From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77956+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77956+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768261; cv=none; d=zohomail.com; s=zohoarc; b=DCCyMYj1GB+ruEyYx6WzNlF7j8XNFy8B/IKFmPWc++oCd52pLJr5Bc0fXN8x0DajAQpS29VMGH7MVqVDalRIAN2Gye1gOaBUsEiMHAzA5/LAXLSbn5uMol8bBsUCsUSQsK+Orny0oVraoKjHQmC6mwsfU3ubkUYfCsjfE9in1q8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768261; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=lxCcIRjwuSejlwbundRdJCDlCOycfIIyWUtUKx8obNI=; b=J4hs2msgivXf8RDzMBjWh3WHAomPKGjLx26cHJe6lB4gd6l2o39XqBbiQ7VV/gw8TmAp/dtiJ/IwAOxb7V8QLeg0THV/jjiTtMSL8oDj6S5KcfV2MBCmgn4e5xxKxTCTu7gQiLGyEnhDcLKhRHfSFMwDcBX4Rf9lPcGz6oxAq3I= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77956+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768261743479.9306070305022; Tue, 20 Jul 2021 01:04:21 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id HRH6YY1788612xZnCF29u8Lb; Tue, 20 Jul 2021 01:04:21 -0700 X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web08.4831.1626768260652891841 for ; Tue, 20 Jul 2021 01:04:20 -0700 X-Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K83Oxh101250; Tue, 20 Jul 2021 04:04:19 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wny8pqcs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:18 -0400 X-Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K83fFa102354; Tue, 20 Jul 2021 04:04:18 -0400 X-Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wny8pqc8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:18 -0400 X-Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K83fAV032620; Tue, 20 Jul 2021 08:04:17 GMT X-Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by ppma04wdc.us.ibm.com with ESMTP id 39upuaw2rc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:17 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84FYx34013534 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:15 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 81D82136053; Tue, 20 Jul 2021 08:04:15 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4D170136061; Tue, 20 Jul 2021 08:04:14 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:14 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 01/11] OvmfPkg/AmdSev/SecretDxe: fix header comment to generic naming Date: Tue, 20 Jul 2021 08:03:51 +0000 Message-Id: <20210720080401.3662854-2-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: SmahsAvNxIYYH2nzaq37BH3MjWIJHuRK X-Proofpoint-GUID: 4eyMPcrlOxrql-1N0YxayxSoDQLJfynL X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: ukIOSN7Kr992HlG59sCwgZPrx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768261; bh=U1TJBecakoCL0wldox25FXJmGNh+8Skb8pzaZ8Zea5I=; h=Cc:Date:From:Reply-To:Subject:To; b=JASdcG3TwQiQqC5EJZha3hXnoY4uUU13H7WJAPXhc8cD5ENtWGtzg5dIPj5Lq9C9rgh AAgr9t89N5zNcM0Js35fzcPtd5lvyXa4Mr9RfqNMHB5hjLI2HWHJB8hfDiwfH0bi5xHeB 1qRKO49u92B8u/lKrz+cSqiLdKidLWqfZWI= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768263687100005 Content-Type: text/plain; charset="utf-8" From: James Bottomley Commit 96201ae7bf97 ("OvmfPkg/AmdSev/SecretDxe: make secret location naming generic", 2020-12-15) replaced references to SEV with the generic term Confidential Computing, but missed the file header comment. Fix the naming in that header. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: James Bottomley Reviewed-by: Brijesh Singh --- OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDx= e/SecretDxe.c index 308022b5b25e..934ad207632b 100644 --- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c +++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c @@ -1,5 +1,5 @@ /** @file - SEV Secret configuration table constructor + Confidential Computing Secret configuration table constructor =20 Copyright (C) 2020 James Bottomley, IBM Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77956): https://edk2.groups.io/g/devel/message/77956 Mute This Topic: https://groups.io/mt/84328230/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77965+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77965+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768462; cv=none; d=zohomail.com; s=zohoarc; b=gUd3CIwM/AYT/X9j4xdJt6PoptI97g5TdMZIg0pCOfNbDNvEkPO+FLxlZsfPspf7XP47a8cVTIA4JBiXiRv9X3tGF6cDTsRwXFc2OGb94DznJxYCtQLA3uTXu3U3SWErsLIL4HNjx67h4I5CtBGhFioMocVaLKsLAn+GcrBPLc0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768462; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=Rg+JAwkAEyAeNrTavJ4s16/cNxxo1IX8KN69GVdkzGU=; b=iM3o7w6GcA6xb/mD65e0+nyYidnta/6HHOqG+yraUn/DmV+24PFH2IXS3Y1TVwGLkr7J+V8mLKE3g0ODQ6IPInY43cp4VMQcnAu7ZjVIdjqEKdIn/n25SYLCdanp9GC+fX3vQgM4trslDJkhddiiO7lwjoL0dQxb3I7/m0W3AKw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77965+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768462854554.6032861189128; Tue, 20 Jul 2021 01:07:42 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id fWHHYY1788612x9O0I5t02gF; Tue, 20 Jul 2021 01:07:42 -0700 X-Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web08.4858.1626768461920220356 for ; Tue, 20 Jul 2021 01:07:42 -0700 X-Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K83Fbb040901; Tue, 20 Jul 2021 04:04:22 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wngufb4a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:22 -0400 X-Received: from m0098421.ppops.net (m0098421.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K83Gwc040920; Tue, 20 Jul 2021 04:04:22 -0400 X-Received: from ppma01wdc.us.ibm.com (fd.55.37a9.ip4.static.sl-reverse.com [169.55.85.253]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wngufb3p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:21 -0400 X-Received: from pps.filterd (ppma01wdc.us.ibm.com [127.0.0.1]) by ppma01wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K82gFW012504; Tue, 20 Jul 2021 08:04:21 GMT X-Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18]) by ppma01wdc.us.ibm.com with ESMTP id 39upubd3bp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:20 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84Il916777606 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:19 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D599D13605E; Tue, 20 Jul 2021 08:04:18 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A0EB1136053; Tue, 20 Jul 2021 08:04:17 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:17 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 02/11] OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds Date: Tue, 20 Jul 2021 08:03:52 +0000 Message-Id: <20210720080401.3662854-3-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: L54Pm3nbm9lfnycczDChIh7XlSB-XLkY X-Proofpoint-GUID: pugGjkA9cO3Ikx1iT6RONfh7jJwY1XER X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: ZskHbeuVOp0c6O7TmmeXaMKYx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768462; bh=Zp+zYLoYt0ufLhUCyBJSc5Kbx0vtbXPsyTeLVunHLas=; h=Cc:Date:From:Reply-To:Subject:To; b=fVZuxpaHmlU0LQuAgVI1x24NxHN+HLW6QzT3UsFNjWKVVYsq/BSeOW4dAG7vE7etU6k /kCEmYmzLvI67Rh2fnrz1PHh7HkxljVfjZkzZvA00pyt0MpZ62a0xYmKH/CeQcahlOIQk Eh845zxMVGsJxe1S1EkW77Y/mF7WKeSxeas= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768463539100003 Content-Type: text/plain; charset="utf-8" Newer kernels support efistub and therefore don't need all the legacy stuff in X86QemuLoadImageLib, which are harder to secure. Specifically the verification of kernel/initrd/cmdline blobs will be added only to the GenericQemuLoadImageLib implementation, so use that for SEV builds. