From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78074+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78074+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943406; cv=none;
	d=zohomail.com; s=zohoarc;
	b=flHheH9HJpQ7PL/UvSVyOkWczD5+747EmafvE7Edjp8e3UJsMkngojsX9Ue2CSCPk1ztlGg+Y9FU9e+tbMCcupeGM2DLYeBBBDBic5SNzzxWTzaoiQFW9ZAbJXb2CUdfbJSJ4qZyhwS5JhlGsOr2i0MuWErLteP0397JgnHcPIk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943406;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=midMRE4PNtlLvRoMj0u3vxVU+KQQU8CLaIyuzATVgy4=;
	b=l4EGuvyV0viafsS7fpLxt8+MrUcul3gn3lktkjOB+oEOhqBZb4gFBiM8V3p+91kPHUbaY+jLF9c7qilVIIHGFdZoCPJ5ULkr3U+0vLwKVMFPkSchPXpCYrwwwoLkyvoBN4v+Ou4lY86hEPC7Gah08b5skBIdSLLu2i5Hm4Hptiw=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78074+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943406509337.51000488784575;
 Thu, 22 Jul 2021 01:43:26 -0700 (PDT)
Return-Path: <bounce+27952+78074+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id Tj1LYY1788612xIcQyWsqbU4;
 Thu, 22 Jul 2021 01:43:26 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.158.5])
 by mx.groups.io with SMTP id smtpd.web10.5254.1626943404517808394
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:25 -0700
X-Received: from pps.filterd (m0098413.ppops.net [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8YVAD179438;
	Thu, 22 Jul 2021 04:43:22 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0b-001b2d01.pphosted.com with ESMTP id 39y3yct9ya-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:22 -0400
X-Received: from m0098413.ppops.net (m0098413.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8Yu8R180344;
	Thu, 22 Jul 2021 04:43:20 -0400
X-Received: from ppma01wdc.us.ibm.com (fd.55.37a9.ip4.static.sl-reverse.com
 [169.55.85.253])
	by mx0b-001b2d01.pphosted.com with ESMTP id 39y3yct9xu-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:20 -0400
X-Received: from pps.filterd (ppma01wdc.us.ibm.com [127.0.0.1])
	by ppma01wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8gpIB007520;
	Thu, 22 Jul 2021 08:43:19 GMT
X-Received: from b03cxnp07028.gho.boulder.ibm.com
 (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15])
	by ppma01wdc.us.ibm.com with ESMTP id 39upudfja5-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:19 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hHud46989636
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:17 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id B706578063;
	Thu, 22 Jul 2021 08:43:17 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id BAEDB78064;
	Thu, 22 Jul 2021 08:43:16 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:16 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 01/11] OvmfPkg/AmdSev/SecretDxe: fix header
 comment to generic naming
Date: Thu, 22 Jul 2021 08:42:57 +0000
Message-Id: <20210722084307.2890952-2-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: a0DUKn-LAuCSZfJA3d2QspPT13wM0Cv4
X-Proofpoint-ORIG-GUID: TtwGtsBEaqjtxbUgZKdJ6vw65rmHxbR9
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: MakwT3LeLSJnIpMqPOK7GyWux1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943406;
 bh=xWv26yMt5TrO//IwD98Mxt/VYy2FxaKLug/NQv/g1Xs=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=SldHVhstVBWOTLnG94HL40VwSBIXxYbVAFaCZzdMP0/Mz1Os8qtKOjFciiOuuoLqGr0
 cRs4KjQYmb49s4IhjwbSkT2K4m3MWjhpInHOTY/ZM2HVkRXRy+k8YYxrobNeGu7VU15zd
 iBe7ZiPgvUFXoPv84hxAvduwSBytdhYXoZo=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943408659100001
Content-Type: text/plain; charset="utf-8"

From: James Bottomley <jejb@linux.ibm.com>

Commit 96201ae7bf97 ("OvmfPkg/AmdSev/SecretDxe: make secret location
naming generic", 2020-12-15) replaced references to SEV with the generic
term Confidential Computing, but missed the file header comment.  Fix
the naming in that header.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDx=
e/SecretDxe.c
index 308022b5b25e..934ad207632b 100644
--- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
+++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
@@ -1,5 +1,5 @@
 /** @file
-  SEV Secret configuration table constructor
+  Confidential Computing Secret configuration table constructor
=20
   Copyright (C) 2020 James Bottomley, IBM Corporation.
   SPDX-License-Identifier: BSD-2-Clause-Patent
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78074): https://edk2.groups.io/g/devel/message/78074
Mute This Topic: https://groups.io/mt/84375115/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78085+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78085+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943460; cv=none;
	d=zohomail.com; s=zohoarc;
	b=cGqnAC4RW5kgqubOkH+mXm7U0In2guUU6OGOwQvYt9aTXQPy1Sb4MgWEgBBeZH5iJCzwFIcqhpXu1ILfT4Er1QY1PiZvVLnlo7K6sZIZzl2XsLggaZLF1GdBYFT8Gphs/vYxfgJtkbjNr4mIDR3PdprPGJBrSemC6gnc4Cw/2QA=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943460;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=Q2+WwL2mcDPEXU3xP5RZS6DtEW2h8f3CQ/hliS4bnLE=;
	b=lPBqicP44x5/rdw1gf0aPQVQq0ELZaGEzCgXvC3gd5kvCgdni7vGoRdzcXgvYEdRjmlUxu+WTo5N7RkykAfsTzwFNV/sdHnKAbv1ZiTm3dmdVhfmUNFdWrsANMGMOnUvGVpX7/U+gQp7k8g8p/febkPq8OBGtl4jA9ZcOtLPfS4=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78085+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943460768267.56875979526296;
 Thu, 22 Jul 2021 01:44:20 -0700 (PDT)
Return-Path: <bounce+27952+78085+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id Z2xPYY1788612xHAHzRnmpw0;
 Thu, 22 Jul 2021 01:44:20 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web12.5279.1626943460057786027
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:44:20 -0700
X-Received: from pps.filterd (m0098394.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8Y51s069941;
	Thu, 22 Jul 2021 04:44:18 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y1fsdv85-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:44:18 -0400
X-Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8YE3G070880;
	Thu, 22 Jul 2021 04:44:17 -0400
X-Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com
 [169.63.214.131])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y1fsdv7r-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:44:17 -0400
X-Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1])
	by ppma01dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8hMEp018002;
	Thu, 22 Jul 2021 08:44:16 GMT
X-Received: from b03cxnp08026.gho.boulder.ibm.com
 (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18])
	by ppma01dal.us.ibm.com with ESMTP id 39upueek6r-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:44:16 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hIVD13631936
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:19 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id D784D7805E;
	Thu, 22 Jul 2021 08:43:18 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id DF70D7806B;
	Thu, 22 Jul 2021 08:43:17 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:17 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 02/11] OvmfPkg/AmdSev: use
 GenericQemuLoadImageLib in AmdSev builds
Date: Thu, 22 Jul 2021 08:42:58 +0000
Message-Id: <20210722084307.2890952-3-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: sEKTfVeeaG9NK-Jx37TcxR48aSz-6pUr
X-Proofpoint-ORIG-GUID: cdN4H6XURtbxYJXWdWYnmFMmvLuxrcFe
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: DcnUkX9Xob1t39SHF8gBuenTx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943460;
 bh=wMRZq1NclsJEM2wTvv62gLAaS0V5kMoXuGfszCSFohE=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=KdB7N4ZbfKSuA0ivhy9K8ni6VobJaVkQHDWUlwYMXBVyNgypEbALwhY2yoEpsq3WhGw
 VzoZyWY8beXFPspruTdpRunRHp8nZELuEkASmE+PO11KwAaEEzBNOzCrQOEeWBjf2nufk
 Blp3z/qjg2m4YraMMQmCnHT6XBhdZoTCRv8=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943462122100005
Content-Type: text/plain; charset="utf-8"

