From nobody Sat Apr 20 05:37:49 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+74638+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+74638+1787277+3901457@groups.io;
	arc=fail (BodyHash is different from the expected one);
	dmarc=fail(p=none dis=none)  header.from=amd.com
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1619783550974563.2468906090837;
 Fri, 30 Apr 2021 04:52:30 -0700 (PDT)
Return-Path: <bounce+27952+74638+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id b1ysYY1788612xheRfQ5iSUV;
 Fri, 30 Apr 2021 04:52:30 -0700
X-Received: from NAM12-BN8-obe.outbound.protection.outlook.com
 (NAM12-BN8-obe.outbound.protection.outlook.com [])
 by mx.groups.io with SMTP id smtpd.web08.10381.1619783543755812561
 for <devel@edk2.groups.io>;
 Fri, 30 Apr 2021 04:52:25 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=QBMRJSrVT6QH9rlSIOTYAYoK8Fh+r1jwpglERsYB3z9QpqGCDmYD8ykK4mMzJ9CAftvXn3NKtDmYJmoLg68svoJu3kPFLMU3fggSWD0Gwf++x6vhaYkbHjtw3e1UtD/se2a0nLhTuKwRkSJfgnJsOwxJWETx9jYgYbdO4rGmnpWoipSsJ4u0rpMyuNUkV2dxLkNBJ2SxsTKq5rK9MhOvu2T512vtndmzKnwuZDzfOTijBY/uT1be9i4yjH5m1iXyHhqRTrA1Q0MaFMCjhXorLJPsUJgctVaD4J/xRY4lS/Ley0f1sNfVN8FgKMqUrbrDVvILZgKYEtXesvI5u0w9bQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=tcTRFz3hV9bG30nsmlvks68/TuBkbKM+hNbPVqlLii0=;
 b=bh/kyOm04KaEJrnOhBuZMKGdPbcMk/JNQsalwpWTE1wgUL1h0fHufZyCrIRv/7SP7XBekDe9cYlNJE3GsrfsNMRd2K4ETPhxxXt50PwIMoQNJwijVKg00npTvBjw7BwmrHcwoLqehpkclPCCmhMhsjNA3pv8LUZUPBNblo4ikvyJGnMA/cFTn4ceT+7NyaDGn8Kghn0iwPwZmUQo1iUA0sq41ZssZ+YKKl9+N+jarPlj42fvh35vn/BPO8ynfpzLZAZQalmx73Nc5GNUeDgeLNIu4dhrfOioTg4d2Jrk4AHRV6XDPiVt2a0Zk/2mH33SDzbovxBHpJ2sSlH3Col9GA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass
 header.d=amd.com; arc=none
X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com
 (2603:10b6:805:6f::22)
 by SA0PR12MB4349.namprd12.prod.outlook.com (2603:10b6:806:98::21) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.23; Fri, 30 Apr
 2021 11:52:22 +0000
X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com
 ([fe80::9898:5b48:a062:db94]) by SN6PR12MB2718.namprd12.prod.outlook.com
 ([fe80::9898:5b48:a062:db94%6]) with mapi id 15.20.4065.027; Fri, 30 Apr 2021
 11:52:22 +0000
From: "Brijesh Singh" <brijesh.singh@amd.com>
To: devel@edk2.groups.io
Cc: Brijesh Singh <brijesh.singh@amd.com>,
	James Bottomley <jejb@linux.ibm.com>,
	Min Xu <min.m.xu@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Ard Biesheuvel <ardb+tianocore@kernel.org>,