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 1d487befae08..a2f1324c40a6 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -368,7 +368,7 @@ [LibraryClasses.common.DXE_DRIVER] PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf - QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib= .inf + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoad= ImageLib.inf !if $(TPM_ENABLE) =3D=3D TRUE Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77965): https://edk2.groups.io/g/devel/message/77965 Mute This Topic: https://groups.io/mt/84328268/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77964+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77964+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768406; cv=none; d=zohomail.com; s=zohoarc; b=MgJe6dWWDGibxa9Ews4GOJjhN7eVA1Us3yFAfks8K6WM8mm8I7ryNW/6W9ez8EQWXrXC5Gb7Ft4J4jVGRw9qjOj1mrBTDCQYKu0rjP219IAfksPs6/KSw0euIGpL5AwbHhE8ElN0REt4n6cOHVYkvVErMCKEYVbM5mbXeuHrCtU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768406; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=6OAvmM9aOzd2e5MAH1UAHHXU3xE+a5cKwxZuKycjfDI=; b=ScBGvBEcmnBfa0vN3TJZZ9xfmflnqxR+Rxx7Rn2UTw5hl7a49hAbxx+qzWtUuwQlPux15k2fF9HKaokpxjJTytbgwLgl1i0Dc0Dw6F5GPywMJec/1OwJyV0k8GOzxL/6PvQPx5D/nVlUDMlcM9DbgnTD53JZBmoH78kWJZ+gPAQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77964+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768406341209.42960374070447; Tue, 20 Jul 2021 01:06:46 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id c9JxYY1788612x1iPZSwgtZZ; Tue, 20 Jul 2021 01:06:46 -0700 X-Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web08.4848.1626768405402712170 for ; Tue, 20 Jul 2021 01:06:45 -0700 X-Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K86SMM190528; Tue, 20 Jul 2021 04:06:43 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wr5tv31d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:06:42 -0400 X-Received: from m0127361.ppops.net (m0127361.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K86gCI191918; Tue, 20 Jul 2021 04:06:42 -0400 X-Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wr5tv2gg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:06:41 -0400 X-Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K82oKu020463; Tue, 20 Jul 2021 08:04:24 GMT X-Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by ppma02wdc.us.ibm.com with ESMTP id 39vvw7805g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:24 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84Mm734079062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:22 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 73C4413606A; Tue, 20 Jul 2021 08:04:22 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4825A136053; Tue, 20 Jul 2021 08:04:21 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:21 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 03/11] OvmfPkg: PlatformBootManagerLibGrub: Allow executing kernel via fw_cfg Date: Tue, 20 Jul 2021 08:03:53 +0000 Message-Id: <20210720080401.3662854-4-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: SEeZhf8hD8EQLiV9FZqMgRlwIr0cpyJH X-Proofpoint-GUID: y80Zedd2pgQcuidGtNFLpNHtz3Doq4LL X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: sQ126aHnoKUOyZAGrNo5KKCEx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768406; bh=pghiMSnIDzypGv1AVe/9zZdTWsVaG8Mn3asrxsEvbpY=; h=Cc:Date:From:Reply-To:Subject:To; b=bso3IKyUbfwFM8tMaVp9elKN5f1DSMpn23iC04PeC24SvGgbJ7Qm08qTQUhIhGf52ES JXAHBeqH+5cUIt/LmddJTJLImgPDXFRnJfCtfmd6eAQFzVMoybH5xLUrWJiViJy7RD1AV kVVGESQOL9k+7JQemzi7Eiqh/81txsTndoU= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768408081100001 Content-Type: text/plain; charset="utf-8" From: James Bottomley Support QEMU's -kernel option. Create a QemuKernel.c for PlatformBootManagerLibGrub which is an exact copy of the file PlatformBootManagerLib/QemuKernel.c . Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: James Bottomley Reviewed-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc = | 1 + OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf = | 2 ++ OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h = | 11 +++++++++++ OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c = | 5 +++++ OvmfPkg/Library/{PlatformBootManagerLib =3D> PlatformBootManagerLibGrub}/Q= emuKernel.c | 0 5 files changed, 19 insertions(+) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index a2f1324c40a6..aefdcf881c99 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -281,6 +281,7 @@ [LibraryClasses.common.PEIM] CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuE= xceptionHandlerLib.inf MpInitLib|UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.inf + QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoad= ImageLib.inf PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf =20 diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManager= LibGrub.inf b/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManage= rLibGrub.inf index 9a806d17ec45..5f6f73d18470 100644 --- a/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub= .inf +++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub= .inf @@ -23,6 +23,7 @@ [Defines] =20 [Sources] BdsPlatform.c + QemuKernel.c PlatformData.c BdsPlatform.h =20 @@ -46,6 +47,7 @@ [LibraryClasses] BootLogoLib DevicePathLib PciLib + QemuLoadImageLib UefiLib PlatformBmPrintScLib Tcg2PhysicalPresenceLib diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h b/Ovm= fPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h index 748c63081920..f1d3a2906c00 100644 --- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h +++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h @@ -172,4 +172,15 @@ PlatformInitializeConsole ( IN PLATFORM_CONSOLE_CONNECT_ENTRY *PlatformConsole ); =20 +/** + Loads and boots UEFI Linux via the FwCfg interface. + + @retval EFI_NOT_FOUND - The Linux kernel was not found + +**/ +EFI_STATUS +TryRunningQemuKernel ( + VOID + ); + #endif // _PLATFORM_SPECIFIC_BDS_PLATFORM_H_ diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c b/Ovm= fPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c index 5c92d4fc2b09..7cceeea4879c 100644 --- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c +++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c @@ -1315,6 +1315,11 @@ PlatformBootManagerAfterConsole ( // Tcg2PhysicalPresenceLibProcessRequest (NULL); =20 + // + // Process QEMU's -kernel command line option + // + TryRunningQemuKernel (); + // // Perform some platform specific connect sequence // diff --git a/OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c b/OvmfPkg/= Library/PlatformBootManagerLibGrub/QemuKernel.c similarity index 100% copy from OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c copy to OvmfPkg/Library/PlatformBootManagerLibGrub/QemuKernel.c --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77964): https://edk2.groups.io/g/devel/message/77964 Mute This Topic: https://groups.io/mt/84328261/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77957+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77957+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768279; cv=none; d=zohomail.com; s=zohoarc; b=bh5uNBREGhqF4SXU2Md+VsgD1/pFLs+eB3R7DV7HGV8WzdwaIvbrorRar/l1LBm90/9P0TtzzqxTzefIFeKMf9wMmRNjMS36nY04SBMG2GlXh+gcUQFARqn211yTf367X7NbDg3BP7UnX0soVLt0O/OAWEdBHIJdhq94qHwjyjo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768279; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=D3x0jJwowji8sOq99XSIc84//k5rmXQ435mrncwS2lk=; b=GGU/pB2LQ8auV2wn9fduKiKVhdHBUSH1eSUkCknKuQVVGuJX33dOd9DlirUWwcNK15gB1GAIFEQ9TIoAhPFhAq/lK40dAwKhKkVkZ79BAvn+DWHpw+lFk8xvtqlPvckmg9xzMUWlV3b38tJoZlKWWBIx7rFFQEEYI8sh8ioC0hg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77957+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768279424304.36308496576953; Tue, 20 Jul 2021 01:04:39 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id c9fYYY1788612xq74CyOFRfx; Tue, 20 Jul 2021 01:04:39 -0700 X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web10.4760.1626768278659876466 for ; Tue, 20 Jul 2021 01:04:38 -0700 X-Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K84XWG126322; Tue, 20 Jul 2021 04:04:37 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wtcc8fwk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:36 -0400 X-Received: from m0098409.ppops.net (m0098409.