Newer kernels support efistub and therefore don't need all the legacy
stuff in X86QemuLoadImageLib, which are harder to secure.  Specifically
the verification of kernel/initrd/cmdline blobs will be added only to
the GenericQemuLoadImageLib implementation, so use that for SEV builds.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 1d487befae08..a2f1324c40a6 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -368,7 +368,7 @@ [LibraryClasses.common.DXE_DRIVER]
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
-  QemuLoadImageLib|OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib=
.inf
+  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoad=
ImageLib.inf
 !if $(TPM_ENABLE) =3D=3D TRUE
   Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i=
nf
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78085): https://edk2.groups.io/g/devel/message/78085
Mute This Topic: https://groups.io/mt/84375132/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78081+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78081+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943415; cv=none;
	d=zohomail.com; s=zohoarc;
	b=F5dpI2PQaEIS/w7VXgCkwP4gD3x8cj8DxzgEQDnk1MaDn6Vtq4ud5XWj/xnoxdHVD/Y9IJn2kLHyNpbUZA66G0M90LKla7IJzwCW4V+QBQCJex0z2qJbDqx0NcYeLCu/R3f12Zl0yXhA3Hq8olI4EP7s0nvYmk2+HjGnOpz5c28=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943415;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=oJ84dGprFEUuWm0StdVfcqdSAegZQ7H7DYkkSKDyAgU=;
	b=HHAkvyTHl6BqdKcoZT5Qz3a0Qa1FLdwlNFpkmzqOxPwn3dQzG+5SmH6aWQzds2eY/3HWN5dFk5HZa33LFQUe7modvJkT6fSd9zarHrFEovwOTuKzQig5LFvNnekG8ZNBUoMfQSiLYQdcAWf9RH0gA+viGa86kpXLvaeqwxL/SCI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78081+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 162694341525765.27822431245181;
 Thu, 22 Jul 2021 01:43:35 -0700 (PDT)
Return-Path: <bounce+27952+78081+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id YCuuYY1788612xTiFljOQ5bm;
 Thu, 22 Jul 2021 01:43:34 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.158.5])
 by mx.groups.io with SMTP id smtpd.web12.5274.1626943414335029230
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:34 -0700
X-Received: from pps.filterd (m0098416.ppops.net [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8Y8EM113158;
	Thu, 22 Jul 2021 04:43:23 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0b-001b2d01.pphosted.com with ESMTP id 39y1qb5h6r-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:23 -0400
X-Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8be6N125590;
	Thu, 22 Jul 2021 04:43:22 -0400
X-Received: from ppma03wdc.us.ibm.com (ba.79.3fa9.ip4.static.sl-reverse.com
 [169.63.121.186])
	by mx0b-001b2d01.pphosted.com with ESMTP id 39y1qb5h6h-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:22 -0400
X-Received: from pps.filterd (ppma03wdc.us.ibm.com [127.0.0.1])
	by ppma03wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8baJt008386;
	Thu, 22 Jul 2021 08:43:21 GMT
X-Received: from b03cxnp08028.gho.boulder.ibm.com
 (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20])
	by ppma03wdc.us.ibm.com with ESMTP id 39vqdw6d5p-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:21 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hKWc39518652
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:20 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 095897805E;
	Thu, 22 Jul 2021 08:43:20 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 0BDB078063;
	Thu, 22 Jul 2021 08:43:19 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:18 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 03/11] OvmfPkg: PlatformBootManagerLibGrub:
 Allow executing kernel via fw_cfg
Date: Thu, 22 Jul 2021 08:42:59 +0000
Message-Id: <20210722084307.2890952-4-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: JG4vQbnOTGASC2wlgn2YznM-KNZxMjeA
X-Proofpoint-ORIG-GUID: 8mAIwcH_OSN6gfjWonPYneY8FrNUVXOT
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: rrJ0cOA3zvVpLo6JaeE3s2yux1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943414;
 bh=EvJHwPUSpZ80SSoy4zlGg1Uc+Xnd8I4JJFct8dL3a0o=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=MLvZz3lF+0lR/pJkPb8gp5I99WesnWWwt54k7+uC+/ukflOSl22/HDTZzsFP3mfySxI
 SkUi6qGznhPzhndUXJOF4oFNcZyGxi6cT1dboGcU33phuwbQnbroou/NzzbuGQCQx0Yqd
 touYD8Kf9KZcLPKhinhJqAFeE8gzF4javK8=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943415483100010
Content-Type: text/plain; charset="utf-8"

From: James Bottomley <jejb@linux.ibm.com>

Support QEMU's -kernel option.

Create a QemuKernel.c for PlatformBootManagerLibGrub
which is an exact copy of the file
PlatformBootManagerLib/QemuKernel.c .

