From: "Dov Murik"
To: devel@edk2.groups.io
Cc: Dov Murik, Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Laszlo Ersek, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky
Subject: [edk2-devel] [PATCH v2 01/11] OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming
Date: Tue, 6 Jul 2021 08:54:51 +0000
Message-Id: <20210706085501.1260662-2-dovmurik@linux.ibm.com>
In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com>

From: James Bottomley Commit 96201ae7bf97 ("OvmfPkg/AmdSev/SecretDxe: make secret location naming generic", 2020-12-15) replaced references to SEV with the generic term Confidential Computing, but missed the file header comment. Fix the naming in that header. Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Signed-off-by: James Bottomley Reviewed-by: Brijesh Singh --- OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDx= e/SecretDxe.c index 308022b5b25e..934ad207632b 100644 --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c 
@@ -1,5 +1,5 @@ /** @file - SEV Secret configuration table constructor + Confidential Computing Secret configuration table constructor =20 Copyright (C) 2020 James Bottomley, IBM Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent --=20 2.25.1

From: "Dov Murik"
Subject: [edk2-devel] [PATCH v2 02/11] OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds
Date: Tue, 6 Jul 2021 08:54:52 +0000
Message-Id: <20210706085501.1260662-3-dovmurik@linux.ibm.com>
In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com>

Newer kernels support efistub and therefore don't need all the legacy stuff in X86QemuLoadImageLib, which is harder to secure. Specifically the verification of kernel/initrd/cmdline blobs will be added only to the GenericQemuLoadImageLib implementation, so use that for SEV builds.

Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Brijesh Singh
--- OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 1d487befae08..a2f1324c40a6 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -368,7 +368,7 @@ [LibraryClasses.common.DXE_DRIVER] PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf - QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib= .inf + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoad= ImageLib.inf !if $(TPM_ENABLE) =3D=3D TRUE Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf --=20 2.25.1
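
Review bot: Replacing X86QemuLoadImageLib with GenericQemuLoadImageLib in [LibraryClasses.common.DXE_DRIVER] takes the legacy loader out of the DXE drivers of the AmdSev build, but the commit message only says that newer kernels "don't need" it and does not say what happens to a -kernel image built without efistub. Please state in the commit message (or the platform documentation) that an EFI-stub kernel becomes a requirement for -kernel boot on this platform, so that a failed boot of an older kernel is understood as intended rather than as a regression.
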

From: "Dov Murik"
Subject: [edk2-devel] [PATCH v2 03/11] OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg
Date: Tue, 6 Jul 2021 08:54:53 +0000
Message-Id: <20210706085501.1260662-4-dovmurik@linux.ibm.com>
In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com>

From: James Bottomley Support QEMU's -kernel option. OvmfPkg/Library/PlatformBootManagerLibGrub/QemuKernel.c is an exact copy of OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c . Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: James Bottomley Reviewed-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc = | 1 + OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf = | 2 ++ OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h = | 11 +++++++++++ OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c = | 5 +++++ OvmfPkg/Library/{PlatformBootManagerLib =3D> PlatformBootManagerLibGrub}/Q= emuKernel.c | 0 5 files changed, 19 insertions(+) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index a2f1324c40a6..aefdcf881c99 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -281,6 +281,7 @@ [LibraryClasses.common.PEIM] CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuE= xceptionHandlerLib.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoad= ImageLib.inf PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf =20 diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManager= LibGrub.inf b/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManage= rLibGrub.inf index 9a806d17ec45..5f6f73d18470 100644 --- a/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub= .inf +++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub= .inf @@ -23,6 +23,7 @@ [Defines] =20 [Sources] BdsPlatform.c + QemuKernel.c PlatformData.c BdsPlatform.h =20 
@@ -46,6 +47,7 @@ [LibraryClasses] BootLogoLib DevicePathLib PciLib + QemuLoadImageLib UefiLib PlatformBmPrintScLib Tcg2PhysicalPresenceLib diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h b/Ovm= fPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h index 748c63081920..f1d3a2906c00 100644 --- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h +++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h @@ -172,4 +172,15 @@ PlatformInitializeConsole ( IN PLATFORM_CONSOLE_CONNECT_ENTRY *PlatformConsole ); =20 +/** + Loads and boots UEFI Linux via the FwCfg interface. + + @retval EFI_NOT_FOUND - The Linux kernel was not found + +**/ +EFI_STATUS +TryRunningQemuKernel ( + VOID + ); + #endif // _PLATFORM_SPECIFIC_BDS_PLATFORM_H_ diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c b/Ovm= fPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c index 5c92d4fc2b09..7cceeea4879c 100644 --- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c +++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c @@ -1315,6 +1315,11 @@ PlatformBootManagerAfterConsole ( // Tcg2PhysicalPresenceLibProcessRequest (NULL); =20 + // + // Process QEMU's -kernel command line option + // + TryRunningQemuKernel (); + // // Perform some platform specific connect sequence // 
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c b/OvmfPkg/= Library/PlatformBootManagerLibGrub/QemuKernel.c similarity index 100% copy from OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c copy to OvmfPkg/Library/PlatformBootManagerLibGrub/QemuKernel.c --=20 2.25.1
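
Review bot: In the AmdSevX64.dsc hunk the new QemuLoadImageLib resolution is added under [LibraryClasses.common.PEIM], while the only consumer this patch introduces is PlatformBootManagerLibGrub (QemuKernel.c plus the new QemuLoadImageLib entry in its .inf), which calls it from PlatformBootManagerAfterConsole. Patch 02 already resolves the class for DXE_DRIVER modules; if no PEIM links against it, drop this line, otherwise name the PEIM that needs it in the commit message.
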
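
Review bot: The new call in PlatformBootManagerAfterConsole, `TryRunningQemuKernel ();`, discards the EFI_STATUS that the prototype added to BdsPlatform.h returns, so every failure is handled like the documented EFI_NOT_FOUND case and boot continues into the platform connect sequence. Since patch 02 announces that verification of the kernel/initrd/cmdline blobs will be added to this load path, consider capturing the status and at least logging anything other than EFI_NOT_FOUND, so that a rejected kernel is distinguishable from an absent one. The header comment also lists only EFI_NOT_FOUND; the other return values should be documented there.
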
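
Review bot: QemuKernel.c is added with "similarity index 100%" as a copy of OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c, which leaves two identical files that have to be kept in sync by hand; a fix applied to one copy will not reach the other. Consider moving the shared code into a common library, or say in the commit message why the two copies are expected to diverge.
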

From: "Dov Murik"
Subject: [edk2-devel] [PATCH v2 04/11] OvmfPkg: add library class BlobVerifierLib with null implementation
Date: Tue, 6 Jul 2021 08:54:54 +0000
Message-Id: <20210706085501.1260662-5-dovmurik@linux.ibm.com>
In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com>

BlobVerifierLib will be used to verify blobs fetched from QEMU's firmware config (fw_cfg) in platforms that enable such verification. The null implementation NullBlobVerifierLib treats all blobs as valid.

Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 3 ++ OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf | 27 ++++++++++++++ OvmfPkg/Include/Library/BlobVerifierLib.h | 38 +++++++++++++= +++++++ OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c | 34 +++++++++++++= +++++ 4 files changed, 102 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 6ae733f6e39f..f82228d69cc2 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -23,6 +23,9 @@ [LibraryClasses] ## @libraryclass Access bhyve's firmware control interface. BhyveFwCtlLib|Include/Library/BhyveFwCtlLib.h =20 + ## @libraryclass Verify blobs read from the VMM + BlobVerifierLib|Include/Library/BlobVerifierLib.h + ## @libraryclass Loads and boots a Linux kernel image # LoadLinuxLib|Include/Library/LoadLinuxLib.h diff --git a/OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf b/Ovmf= Pkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf new file mode 100644 index 000000000000..c8942ad05d96 --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf @@ -0,0 +1,27 @@ +## @file +# +# Null implementation of the blob verifier library. +# +# Copyright (C) 2021, IBM Corp +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D NullBlobVerifierLib + FILE_GUID =3D b1b5533e-e01a-43bb-9e54-414f00ca036e + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BlobVerifierLib + +[Sources] + NullBlobVerifier.c + +[Packages] + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + +[LibraryClasses] + DebugLib diff --git a/OvmfPkg/Include/Library/BlobVerifierLib.h b/OvmfPkg/Include/Li= brary/BlobVerifierLib.h new file mode 100644 index 000000000000..667024766681 
--- /dev/null +++ b/OvmfPkg/Include/Library/BlobVerifierLib.h @@ -0,0 +1,38 @@ +/** @file + + Blob verification library + + This library class allows verifiying whether blobs from external sources + (such as QEMU's firmware config) are trusted. + + Copyright (C) 2021, IBM Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef BLOB_VERIFIER_LIB_H__ +#define BLOB_VERIFIER_LIB_H__ + +#include +#include + +/** + Verify blob from an external source. + + @param BlobName The name of the blob + @param Buf The data of the blob + @param BufSize The size of the blob in bytes + + @retval EFI_SUCCESS The blob was verified successfully. + @retval EFI_ACCESS_DENIED The blob could not be verified, and theref= ore + should be considered non-secure. +**/ +EFI_STATUS +EFIAPI +VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, + UINT32 BufSize + ); + +#endif diff --git a/OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c b/OvmfPkg/L= ibrary/BlobVerifierLib/NullBlobVerifier.c new file mode 100644 index 000000000000..7b31b6ec767d --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/NullBlobVerifier.c 
@@ -0,0 +1,34 @@ +/** @file + + Null implementation of the blob verifier library. + + Copyright (C) 2021, IBM Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include +#include + +/** + Verify blob from an external source. + + @param BlobName The name of the blob + @param Buf The data of the blob + @param BufSize The size of the blob in bytes + + @retval EFI_SUCCESS The blob was verified successfully. + @retval EFI_ACCESS_DENIED The blob could not be verified, and theref= ore + should be considered non-secure. +**/ +EFI_STATUS +EFIAPI +VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, + UINT32 BufSize + ) +{ + return EFI_SUCCESS; +} --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77507): https://edk2.groups.io/g/devel/message/77507 Mute This Topic: https://groups.io/mt/84016357/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 01:34:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77510+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77510+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1625561729; cv=none; d=zohomail.com; s=zohoarc; b=nt8BIHDdom/RdmnuE3zhcGBOQKFgc25vJGI3bHZSKottNcpimWspSUuExrFuEKSU6DKaed4NfdfApLKD8gEfJTZnoeSALp4cBgoejR5YEFQQx6i5eeJuSkVBI5ezPEJB+hNHF2ezD9r0ZzMvAb2+iSlHKNa/MA5njVI8MMT9bNg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625561729; 
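Review bot: The VerifyBlob() comment in BlobVerifierLib.h does not say what a caller passes, or what an instance must return, when the VMM supplies no blob at all (Buf NULL, BufSize 0). A verifying instance needs that case spelled out so that a missing blob is never accepted by default; please add it to the function comment. NullBlobVerifier.c should also state that this instance returns EFI_SUCCESS without looking at Buf, since the "@retval EFI_SUCCESS The blob was verified successfully" wording does not describe what it does. Smaller points: "verifiying" in the header's file comment is a typo, and BufSize lacks the IN modifier that BlobName and Buf carry, in both the header and the .c file.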
From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v2 05/11] OvmfPkg: add NullBlobVerifierLib to DSC Date: Tue, 6 Jul 2021 08:54:55 +0000 Message-Id: <20210706085501.1260662-6-dovmurik@linux.ibm.com> In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com> References: <20210706085501.1260662-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: uJjWBYqF1m9ZPKiuCINsBy8bHqb7ih7- X-Proofpoint-GUID: WzB0856iljQqFgkThIYr5Kzi-KMHNKs0 X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: ioJtgROGaNpKUwvu7DfBvKUyx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1625561728; bh=sa/CRhxM2rLtxvmonKNo55DI7Cb8fTSqXUyP/HB/16U=; h=Cc:Date:From:Reply-To:Subject:To; b=P3gcxSoNM0c41WO4jhnnSWZwFNkV5tbftLBSSlM1FivAxCdSudAKKf/yvs5HOYxSTA/ RIsocr8JRfNjy4varzMOuLKyM7/KtpM5I3sGE/pThibQa09tC3YencD0LMjW1Pa+MzLcx ur6Vv79h177wQmxmNdnn5CgmQjGItSrfjT8= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1625561735282100004 Content-Type: text/plain; charset="utf-8" This prepares the ground for calling VerifyBlob() in QemuKernelLoaderFsDxe. Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 
Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +++++- OvmfPkg/OvmfPkgIa32.dsc | 5 ++++- OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++- OvmfPkg/OvmfPkgX64.dsc | 5 ++++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index aefdcf881c99..8b260df114e3 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -173,6 +173,7 @@ [LibraryClasses] LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/Customize= dDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltL= ib.inf + BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf =20 !if $(SOURCE_DEBUG_ENABLE) =3D=3D TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDeb= ug/PeCoffExtraActionLibDebug.inf @@ -693,7 +694,10 @@ [Components] NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc= eManagerUiLib.inf } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index f53efeae7986..68e8a2f74249 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -786,7 +786,10 @@ [Components] NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf !endif } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf 
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index b3662e17f256..24d9cddc2447 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -800,7 +800,10 @@ [Components.X64] NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf !endif } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 0a237a905866..c4907efd7b67 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc 
@@ -798,7 +798,10 @@ [Components] NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf !endif } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77510): https://edk2.groups.io/g/devel/message/77510 Mute This Topic: https://groups.io/mt/84016360/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 01:34:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77511+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77511+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1625561729; cv=none; d=zohomail.com; s=zohoarc; b=KZqpIUMtcwl33yxqIAWkgyyiakMNTkjFk0UoysW4OE7e9dvmhBW2bKYUFtMRkXzPG6G2XN7vrqRzs1qpclsa/Pd3R0uPrE+1yoUvrh8wZ5f1OUsyCsGFhp0QD2w/5Rc1Y4cl7YiOtg4QvHSx6u0YUk9kwlTSQyEnI7Vile/k2nk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625561729; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=xFWdvI5iV4C0hpehMi+QGVdye3QruoTdlkmGcJbQkmM=; 
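Review bot: AmdSevX64.dsc ends up with two mappings for the same instance, "BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf" under [LibraryClasses] (hunk at -173) and "NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf" in the QemuKernelLoaderFsDxe override (hunk at -693), while the other three DSCs get only the NULL| form. A NULL| entry links the instance into the module without resolving the BlobVerifierLib class, so I would expect the component override to read "BlobVerifierLib|..." in all four files and the extra [LibraryClasses] line in AmdSevX64.dsc to be dropped or explained. Because the null instance accepts every blob, the commit message should also say whether the AmdSev platform is meant to keep it or only carries it until a verifying instance exists.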
From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Leif Lindholm , Sami Mujawar , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v2 06/11] ArmVirtPkg: add NullBlobVerifierLib to DSC Date: Tue, 6 Jul 2021 08:54:56 +0000 Message-Id: <20210706085501.1260662-7-dovmurik@linux.ibm.com> In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com> References: <20210706085501.1260662-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: Y8q8qGd_4yGtrIuF6WgUAVCCb5kL9IMr X-Proofpoint-ORIG-GUID: NPfXCJDyEHNw1wXnASpqzxY9SYTjSC9o X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: FwgLzzTix8k3ECnUVwMDsCQ9x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1625561729; bh=bJ1PuWTc/Vewi/+r9I09RQLBLvaTEcxx1Zaf3LEbqxk=; h=Cc:Date:From:Reply-To:Subject:To; b=DYglw2txM3z4dcfMdorsxnWx/VpyUnakNj7/kJMEAxRooLqKLiyjcEEiaJ/NlW1Dvrf 4lvgyQkeQuaMQX11INSo6XKRjanlfB32GyKr1Q9/+7rcV+v7bq5YrcUtVq/DquLT+Pl4O z4LD7qjv34Pwl+KXWjdvgtsGla9rfFFMhgM= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1625561735319100006 Content-Type: text/plain; charset="utf-8" This prepares the ground for calling VerifyBlob() in QemuKernelLoaderFsDxe. Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 
Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh --- ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++- ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 7ef5e7297bc7..a0d3592ae0e6 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -440,7 +440,10 @@ [Components.common] NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc= eManagerUiLib.inf } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + } =20 # # Networking stack diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne= l.dsc index a542fcb157e9..e63a7f0b6d63 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc 
@@ -376,7 +376,10 @@ [Components.common] NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc= eManagerUiLib.inf } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + } =20 # # Networking stack --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77511): https://edk2.groups.io/g/devel/message/77511 Mute This Topic: https://groups.io/mt/84016361/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 01:34:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77509+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77509+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1625561722; cv=none; d=zohomail.com; s=zohoarc; b=mbwv4KIyRif3XcD3bVlUz1TVvKSFe2MeZer6nJv2C3fB+s1JY7O2+u8qS/oh3rtSLaQu4UX9rbriAWaukPYvu2YZhTnNXKadG8fK4CVvz7COHGDXalc1EvPnmCtJotIO91t9Uup9s8zF76sYnWPiYHoZYOImA0ixtVf27Tg+MBg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625561722; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=W8lBWGgytbRon1Kc4AsRXPC34bh1B56HayEG8EaQkJ4=; 
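Review bot: Both ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc add the instance as "NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf" inside the QemuKernelLoaderFsDxe override, which links it anonymously instead of resolving the BlobVerifierLib class that the driver is about to depend on. Please map it by class name ("BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf") so the build fails visibly if a platform forgets to pick an instance.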
From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v2 07/11] OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg Date: Tue, 6 Jul 2021 08:54:57 +0000 Message-Id: <20210706085501.1260662-8-dovmurik@linux.ibm.com> In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com> References: <20210706085501.1260662-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: f0CUQH9tVrBTNymy9wZUnq6IGlHBlCsO X-Proofpoint-GUID: Ft21CewkqBzoV-kf46ywSn6EQPnr1_DZ X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: g6drTsSptSTFXaZ0mnyp4iWYx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1625561722; bh=AhJf5GDWfgDKZD2jbCHunq1miBVS4oei0aDN+uIPeOo=; h=Cc:Date:From:Reply-To:Subject:To; b=lT65t7sewQ74nI0xVTVwhxIkFILMeYPxttyqSA7ZDPpbupZ442c3XMuBDYcrt3zp+h5 l4tLE5ONx8x1duNRCSWhUk8zRFTSOgaBWCaraSUFB9TQ7/HuktOUHw86vNWdJE6XGPuoL 1rvQ/Zn/9fplNr3M8RlpEiEb+jzxbeG2GVw= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1625561728258100006 Content-Type: text/plain; charset="utf-8" In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a call to VerifyBlob after fetching to allow BlobVerifierLib implementations to add a verification step for these blobs. 
This will allow confidential computing OVMF builds to add verification mechanisms for these blobs that originate from an untrusted source (QEMU). The null implementation of BlobVerifierLib does nothing in VerifyBlob, and therefore no functional change is expected. Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Co-developed-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh --- OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPk= g/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c index c7ddd86f5c75..b43330d23b80 100644 --- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include 
@@ -1039,6 +1040,14 @@ QemuKernelLoaderFsDxeEntrypoint ( if (EFI_ERROR (Status)) { goto FreeBlobs; } + Status =3D VerifyBlob ( + CurrentBlob->Name, + CurrentBlob->Data, + CurrentBlob->Size + ); + if (EFI_ERROR (Status)) { + goto FreeBlobs; + } mTotalBlobBytes +=3D CurrentBlob->Size; } KernelBlob =3D &mKernelBlob[KernelBlobTypeKernel]; --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77509): https://edk2.groups.io/g/devel/message/77509 Mute This Topic: https://groups.io/mt/84016359/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 01:34:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77512+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77512+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1625561724; cv=none; d=zohomail.com; s=zohoarc; b=d9HB6WoY+bGChZlmEpyf92h7iZSPADomZXnfl3SJC/z66H19IjBSvAb/SSp7CeFUSSOzNRnkZUokN1U3s77OUeFzrOyGHk5UDwQS0CTZLB6PbwbgJZjQIQA7JTpL3MNQ5slm4h4a86r2bptgp6KJM/+5Ggbnn07FtNwysg5/yvk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625561724; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=9fEXh2ox5MJHJwHi1yUqFF8YW82803NhkDbVOX+3bJM=; 
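Review bot: The diffstat touches only QemuKernelLoaderFsDxe.c, so the module's INF does not gain BlobVerifierLib under [LibraryClasses] even though the .c file now includes the library header and calls VerifyBlob(); please add the class to QemuKernelLoaderFsDxe.inf in this patch. In the -1039 hunk, the new "if (EFI_ERROR (Status)) { goto FreeBlobs; }" path gives no indication of which blob was rejected; a DEBUG_ERROR message with CurrentBlob->Name and Status before the goto would make a refused kernel, initrd or command line diagnosable. Placing the call directly after the fetch, on the same CurrentBlob->Data buffer that is consumed later, is the right spot, since nothing reads from fw_cfg again after the check.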
From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v2 08/11] OvmfPkg/AmdSev/SecretPei: build hob for full page Date: Tue, 6 Jul 2021 08:54:58 +0000 Message-Id: <20210706085501.1260662-9-dovmurik@linux.ibm.com> In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com> References: <20210706085501.1260662-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: _DmHMZxvJfHqUBZkYlCoS2d-8tX_4J9n X-Proofpoint-ORIG-GUID: 4cBFQYg9o9l-zRCoy6k3rsOHgy9hbGms X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: BdfN3ZjQ9jWOoJY2Ck3c4uScx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1625561724; bh=OEtGR+Ja0dU+EsU7ubyZ/dPI9d6miHQz34wmtiidRZA=; h=Cc:Date:From:Reply-To:Subject:To; b=gYT7y0Amc4nsdqg8DaQJqjOAwd62pulwbryETssh1d6tINCw8jDykDgiFAi1ACac0tX j6oA8w10wbgVh+eKIcP/6ueeld7Qaxr3Sfh3EXqcTY7bZgQ9ZLByRNiR1+xYutAUGlSD6 AAiZOiLVSi4FgS34IPWOA/lHgVR+Mww6jWo= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1625561731775100001 Content-Type: text/plain; charset="utf-8" Round up the size of the SEV launch secret area to a whole page, as required by BuildMemoryAllocationHob. This will allow the secret area defined in the MEMFD to take less than a whole 4KB page. 
Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik --- OvmfPkg/AmdSev/SecretPei/SecretPei.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPe= i/SecretPei.c index ad491515dd5d..db4267428e5a 100644 --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c 
@@ -15,9 +15,16 @@ InitializeSecretPei ( IN CONST EFI_PEI_SERVICES **PeiServices ) { + UINT64 RoundedSize; + + RoundedSize =3D PcdGet32 (PcdSevLaunchSecretSize); + if (RoundedSize % EFI_PAGE_SIZE !=3D 0) { + RoundedSize =3D (RoundedSize / EFI_PAGE_SIZE + 1) * EFI_PAGE_SIZE; + } + BuildMemoryAllocationHob ( PcdGet32 (PcdSevLaunchSecretBase), - PcdGet32 (PcdSevLaunchSecretSize), + RoundedSize, EfiBootServicesData ); =20 --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77512): https://edk2.groups.io/g/devel/message/77512 Mute This Topic: https://groups.io/mt/84016362/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 01:34:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77513+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77513+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1625561724; cv=none; d=zohomail.com; s=zohoarc; b=SzMDumNCguG8aXf2mDWPgr+LkfBIFkXI9EnmDHQ5z9j8lHDCwXN2LqSfqjWGC0lcVu4XEAO033sMiACeEQ9f+oWBjVAUYDlkk6EauBe1R9Oc9EJotDntTwWvMM0Y6xm3YUGDlxxQIGzoOkTwmuLMPp0dWMj3wE3rquCyrZTDTAE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625561724; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=YQlJ0fKzGlS6KfIOWg0QSMRkZ1gnMjIcjkQfCl29IlQ=; 
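Review bot: In InitializeSecretPei (OvmfPkg/AmdSev/SecretPei/SecretPei.c) only the length is rounded up; PcdSevLaunchSecretBase is still passed unchanged, so the HOB covers whole pages only if the base is already 4KB-aligned, and nothing here checks that. Suggest asserting it next to the rounding, e.g. ASSERT ((PcdGet32 (PcdSevLaunchSecretBase) & EFI_PAGE_MASK) == 0), and replacing the open-coded modulo/divide/multiply with ALIGN_VALUE (RoundedSize, EFI_PAGE_SIZE). A one-line comment should also say that the HOB now reserves the remainder of the page beyond PcdSevLaunchSecretSize, since that is the behaviour the commit message relies on.
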
From: "Dov Murik"
To: devel@edk2.groups.io
Cc: Dov Murik, Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Laszlo Ersek, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky
Subject: [edk2-devel] [PATCH v2 09/11] OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes
Date: Tue, 6 Jul 2021 08:54:59 +0000
Message-Id: <20210706085501.1260662-10-dovmurik@linux.ibm.com>
In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com>
References: <20210706085501.1260662-1-dovmurik@linux.ibm.com>

From: James Bottomley Split the existing 4KB page reserved for SEV launch secrets into two parts: first 3KB for SEV launch secrets and last 1KB for firmware config hashes. The area of the firmware config hashes will be attested (measured) by the PSP and thus the untrusted VMM can't pass in different files from what the guest owner allows. Declare this in the Reset Vector table using GUID 7255371f-3a3b-4b04-927b-1da6efa8d454 and a uint32_t table of a base and size value (similar to the structure used to declare the launch secret block). Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Co-developed-by: Dov Murik Signed-off-by: Dov Murik Signed-off-by: James Bottomley --- OvmfPkg/OvmfPkg.dec | 6 ++++++ OvmfPkg/AmdSev/AmdSevX64.fdf | 5 ++++- OvmfPkg/ResetVector/ResetVector.inf | 2 ++ OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++++++++++++++++++++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ 5 files changed, 34 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index f82228d69cc2..2ab27f0c73c2 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -324,6 +324,12 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43 =20 + ## The base address and size of a hash table confirming allowed + # parameters to be passed in via the Qemu firmware configuration + # device + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|0x0|UINT32|0x47 + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize|0x0|UINT32|0x48 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index 9977b0f00a18..0a89749700c3 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf @@ -59,9 +59,12 @@ [FD.MEMFD] 0x00B000|0x001000 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P= cdSevEsWorkAreaSize =20 -0x00C000|0x001000 +0x00C000|0x000C00 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGu= id.PcdSevLaunchSecretSize =20 +0x00CC00|0x000400 +gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid= .PcdQemuHashTableSize + 0x00D000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize =20 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index dc38f68919cd..d028c92d8cfa 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -47,3 +47,5 @@ [Pcd] [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 9c0b5853a46f..7ec3c6e980c3 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm 
@@ -47,7 +47,27 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart = + 15) % 16)) DB 0 ; guidedStructureStart: =20 +; SEV Hash Table Block ; +; This describes the guest ram area where the hypervisor should +; install a table describing the hashes of certain firmware configuration +; device files that would otherwise be passed in unchecked. The current +; use is for the kernel, initrd and command line values, but others may be +; added. The data format is: +; +; base physical address (32 bit word) +; table length (32 bit word) +; +; GUID (SEV FW config hash block): 7255371f-3a3b-4b04-927b-1da6efa8d454 +; +sevFwHashBlockStart: + DD SEV_FW_HASH_BLOCK_BASE + DD SEV_FW_HASH_BLOCK_SIZE + DW sevFwHashBlockEnd - sevFwHashBlockStart + DB 0x1f, 0x37, 0x55, 0x72, 0x3b, 0x3a, 0x04, 0x4b + DB 0x92, 0x7b, 0x1d, 0xa6, 0xef, 0xa8, 0xd4, 0x54 +sevFwHashBlockEnd: + ; SEV Secret block ; ; This describes the guest ram area where the hypervisor should diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 5fbacaed5f9d..8d0bab02f8cb 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -88,5 +88,7 @@ %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase) %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase) %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize) + %define SEV_FW_HASH_BLOCK_BASE FixedPcdGet32 (PcdQemuHashTableBase) + %define SEV_FW_HASH_BLOCK_SIZE FixedPcdGet32 (PcdQemuHashTableSize) %include "Ia16/ResetVectorVtf0.asm" =20 --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77513): https://edk2.groups.io/g/devel/message/77513 Mute This Topic: https://groups.io/mt/84016363/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 01:34:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77514+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77514+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1625561725; cv=none; d=zohomail.com; s=zohoarc; b=EbgESiTTbdqPydUmikH8SXzBL+bTDwvryVggg533o7IucY4W+lU40lneTfu0vbJ8s6dnP5nkLDb6Xl373niBlQGxsZanhnlpr2TY76rsD1bJOR9z2vOwY2VO8Ujalf8+M+C4AVAwjIORZ6gMrSUegTU0I7o9ueBBhCy8sGr4FH8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625561725; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=yvJKiMU0kRYnZU2pBSscxSYpfvJmrwjljPanq7Fhr5o=; 
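Review bot: In the [FD.MEMFD] hunk of OvmfPkg/AmdSev/AmdSevX64.fdf, the new 0x00CC00|0x000400 region has no comment tying it to the 0x00C000|0x000C00 secret region it was carved from, so a later resize of one can silently overlap the other or leave a gap. Please add a comment stating that the two regions share one 4KB page (3KB for secrets, 1KB for hashes, as the commit message says) and that the launch secret HOB is built for the full page, so the hash table lives inside that reservation.
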
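Review bot: In OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm, sevFwHashBlockStart is emitted unconditionally, but PcdQemuHashTableBase and PcdQemuHashTableSize default to 0x0 in OvmfPkg.dec and in this patch only AmdSevX64.fdf assigns them, so a platform whose FDF does not assign them will advertise GUID 7255371f-3a3b-4b04-927b-1da6efa8d454 with base 0 and length 0. Either guard the block with %if (SEV_FW_HASH_BLOCK_SIZE != 0), or state in the block comment that a zero base/length means no hash area is present, so the hypervisor side knows to ignore it. The comment's "32 bit word" wording could also read "32-bit value" to match the DD directives.
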
From: "Dov Murik"
To: devel@edk2.groups.io
Cc: Dov Murik, Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Laszlo Ersek, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky
Subject: [edk2-devel] [PATCH v2 10/11] OvmfPkg: add SevHashesBlobVerifierLib
Date: Tue, 6 Jul 2021 08:55:00 +0000
Message-Id: <20210706085501.1260662-11-dovmurik@linux.ibm.com>
In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com>
References: <20210706085501.1260662-1-dovmurik@linux.ibm.com>

Add an implementation for BlobVerifierLib that locates the SEV hashes table and verifies that the calculated hashes of the kernel, initrd, and cmdline blobs indeed match the expected hashes stated in the hashes table. If there's a missing hash or a hash mismatch then EFI_ACCESS_DENIED is returned which will cause a failure to load a kernel image.

Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Co-developed-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Dov Murik --- OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf | 36 ++++ OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c | 199 +++++++= +++++++++++++ 2 files changed, 235 insertions(+) diff --git a/OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf b= /OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf new file mode 100644 index 000000000000..b060d6a1b545 --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf @@ -0,0 +1,36 @@ +## @file +# +# Blob verifier library that uses SEV hashes table. +# +# Copyright (C) 2021, IBM Corp +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SevHashesBlobVerifierLib + FILE_GUID =3D 59e713b5-eff3-46a7-8d8b-46f4c004ad7b + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BlobVerifierLib + CONSTRUCTOR =3D SevHashesBlobVerifierLibConstructor + +[Sources] + SevHashesBlobVerifier.c + +[Packages] + CryptoPkg/CryptoPkg.dec + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + +[LibraryClasses] + BaseCryptLib + BaseMemoryLib + DebugLib + PcdLib + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize diff --git a/OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c b/Ovmf= Pkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c new file mode 100644 index 000000000000..961ee29f5df3 --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifier.c 
@@ -0,0 +1,199 @@ +/** @file + + Blob verifier library that uses SEV hashes table. + + Copyright (C) 2021, IBM Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include +#include +#include +#include + +/** + The SEV Hashes table must be in encrypted memory and has the table + and its entries described by + + |UINT16 | + + With the whole table GUID being 9438d606-4f22-4cc9-b479-a793d411fd21 + + The current possible table entries are for the kernel, the initrd + and the cmdline: + + 4de79437-abd2-427f-b835-d5b172d2045b kernel + 44baf731-3a2f-4bd7-9af1-41e29169781d initrd + 97d02dd8-bd20-4c94-aa78-e7714d36ab2a cmdline + + The size of the entry is used to identify the hash, but the + expectation is that it will be 32 bytes of SHA-256. +**/ + +#define SEV_HASH_TABLE_GUID \ + (GUID) { 0x9438d606, 0x4f22, 0x4cc9, { 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x1= 1, 0xfd, 0x21 } } +#define SEV_KERNEL_HASH_GUID \ + (GUID) { 0x4de79437, 0xabd2, 0x427f, { 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd= 2, 0x04, 0x5b } } +#define SEV_INITRD_HASH_GUID \ + (GUID) { 0x44baf731, 0x3a2f, 0x4bd7, { 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x6= 9, 0x78, 0x1d } } +#define SEV_CMDLINE_HASH_GUID \ + (GUID) { 0x97d02dd8, 0xbd20, 0x4c94, { 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x3= 6, 0xab, 0x2a } } + +STATIC CONST EFI_GUID mSevKernelHashGuid =3D SEV_KERNEL_HASH_GUID; +STATIC CONST EFI_GUID mSevInitrdHashGuid =3D SEV_INITRD_HASH_GUID; +STATIC CONST EFI_GUID mSevCmdlineHashGuid =3D SEV_CMDLINE_HASH_GUID; + +#pragma pack (1) +typedef struct { + GUID Guid; + UINT16 Len; + UINT8 Data[]; +} HASH_TABLE; +#pragma pack () + +STATIC HASH_TABLE *mHashesTable; +STATIC UINT16 mHashesTableSize; + +STATIC +CONST GUID* +FindBlobEntryGuid ( + IN CONST CHAR16 *BlobName + ) +{ + if (StrCmp (BlobName, L"kernel") =3D=3D 0) { + return &mSevKernelHashGuid; + } else if (StrCmp (BlobName, L"initrd") =3D=3D 0) { + return &mSevInitrdHashGuid; + } else if (StrCmp (BlobName, L"cmdline") =3D=3D 0) { + return &mSevCmdlineHashGuid; + 
} else { + return NULL; + } +} + +/** + Verify blob from an external source. + + @param BlobName The name of the blob + @param Buf The data of the blob + @param BufSize The size of the blob in bytes + + @retval EFI_SUCCESS The blob was verified successfully. + @retval EFI_ACCESS_DENIED The blob could not be verified, and theref= ore + should be considered non-secure. +**/ +EFI_STATUS +EFIAPI +VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, + UINT32 BufSize + ) +{ + CONST GUID *Guid; + INT32 Len; + HASH_TABLE *Entry; + UINT8 Hash[SHA256_DIGEST_SIZE]; + + if (mHashesTable =3D=3D NULL || mHashesTableSize =3D=3D 0) { + DEBUG ((DEBUG_ERROR, + "%a: Verifier called but no hashes table discoverd in MEMFD\n", + __FUNCTION__)); + return EFI_ACCESS_DENIED; + } + + Guid =3D FindBlobEntryGuid (BlobName); + if (Guid =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "%a: Unknown blob name \"%s\"\n", __FUNCTION__, + BlobName)); + return EFI_ACCESS_DENIED; + } + + Sha256HashAll (Buf, BufSize, Hash); + + for (Entry =3D mHashesTable, Len =3D 0; + Len < (INT32)mHashesTableSize; + Len +=3D Entry->Len, + Entry =3D (HASH_TABLE *)((UINT8 *)Entry + Entry->Len)) { + UINTN EntrySize; + EFI_STATUS Status; + + if (!CompareGuid (&Entry->Guid, Guid)) { + continue; + } + + DEBUG ((DEBUG_INFO, "%a: Found GUID %g in table\n", __FUNCTION__, Guid= )); + + // + // Verify that the buffer's calculated hash is identical to the expect= ed + // hash table entry + // + EntrySize =3D Entry->Len - sizeof (Entry->Guid) - sizeof (Entry->Len); + if (EntrySize !=3D SHA256_DIGEST_SIZE) { + DEBUG ((DEBUG_ERROR, "%a: Hash has the wrong size %d !=3D %d\n", + __FUNCTION__, EntrySize, SHA256_DIGEST_SIZE)); + return EFI_ACCESS_DENIED; + } + + if (CompareMem (Entry->Data, Hash, EntrySize) =3D=3D 0) { + Status =3D EFI_SUCCESS; + DEBUG ((DEBUG_INFO, "%a: Hash comparison succeeded for \"%s\"\n", + __FUNCTION__, BlobName)); + } else { + Status =3D EFI_ACCESS_DENIED; + DEBUG ((DEBUG_ERROR, "%a: Hash comparison failed for 
\"%s\"\n", + __FUNCTION__, BlobName)); + } + return Status; + } + + DEBUG ((DEBUG_ERROR, "%a: Hash GUID %g not found in table\n", __FUNCTION= __, + Guid)); + return EFI_ACCESS_DENIED; +} + +/** + Locate the SEV hashes table. + + This function always returns success, even if the table can't be found. = The + subsequent VerifyBlob calls will fail if no table was found. + + @retval RETURN_SUCCESS The verifier tables were set up correctly +**/ +RETURN_STATUS +EFIAPI +SevHashesBlobVerifierLibConstructor ( + VOID + ) +{ + HASH_TABLE *Ptr =3D (void *)(UINTN)FixedPcdGet64 (PcdQemuHashTableBase); + UINT32 Size =3D FixedPcdGet32 (PcdQemuHashTableSize); + + mHashesTable =3D NULL; + mHashesTableSize =3D 0; + + if (Ptr =3D=3D NULL || Size =3D=3D 0) { + return RETURN_SUCCESS; + } + + if (!CompareGuid (&Ptr->Guid, &SEV_HASH_TABLE_GUID)) { + return RETURN_SUCCESS; + } + + if (Ptr->Len < (sizeof Ptr->Guid + sizeof Ptr->Len)) { + return RETURN_SUCCESS; + } + + DEBUG ((DEBUG_INFO, "%a: Found injected hashes table in secure location\= n", + __FUNCTION__)); + + mHashesTable =3D (HASH_TABLE *)Ptr->Data; + mHashesTableSize =3D Ptr->Len - sizeof Ptr->Guid - sizeof Ptr->Len; + + DEBUG ((DEBUG_VERBOSE, "%a: mHashesTable=3D0x%p, Size=3D%u\n", __FUNCTIO= N__, + mHashesTable, mHashesTableSize)); + + return RETURN_SUCCESS; +} --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
View/Reply Online (#77514): https://edk2.groups.io/g/devel/message/77514 Mute This Topic: https://groups.io/mt/84016364/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-

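Review bot: In SevHashesBlobVerifierLib.inf, [LibraryClasses] lists BaseCryptLib, BaseMemoryLib, DebugLib and PcdLib, but SevHashesBlobVerifier.c calls StrCmp in FindBlobEntryGuid, which comes from BaseLib. Please add BaseLib to [LibraryClasses] (and the matching include in the .c file) rather than relying on it being pulled in transitively.
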
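Review bot: The table walk in VerifyBlob and the setup in SevHashesBlobVerifierLibConstructor (SevHashesBlobVerifier.c) trust every length field. In the constructor, Ptr->Len is never compared against PcdQemuHashTableSize, so mHashesTableSize can describe bytes past the reserved 1KB area; in the for loop, Entry->Len is added to Len and to the Entry pointer without checking that it is at least sizeof (Entry->Guid) + sizeof (Entry->Len) and no larger than the bytes remaining, so an entry with Len of zero never terminates the loop and a short tail is read past the end of the table. Please leave mHashesTable NULL when Ptr->Len > Size, and return EFI_ACCESS_DENIED from the loop when an entry header or its Len does not fit in mHashesTableSize - Len. Smaller points in the same hunk: PcdQemuHashTableBase is declared UINT32 in OvmfPkg.dec, so the constructor should use FixedPcdGet32 and a (VOID *) cast; EntrySize is a UINTN printed with %d; BufSize is missing its IN decoration; and "discoverd" in the first DEBUG message should be "discovered".
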
From: "Dov Murik"
To: devel@edk2.groups.io
Cc: Dov Murik, Tobin Feldman-Fitzthum, Tobin Feldman-Fitzthum, Jim Cadden, James Bottomley, Hubertus Franke, Laszlo Ersek, Ard Biesheuvel, Jordan Justen, Ashish Kalra, Brijesh Singh, Erdem Aktas, Jiewen Yao, Min Xu, Tom Lendacky
Subject: [edk2-devel] [PATCH v2 11/11] OvmfPkg/AmdSev: Enforce hash verification of kernel blobs
Date: Tue, 6 Jul 2021 08:55:01 +0000
Message-Id: <20210706085501.1260662-12-dovmurik@linux.ibm.com>
In-Reply-To: <20210706085501.1260662-1-dovmurik@linux.ibm.com>
References: <20210706085501.1260662-1-dovmurik@linux.ibm.com>

In the AmdSevX86 build, use SevHashesBlobVerifierLib to enforce verification of hashes of the kernel/initrd/cmdline blobs fetched from firmware config. This allows for secure (measured) boot of SEV guests with QEMU's -kernel/-initrd/-append switches (with the corresponding QEMU support for injecting the hashes table into initial measured guest memory).

Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik Reviewed-by: Tom Lendacky --- OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 8b260df114e3..d1ed0abbd0fb 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -173,7 +173,7 @@ [LibraryClasses] LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/Customize= dDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltL= ib.inf - BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib= .inf =20 !if $(SOURCE_DEBUG_ENABLE) =3D=3D TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDeb= ug/PeCoffExtraActionLibDebug.inf @@ -696,7 +696,7 @@ [Components] } OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { - NULL|OvmfPkg/Library/BlobVerifierLib/NullBlobVerifierLib.inf + NULL|OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77515): https://edk2.groups.io/g/devel/message/77515 Mute This Topic: https://groups.io/mt/84016365/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
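
Review bot: In the [Components] hunk of OvmfPkg/AmdSev/AmdSevX64.dsc, the NULL|OvmfPkg/Library/BlobVerifierLib/SevHashesBlobVerifierLib.inf override under QemuKernelLoaderFsDxe names the same INF that the first hunk already maps to the BlobVerifierLib class in [LibraryClasses], so it is unclear which of the two entries the loader actually depends on. Please keep only the entry that is needed, or add a comment explaining why both are. Since VerifyBlob returns EFI_ACCESS_DENIED when no table is found, a comment next to the mapping should also note that this platform will refuse -kernel/-initrd/-append payloads unless QEMU injects the hashes table. The commit message says "AmdSevX86 build" while the file touched is AmdSevX64.dsc.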