OvmfPkg/OvmfPkg.dec | 2 +- OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 2 +- ...aunchSecret.h => ConfidentialComputingSecret.h} | 14 +++++++------- OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) rename OvmfPkg/Include/Guid/{SevLaunchSecret.h => ConfidentialComputingSecret.h} (65%)
This patch series changes the EFI configuration table information which is queried by the bootloader to make it more compatible with Intel TDX. The first patch changes the ABI to make the table contain two 64 bit integers instead of two 32 bit ones. The second patch is a cosmetic one to change the names of the GUIDs and tables to have a confidential computing prefix instead of a SEV Launch one. The first patch *must* be applied before the next stable tag to avoid ABI breakage. The second is purely cosmetic and doesn't change the code output. Ultimately there will still need to be a TDX collector for the secret, which would feed the value into the SecretDxe, but these changes should ensure that no further changes would be required by the secret consumers. James --- James Bottomley (2): OvmfPkg: Change SEV Launch Secret API to be UINT64 for base and size OvmfPkg/AmdSev/SecretDxe: make secret location naming generic OvmfPkg/OvmfPkg.dec | 2 +- OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 2 +- ...aunchSecret.h => ConfidentialComputingSecret.h} | 14 +++++++------- OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) rename OvmfPkg/Include/Guid/{SevLaunchSecret.h => ConfidentialComputingSecret.h} (65%) -- 2.26.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#68919): https://edk2.groups.io/g/devel/message/68919 Mute This Topic: https://groups.io/mt/78991600/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Series: Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> > -----Original Message----- > From: James Bottomley <jejb@linux.ibm.com> > Sent: Wednesday, December 16, 2020 9:42 AM > To: devel@edk2.groups.io > Cc: dovmurik@linux.vnet.ibm.com; Dov.Murik1@il.ibm.com; > ashish.kalra@amd.com; brijesh.singh@amd.com; tobin@ibm.com; > david.kaplan@amd.com; jon.grimm@amd.com; thomas.lendacky@amd.com; > jejb@linux.ibm.com; frankeh@us.ibm.com; Dr . David Alan Gilbert > <dgilbert@redhat.com>; Laszlo Ersek <lersek@redhat.com>; Justen, Jordan L > <jordan.l.justen@intel.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; > Yao, Jiewen <jiewen.yao@intel.com> > Subject: [PATCH 0/2] Update SevSecret API to work for TDX > > This patch series changes the EFI configuration table information > which is queried by the bootloader to make it more compatible with > Intel TDX. The first patch changes the ABI to make the table contain > two 64 bit integers instead of two 32 bit ones. The second patch is a > cosmetic one to change the names of the GUIDs and tables to have a > confidential computing prefix instead of a SEV Launch one. > > The first patch *must* be applied before the next stable tag to avoid > ABI breakage. The second is purely cosmetic and doesn't change the > code output. > > Ultimately there will still need to be a TDX collector for the secret, > which would feed the value into the SecretDxe, but these changes > should ensure that no further changes would be required by the secret > consumers. > > James > > --- > > James Bottomley (2): > OvmfPkg: Change SEV Launch Secret API to be UINT64 for base and size > OvmfPkg/AmdSev/SecretDxe: make secret location naming generic > > OvmfPkg/OvmfPkg.dec | 2 +- > OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 2 +- > ...aunchSecret.h => ConfidentialComputingSecret.h} | 14 +++++++------- > OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 6 +++--- > 4 files changed, 12 insertions(+), 12 deletions(-) > rename OvmfPkg/Include/Guid/{SevLaunchSecret.h => > ConfidentialComputingSecret.h} (65%) > > -- > 2.26.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#68924): https://edk2.groups.io/g/devel/message/68924 Mute This Topic: https://groups.io/mt/78991600/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
+Mike On 12/16/20 02:41, James Bottomley wrote: > This patch series changes the EFI configuration table information > which is queried by the bootloader to make it more compatible with > Intel TDX. The first patch changes the ABI to make the table contain > two 64 bit integers instead of two 32 bit ones. The second patch is a > cosmetic one to change the names of the GUIDs and tables to have a > confidential computing prefix instead of a SEV Launch one. > > The first patch *must* be applied before the next stable tag to avoid > ABI breakage. The second is purely cosmetic and doesn't change the > code output. > > Ultimately there will still need to be a TDX collector for the secret, > which would feed the value into the SecretDxe, but these changes > should ensure that no further changes would be required by the secret > consumers. > > James > > --- > > James Bottomley (2): > OvmfPkg: Change SEV Launch Secret API to be UINT64 for base and size > OvmfPkg/AmdSev/SecretDxe: make