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc                                              =
          |  1 +
 OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub.inf =
          |  2 ++
 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h                  =
          | 11 +++++++++++
 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c                  =
          |  5 +++++
 OvmfPkg/Library/{PlatformBootManagerLib =3D> PlatformBootManagerLibGrub}/Q=
emuKernel.c |  0
 5 files changed, 19 insertions(+)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index a2f1324c40a6..aefdcf881c99 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -281,6 +281,7 @@ [LibraryClasses.common.PEIM]
   CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/PeiCpuE=
xceptionHandlerLib.inf
   MpInitLib|UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/PeiQemuFwCfgS3LibFwCfg.inf
+  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoad=
ImageLib.inf
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
=20
diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManager=
LibGrub.inf b/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManage=
rLibGrub.inf
index 9a806d17ec45..5f6f73d18470 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub=
.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/PlatformBootManagerLibGrub=
.inf
@@ -23,6 +23,7 @@ [Defines]
=20
 [Sources]
   BdsPlatform.c
+  QemuKernel.c
   PlatformData.c
   BdsPlatform.h
=20
@@ -46,6 +47,7 @@ [LibraryClasses]
   BootLogoLib
   DevicePathLib
   PciLib
+  QemuLoadImageLib
   UefiLib
   PlatformBmPrintScLib
   Tcg2PhysicalPresenceLib
diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h b/Ovm=
fPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h
index 748c63081920..f1d3a2906c00 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.h
@@ -172,4 +172,15 @@ PlatformInitializeConsole (
   IN PLATFORM_CONSOLE_CONNECT_ENTRY   *PlatformConsole
   );
=20
+/**
+  Loads and boots UEFI Linux via the FwCfg interface.
+
+  @retval    EFI_NOT_FOUND - The Linux kernel was not found
+
+**/
+EFI_STATUS
+TryRunningQemuKernel (
+  VOID
+  );
+
 #endif // _PLATFORM_SPECIFIC_BDS_PLATFORM_H_
diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c b/Ovm=
fPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
index 5c92d4fc2b09..7cceeea4879c 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
@@ -1315,6 +1315,11 @@ PlatformBootManagerAfterConsole (
   //
   Tcg2PhysicalPresenceLibProcessRequest (NULL);
=20
+  //
+  // Process QEMU's -kernel command line option
+  //
+  TryRunningQemuKernel ();
+
   //
   // Perform some platform specific connect sequence
   //
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c b/OvmfPkg/=
Library/PlatformBootManagerLibGrub/QemuKernel.c
similarity index 100%
copy from OvmfPkg/Library/PlatformBootManagerLib/QemuKernel.c
copy to OvmfPkg/Library/PlatformBootManagerLibGrub/QemuKernel.c
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78081): https://edk2.groups.io/g/devel/message/78081
Mute This Topic: https://groups.io/mt/84375122/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78083+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78083+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943431; cv=none;
	d=zohomail.com; s=zohoarc;
	b=HJDucigg1xVEvAwCMQaQq34sJStUHWuX9VC9z0TiYy9biNWknJA/3aXPrJPTnJC1RQu3BpEXLhn8/d0sHTxI8/339t7+xU+l+NfJ9D8zcVXG5uThLFCv6xPx41ulF3vHPSz52sE8CCIwDWnN/6MB4w5ZkFkf+qovrVEwRkDJewI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943431;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=hGKeppyb964Mh7KN6iHl0ds9rMl5IGDZ3dLC3jlVpdg=;
	b=EWPa+tRWkwtQ5Tu8+37EQZmfoqu2u1M/drHmrwqUwJPlFrXMJCf85iOfqQodEEOxxnKxw725ZZykgNgkkoA9mfEZFgAx8JYH7jbQS48w9+6PmujvAs3Vai6A9SfoCDXukUVxbj/T1sFDBDQg5nYCDfbXgJrsFHs8Zw5Flo4DVBY=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78083+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943431612600.2368506332992;
 Thu, 22 Jul 2021 01:43:51 -0700 (PDT)
Return-Path: <bounce+27952+78083+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id t5PmYY1788612xnCOGheVKRP;
 Thu, 22 Jul 2021 01:43:51 -0700
X-Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com
 [148.163.158.5])
 by mx.groups.io with SMTP id smtpd.web09.5238.1626943430565939426
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:50 -0700
X-Received: from pps.filterd (m0127361.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8aCEF093096;
	Thu, 22 Jul 2021 04:43:48 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y5a8r5cc-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:48 -0400
X-Received: from m0127361.ppops.net (m0127361.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8bTcu095416;
	Thu, 22 Jul 2021 04:43:48 -0400
X-Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com
 [169.63.214.131])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y5a8r5c3-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:48 -0400
X-Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1])
	by ppma01dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8hM1s018004;
	Thu, 22 Jul 2021 08:43:47 GMT
X-Received: from b03cxnp07027.gho.boulder.ibm.com
 (b03cxnp07027.gho.boulder.ibm.com [9.17.130.14])
	by ppma01dal.us.ibm.com with ESMTP id 39upueek8a-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:47 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hLCd34079170
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:21 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 2F38578068;
	Thu, 22 Jul 2021 08:43:21 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 348F97806E;
	Thu, 22 Jul 2021 08:43:20 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:20 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 04/11] OvmfPkg: add library class
 BlobVerifierLib with null implementation
Date: Thu, 22 Jul 2021 08:43:00 +0000
Message-Id: <20210722084307.2890952-5-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: pGQcfECDROCGTdMjSdNksj4djEyPQnO6
X-Proofpoint-GUID: fkJ3D92PDf1hSF01Aq7fcaGNXvJGOjzl
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: vayKNrmEZSj4pWETbE5RWsi1x1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943431;
 bh=NA8eNVFxPXjgu2c8UhaDW/MC+D0/PVealslBA7G5370=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=xVUHxQyzW8Z/jHDQR7Oylu0C9Fxgk20UFWlx1XxIcJkuwn050i1iM5SEmqi8zMWcgGe
 rzZVJzDMuu9quTCuJ0EtLZxPgyiGDbruYMc7mtRhmyWStThY2sPc5B6dK4k1yS2KUs3Xl
 R05EtATvdmjAodRCM3uFeZ60/TWjZKnJnDU=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943432382100002
Content-Type: text/plain; charset="utf-8"

BlobVerifierLib will be used to verify blobs fetching them from QEMU's
firmware config (fw_cfg) in platforms that enable such verification.