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K84YQt126486; Tue, 20 Jul 2021 04:04:35 -0400 X-Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com [169.47.144.26]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wtcc8ft5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:34 -0400 X-Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1]) by ppma04wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K83gKd032658; Tue, 20 Jul 2021 08:04:27 GMT X-Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18]) by ppma04wdc.us.ibm.com with ESMTP id 39upuaw2uy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:27 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84PVw25362908 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:25 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5372D136053; Tue, 20 Jul 2021 08:04:25 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1CA7713605D; Tue, 20 Jul 2021 08:04:24 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:23 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 04/11] OvmfPkg: add library class BlobVerifierLib with null implementation Date: Tue, 20 Jul 2021 08:03:54 +0000 Message-Id: <20210720080401.3662854-5-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: -uG-MG1RpTjtleNUOn8ilNbq1TnC5uSN X-Proofpoint-GUID: etZvqmXx-nn88kZGJSjtI-1PAs-4_cAE X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: woBjVRTcuiX2W4LxDVCsF08jx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768279; bh=6HpGmVckFae2mvj5yQyNAei1ql+9SjJ6FYEb6WFOKB8=; h=Cc:Date:From:Reply-To:Subject:To; b=WqD24DCcmKQVYmkOBswfqZZWu6s/IfrbVMB7K0ltJjM1wPzAy9yUGKd6bQozgpri2Pw vmOhgSjRKNcK2X8z5zYswpROgoFH2jdc4nIWsKPsIiWv1py3so1rqr4sOdbhkIToLk+1q f1gg98O0kBrkjJEZ4SD7+MGcterBU7mbALc= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768280083100002 Content-Type: text/plain; charset="utf-8" BlobVerifierLib will be used to verify blobs fetching them from QEMU's firmware config (fw_cfg) in platforms that enable such verification. The null implementation BlobVerifierLibNull treats all blobs as valid. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik Reviewed-by: Tom Lendacky --- OvmfPkg/OvmfPkg.dec | 3 ++ OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf | 24 +++++++++++++ OvmfPkg/Include/Library/BlobVerifierLib.h | 38 +++++++++++++= +++++++ OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c | 33 +++++++++++++= ++++ 4 files changed, 98 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 6ae733f6e39f..f82228d69cc2 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -23,6 +23,9 @@ [LibraryClasses] ## @libraryclass Access bhyve's firmware control interface. BhyveFwCtlLib|Include/Library/BhyveFwCtlLib.h =20 + ## @libraryclass Verify blobs read from the VMM + BlobVerifierLib|Include/Library/BlobVerifierLib.h + ## @libraryclass Loads and boots a Linux kernel image # LoadLinuxLib|Include/Library/LoadLinuxLib.h diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf b/Ovmf= Pkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf new file mode 100644 index 000000000000..850d398e65a4 --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf @@ -0,0 +1,24 @@ +## @file +# +# Null implementation of the blob verifier library. +# +# Copyright (C) 2021, IBM Corp +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 1.29 + BASE_NAME =3D BlobVerifierLibNull + FILE_GUID =3D b1b5533e-e01a-43bb-9e54-414f00ca036e + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BlobVerifierLib + +[Sources] + BlobVerifierNull.c + +[Packages] + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec diff --git a/OvmfPkg/Include/Library/BlobVerifierLib.h b/OvmfPkg/Include/Li= brary/BlobVerifierLib.h new file mode 100644 index 000000000000..db122684f76c --- /dev/null +++ b/OvmfPkg/Include/Library/BlobVerifierLib.h @@ -0,0 +1,38 @@ +/** @file + + Blob verification library + + This library class allows verifiying whether blobs from external sources + (such as QEMU's firmware config) are trusted. + + Copyright (C) 2021, IBM Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef BLOB_VERIFIER_LIB_H__ +#define BLOB_VERIFIER_LIB_H__ + +#include +#include + +/** + Verify blob from an external source. + + @param[in] BlobName The name of the blob + @param[in] Buf The data of the blob + @param[in] BufSize The size of the blob in bytes + + @retval EFI_SUCCESS The blob was verified successfully. + @retval EFI_ACCESS_DENIED The blob could not be verified, and theref= ore + should be considered non-secure. +**/ +EFI_STATUS +EFIAPI +VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, + IN UINT32 BufSize + ); + +#endif diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c b/OvmfPkg/L= ibrary/BlobVerifierLib/BlobVerifierNull.c new file mode 100644 index 000000000000..975d4dd52f80 --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c @@ -0,0 +1,33 @@ +/** @file + + Null implementation of the blob verifier library. + + Copyright (C) 2021, IBM Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include + +/** + Verify blob from an external source. + + @param[in] BlobName The name of the blob + @param[in] Buf The data of the blob + @param[in] BufSize The size of the blob in bytes + + @retval EFI_SUCCESS The blob was verified successfully. + @retval EFI_ACCESS_DENIED The blob could not be verified, and theref= ore + should be considered non-secure. +**/ +EFI_STATUS +EFIAPI +VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, + IN UINT32 BufSize + ) +{ + return EFI_SUCCESS; +} --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77957): https://edk2.groups.io/g/devel/message/77957 Mute This Topic: https://groups.io/mt/84328238/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77962+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77962+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768295; cv=none; d=zohomail.com; s=zohoarc; b=Vc6YimLoqDARXszkDSpX4DQs3VvKWB6excmHVjgJZfNcPGZweYPQZaH3aqLiloSyuunSkNojftjTWGZrB52DmnRx/3A7N51YZbC8XPjUGK6kg5wR55CextXUx2+yDJhQLYMQBcMnIl3+M036l1kTdK6hBgNfEUgliJfC9RtjWRE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768295; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=zIluDlHrulw40eoeREryRJ2U1iOGEx1zyeTnZvmDMUs=; b=klw+YiKLLTNpGZINOPkjkd1Etay32OIkGWfDrD1/fGUYpfN3FJrNe8qoVIHNocXHh6amkQIFcQ/EOqRWkfgnVSpimHfhkpvIdRLsUtG2go4Y00TGR7DBXRz3XyDQdkBxiUQwY3SJSI3oH6j1B4qqoUyzbD/dvhxgXdemc9tBchk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77962+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768295743851.3398690869357; Tue, 20 Jul 2021 01:04:55 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id fIaNYY1788612xhCXHBM3OVd; Tue, 20 Jul 2021 01:04:55 -0700 X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web10.4761.1626768294869212281 for ; Tue, 20 Jul 2021 01:04:54 -0700 X-Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K83KfL047132; Tue, 20 Jul 2021 04:04:53 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wsm0sr48-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:53 -0400 X-Received: from m0098396.ppops.net (m0098396.