secret location naming generic > > OvmfPkg/OvmfPkg.dec | 2 +- > OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 2 +- > ...aunchSecret.h => ConfidentialComputingSecret.h} | 14 +++++++------- > OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 6 +++--- > 4 files changed, 12 insertions(+), 12 deletions(-) > rename OvmfPkg/Include/Guid/{SevLaunchSecret.h => ConfidentialComputingSecret.h} (65%) > series Reviewed-by: Laszlo Ersek <lersek@redhat.com> I tried merging this: https://github.com/tianocore/edk2/pull/1235 but the Ubuntu builds all failed. I've checked two logs: https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16967&view=logs&j=cf2d8b26-a21c-5c68-abf4-b944c123e462&t=5ffbbe5c-1d3a-55f5-5ef3-8a0ef80d76a1&l=184 https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16968&view=logs&j=47cf355a-6eb4-51a8-46a8-ff4028bfcac0&t=beedef5d-00d0-5a8c-fa35-57d7319988c2&l=182 They say, INFO - /bin/sh: 1: qemu-system-aarch64: not found INFO - /bin/sh: 1: qemu-system-x86_64: not found I guess I won't be merging the three patch sets that I had planned for this evening... Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#69148): https://edk2.groups.io/g/devel/message/69148 Mute This Topic: https://groups.io/mt/78991600/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On 12/17/20 19:43, Laszlo Ersek wrote: > I tried merging this: > > https://github.com/tianocore/edk2/pull/1235 > > but the Ubuntu builds all failed. I've checked two logs: > > https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16967&view=logs&j=cf2d8b26-a21c-5c68-abf4-b944c123e462&t=5ffbbe5c-1d3a-55f5-5ef3-8a0ef80d76a1&l=184 > https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16968&view=logs&j=47cf355a-6eb4-51a8-46a8-ff4028bfcac0&t=beedef5d-00d0-5a8c-fa35-57d7319988c2&l=182 > > They say, > > INFO - /bin/sh: 1: qemu-system-aarch64: not found > INFO - /bin/sh: 1: qemu-system-x86_64: not found The "Install qemu" tasks earlier seem to complete: https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16967&view=logs&j=cf2d8b26-a21c-5c68-abf4-b944c123e462&t=a5c654c1-e049-5a30-61a9-da81b8ec031f https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16968&view=logs&j=47cf355a-6eb4-51a8-46a8-ff4028bfcac0&t=9a629c6e-a36d-5733-3aff-19ed2a42cf75 However, the qemu "4.2-3ubuntu6.10" package is a dummy package: https://packages.ubuntu.com/focal/qemu and as shown under the link, it has no dependency on the packages with the actual qemu executables. So the latter do not get pulled in. (Even the logs make that clear: "Need to get 14.3 kB of archives" -- obviously, a real QEMU won't fit in that, and no other packages get pulled in). The meta-package that pulls in all system emulators is called "qemu-system": https://packages.ubuntu.com/focal/qemu-system What I don't understand at this point is how the CI scripts could work previously. ... Aha! I do understand it now. Look at one of the last successful PRs: https://github.com/tianocore/edk2/pull/1232 The CI logs contain this message: "##[warning]Ubuntu-latest pipelines will use Ubuntu-20.04 soon. For more details, see https://github.com/actions/virtual-environments/issues/1816" So let's check out: https://github.com/actions/virtual-environments/issues/1816 Okay... so it looks like I'm the victim of "Ubuntu-latest" switching to 20.04 ("focal") from 18.04 ("bionic"). Compare the "qemu" package in both: https://packages.ubuntu.com/bionic/qemu https://packages.ubuntu.com/focal/qemu In the former, qemu depends on qemu-system (which depends further on the actual emulator subpackages), in the latter, qemu doesn't depend on anything. According to <https://github.com/actions/virtual-environments/issues/1816>, we could change: .azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' .azurepipelines/Ubuntu-PatchCheck.yml: vmImage: 'ubuntu-latest' ArmVirtPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' EmulatorPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' to "ubuntu-18.04". But perhaps we should change: ArmVirtPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: - bash: sudo apt-get install qemu OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: - bash: sudo apt-get install qemu to "qemu-system", instead. Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#69150): https://edk2.groups.io/g/devel/message/69150 Mute This Topic: https://groups.io/mt/78991600/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On 12/17/20 20:23, Laszlo Ersek wrote: > On 12/17/20 19:43, Laszlo Ersek wrote: > >> I tried merging this: >> >> https://github.com/tianocore/edk2/pull/1235 >> >> but the Ubuntu builds all failed. I've checked two logs: >> >> https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16967&view=logs&j=cf2d8b26-a21c-5c68-abf4-b944c123e462&t=5ffbbe5c-1d3a-55f5-5ef3-8a0ef80d76a1&l=184 >> https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16968&view=logs&j=47cf355a-6eb4-51a8-46a8-ff4028bfcac0&t=beedef5d-00d0-5a8c-fa35-57d7319988c2&l=182 >> >> They say, >> >> INFO - /bin/sh: 1: qemu-system-aarch64: not found >> INFO - /bin/sh: 1: qemu-system-x86_64: not found > > The "Install qemu" tasks earlier seem to complete: > > https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16967&view=logs&j=cf2d8b26-a21c-5c68-abf4-b944c123e462&t=a5c654c1-e049-5a30-61a9-da81b8ec031f > https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16968&view=logs&j=47cf355a-6eb4-51a8-46a8-ff4028bfcac0&t=9a629c6e-a36d-5733-3aff-19ed2a42cf75 > > However, the qemu "4.2-3ubuntu6.10" package is a dummy package: > > https://packages.ubuntu.com/focal/qemu > > and as shown under the link, it has no dependency on the packages with the actual qemu executables. So the latter do not get pulled in. > > (Even the logs make that clear: "Need to get 14.3 kB of archives" -- obviously, a real QEMU won't fit in that, and no other packages get pulled in). > > The meta-package that pulls in all system emulators is called "qemu-system": > > https://packages.ubuntu.com/focal/qemu-system > > What I don't understand at this point is how the CI scripts could work previously. > > ... Aha! I do understand it now. Look at one of the last successful PRs: > > https://github.com/tianocore/edk2/pull/1232 > > The CI logs contain this message: > > "##[warning]Ubuntu-latest pipelines will use Ubuntu-20.04 soon. For more details, see https://github.com/actions/virtual-environments/issues/1816" > > So let's check out: > > https://github.com/actions/virtual-environments/issues/1816 > > Okay... so it looks like I'm the victim of "Ubuntu-latest" switching to 20.04 ("focal") from 18.04 ("bionic"). Compare the "qemu" package in both: > > https://packages.ubuntu.com/bionic/qemu > https://packages.ubuntu.com/focal/qemu > > In the former, qemu depends on qemu-system (which depends further on the actual emulator subpackages), in the latter, qemu doesn't depend on anything. > > According to <https://github.com/actions/virtual-environments/issues/1816>, we could change: > > .azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' > .azurepipelines/Ubuntu-PatchCheck.yml: vmImage: 'ubuntu-latest' > ArmVirtPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' > EmulatorPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' > OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: vm_image: 'ubuntu-latest' > > to "ubuntu-18.04". But perhaps we should change: > > ArmVirtPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: - bash: sudo apt-get install qemu > OvmfPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml: - bash: sudo apt-get install qemu > > to "qemu-system", instead. Well, no. I've just tried that: https://github.com/tianocore/edk2/pull/1236 and we have two problems with it: (1) the emulator is now available, but it crashes: https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=16975&view=logs&j=cf2d8b26-a21c-5c68-abf4-b944c123e462&t=5ffbbe5c-1d3a-55f5-5ef3-8a0ef80d76a1 "INFO - Segmentation fault (core dumped)" (2) in spite of this failure, the mergify bot says, "All checks passed. Auto close personal build." :/ So at the moment we can only go back to the 18.04LTS image. I'll try that next. Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#69151): https://edk2.groups.io/g/devel/message/69151 Mute This Topic: https://groups.io/mt/78991600/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On 12/16/20 02:41, James Bottomley wrote: > This patch series changes the EFI configuration table information > which is queried by the bootloader to make it more compatible with > Intel TDX. The first patch changes the ABI to make the table contain > two 64 bit integers instead of two 32 bit ones. The second patch is a > cosmetic one to change the names of the GUIDs and tables to have a > confidential computing prefix instead of a SEV Launch one. > > The first patch *must* be applied before the next stable tag to avoid > ABI breakage. The second is purely cosmetic and doesn't change the > code output. > > Ultimately there will still need to be a TDX collector for the secret, > which would feed the value into the SecretDxe, but these changes > should ensure that no further changes would be required by the secret > consumers. > > James > > --- > > James Bottomley (2): > OvmfPkg: Change SEV Launch Secret API to be UINT64 for base and size > OvmfPkg/AmdSev/SecretDxe: make secret location naming generic > > OvmfPkg/OvmfPkg.dec | 2 +- > OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 2 +- > ...aunchSecret.h => ConfidentialComputingSecret.h} | 14 +++++++------- > OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 6 +++--- > 4 files changed, 12 insertions(+), 12 deletions(-) > rename OvmfPkg/Include/Guid/{SevLaunchSecret.h => ConfidentialComputingSecret.h} (65%) > Merged as commit range c487970ac89d..96201ae7bf97, via <https://github.com/tianocore/edk2/pull/1235>. Thanks Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#69180): https://edk2.groups.io/g/devel/message/69180 Mute This Topic: https://groups.io/mt/78991600/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.