The null implementation BlobVerifierLibNull treats all blobs as valid.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 OvmfPkg/OvmfPkg.dec                                     |  3 ++
 OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf | 24 +++++++++++++
 OvmfPkg/Include/Library/BlobVerifierLib.h               | 38 +++++++++++++=
+++++++
 OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c      | 33 +++++++++++++=
++++
 4 files changed, 98 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 6ae733f6e39f..f82228d69cc2 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -23,6 +23,9 @@ [LibraryClasses]
   ##  @libraryclass  Access bhyve's firmware control interface.
   BhyveFwCtlLib|Include/Library/BhyveFwCtlLib.h
=20
+  ##  @libraryclass  Verify blobs read from the VMM
+  BlobVerifierLib|Include/Library/BlobVerifierLib.h
+
   ##  @libraryclass  Loads and boots a Linux kernel image
   #
   LoadLinuxLib|Include/Library/LoadLinuxLib.h
diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf b/Ovmf=
Pkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
new file mode 100644
index 000000000000..850d398e65a4
--- /dev/null
+++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
@@ -0,0 +1,24 @@
+## @file
+#
+#  Null implementation of the blob verifier library.
+#
+#  Copyright (C) 2021, IBM Corp
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    =3D 1.29
+  BASE_NAME                      =3D BlobVerifierLibNull
+  FILE_GUID                      =3D b1b5533e-e01a-43bb-9e54-414f00ca036e
+  MODULE_TYPE                    =3D BASE
+  VERSION_STRING                 =3D 1.0
+  LIBRARY_CLASS                  =3D BlobVerifierLib
+
+[Sources]
+  BlobVerifierNull.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
diff --git a/OvmfPkg/Include/Library/BlobVerifierLib.h b/OvmfPkg/Include/Li=
brary/BlobVerifierLib.h
new file mode 100644
index 000000000000..db122684f76c
--- /dev/null
+++ b/OvmfPkg/Include/Library/BlobVerifierLib.h
@@ -0,0 +1,38 @@
+/** @file
+
+  Blob verification library
+
+  This library class allows verifiying whether blobs from external sources
+  (such as QEMU's firmware config) are trusted.
+
+  Copyright (C) 2021, IBM Corporation
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef BLOB_VERIFIER_LIB_H__
+#define BLOB_VERIFIER_LIB_H__
+
+#include <Uefi/UefiBaseType.h>
+#include <Base.h>
+
+/**
+  Verify blob from an external source.
+
+  @param[in] BlobName           The name of the blob
+  @param[in] Buf                The data of the blob
+  @param[in] BufSize            The size of the blob in bytes
+
+  @retval EFI_SUCCESS           The blob was verified successfully.
+  @retval EFI_ACCESS_DENIED     The blob could not be verified, and theref=
ore
+                                should be considered non-secure.
+**/
+EFI_STATUS
+EFIAPI
+VerifyBlob (
+  IN  CONST CHAR16    *BlobName,
+  IN  CONST VOID      *Buf,
+  IN  UINT32          BufSize
+  );
+
+#endif
diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c b/OvmfPkg/L=
ibrary/BlobVerifierLib/BlobVerifierNull.c
new file mode 100644
index 000000000000..975d4dd52f80
--- /dev/null
+++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierNull.c
@@ -0,0 +1,33 @@
+/** @file
+
+  Null implementation of the blob verifier library.
+
+  Copyright (C) 2021, IBM Corporation
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BlobVerifierLib.h>
+
+/**
+  Verify blob from an external source.
+
+  @param[in] BlobName           The name of the blob
+  @param[in] Buf                The data of the blob
+  @param[in] BufSize            The size of the blob in bytes
+
+  @retval EFI_SUCCESS           The blob was verified successfully.
+  @retval EFI_ACCESS_DENIED     The blob could not be verified, and theref=
ore
+                                should be considered non-secure.
+**/
+EFI_STATUS
+EFIAPI
+VerifyBlob (
+  IN  CONST CHAR16    *BlobName,
+  IN  CONST VOID      *Buf,
+  IN  UINT32          BufSize
+  )
+{
+  return EFI_SUCCESS;
+}
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78083): https://edk2.groups.io/g/devel/message/78083
Mute This Topic: https://groups.io/mt/84375128/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78076+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78076+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943409; cv=none;
	d=zohomail.com; s=zohoarc;
	b=In2v37m+W9dg+8/WReT/xU0hDiNURx8rrOg/BJzonz1pHj8lVALiO6mU7C9/Nel0HT4rAjyGdjtnDcBE+IfWlSnE8MFlHQRbLJPKjhwoSO+xYBAZVhI+CjlXHqSCXUeribJ5JDuOV/i8xI4T2U9dHo+ZTz/XerfkNsd9ZmEoJvk=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943409;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=3dHyxGzZlC7P6dStLHZROKkNC5bY004UYNRSWPUloUc=;
	b=WHQMA0m+LGJw4AM1Dbmj7CfIdBXdVGC8xHQBOg0MQkQ4DOpXY/L81sajEe6rMBwABVK9HCjJb3hN2Xc8dH9YaF2OrvYGbYoUantzBkNjuQnEpR6f66Lj8Qo0RiY719qhxN8jifS5vxL5RD6sMNyUluySc4xFWav7D90BNGQOYTM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78076+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943409297852.1697285165209;
 Thu, 22 Jul 2021 01:43:29 -0700 (PDT)
Return-Path: <bounce+27952+78076+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id V2ppYY1788612xQwp3s9TSdJ;
 Thu, 22 Jul 2021 01:43:29 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web08.5237.1626943408351681703
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:28 -0700
X-Received: from pps.filterd (m0098394.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8Y6B3070075;
	Thu, 22 Jul 2021 04:43:26 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y1fsdumf-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:26 -0400
X-Received: from m0098394.ppops.net (m0098394.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8YDqn070766;
	Thu, 22 Jul 2021 04:43:25 -0400
X-Received: from ppma01wdc.us.ibm.com (fd.55.37a9.ip4.static.sl-reverse.com
 [169.55.85.253])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y1fsdukw-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:25 -0400
X-Received: from pps.filterd (ppma01wdc.us.ibm.com [127.0.0.1])
	by ppma01wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8gogA007415;
	Thu, 22 Jul 2021 08:43:24 GMT
X-Received: from b03cxnp07029.gho.boulder.ibm.com
 (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16])
	by ppma01wdc.us.ibm.com with ESMTP id 39upudfjcv-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:24 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hMcM35914066
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:22 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 57BE578068;
	Thu, 22 Jul 2021 08:43:22 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 574CA78060;
	Thu, 22 Jul 2021 08:43:21 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:21 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 05/11] OvmfPkg: add BlobVerifierLibNull to DSC
Date: Thu, 22 Jul 2021 08:43:01 +0000
Message-Id: <20210722084307.2890952-6-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: VYY964AjHZHWGVp-NJ8u967Q5QSNTobk
X-Proofpoint-ORIG-GUID: 2zvR5twfesbRT8kAy3Xr7W7KDmC8KLtZ
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: UEfuZNUOeyWHxc1M90strawOx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943409;
 bh=d3YW6jPe0uxBuJEKNw82o6u86g/qxUoR9weUZGhH2sc=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=gGlcWm9CxhWvqiIN2blV/mvai4r2b1nSOvM2af/yicI+0m39nJVETLwST/okBzSa5n+
 g3Q2AH9c/JO+6DaZ/yQa/oeLGILU7OQ3VduFdTEZw8qYKi4be0OynaM/6gcoyKvX7BSbR
 8gA3VuLAPNHM9x5y3lJSNjZGBPebxKOJTT4=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943411169100002
Content-Type: text/plain; charset="utf-8"