	Laszlo Ersek <lersek@redhat.com>,
	Erdem Aktas <erdemaktas@google.com>
Subject: [edk2-devel] [PATCH RFC v2 11/28] OvmfPkg: Reserve Secrets page in
 MEMFD
Date: Fri, 30 Apr 2021 06:51:31 -0500
Message-Id: <20210430115148.22267-12-brijesh.singh@amd.com>
In-Reply-To: <20210430115148.22267-1-brijesh.singh@amd.com>
References: <20210430115148.22267-1-brijesh.singh@amd.com>
X-Originating-IP: [165.204.77.1]
X-ClientProxiedBy: SA0PR12CA0006.namprd12.prod.outlook.com
 (2603:10b6:806:6f::11) To SN6PR12MB2718.namprd12.prod.outlook.com
 (2603:10b6:805:6f::22)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-Received: from sbrijesh-desktop.amd.com (165.204.77.1) by
 SA0PR12CA0006.namprd12.prod.outlook.com (2603:10b6:806:6f::11) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.27 via Frontend
 Transport; Fri, 30 Apr 2021 11:52:22 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 96cd4276-00ba-4398-e635-08d90bce6a55
X-MS-TrafficTypeDiagnostic: SA0PR12MB4349:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
 <SA0PR12MB43498A640C501E1935A2D986E55E9@SA0PR12MB4349.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:7691;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: 
 ljqx04ErVASjtTwAJ0kbzNAIyXMnELd1XJJtExz3JE7zQdRuCWwAQZnWy/MhkGRIHfDOGikiuGJH7raKhBfRsK4ukNn0BhPdT+XzfYzQbd9cwICkTaFejp+sEi2loswKhUWpne5WSKEJ2oC8dXRNyEZRSqYfNlX2iWBqZWj7E1sxANPiEh+8OX2HatzBaRAY8LdvfRJaWJ3whBzF+iGflB1lUYPrrVPI4/xCXsx5wI9LNJl0tG3CLkUo6ACh/LtZ/bi00UCx1T0v00FK9++9ePrLcPG9RCvdiPClJGXQuIPpSpZ7IxEtGttBvmaTDaFAR8dS/fao6ACmCBA1sWESOadtmlXZK+EhNmvh1fDXz0eIbCErDv9j3ii4L3FbbQQXz3wtCXvP6VWz40c+2LKprLVT+DUgL/RfGpvZVsO6rGzMmSk0EjHMs6O4Eak59XBSLOwzCpTnx3uEqBaxROrgVvfZH7GHLBtI6OThD3IdEQE4d+g6kMqIW2NHf7ZStLSalZjAA/YSmf+CgsC6LL1bvSQmh9JNSQ/d+Cy9+KiQ8gOVBZCh9cfGMeJlxddOKqrFzyl41pu6Ke2o953jk/qgmiJPwtunJLe9/HB9Sg0k6y4jcZPXpbIey1lYc/6MIXpcKkVQHZar7fMds0dEDpm+3TuhMBjfZAW0EGIbkoRPGm02O8CljEaxE8bwtTgG9bkLL//umV7fytkvMQhXUbrPquEacufKnvVEXK3GAnCTjQo=
X-MS-Exchange-AntiSpam-MessageData: 
 =?us-ascii?Q?rQIFeDI9jFPsc7MO+bUpSJ1MK1ms8Nnz4+qHgOylYTKlWtqlbqO38StYmDCh?=
 =?us-ascii?Q?wtV2NNDmIaT0KQEsQ3r/Xu0C4/hDoneKBrHQOvdKQuevoZUzdwIIZNJ8kfKN?=
 =?us-ascii?Q?cC7zD/2seXtJDGOBFC4HGhNVMooU/wPeVORtn+uDKS/Bep5sPyvhfKZDptmC?=
 =?us-ascii?Q?5y7aXU0oinr41VQwrCBut/xSjGLRndyihod4CHJhFIxYaacmkioxrEQJpoli?=
 =?us-ascii?Q?jecIQ70HEK8GV5Qi0svPPVIVJOdy5KxllRJ1CedhSZW1bYR2ZSmqNFOiVEg0?=