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K83VeC048964; Tue, 20 Jul 2021 04:04:52 -0400 X-Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wsm0sr3t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:52 -0400 X-Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K84DwQ019058; Tue, 20 Jul 2021 08:04:51 GMT X-Received: from b03cxnp07027.gho.boulder.ibm.com (b03cxnp07027.gho.boulder.ibm.com [9.17.130.14]) by ppma03dal.us.ibm.com with ESMTP id 39upuc5yvd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:51 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84SIr33751338 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:28 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 04B59136053; Tue, 20 Jul 2021 08:04:28 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C2408136055; Tue, 20 Jul 2021 08:04:26 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:26 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 05/11] OvmfPkg: add BlobVerifierLibNull to DSC Date: Tue, 20 Jul 2021 08:03:55 +0000 Message-Id: <20210720080401.3662854-6-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: opiGPjkNKGIAVnH53QAwZimi47hhrRoz X-Proofpoint-ORIG-GUID: C6k-DixSbB9nqTaoU_G5mJGl3fsk2385 X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: pVnlb3NbbT0WpQB9VWjCgi0nx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768295; bh=kV/aZxTuHkV+Gho5XJXrS9VYt/4y+7srdC9ReMb7FpI=; h=Cc:Date:From:Reply-To:Subject:To; b=hJNlsHQ3I0we2nGij7IUzaO7Tf3x4EiY+ghsol5+sDHuu0RCkNaU966vOuhoQsv7vld SVEP0/J0z52FqXXI4NmImyzI91RmJsF1Few3PlBJd6fDAcz3J/Lr5HNyOYsJq49lVkkxd eVtT8RQuH3eyzf7USoTWaulNCSt5PbdiyWc= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768296021100005 Content-Type: text/plain; charset="utf-8" This prepares the ground for calling VerifyBlob() in QemuKernelLoaderFsDxe. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik Reviewed-by: Tom Lendacky --- OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +++++- OvmfPkg/OvmfPkgIa32.dsc | 5 ++++- OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++- OvmfPkg/OvmfPkgX64.dsc | 5 ++++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index aefdcf881c99..b2cc96cc5a97 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -173,6 +173,7 @@ [LibraryClasses] LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/Customize= dDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltL= ib.inf + BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf =20 !if $(SOURCE_DEBUG_ENABLE) =3D=3D TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDeb= ug/PeCoffExtraActionLibDebug.inf @@ -693,7 +694,10 @@ [Components] NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc= eManagerUiLib.inf } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index f53efeae7986..7613abab6a7f 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -786,7 +786,10 @@ [Components] NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf !endif } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index b3662e17f256..8b35aaf4b44c 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -800,7 +800,10 @@ [Components.X64] NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf !endif } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 0a237a905866..0c95c74ad1a8 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -798,7 +798,10 @@ [Components] NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf !endif } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77962): https://edk2.groups.io/g/devel/message/77962 Mute This Topic: https://groups.io/mt/84328243/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77958+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77958+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768279; cv=none; d=zohomail.com; s=zohoarc; b=C+kw4mXgZuHK0DottzblAaV7GMpQW50HW3YmdiuGPSk219wBWthx7xkL61knjCwvWc6ZwDvEIvMoKYtSI/PIAH2gZFxymMXGZvUBNrdOSYB363/ta1dYen6dVO74Kt7ARQVH0M+MmAzgLlYfGOXoxfAbw2wi7yxbMybZ5f2h5OY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768279; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=TDIwKdRIh9UWm1hajJjM//TBEr7KjbzwhAWjhQnX3vI=; b=kdDilno5S9Lcz90HwMwg8CtKAU8RdcTDUhXg4i+/4z+iQTyKMTR4ZFQX3lm4kE0VhW7/KjnTL55/unqQ/EMUw+GaEcqhX+qOF7uZahSN33TZqEAmkfZ1kTFx1djpAoh/7m8Kb/hgR+adAgxrTaNPysZaW8gP7HmUVubIlQAbBFE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77958+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768279849240.80454841047197; Tue, 20 Jul 2021 01:04:39 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id myvfYY1788612x9LOJov8yCt; Tue, 20 Jul 2021 01:04:39 -0700 X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.4822.1626768278749789654 for ; Tue, 20 Jul 2021 01:04:38 -0700 X-Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K830xA026982; Tue, 20 Jul 2021 04:04:34 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wthc08ra-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:34 -0400 X-Received: from m0098420.ppops.net (m0098420.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K830cT026900; Tue, 20 Jul 2021 04:04:33 -0400 X-Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wthc08qy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:33 -0400 X-Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K82oSs020478; Tue, 20 Jul 2021 08:04:33 GMT X-Received: from b03cxnp08025.gho.boulder.ibm.com (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17]) by ppma02wdc.us.ibm.com with ESMTP id 39vvw7809b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:33 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84Vtm35193242 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:31 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id ED91B13605E; Tue, 20 Jul 2021 08:04:30 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A0DC8136069; Tue, 20 Jul 2021 08:04:29 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:29 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Leif Lindholm , Sami Mujawar , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 06/11] ArmVirtPkg: add BlobVerifierLibNull to DSC Date: Tue, 20 Jul 2021 08:03:56 +0000 Message-Id: <20210720080401.3662854-7-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: GRaw6U822Fg-rWn3K-G2ohEzj55mcuGv X-Proofpoint-GUID: 4htb_8jQa_9B5S-xMwnHQYe277jXK9Jv X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: Sno5mEVhIEPCm3uHhrYwoOdbx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768279; bh=D8a/pJ5JZ5RKb3MmraByAwkW+Qhpmwr4t4t/CtPpPrI=; h=Cc:Date:From:Reply-To:Subject:To; b=bcf+D1dhy+sCUnYFgdn6ooffWTWPj1sm8iQAEbp7dNF/YEzMrfJqBBHiQ+66d+duWjU I4hHuG1ZQTAwRShyrCHnaAqmZyKg7MwjM6q6bSAQifEQhlmjQg7h0AY1k5hP9ZWMVYcdL 3E3kUdcjw49moejdmlMis0Tg3V3+QSuPqII= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768280094100003 Content-Type: text/plain; charset="utf-8" This prepares the ground for calling VerifyBlob() in QemuKernelLoaderFsDxe. Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik --- ArmVirtPkg/ArmVirtQemu.dsc | 5 ++++- ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 7ef5e7297bc7..bf8bb1ec9578 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -440,7 +440,10 @@ [Components.common] NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc= eManagerUiLib.inf } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + } =20 # # Networking stack diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne= l.dsc index a542fcb157e9..af34cb47a12d 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -376,7 +376,10 @@ [Components.common] NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc= eManagerUiLib.inf } - OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { + + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + } =20 # # Networking stack --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77958): https://edk2.groups.io/g/devel/message/77958 Mute This Topic: https://groups.io/mt/84328239/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77963+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77963+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768400; cv=none; d=zohomail.com; s=zohoarc; b=jhB9bPQz7D/H5p5+p/J/lc40MSLpCPXWArKnRdRKeKWAWIT4/icx8ZbrsWOAFf8myTESB9AMsbM8AStAYonDU7uWl4BTHJHPpncrOvsuNuz7JqVdCQelKyTcMdD4drgYIhkBMigucKY3+YMH2lyPgOTp1n89QTAJwQyBR8FswUg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768400; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=z/lKQ/8fFh7MUNeuXPUQ0yar+R1GlSY9VOMBaJa9vVg=; b=KIZNzJ5+8QQ0+TxKAqDwrVMxqvmEGiYktHz6jMJdCo9ii37HrLswXNyDuOh4jaJbEo5/wbPoHXjnuu7JLBurnuoYmuC+U50s3oOz22/3sz1K1iuemCtmyexHr1rAc9O5f197a01gz/Qke1zHJlHRxXbWsAHiTSjVyT4Oa8xzhMw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77963+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768400798801.6333100231094; Tue, 20 Jul 2021 01:06:40 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id nQtuYY1788612xItq0c6oiGe; Tue, 20 Jul 2021 01:06:40 -0700 X-Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.4830.1626768399838275379 for ; Tue, 20 Jul 2021 01:06:40 -0700 X-Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K86TSE190642; Tue, 20 Jul 2021 04:06:37 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wr5tv2ye-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:06:37 -0400 X-Received: from m0127361.ppops.net (m0127361.