This prepares the ground for calling VerifyBlob() in
QemuKernelLoaderFsDxe.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +++++-
 OvmfPkg/OvmfPkgIa32.dsc      | 5 ++++-
 OvmfPkg/OvmfPkgIa32X64.dsc   | 5 ++++-
 OvmfPkg/OvmfPkgX64.dsc       | 5 ++++-
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index aefdcf881c99..b2cc96cc5a97 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -173,6 +173,7 @@ [LibraryClasses]
   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/Customize=
dDisplayLib.inf
   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltL=
ib.inf
+  BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
=20
 !if $(SOURCE_DEBUG_ENABLE) =3D=3D TRUE
   PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDeb=
ug/PeCoffExtraActionLibDebug.inf
@@ -693,7 +694,10 @@ [Components]
       NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf
       NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc=
eManagerUiLib.inf
   }
-  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+  }
   OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
   OvmfPkg/Virtio10Dxe/Virtio10.inf
   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index f53efeae7986..7613abab6a7f 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -786,7 +786,10 @@ [Components]
       NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf
 !endif
   }
-  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+  }
   OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
   OvmfPkg/Virtio10Dxe/Virtio10.inf
   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index b3662e17f256..8b35aaf4b44c 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -800,7 +800,10 @@ [Components.X64]
       NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf
 !endif
   }
-  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+  }
   OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
   OvmfPkg/Virtio10Dxe/Virtio10.inf
   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 0a237a905866..0c95c74ad1a8 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -798,7 +798,10 @@ [Components]
       NULL|OvmfPkg/Csm/LegacyBootMaintUiLib/LegacyBootMaintUiLib.inf
 !endif
   }
-  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+  }
   OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
   OvmfPkg/Virtio10Dxe/Virtio10.inf
   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78076): https://edk2.groups.io/g/devel/message/78076
Mute This Topic: https://groups.io/mt/84375117/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78080+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78080+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943413; cv=none;
	d=zohomail.com; s=zohoarc;
	b=ZSBXfSQzQ0LX8vt7xKmk5aFEYtMJ0brxoXdr4SJPkc8ClPWxJIxepVuvUpoTJ+iIZ/idWkbP9NL9MJlSu5PLJSeenfvW8I1e9lRDsvyLLfQWKA/tDDHmmGx5aSENUHfKSQBZSbNwnAqxr1y/TxCh7y5vWYeMGEeWxPD5ENn2r7E=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943413;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=7g0flpKhD3DhMe/x+VKdchLGL4edHHt5u696RRAPkdo=;
	b=aLklchw7y8SRU/v0aTRXzxJ9NkVyiiuK8Aj3kidZxUPgVv40p4Bpp8VGhLpCAwgtfjVPbrFbBu0JokwehVS868V1hLaCLfDNm2SMiSqHgCkcUYN6dVtnQ9vo9pYcS0dq8ySpgxKxrBqkA5WooCv23m1puNwTJqNLURo4DGXp+uM=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78080+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943413785831.7971953011232;
 Thu, 22 Jul 2021 01:43:33 -0700 (PDT)
Return-Path: <bounce+27952+78080+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id d9HsYY1788612x0dOZco14F7;
 Thu, 22 Jul 2021 01:43:33 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web10.5256.1626943412709840443
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:32 -0700
X-Received: from pps.filterd (m0098396.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8XXSL109999;
	Thu, 22 Jul 2021 04:43:28 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y476suyw-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:28 -0400
X-Received: from m0098396.ppops.net (m0098396.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8XtAY111275;
	Thu, 22 Jul 2021 04:43:27 -0400
X-Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com
 [169.47.144.26])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y476suy0-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:27 -0400
X-Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1])
	by ppma04wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8bjGV001063;
	Thu, 22 Jul 2021 08:43:25 GMT
X-Received: from b03cxnp08025.gho.boulder.ibm.com
 (b03cxnp08025.gho.boulder.ibm.com [9.17.130.17])
	by ppma04wdc.us.ibm.com with ESMTP id 39upucygn7-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:25 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hN0729032828
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:23 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 9EB0078069;
	Thu, 22 Jul 2021 08:43:23 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 806877805E;
	Thu, 22 Jul 2021 08:43:22 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:22 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Leif Lindholm <leif@nuviainc.com>,
 Sami Mujawar <sami.mujawar@arm.com>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 06/11] ArmVirtPkg: add BlobVerifierLibNull to
 DSC
Date: Thu, 22 Jul 2021 08:43:02 +0000
Message-Id: <20210722084307.2890952-7-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: SjX6ktDB7SC72JldDt0-rV83Qc1io1vu
X-Proofpoint-ORIG-GUID: UHPtb3hlCbqCn_vh08ga80D4IUm8tUib
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: SdEeDpypZhNN2Hq1SDAA2YyHx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943413;
 bh=irswse4M87jVagxxSzxbdKGvr+gxwRf9o0X9pmRWePU=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=nK1am0ieULYbDLTYPPVHBgwSs+Ni1564PDCYM2StExAgWR1ytxVEgC4saQzoWMkXoPx
 yZWNGz4ev/ZKIDHb9UWoWAb7L2v/96B6WyVUUOMSQpFOCDQPnihREIQbNCqOxWo9W5bJp
 zcb6+dCpGXoOZG11pE+Q1yQwHnOZw+x4G8Q=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943415350100004
Content-Type: text/plain; charset="utf-8"

