppops.net (m0098404.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 0AUK4ftl139782;
	Mon, 30 Nov 2020 15:30:42 -0500
X-Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com
 [169.47.144.26])
	by mx0a-001b2d01.pphosted.com with ESMTP id 3555tvkrc9-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Mon, 30 Nov 2020 15:30:42 -0500
X-Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1])
	by ppma04wdc.us.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 0AUKNIgx019913;
	Mon, 30 Nov 2020 20:30:41 GMT
X-Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com
 [9.57.198.25])
	by ppma04wdc.us.ibm.com with ESMTP id 354ysu3gdy-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Mon, 30 Nov 2020 20:30:41 +0000
X-Received: from b01ledav002.gho.pok.ibm.com (b01ledav002.gho.pok.ibm.com
 [9.57.199.107])
	by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 0AUKUd7f17760592
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Mon, 30 Nov 2020 20:30:39 GMT
X-Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 9DF01124053;
	Mon, 30 Nov 2020 20:30:39 +0000 (GMT)
X-Received: from b01ledav002.gho.pok.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id BC090124052;
	Mon, 30 Nov 2020 20:30:37 +0000 (GMT)
X-Received: from jarvis.int.hansenpartnership.com (unknown [9.80.201.242])
	by b01ledav002.gho.pok.ibm.com (Postfix) with ESMTP;
	Mon, 30 Nov 2020 20:30:37 +0000 (GMT)
From: "James Bottomley" <jejb@linux.ibm.com>
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com, ashish.kalra@amd.com,
        brijesh.singh@amd.com, tobin@ibm.com, david.kaplan@amd.com,
        jon.grimm@amd.com, thomas.lendacky@amd.com, jejb@linux.ibm.com,
        frankeh@us.ibm.com, "Dr . David Alan Gilbert" <dgilbert@redhat.com>,
        Laszlo Ersek <lersek@redhat.com>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: [edk2-devel] [PATCH v3 4/6] OvmfPkg: create a SEV secret area in the
 AmdSev memfd
Date: Mon, 30 Nov 2020 12:28:17 -0800
Message-Id: <20201130202819.3910-5-jejb@linux.ibm.com>
In-Reply-To: <20201130202819.3910-1-jejb@linux.ibm.com>
References: <20201130202819.3910-1-jejb@linux.ibm.com>
MIME-Version: 1.0
X-TM-AS-GCONF: 00
Precedence: Bulk
List-Unsubscribe: <https://edk2.groups.io/g/devel/unsub>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,jejb@linux.ibm.com
X-Gm-Message-State: 4zJu1D7IMafFWM3Fase1Skk5x1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1606768248;
 bh=h5UfMiDkhjTFSYrXV4+0pf8qbFlriqcs9PeEVva7rQc=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=ZaF2/8BZnW+qGBJ0xfijriOmWBkOr7rmYfQqj4iHWDWqDeBi6iq5LlTuD/c5BtiSaY1
 KF5DOVuTBOpwQBy27utm2OdznNWdooMEuu4KFRp7XJ7NOi6Kwh+KgXzLolJ/wppAmb/Lw
 ji/fT6AXGrqOY1wV6XbU8fXbgb1QqaUvvvA=
X-ZohoMail-DKIM: pass (identity @groups.io)
Content-Type: text/plain; charset="utf-8"

SEV needs an area to place an injected secret where OVMF can find it
and pass it up as a ConfigurationTable.  This patch implements the
area itself as an addition to the SEV enhanced reset vector table using
an additional guid (4c2eb361-7d9b-4cc3-8081-127c90d3d294).

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

---

v2: move guid to OVMF token space, separate patches
v3: comment rewording

SEV Secret
---
 OvmfPkg/OvmfPkg.dec                          |  6 ++++++
 OvmfPkg/ResetVector/ResetVector.inf          |  4 ++++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 19 +++++++++++++++++++
 OvmfPkg/ResetVector/ResetVector.nasmb        |  2 ++
 4 files changed, 31 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 3fbf7a0ee1a4..7d27f8e16040 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -304,6 +304,12 @@ [PcdsFixedAtBuild]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41
=20
+  ## The base address and size of the SEV Launch Secret Area provisioned
+  #  after remote attestation.  If this is set in the .fdf, the platform
+  #  is responsible for protecting the area from DXE phase overwrites.
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese=
tVector.inf
index a53ae6c194ae..dc38f68919cd 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -43,3 +43,7 @@ [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
+
+[FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe=
ctor/Ia16/ResetVectorVtf0.asm
index 9e0a74fddfc1..5c6df5ee1a31 100644
--- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
+++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -47,6 +47,25 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart =
+ 15) % 16)) DB 0
 ;
 guidedStructureStart:
=20
+;
+; SEV Secret block
+;
+; This describes the guest ram area where the hypervisor may should
+; inject the secret.  The data format is:
+;
+; base physical address (32 bit word)
+; table length (32 bit word)
+;
+; GUID (SEV secret block): 4c2eb361-7d9b-4cc3-8081-127c90d3d294
+;
+sevSecretBlockStart:
+    DD      SEV_LAUNCH_SECRET_BASE
+    DD      SEV_LAUNCH_SECRET_SIZE
+    DW      sevSecretBlockEnd - sevSecretBlockStart
+    DB      0x61, 0xB3, 0x2E, 0x4C, 0x9B, 0x7D, 0xC3, 0x4C
+    DB      0x80, 0x81, 0x12, 0x7C, 0x90, 0xD3, 0xD2, 0x94
+sevSecretBlockEnd:
+
 ;
 ; SEV-ES Processor Reset support
 ;
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re=
setVector.nasmb
index 4913b379a993..c5e0fe93abf4 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -83,5 +83,7 @@
 %include "Main.asm"
=20
   %define SEV_ES_AP_RESET_IP  FixedPcdGet32 (PcdSevEsWorkAreaBase)
+  %define SEV_LAUNCH_SECRET_BASE  FixedPcdGet32 (PcdSevLaunchSecretBase)
+  %define SEV_LAUNCH_SECRET_SIZE  FixedPcdGet32 (PcdSevLaunchSecretSize)
 %include "Ia16/ResetVectorVtf0.asm"
=20
--=20
2.26.2



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#68091): https://edk2.groups.io/g/devel/message/68091
Mute This Topic: https://groups.io/mt/78617855/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-