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K86Z6L191027; Tue, 20 Jul 2021 04:06:36 -0400 X-Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wr5tv2jy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:06:36 -0400 X-Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K83HLe021963; Tue, 20 Jul 2021 08:04:36 GMT X-Received: from b03cxnp08028.gho.boulder.ibm.com (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20]) by ppma02dal.us.ibm.com with ESMTP id 39vuk4tvt7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:36 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84YW911862452 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:34 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 02A9E136059; Tue, 20 Jul 2021 08:04:34 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C28A4136065; Tue, 20 Jul 2021 08:04:32 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:32 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 07/11] OvmfPkg/QemuKernelLoaderFsDxe: call VerifyBlob after fetch from fw_cfg Date: Tue, 20 Jul 2021 08:03:57 +0000 Message-Id: <20210720080401.3662854-8-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 7ub1n0KSebJIVPkOBOTiZm79wFj_2w8v X-Proofpoint-GUID: SeALYliiKaqOk1O7EZE0lLGYSKAKXy8H X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: tK6pGd66GKgFzzysIbPGnEa1x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768400; bh=ZIde6FN4Re9cthLJ0ljpWLqNuaIvbuVaZXyCF46cAao=; h=Cc:Date:From:Reply-To:Subject:To; b=LyO806Bb2uKsZ4RPHOUSNkWsXoR5SFNLkDtGA+5ILmRWDckMRja2B28CGEmYELn+Rz6 Z2jTYiOAPVZ7kVh/fORiek8xBHc61KZ+MyRpBOp4giOlAsXhgdyL1rVILIHl6pNq9e/IX DZVlECGKgtd7PgGB4CZd+I9PXx3WYygTsdM= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768401518100001 Content-Type: text/plain; charset="utf-8" In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a call to VerifyBlob after fetching to allow BlobVerifierLib implementations to add a verification step for these blobs. This will allow confidential computing OVMF builds to add verification mechanisms for these blobs that originate from an untrusted source (QEMU). The null implementation of BlobVerifierLib does nothing in VerifyBlob, and therefore no functional change is expected. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Co-developed-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh Reviewed-by: Tom Lendacky --- OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPk= g/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c index c7ddd86f5c75..6832d563bcb0 100644 --- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -1039,6 +1040,14 @@ QemuKernelLoaderFsDxeEntrypoint ( if (EFI_ERROR (Status)) { goto FreeBlobs; } + Status =3D VerifyBlob ( + CurrentBlob->Name, + CurrentBlob->Data, + CurrentBlob->Size + ); + if (EFI_ERROR (Status)) { + goto FreeBlobs; + } mTotalBlobBytes +=3D CurrentBlob->Size; } KernelBlob =3D &mKernelBlob[KernelBlobTypeKernel]; --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77963): https://edk2.groups.io/g/devel/message/77963 Mute This Topic: https://groups.io/mt/84328260/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77966+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77966+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768539; cv=none; d=zohomail.com; s=zohoarc; b=Lz/l6Cj0EoiXG5zgkKhQZlsiRREZSELDitsYJtkS3HgapaIO6PoV6i7cebqWw5WRkQv3ODsBV9fCIUbp1v+diUjg+gpq7Ivi8jlpH9BkVstQvdr/CyTS0f+itQAoz7q7VikWnMol7xFrwzoPny+xwf5bfMzCtNcOjQ3dzV/p50U= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768539; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=NeYgNO70hun16Nxzrqn7jlsREFU0iipAhCN9qUhPy+U=; b=HrnkSqj1bhPKRKfK7eCGcEYCo2593QO3V2zbNAoBDQHzS4wfqcnaFfAXFgQQZ+pHWqXnbKvM1ROTHJ2+Cswd5xQY2xcmeJFSCD3PFOqS03kEyOLZ3nX+w6rxU9UdEG28AweW8xBTcUIZg1dDqtHdoH2y5hDWsA/6+EKZ7m71PF4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77966+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768539422249.89154884960726; Tue, 20 Jul 2021 01:08:59 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id PyMzYY1788612x1f8rdUdJ3G; Tue, 20 Jul 2021 01:08:59 -0700 X-Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.4844.1626768538485715448 for ; Tue, 20 Jul 2021 01:08:58 -0700 X-Received: from pps.filterd (m0098417.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K88cTX024786; Tue, 20 Jul 2021 04:08:56 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wtce8fh9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:08:56 -0400 X-Received: from m0098417.ppops.net (m0098417.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K88twW025609; Tue, 20 Jul 2021 04:08:55 -0400 X-Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 39wtce8ete-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:08:54 -0400 X-Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K82lCE019385; Tue, 20 Jul 2021 08:04:39 GMT X-Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by ppma04dal.us.ibm.com with ESMTP id 39upubp0ef-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:39 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84avC27853202 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:36 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C650B136065; Tue, 20 Jul 2021 08:04:36 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 91A72136053; Tue, 20 Jul 2021 08:04:35 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:35 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 08/11] OvmfPkg/AmdSev/SecretPei: build hob for full page Date: Tue, 20 Jul 2021 08:03:58 +0000 Message-Id: <20210720080401.3662854-9-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: rwnAWxzaPIXoHJ12CPgOhgNEqv127Qrh X-Proofpoint-GUID: dl2RGBrOtSO55xy_5Fm7pQe-dLdoLoOF X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: k0bw9ZE3V61OaW4PaLe5eiUQx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768539; bh=hLZefYkTwfrMpQkp0/XqlRJRCcZ1b2KGhJUuYXl1TOM=; h=Cc:Date:From:Reply-To:Subject:To; b=DvronXZ4swp68F9phFEFkRDi7gMJ4o9s2KWBvrhbEVnSufjooeAhuv+8r4WkExTNpqq PL1Y6VF0CKfsxGpGdryhfjDgkAbMDDSSunLaQYQCNRAXuNEW3qquR8s2+3aS/UcZmjBs0 mEoZDKjOZmXRLj8Vr6omHQG9rB6nCMDfhe4= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768541478100001 Content-Type: text/plain; charset="utf-8" Round up the size of the SEV launch secret area to a whole page, as required by BuildMemoryAllocationHob. This will allow the secret area defined in the MEMFD to take less than a whole 4KB page. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh Reviewed-by: Tom Lendacky --- OvmfPkg/AmdSev/SecretPei/SecretPei.