This prepares the ground for calling VerifyBlob() in
QemuKernelLoaderFsDxe.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
 ArmVirtPkg/ArmVirtQemu.dsc       | 5 ++++-
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7ef5e7297bc7..bf8bb1ec9578 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -440,7 +440,10 @@ [Components.common]
       NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf
       NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc=
eManagerUiLib.inf
   }
-  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+  }
=20
   #
   # Networking stack
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne=
l.dsc
index a542fcb157e9..af34cb47a12d 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -376,7 +376,10 @@ [Components.common]
       NULL|MdeModulePkg/Library/BootManagerUiLib/BootManagerUiLib.inf
       NULL|MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootMaintenanc=
eManagerUiLib.inf
   }
-  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+  OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
+    <LibraryClasses>
+      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+  }
=20
   #
   # Networking stack
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78080): https://edk2.groups.io/g/devel/message/78080
Mute This Topic: https://groups.io/mt/84375121/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78077+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78077+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943410; cv=none;
	d=zohomail.com; s=zohoarc;
	b=bj42SUPDEam8Ziji7zhqDFWTJIrbBno0kdu8rxi156B8VZhbd80UlcWLH3aEtsfw1WB6CXqhb0/uEFn47G+gZ9FKB3k4nHjrygQlHjjDM7Aztzv3XyiQu4yYdpmUmESRhKfgrY5ZonaSI/mhxKdxbzD3Hz6jAfE24e53MdbFrVE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943410;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=Ojx6p1E/Ddqc8KnqkCmKxE/Ni+16W7LTf4FEfv6YKb0=;
	b=mJF7TNKDQj9lHuyJwJO3C7oRAful54s17hVTzFHTIaJVnnk4ChU+dlBoVU4q5qO4Wup8Fw5ThNxgqBGj2R46RScZZgZcAcVadwbAXQSsZkofQKt3KeFpoLQ/DYFYTX96pXdgXF2HXjwKQ46f/7ztxPfm6InqXSdvWikT4ABeD5E=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78077+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943410940527.5119997149422;
 Thu, 22 Jul 2021 01:43:30 -0700 (PDT)
Return-Path: <bounce+27952+78077+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id EuTfYY1788612xwLSi0tsFxR;
 Thu, 22 Jul 2021 01:43:30 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web12.5273.1626943410086119721
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:30 -0700
X-Received: from pps.filterd (m0098410.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8XatA007953;
	Thu, 22 Jul 2021 04:43:28 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y4ca9n6b-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:28 -0400
X-Received: from m0098410.ppops.net (m0098410.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8ZgtT016807;
	Thu, 22 Jul 2021 04:43:28 -0400
X-Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com
 [169.62.189.10])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y4ca9n5v-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:28 -0400
X-Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1])
	by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8bYDu003035;
	Thu, 22 Jul 2021 08:43:27 GMT
X-Received: from b03cxnp07028.gho.boulder.ibm.com
 (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15])
	by ppma02dal.us.ibm.com with ESMTP id 39vuk7d4tj-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:27 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hOP542795310
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:24 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id B7BD478063;
	Thu, 22 Jul 2021 08:43:24 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id BC9C978074;
	Thu, 22 Jul 2021 08:43:23 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:23 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 07/11] OvmfPkg/QemuKernelLoaderFsDxe: call
 VerifyBlob after fetch from fw_cfg
Date: Thu, 22 Jul 2021 08:43:03 +0000
Message-Id: <20210722084307.2890952-8-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: VdImrzuRHSjDryaZfg2eRUUGzUY_-3Tv
X-Proofpoint-GUID: jmnE0cMrzuXvjP_6a_OKOlb0zya-rka2
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: MCBjWqALEYSoIwXEJTVHYIGwx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943410;
 bh=qET0u/s2potitE/MxpTjOfQzgdidLBdsA9rn6Jt6Qhw=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=tBZwSKm19D2MOR1VpCEpD8EZM9Rk4Zcl7z2iVNhYukZF/Ha6TydvR4HDFkViCQU3hbG
 WpLZ2qAwAB62Tb5WsDFNaS96YkGNo8xwqHe7Jhvs/cR+qZOplU6qHcA3XcPAXBkDS7f0Y
 i6MJz5ZeV9unKhmWsYuU6IKD4R4u173OGRc=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943413001100007
Content-Type: text/plain; charset="utf-8"

In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
of the kernel/initrd/cmdline from the QEMU fw_cfg interface.  Insert a
call to VerifyBlob after fetching to allow BlobVerifierLib
implementations to add a verification step for these blobs.

This will allow confidential computing OVMF builds to add verification
mechanisms for these blobs that originate from an untrusted source
(QEMU).

The null implementation of BlobVerifierLib does nothing in VerifyBlob,
and therefore no functional change is expected.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Co-developed-by: James Bottomley <jejb@linux.ibm.com>
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPk=
g/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index c7ddd86f5c75..6832d563bcb0 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -17,6 +17,7 @@
 #include <Guid/QemuKernelLoaderFsMedia.h>
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
+#include <Library/BlobVerifierLib.h>
 #include <Library/DebugLib.h>
 #include <Library/DevicePathLib.h>
 #include <Library/MemoryAllocationLib.h>
@@ -1039,6 +1040,14 @@ QemuKernelLoaderFsDxeEntrypoint (
     if (EFI_ERROR (Status)) {
       goto FreeBlobs;
     }
+    Status =3D VerifyBlob (
+               CurrentBlob->Name,
+               CurrentBlob->Data,
+               CurrentBlob->Size
+               );
+    if (EFI_ERROR (Status)) {
+      goto FreeBlobs;
+    }
     mTotalBlobBytes +=3D CurrentBlob->Size;
   }
   KernelBlob      =3D &mKernelBlob[KernelBlobTypeKernel];
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78077): https://edk2.groups.io/g/devel/message/78077
Mute This Topic: https://groups.io/mt/84375118/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78078+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78078+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943411; cv=none;
	d=zohomail.com; s=zohoarc;
	b=LheByFDgmlgkDUF/y1wjhKk0uAjGJ/I6kjl4MQUtSoFV16kx1+2leu55jo4esN81yHEz9zZCPaNqh/EtRxS4m2pusM2dajxEPeLuGptrqd7GYj1Z2J6XeZpz2iC2/hxrMtMglYiTjti+xwVzey5kXXEDZVWVFznKH71QjHwTrhs=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943411;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=huLBr4wTG1no/hp8LuPZAMWqP8yTkH70gLfFKgFStlc=;
	b=jyp1tVz6Rz8+8aI6/ECJ9chvVgE1vnLKG/wWFIqMoxPk6Pcr56h1tV1n0Y+p03Ael3eC/N0ELjmBoA6X3DZX7usL8Hn023kyGDhvJDdBpleQ8G42zHtaG/T2R7gXolnkZSk5O4qoRimzD1aDAiAzyeNiaZab4PK24zuw/FcNALk=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78078+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943411918885.8570582394053;
 Thu, 22 Jul 2021 01:43:31 -0700 (PDT)
Return-Path: <bounce+27952+78078+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id xBtyYY1788612x3XUX8wzIsw;
 Thu, 22 Jul 2021 01:43:31 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.158.5])
 by mx.groups.io with SMTP id smtpd.web10.5255.1626943410987972832
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:31 -0700
X-Received: from pps.filterd (m0098413.ppops.net [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8YVbd179445;
	Thu, 22 Jul 2021 04:43:29 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0b-001b2d01.pphosted.com with ESMTP id 39y3ycta24-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:29 -0400
X-Received: from m0098413.ppops.net (m0098413.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8Z4x9180687;
	Thu, 22 Jul 2021 04:43:29 -0400
X-Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com
 [169.62.189.10])
	by mx0b-001b2d01.pphosted.com with ESMTP id 39y3ycta1y-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:29 -0400
X-Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1])
	by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8bYfS003030;
	Thu, 22 Jul 2021 08:43:28 GMT
X-Received: from b03cxnp08026.gho.boulder.ibm.com
 (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18])
	by ppma02dal.us.ibm.com with ESMTP id 39vuk7d4uj-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:28 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hQCZ31457774
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:26 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id E4F2F78064;
	Thu, 22 Jul 2021 08:43:25 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id E017D78068;
	Thu, 22 Jul 2021 08:43:24 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:24 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 08/11] OvmfPkg/AmdSev/SecretPei: build hob for
 full page
Date: Thu, 22 Jul 2021 08:43:04 +0000
Message-Id: <20210722084307.2890952-9-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: ctnbrJP_FOFF4D7FwIjK5QMOIvMY18Zf
X-Proofpoint-ORIG-GUID: PLU26kaQ9XW1AA20PSdO--FKh98HdVA8
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: ewfcOW9b5BS20yWZ4epApQ0Yx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943411;
 bh=xoqqM7odugx+lJRbpMHpb+kx+Xi91Zs4OZ+njrqzE1Y=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=gmNfqsZeKPQLqgA8qyJd5lP4N4LvNn9fd2wQbaDemsNHzoXUvvkbne6D5zEJuoLmD9W
 WmThUytiDq1UsR23sK43aj6aYTrq7dGL5PyvZtg99Hd1pwN4tnBdSrpdtXFQM2PcOKYpG
 3bYesrPUp5EZGicHbb41bYyo5MoKCViRxyw=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943413122100009
Content-Type: text/plain; charset="utf-8"