 =?us-ascii?Q?ItP8fqNsV+iv08ggT3G9NkUV8SatAHNdKi5h6Aermsgd2gAB3hipvE7Tv/67?=
 =?us-ascii?Q?IRFRNRY5DooBz9qs2kPzOBwcFblJR3RryDcTzv699QabAy4HVsKMU6+LFeba?=
 =?us-ascii?Q?2s+WNEohxFObrTUvjCbQCx6Qd16Qs4dbEKtOKU+0l3iDvSZ3tdZm84fnLQJ2?=
 =?us-ascii?Q?56DqjouKdU3jqcM3Eh1YzXfwVYh4iv3OdWzpkeAVlmcZ167Tfz2nPsHCrZOA?=
 =?us-ascii?Q?9t3O/LqVMcuDQblCOo7UPcKvHRoNIFAw9tNHAVvMp0GZROFsiib3UqCtSNyp?=
 =?us-ascii?Q?0CNDvtWrEcKV6JuedsSkXnofI/xuuiJREJKTgjlLaQaIkvGcqRBFytsGjizU?=
 =?us-ascii?Q?NwUnXQDblLqVR9y7WwrKCHjvYuwAOMTdLm9isqI7hZ99l5Kfu/NdCt5KVmIm?=
 =?us-ascii?Q?3gdyZLwSjspuTMSQ07tOhI5c++5kOa67lIlsJfVDFnzSTbOS6ZhkmHCXK1pE?=
 =?us-ascii?Q?SvKdhOjndt3823CevzP0QVqDUEVoJAJOJcO2nBteWr5szWiqPTIObqFoP5zR?=
 =?us-ascii?Q?VCj0wijlPXHQavHsKJrGtwEUCe7jy/bxTEAld3WV5J4tpStYn/nq6EbUVrMt?=
 =?us-ascii?Q?r/EZ3TGg/sNNfOJFiLgat2TjtoV5Ipq3vdc5J0gL42K6avV/yGZIhSZ89Kn7?=
 =?us-ascii?Q?TWojdTcMXMcq4r1P4LzU/NbZwXQ1I7GFw4+QWDN5JEN8zWoBK8I+X4Z9yErP?=
 =?us-ascii?Q?R5CM1QVrkuTndauz1ko9vLc8fVBSOZ64JcprGfFaS2Rcfe8wMSr1puF8RJRb?=
 =?us-ascii?Q?R7SToAUwD2XpeMNyKxAQPggC0uRs7K7NgEQ6HL2YSpgqp7p/an4Bg18ht5EV?=
 =?us-ascii?Q?+/EImtwB4N9fNZLFIWtnu2Rl9IBJFVDuuBDCxNLTN/zUYh4wPuh9hzauDHFK?=
 =?us-ascii?Q?zWs0JmpANQDj5hvHqzkugXcnIj7zFO8Imutqq+PouKkkDtei6pdtLigTEUO2?=
 =?us-ascii?Q?sIwg+mGP80FRhNwScUYpuzRk2Q+YpvycQlnNy/LOJzFpOv6QtU4aXAOcjI1Z?=
 =?us-ascii?Q?ZY1jWbAuSxi3CP9W3j68EPMv?=
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 96cd4276-00ba-4398-e635-08d90bce6a55
X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB2718.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Apr 2021 11:52:22.6357
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 hoWXZ5yTSUsJ9EoMIIG++OIq1NTAMmxlAZbixi17tSpRb/YQl3soVtuuWKxyV0P7FiOyTvvIYnt+C3Y2EYb2Zw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR12MB4349
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,brijesh.singh@amd.com
X-Gm-Message-State: sAU5oK0tqe99Ww7kn9RW2fiYx1787277AA=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1619783550;
 bh=YFJAqizYychmQorCOqasbH+5DKkvkfbZdR4bclb3YRI=;
 h=Cc:Content-Type:Date:From:Reply-To:Subject:To;
 b=FdhF4z1kdaXcxjpYmGYRQTdcUE4sW7gfcwtAZP47zx8bCKxq++3a0yQmp8h42vgAww/
 J+BqYghkFenaWhRD+0m9bMb++m7IYZO/Df/l+fBthE76cCrJExQiOjrl7pzaSxtkEsEKK
 cNBDhAbiwyUyWvHN2FTQi35BiHgJKekZBb4=
X-ZohoMail-DKIM: pass (identity @groups.io)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275

When AMD SEV is enabled in the guest VM, a hypervisor need to insert a
secrets page.