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPe= i/SecretPei.c index ad491515dd5d..db94c26b54d1 100644 --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c @@ -4,6 +4,7 @@ Copyright (C) 2020 James Bottomley, IBM Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include #include #include #include @@ -17,7 +18,7 @@ InitializeSecretPei ( { BuildMemoryAllocationHob ( PcdGet32 (PcdSevLaunchSecretBase), - PcdGet32 (PcdSevLaunchSecretSize), + ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE), EfiBootServicesData ); =20 --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77966): https://edk2.groups.io/g/devel/message/77966 Mute This Topic: https://groups.io/mt/84328282/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77959+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77959+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768285; cv=none; d=zohomail.com; s=zohoarc; b=LVOnE7O8diForvS9yLx7/FQOUSKg9YOA8rLvWtHkvDRFc37BPP1qndAlos7zxgihRjD4qUyFceRkgvHd5zSZbXW5PiWvp/mTRWvLSlTL2H7KxRoMSl4wJq7sMq2P9ARTfabYhZ+pVqbdTQUZNMrA/B/9gpV/dgUl7CeRBNiBPpE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768285; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=i9FLYOio4TtX906RxD1/tYGgJRh6UCiMgZTLufF8VFA=; b=N5FjQc7UPPURCQ2/0t4Eg/mT4ftncao8t4SE5EnooKtN9jc9fVFT3Puwguct92iNeCgy8haqiPFtoU2CmhLyJSAfLAWRuRIK/GAKSKXunlRV4NLXvazMCQ3txI1VTTOwcIBUIJXaxjItjAu8mxELsP8Sh20pCbd5aXt6WWy+eQY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77959+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 162676828591022.955375628473575; Tue, 20 Jul 2021 01:04:45 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id gAT6YY1788612xi3eEOXxzm6; Tue, 20 Jul 2021 01:04:45 -0700 X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web08.4834.1626768284985532448 for ; Tue, 20 Jul 2021 01:04:45 -0700 X-Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K8368K092112; Tue, 20 Jul 2021 04:04:43 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wr5d46mr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:43 -0400 X-Received: from m0098419.ppops.net (m0098419.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K83dn9096585; Tue, 20 Jul 2021 04:04:43 -0400 X-Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wr5d46m8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:43 -0400 X-Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K84D3W019077; Tue, 20 Jul 2021 08:04:42 GMT X-Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18]) by ppma03dal.us.ibm.com with ESMTP id 39upuc602w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:42 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84dXZ29032918 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:39 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C18DE136063; Tue, 20 Jul 2021 08:04:39 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 95992136077; Tue, 20 Jul 2021 08:04:38 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:38 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 09/11] OvmfPkg/AmdSev: reserve MEMFD space for for firmware config hashes Date: Tue, 20 Jul 2021 08:03:59 +0000 Message-Id: <20210720080401.3662854-10-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-GUID: KWvGyBNJUMwhD8TYTnD1VYAn-mswYxnb X-Proofpoint-ORIG-GUID: QlQDVVb6Rz9NQ89Daszj2WXGTJQ9Htf- X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: jnuTeMsJhRxKAVqx9WP8fNvgx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768285; bh=nHZJKL52X55peSXYTo1l2DF4mOKHqP1Yvrd3qAJiJEI=; h=Cc:Date:From:Reply-To:Subject:To; b=abqP/L3G9iLpmM7Tefu4xGBoV5ohTyKj680PCI/WXSg+s6zxX1uLhXp3DB/rIwmAETp TGYzbv85sbMclOIgr6c9pIICDzg2/zP+qC/4BUBo+ajhu+y39gJ+yCTNzUGiZdI+/2Ij6 HJlujXDyh84G1B+D0APgkbbBWF2Fn397Eow= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768286821100002 Content-Type: text/plain; charset="utf-8" From: James Bottomley Split the existing 4KB page reserved for SEV launch secrets into two parts: first 3KB for SEV launch secrets and last 1KB for firmware config hashes. The area of the firmware config hashes will be attested (measured) by the PSP and thus the untrusted VMM can't pass in different files from what the guest owner allows. Declare this in the Reset Vector table using GUID 7255371f-3a3b-4b04-927b-1da6efa8d454 and a uint32_t table of a base and size value (similar to the structure used to declare the launch secret block). Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Co-developed-by: Dov Murik Signed-off-by: Dov Murik Signed-off-by: James Bottomley Reviewed-by: Tom Lendacky Reviewed-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 6 ++++++ OvmfPkg/AmdSev/AmdSevX64.fdf | 5 ++++- OvmfPkg/ResetVector/ResetVector.inf | 2 ++ OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++++++++++++++++++++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ 5 files changed, 34 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index f82228d69cc2..2ab27f0c73c2 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -324,6 +324,12 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43 =20 + ## The base address and size of a hash table confirming allowed + # parameters to be passed in via the Qemu firmware configuration + # device + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|0x0|UINT32|0x47 + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize|0x0|UINT32|0x48 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index 9977b0f00a18..0a89749700c3 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf @@ -59,9 +59,12 @@ [FD.MEMFD] 0x00B000|0x001000 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P= cdSevEsWorkAreaSize =20 -0x00C000|0x001000 +0x00C000|0x000C00 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGu= id.PcdSevLaunchSecretSize =20 +0x00CC00|0x000400 +gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid= .PcdQemuHashTableSize + 0x00D000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize =20 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index dc38f68919cd..d028c92d8cfa 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -47,3 +47,5 @@ [Pcd] [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 9c0b5853a46f..7ec3c6e980c3 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm @@ -47,7 +47,27 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart = + 15) % 16)) DB 0 ; guidedStructureStart: =20 +; SEV Hash Table Block ; +; This describes the guest ram area where the hypervisor should +; install a table describing the hashes of certain firmware configuration +; device files that would otherwise be passed in unchecked. The current +; use is for the kernel, initrd and command line values, but others may be +; added. The data format is: +; +; base physical address (32 bit word) +; table length (32 bit word) +; +; GUID (SEV FW config hash block): 7255371f-3a3b-4b04-927b-1da6efa8d454 +; +sevFwHashBlockStart: + DD SEV_FW_HASH_BLOCK_BASE + DD SEV_FW_HASH_BLOCK_SIZE + DW sevFwHashBlockEnd - sevFwHashBlockStart + DB 0x1f, 0x37, 0x55, 0x72, 0x3b, 0x3a, 0x04, 0x4b + DB 0x92, 0x7b, 0x1d, 0xa6, 0xef, 0xa8, 0xd4, 0x54 +sevFwHashBlockEnd: + ; SEV Secret block ; ; This describes the guest ram area where the hypervisor should diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 5fbacaed5f9d..8d0bab02f8cb 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -88,5 +88,7 @@ %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase) %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase) %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize) + %define SEV_FW_HASH_BLOCK_BASE FixedPcdGet32 (PcdQemuHashTableBase) + %define SEV_FW_HASH_BLOCK_SIZE FixedPcdGet32 (PcdQemuHashTableSize) %include "Ia16/ResetVectorVtf0.asm" =20 --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77959): https://edk2.groups.io/g/devel/message/77959 Mute This Topic: https://groups.io/mt/84328240/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77960+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77960+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768290; cv=none; d=zohomail.com; s=zohoarc; b=gkvSE9LYVHjzATluVkQnSr2bOLeZO2uMaLTNXxsOi28E4y8LCMN6y1RchpVS8+dC/Jy9RYR8wpojtD70Du/ISF13HUcOb19fH52WPyOYnXK7uRQTHiDE0xmM83F9ZV4gQ05lMohN5+Ca8e6q14eBo0PaFjUA0iOvF113iEjS2NY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768290; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=JqgiKgzcubf4twaNnRSbTLjR/fZgZGFP8zxEc1NgsUs=; b=oBrQVJC6VLgSMS8w4n8kLXgPX/VXwneI69okjm6wXQK+bTG4b/Nl5nuTyGRFYwnuG27KIjMJhTExIURsNd3WBxwFN7A7du7YCf+mTxP45OAiHGXYuSKNRiiYV1vLpICoBGyAB8LoMsNNmEuoclHr+q39Tk61I8I4ZvEhsHsOGkg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77960+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768290236781.1372949116547; Tue, 