Round up the size of the SEV launch secret area to a whole page, as
required by BuildMemoryAllocationHob.  This will allow the secret
area defined in the MEMFD to take less than a whole 4KB page.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/AmdSev/SecretPei/SecretPei.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPe=
i/SecretPei.c
index ad491515dd5d..db94c26b54d1 100644
--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
@@ -4,6 +4,7 @@
   Copyright (C) 2020 James Bottomley, IBM Corporation.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
+#include <Base.h>
 #include <PiPei.h>
 #include <Library/HobLib.h>
 #include <Library/PcdLib.h>
@@ -17,7 +18,7 @@ InitializeSecretPei (
 {
   BuildMemoryAllocationHob (
     PcdGet32 (PcdSevLaunchSecretBase),
-    PcdGet32 (PcdSevLaunchSecretSize),
+    ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE),
     EfiBootServicesData
     );
=20
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78078): https://edk2.groups.io/g/devel/message/78078
Mute This Topic: https://groups.io/mt/84375119/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78079+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78079+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943413; cv=none;
	d=zohomail.com; s=zohoarc;
	b=bsfqyyhl5+YRHxlCwU7BEKgcdvLoVAPuDlC0OFxbihGU5CUJ92yx9pec8AqemNepWsJ0htEoIfvQW5Sj33gTPYZDCYCbDjqEXUEkoc+r6cH48Luz+Oo5Ey/PcZZFC/9Yscn4KauCBa5qS1M34U3WARgioToz1Xr7ylGdiefu6Cg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943413;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=zlefPjSerJEIgeSCLL7LlvdfC2u0IR+ggu8eiNqq8nI=;
	b=mefkMV4FCyb13Cu+8N8x8B6ArvicL+EIgmaSSCFHYziglyVbPztU37avL8+5k6ZyXFBUxfVe6vzw4/88uvUQJQHhdI2O3Pg84G/d/vLlo3Ftp4VJLVUE3lkGkXIQIlJqaFboqCiFeM2UUip54Jzh+F6udcCzDhr9elG7FU8wZ1Q=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78079+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943413333723.1295506380764;
 Thu, 22 Jul 2021 01:43:33 -0700 (PDT)
Return-Path: <bounce+27952+78079+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id 6fhzYY1788612x3YuS7ngKi7;
 Thu, 22 Jul 2021 01:43:33 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web09.5232.1626943412541384503
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:32 -0700
X-Received: from pps.filterd (m0098396.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8XYlm110011;
	Thu, 22 Jul 2021 04:43:31 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y476sv16-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:30 -0400
X-Received: from m0098396.ppops.net (m0098396.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8Ypwr113241;
	Thu, 22 Jul 2021 04:43:30 -0400
X-Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com
 [169.62.189.10])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y476sv0w-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:30 -0400
X-Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1])
	by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8bZen003109;
	Thu, 22 Jul 2021 08:43:29 GMT
X-Received: from b03cxnp08028.gho.boulder.ibm.com
 (b03cxnp08028.gho.boulder.ibm.com [9.17.130.20])
	by ppma02dal.us.ibm.com with ESMTP id 39vuk7d4v9-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:29 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp08028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hRAF34603500
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:27 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 1352178064;
	Thu, 22 Jul 2021 08:43:27 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 0F2A67806E;
	Thu, 22 Jul 2021 08:43:26 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:25 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 09/11] OvmfPkg/AmdSev: reserve MEMFD space for
 for firmware config hashes
Date: Thu, 22 Jul 2021 08:43:05 +0000
Message-Id: <20210722084307.2890952-10-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: 4_twtdwyeSBWjaNh0J3x3kv7BmFDIhMS
X-Proofpoint-ORIG-GUID: odTUneTYOLjrB-KbGqvCPnAzmzfKDFu4
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: 8jeAGurLBUSuKc9vJwc23SWrx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943413;
 bh=nu8TlgmS6WGgl76K+dJQSYDqwc92IiD0/bid8ML1XIA=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=iOdHWXv9dp2ikvthz5m5G6sMAwJjofsantRd12Y3LuUXvTRKPhdWPs6WpxWc80u2jva
 lKdOoHWwJsGIJNTYvtoG0L4BQJjsxJdtlKHB4ucaEAids9p4sPX5uiIDgwIp2TfH7xEfB
 6QCwXTPiwG4wzf+6R92xRrW3GjiHH7r1ilo=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943415329100002
Content-Type: text/plain; charset="utf-8"

From: James Bottomley <jejb@linux.ibm.com>

Split the existing 4KB page reserved for SEV launch secrets into two
parts: first 3KB for SEV launch secrets and last 1KB for firmware
config hashes.

The area of the firmware config hashes will be attested (measured) by
the PSP and thus the untrusted VMM can't pass in different files from
what the guest owner allows.

Declare this in the Reset Vector table using GUID
7255371f-3a3b-4b04-927b-1da6efa8d454 and a uint32_t table of a base
and size value (similar to the structure used to declare the launch
secret block).