When SEV-SNP is enabled, the secrets page contains the VM platform
communication keys. The guest BIOS and OS can use this key to communicate
with the SEV firmware to get attesation report. See the SEV-SNP firmware
spec for more details for the content of the secrets page.

When SEV and SEV-ES is enabled, the secrets page contains the information
provided by the guest owner after the attestation. See the SEV
LAUNCH_SECRET command for more details.

Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 16 +++++++++++++++-
 OvmfPkg/AmdSev/SecretPei/SecretPei.inf |  1 +
 OvmfPkg/OvmfPkgX64.dsc                 |  2 ++
 OvmfPkg/OvmfPkgX64.fdf                 |  5 +++++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPe=
i/SecretPei.c
index ad491515dd..92836c562c 100644
--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
@@ -7,6 +7,7 @@
 #include <PiPei.h>
 #include <Library/HobLib.h>
 #include <Library/PcdLib.h>
+#include <Library/MemEncryptSevLib.h>
=20
 EFI_STATUS
 EFIAPI
@@ -15,10 +16,23 @@ InitializeSecretPei (
   IN CONST EFI_PEI_SERVICES     **PeiServices
   )
 {
+  UINTN   Type;
+
+  //
+  // The secret page should be mapped encrypted by the guest OS and must n=
ot
+  // be treated as a system RAM. Mark it as ACPI NVS so that guest OS maps=
 it
+  // encrypted.
+  //
+  if (MemEncryptSevSnpIsEnabled ()) {
+    Type =3D EfiACPIMemoryNVS;
+  } else {
+    Type =3D EfiBootServicesData;
+  }
+
   BuildMemoryAllocationHob (
     PcdGet32 (PcdSevLaunchSecretBase),
     PcdGet32 (PcdSevLaunchSecretSize),
-    EfiBootServicesData
+    Type
     );
=20
   return EFI_SUCCESS;
diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/Secret=
Pei/SecretPei.inf
index 08be156c4b..9265f8adee 100644
--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
@@ -26,6 +26,7 @@
   HobLib
   PeimEntryPoint
   PcdLib
+  MemEncryptSevLib
=20
 [FixedPcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index a7d747f6b4..593c0e69f6 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -716,6 +716,7 @@
   OvmfPkg/SmmAccess/SmmAccessPei.inf
 !endif
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
=20
 !if $(TPM_ENABLE) =3D=3D TRUE
   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
@@ -965,6 +966,7 @@
   OvmfPkg/PlatformDxe/Platform.inf
   OvmfPkg/AmdSevDxe/AmdSevDxe.inf
   OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+  OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
=20
 !if $(SMM_REQUIRE) =3D=3D TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index d519f85328..b04175f77c 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -88,6 +88,9 @@ gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPk=
gTokenSpaceGuid.PcdSevE
 0x00C000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace=
Guid.PcdOvmfSecGhcbBackupSize
=20
+0x00D000|0x001000
+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGu=
id.PcdSevLaunchSecretSize
+
 0x010000|0x010000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace=
Guid.PcdOvmfSecPeiTempRamSize
=20
@@ -178,6 +181,7 @@ INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
 INF  SecurityPkg/Tcg/TcgPei/TcgPei.inf
 INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
 !endif
+INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
=20
 ##########################################################################=
######
=20
@@ -313,6 +317,7 @@ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrd=
DynamicShellCommand.inf
 INF  ShellPkg/Application/Shell/Shell.inf
=20
 INF MdeModulePkg/Logo/LogoDxe.inf
+INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
=20
 #
 # Network modules
--=20
2.17.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#74638): https://edk2.groups.io/g/devel/message/74638
Mute This Topic: https://groups.io/mt/82479058/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-