20 Jul 2021 01:04:50 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id AOdwYY1788612xJs1zRJZrjv; Tue, 20 Jul 2021 01:04:49 -0700 X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web11.4823.1626768289225588633 for ; Tue, 20 Jul 2021 01:04:49 -0700 X-Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K83OwV101311; Tue, 20 Jul 2021 04:04:47 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wny8pqvy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:47 -0400 X-Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K83mei103162; Tue, 20 Jul 2021 04:04:46 -0400 X-Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wny8pqvh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:46 -0400 X-Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K84D16019052; Tue, 20 Jul 2021 08:04:45 GMT X-Received: from b03cxnp07029.gho.boulder.ibm.com (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16]) by ppma03dal.us.ibm.com with ESMTP id 39upuc604t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:45 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84hJH21823786 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:43 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 37DFC136051; Tue, 20 Jul 2021 08:04:43 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06F87136053; Tue, 20 Jul 2021 08:04:42 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:41 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 10/11] OvmfPkg: add BlobVerifierLibSevHashes Date: Tue, 20 Jul 2021 08:04:00 +0000 Message-Id: <20210720080401.3662854-11-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: nDnewPiL04lyhgWmmVgvhbHDj9pY7XEu X-Proofpoint-GUID: nd-mzQgNW3pQViziST6z_6Gc6AS6Frfr X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: MZ9ZfjuXUEybzM18q9YVHwBWx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768289; bh=UyAUuqbGZ01lcQI+t9g+sJbs57NpV+glOygUMaSGjIg=; h=Cc:Date:From:Reply-To:Subject:To; b=tFsMHsLMa3ynqh9qllo7T4c3ixegTLhy5sKvE2Bk27hpwphepzJIb+ua6RZUn1epetM G7o5OsuWltuOLGnYxehZlBPr+EO6KJ38p65b+zuRU5eHBTcGil0GtKnQmrFh2SWeqwtXw /ZIXHPxWLvt+ib4EzemtZylS8tVaJe8tiPY= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768291250100002 Content-Type: text/plain; charset="utf-8" Add an implementation for BlobVerifierLib that locates the SEV hashes table and verifies that the calculated hashes of the kernel, initrd, and cmdline blobs indeed match the expected hashes stated in the hashes table. If there's a missing hash or a hash mismatch then EFI_ACCESS_DENIED is returned which will cause a failure to load a kernel image. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Co-developed-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: Dov Murik Reviewed-by: Brijesh Singh Reviewed-by: Tom Lendacky --- OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf | 37 ++++ OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c | 200 +++++++= +++++++++++++ 2 files changed, 237 insertions(+) diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf b= /OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf new file mode 100644 index 000000000000..76ca0b8154ce --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf @@ -0,0 +1,37 @@ +## @file +# +# Blob verifier library that uses SEV hashes table. The hashes table hol= ds the +# allowed hashes of the kernel, initrd, and cmdline blobs. +# +# Copyright (C) 2021, IBM Corp +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 1.29 + BASE_NAME =3D BlobVerifierLibSevHashes + FILE_GUID =3D 59e713b5-eff3-46a7-8d8b-46f4c004ad7b + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BlobVerifierLib + CONSTRUCTOR =3D BlobVerifierLibSevHashesConstructor + +[Sources] + BlobVerifierSevHashes.c + +[Packages] + CryptoPkg/CryptoPkg.dec + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + +[LibraryClasses] + BaseCryptLib + BaseMemoryLib + DebugLib + PcdLib + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase + gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c b/Ovmf= Pkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c new file mode 100644 index 000000000000..797d63d18067 --- /dev/null +++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c @@ -0,0 +1,200 @@ +/** @file + + Blob verifier library that uses SEV hashes table. The hashes table hold= s the + allowed hashes of the kernel, initrd, and cmdline blobs. + + Copyright (C) 2021, IBM Corporation + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include +#include +#include +#include +#include + +/** + The SEV Hashes table must be in encrypted memory and has the table + and its entries described by + + |UINT16 | + + With the whole table GUID being 9438d606-4f22-4cc9-b479-a793d411fd21 + + The current possible table entries are for the kernel, the initrd + and the cmdline: + + 4de79437-abd2-427f-b835-d5b172d2045b kernel + 44baf731-3a2f-4bd7-9af1-41e29169781d initrd + 97d02dd8-bd20-4c94-aa78-e7714d36ab2a cmdline + + The size of the entry is used to identify the hash, but the + expectation is that it will be 32 bytes of SHA-256. +**/ + +#define SEV_HASH_TABLE_GUID \ + (GUID) { 0x9438d606, 0x4f22, 0x4cc9, { 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x1= 1, 0xfd, 0x21 } } +#define SEV_KERNEL_HASH_GUID \ + (GUID) { 0x4de79437, 0xabd2, 0x427f, { 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd= 2, 0x04, 0x5b } } +#define SEV_INITRD_HASH_GUID \ + (GUID) { 0x44baf731, 0x3a2f, 0x4bd7, { 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x6= 9, 0x78, 0x1d } } +#define SEV_CMDLINE_HASH_GUID \ + (GUID) { 0x97d02dd8, 0xbd20, 0x4c94, { 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x3= 6, 0xab, 0x2a } } + +STATIC CONST EFI_GUID mSevKernelHashGuid =3D SEV_KERNEL_HASH_GUID; +STATIC CONST EFI_GUID mSevInitrdHashGuid =3D SEV_INITRD_HASH_GUID; +STATIC CONST EFI_GUID mSevCmdlineHashGuid =3D SEV_CMDLINE_HASH_GUID; + +#pragma pack (1) +typedef struct { + GUID Guid; + UINT16 Len; + UINT8 Data[]; +} HASH_TABLE; +#pragma pack () + +STATIC HASH_TABLE *mHashesTable; +STATIC UINT16 mHashesTableSize; + +STATIC +CONST GUID* +FindBlobEntryGuid ( + IN CONST CHAR16 *BlobName + ) +{ + if (StrCmp (BlobName, L"kernel") =3D=3D 0) { + return &mSevKernelHashGuid; + } else if (StrCmp (BlobName, L"initrd") =3D=3D 0) { + return &mSevInitrdHashGuid; + } else if (StrCmp (BlobName, L"cmdline") =3D=3D 0) { + return &mSevCmdlineHashGuid; + } else { + return NULL; + } +} + +/** + Verify blob from an external source. + + @param[in] BlobName The name of the blob + @param[in] Buf The data of the blob + @param[in] BufSize The size of the blob in bytes + + @retval EFI_SUCCESS The blob was verified successfully. + @retval EFI_ACCESS_DENIED The blob could not be verified, and theref= ore + should be considered non-secure. +**/ +EFI_STATUS +EFIAPI +VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, + IN UINT32 BufSize + ) +{ + CONST GUID *Guid; + INT32 Len; + HASH_TABLE *Entry; + + if (mHashesTable =3D=3D NULL || mHashesTableSize =3D=3D 0) { + DEBUG ((DEBUG_ERROR, + "%a: Verifier called but no hashes table discoverd in MEMFD\n", + __FUNCTION__)); + return EFI_ACCESS_DENIED; + } + + Guid =3D FindBlobEntryGuid (BlobName); + if (Guid =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "%a: Unknown blob name \"%s\"\n", __FUNCTION__, + BlobName)); + return EFI_ACCESS_DENIED; + } + + for (Entry =3D mHashesTable, Len =3D 0; + Len < (INT32)mHashesTableSize; + Len +=3D Entry->Len, + Entry =3D (HASH_TABLE *)((UINT8 *)Entry + Entry->Len)) { + UINTN EntrySize; + EFI_STATUS Status; + UINT8 Hash[SHA256_DIGEST_SIZE]; + + if (!CompareGuid (&Entry->Guid, Guid)) { + continue; + } + + DEBUG ((DEBUG_INFO, "%a: Found GUID %g in table\n", __FUNCTION__, Guid= )); + + EntrySize =3D Entry->Len - sizeof (Entry->Guid) - sizeof (Entry->Len); + if (EntrySize !=3D SHA256_DIGEST_SIZE) { + DEBUG ((DEBUG_ERROR, "%a: Hash has the wrong size %d !=3D %d\n", + __FUNCTION__, EntrySize, SHA256_DIGEST_SIZE)); + return EFI_ACCESS_DENIED; + } + + // + // Calculate the buffer's hash and verify that it is identical to the + // expected hash table entry + // + Sha256HashAll (Buf, BufSize, Hash); + + if (CompareMem (Entry->Data, Hash, EntrySize) =3D=3D 0) { + Status =3D EFI_SUCCESS; + DEBUG ((DEBUG_INFO, "%a: Hash comparison succeeded for \"%s\"\n", + __FUNCTION__, BlobName)); + } else { + Status =3D EFI_ACCESS_DENIED; + DEBUG ((DEBUG_ERROR, "%a: Hash comparison failed for \"%s\"\n", + __FUNCTION__, BlobName)); + } + return Status; + } + + DEBUG ((DEBUG_ERROR, "%a: Hash GUID %g not found in table\n", __FUNCTION= __, + Guid)); + return EFI_ACCESS_DENIED; +} + +/** + Locate the SEV hashes table. + + This function always returns success, even if the table can't be found. = The + subsequent VerifyBlob calls will fail if no table was found. + + @retval RETURN_SUCCESS The verifier tables were set up correctly +**/ +RETURN_STATUS +EFIAPI +BlobVerifierLibSevHashesConstructor ( + VOID + ) +{ + HASH_TABLE *Ptr =3D (void *)(UINTN)FixedPcdGet64 (PcdQemuHashTableBase); + UINT32 Size =3D FixedPcdGet32 (PcdQemuHashTableSize); + + mHashesTable =3D NULL; + mHashesTableSize =3D 0; + + if (Ptr =3D=3D NULL || Size =3D=3D 0) { + return RETURN_SUCCESS; + } + + if (!CompareGuid (&Ptr->Guid, &SEV_HASH_TABLE_GUID)) { + return RETURN_SUCCESS; + } + + if (Ptr->Len < (sizeof Ptr->Guid + sizeof Ptr->Len)) { + return RETURN_SUCCESS; + } + + DEBUG ((DEBUG_INFO, "%a: Found injected hashes table in secure location\= n", + __FUNCTION__)); + + mHashesTable =3D (HASH_TABLE *)Ptr->Data; + mHashesTableSize =3D Ptr->Len - sizeof Ptr->Guid - sizeof Ptr->Len; + + DEBUG ((DEBUG_VERBOSE, "%a: mHashesTable=3D0x%p, Size=3D%u\n", __FUNCTIO= N__, + mHashesTable, mHashesTableSize)); + + return RETURN_SUCCESS; +} --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77960): https://edk2.groups.io/g/devel/message/77960 Mute This Topic: https://groups.io/mt/84328241/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat May 4 02:01:53 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77961+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77961+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1626768293; cv=none; d=zohomail.com; s=zohoarc; b=FWWpLP0swvRlYVl1a9mCBNaBY5UOfBR5GCvbZpV5hDVbpVBzx249fC5Si9nKeuTrWxPXeAMyqWhB820LeGkX47QhR9N8QaKE73+bQfVPwOmXQGbTCqhr/J7hQPY7Po7NbO+pWQWr6aLr0aFZNTd18prpqAlPkQlSVF99WB0q1Rg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1626768293; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=lieBMcDixaW6vIYJvqbqLzvxtD0hSA2O/+4l4+B8ofg=; b=P/cVN14OG52pefyV9jAKL+WaL+Dq+AAHvl4izTKJ1Va6VcajY040k8QgG0r5b5J8cz+ow+GVYkYihBp9q/lYYVbSLR+3rAX2lBN67nme9xNU7pUyeXgIHckQq9j21CU6wWbyMS7yojIV33GxBUoL+8haYH3/axouGb7AF1FqAL4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77961+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1626768293729578.9080858136201; Tue, 20 Jul 2021 01:04:53 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id chdjYY1788612xjR87phV66L; Tue, 20 Jul 2021 01:04:53 -0700 X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.158.5]) by mx.groups.io with SMTP id smtpd.web08.4836.1626768292722996110 for ; Tue, 20 Jul 2021 01:04:52 -0700 X-Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16K84L0a006191; Tue, 20 Jul 2021 04:04:51 -0400 X-Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wssmhkce-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:50 -0400 X-Received: from m0098413.ppops.net (m0098413.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16K84iEx007636; Tue, 20 Jul 2021 04:04:49 -0400 X-Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com [169.47.144.27]) by mx0b-001b2d01.pphosted.com with ESMTP id 39wssmhkc4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 04:04:49 -0400 X-Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1]) by ppma05wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16K83xHr007106; Tue, 20 Jul 2021 08:04:49 GMT X-Received: from b03cxnp08027.gho.boulder.ibm.com (b03cxnp08027.gho.boulder.ibm.com [9.17.130.19]) by ppma05wdc.us.ibm.com with ESMTP id 39upuaw5qs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 20 Jul 2021 08:04:49 +0000 X-Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 16K84lil14877052 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 20 Jul 2021 08:04:47 GMT X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DC32713605E; Tue, 20 Jul 2021 08:04:46 +0000 (GMT) X-Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AF9D9136055; Tue, 20 Jul 2021 08:04:45 +0000 (GMT) X-Received: from localhost.localdomain (unknown [9.2.130.16]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 20 Jul 2021 08:04:45 +0000 (GMT) From: "Dov Murik" To: devel@edk2.groups.io Cc: Dov Murik , Tobin Feldman-Fitzthum , Tobin Feldman-Fitzthum , Jim Cadden , James Bottomley , Hubertus Franke , Ard Biesheuvel , Jordan Justen , Ashish Kalra , Brijesh Singh , Erdem Aktas , Jiewen Yao , Min Xu , Tom Lendacky Subject: [edk2-devel] [PATCH v3 11/11] OvmfPkg/AmdSev: Enforce hash verification of kernel blobs Date: Tue, 20 Jul 2021 08:04:01 +0000 Message-Id: <20210720080401.3662854-12-dovmurik@linux.ibm.com> In-Reply-To: <20210720080401.3662854-1-dovmurik@linux.ibm.com> References: <20210720080401.3662854-1-dovmurik@linux.ibm.com> X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 6jrCvvxDemTRKV4g_GdgF3VMFwYQTciy X-Proofpoint-GUID: T2nEFadCyDBSEtU1YC9-TjP0zJur_CCQ X-Proofpoint-UnRewURL: 1 URL was un-rewritten MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com X-Gm-Message-State: Sa4LFhLBCg3AXPla6TBQbRKvx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1626768293; bh=0F9JyrW5J8Df8EdR5MAlAqzWx9gYSZTDS2Zr+/ndD9Y=; h=Cc:Date:From:Reply-To:Subject:To; b=lUe7+MRqvxiqE5sZ5gSZcGL44JnHRdMyammbxcybt075KBDhNkO6ye0P4xgOLTGdfYT o6PfIivtAcRvXz3dkHSelYIzr31sANHfEYJ+Z9oL60kO6C84xXLv18HkrPipmThNmAvOK 1z/eDeldAKS9829u+yHCgvUDgP2sWO+0MY0= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1626768295626100001 Content-Type: text/plain; charset="utf-8" In the AmdSevX64 build, use BlobVerifierLibSevHashes to enforce verification of hashes of the kernel/initrd/cmdline blobs fetched from firmware config. This allows for secure (measured) boot of SEV guests with QEMU's -kernel/-initrd/-append switches (with the corresponding QEMU support for injecting the hashes table into initial measured guest memory). Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Ashish Kalra Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457 Signed-off-by: Dov Murik Reviewed-by: Tom Lendacky --- OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index b2cc96cc5a97..c01599ea354f 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -173,7 +173,7 @@ [LibraryClasses] LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/Customize= dDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltL= ib.inf - BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes= .inf =20 !if $(SOURCE_DEBUG_ENABLE) =3D=3D TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDeb= ug/PeCoffExtraActionLibDebug.inf @@ -696,7 +696,7 @@ [Components] } OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf { - NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf + NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf } OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77961): https://edk2.groups.io/g/devel/message/77961 Mute This Topic: https://groups.io/mt/84328242/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-