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Co-developed-by: Dov Murik <dovmurik@linux.ibm.com>
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/OvmfPkg.dec                          |  6 ++++++
 OvmfPkg/AmdSev/AmdSevX64.fdf                 |  5 ++++-
 OvmfPkg/ResetVector/ResetVector.inf          |  2 ++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 20 ++++++++++++++++++++
 OvmfPkg/ResetVector/ResetVector.nasmb        |  2 ++
 5 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index f82228d69cc2..2ab27f0c73c2 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -324,6 +324,12 @@ [PcdsFixedAtBuild]
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43
=20
+  ## The base address and size of a hash table confirming allowed
+  #  parameters to be passed in via the Qemu firmware configuration
+  #  device
+  gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|0x0|UINT32|0x47
+  gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize|0x0|UINT32|0x48
+
 [PcdsDynamic, PcdsDynamicEx]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 9977b0f00a18..0a89749700c3 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -59,9 +59,12 @@ [FD.MEMFD]
 0x00B000|0x001000
 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P=
cdSevEsWorkAreaSize
=20
-0x00C000|0x001000
+0x00C000|0x000C00
 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGu=
id.PcdSevLaunchSecretSize
=20
+0x00CC00|0x000400
+gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|gUefiOvmfPkgTokenSpaceGuid=
.PcdQemuHashTableSize
+
 0x00D000|0x001000
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace=
Guid.PcdOvmfSecGhcbBackupSize
=20
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese=
tVector.inf
index dc38f68919cd..d028c92d8cfa 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -47,3 +47,5 @@ [Pcd]
 [FixedPcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
   gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+  gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe=
ctor/Ia16/ResetVectorVtf0.asm
index 9c0b5853a46f..7ec3c6e980c3 100644
--- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
+++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -47,7 +47,27 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart =
+ 15) % 16)) DB 0
 ;
 guidedStructureStart:
=20
+; SEV Hash Table Block
 ;
+; This describes the guest ram area where the hypervisor should
+; install a table describing the hashes of certain firmware configuration
+; device files that would otherwise be passed in unchecked.  The current
+; use is for the kernel, initrd and command line values, but others may be
+; added.  The data format is:
+;
+; base physical address (32 bit word)
+; table length (32 bit word)
+;
+; GUID (SEV FW config hash block): 7255371f-3a3b-4b04-927b-1da6efa8d454
+;
+sevFwHashBlockStart:
+    DD      SEV_FW_HASH_BLOCK_BASE
+    DD      SEV_FW_HASH_BLOCK_SIZE
+    DW      sevFwHashBlockEnd - sevFwHashBlockStart
+    DB      0x1f, 0x37, 0x55, 0x72, 0x3b, 0x3a, 0x04, 0x4b
+    DB      0x92, 0x7b, 0x1d, 0xa6, 0xef, 0xa8, 0xd4, 0x54
+sevFwHashBlockEnd:
+
 ; SEV Secret block
 ;
 ; This describes the guest ram area where the hypervisor should
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re=
setVector.nasmb
index 5fbacaed5f9d..8d0bab02f8cb 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -88,5 +88,7 @@
   %define SEV_ES_AP_RESET_IP  FixedPcdGet32 (PcdSevEsWorkAreaBase)
   %define SEV_LAUNCH_SECRET_BASE  FixedPcdGet32 (PcdSevLaunchSecretBase)
   %define SEV_LAUNCH_SECRET_SIZE  FixedPcdGet32 (PcdSevLaunchSecretSize)
+  %define SEV_FW_HASH_BLOCK_BASE  FixedPcdGet32 (PcdQemuHashTableBase)
+  %define SEV_FW_HASH_BLOCK_SIZE  FixedPcdGet32 (PcdQemuHashTableSize)
 %include "Ia16/ResetVectorVtf0.asm"
=20
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78079): https://edk2.groups.io/g/devel/message/78079
Mute This Topic: https://groups.io/mt/84375120/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78084+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78084+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943458; cv=none;
	d=zohomail.com; s=zohoarc;
	b=DzVDeCtYVcjoHiXMWJguxElygzglyoazfvW7Fi99kFH5ZrKqrIa7w87WYmnfL03rLLLVPIDYY5cXorfB9f9RKtPaIynPBnOPZUA2eFLcQJtYEmue70icfuQpwg5TCiemmkNSjnKQ7DZ+ouiSsieSXLmywFQzBT1T5oq39cAwf34=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943458;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=qakaWcT85xBidrfS2bscXyDPAwbzbRQDuNB8b9ET0bc=;
	b=RY9we7HCfk92kCa27CLWUsmopH+6H4kWM2OXwiOmOV31ITNidW7gYUU8wMSjj2XzLYAF+d1gDsIBf2xigjlWpVuYijF7vE0osMX4tFeqmazZrNYdwrjyUdeQ9UiN0nA6u+1auAyjtTKj7zrCAvc74xnXI763bx9o8SmGrzQLVxw=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78084+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943458682927.5831884496612;
 Thu, 22 Jul 2021 01:44:18 -0700 (PDT)
Return-Path: <bounce+27952+78084+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id Pb49YY1788612xV8PS9IXpgX;
 Thu, 22 Jul 2021 01:44:18 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web10.5260.1626943457845486410
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:44:17 -0700
X-Received: from pps.filterd (m0098410.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8XZEp007812;
	Thu, 22 Jul 2021 04:44:16 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y4ca9nud-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:44:16 -0400
X-Received: from m0098410.ppops.net (m0098410.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8ZLtU015624;
	Thu, 22 Jul 2021 04:44:15 -0400
X-Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com
 [169.63.214.131])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y4ca9ntw-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:44:15 -0400
X-Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1])
	by ppma01dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8hM3O018004;
	Thu, 22 Jul 2021 08:44:14 GMT
X-Received: from b03cxnp07027.gho.boulder.ibm.com
 (b03cxnp07027.gho.boulder.ibm.com [9.17.130.14])
	by ppma01dal.us.ibm.com with ESMTP id 39upueekde-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:44:14 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hSXn27853180
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:28 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 2F31878067;
	Thu, 22 Jul 2021 08:43:28 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 366BE78068;
	Thu, 22 Jul 2021 08:43:27 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:27 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 10/11] OvmfPkg: add BlobVerifierLibSevHashes
Date: Thu, 22 Jul 2021 08:43:06 +0000
Message-Id: <20210722084307.2890952-11-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: GZXbsE84uMJr6zy97LqAVRHDzsm55qMU
X-Proofpoint-GUID: qMkyhXBpH74MtPWDVDqZRuxk0_nNbs46
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: 5kQq1MLT4MAXMCZklTpjSgkFx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943458;
 bh=CmX8jEraWCn4cz5BRUv6ZRguPAj7JP50pKUt40U8JBw=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=ZpOVGBYEVIzZ/annQPssgw851+E7NXU9PZsRXYnXYEF/JqinSezff8K6t9eOjemfRvT
 mj9rMrVS3ppU5plEW5m3XtXQcNYH6aJuP0ZwLvjndyXiqzVW+Sg+yTs6DTuSAyicNYY/2
 oPDyucF0g4p4YNJQ2qf6jP/l/kKOhtgmoyU=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943460054100002
Content-Type: text/plain; charset="utf-8"

Add an implementation for BlobVerifierLib that locates the SEV hashes
table and verifies that the calculated hashes of the kernel, initrd, and
cmdline blobs indeed match the expected hashes stated in the hashes
table.

If there's a missing hash or a hash mismatch then EFI_ACCESS_DENIED is
returned which will cause a failure to load a kernel image.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Co-developed-by: James Bottomley <jejb@linux.ibm.com>
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
 OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf |  37 ++++
 OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c      | 199 +++++++=
+++++++++++++
 2 files changed, 236 insertions(+)

diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf b=
/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf
new file mode 100644
index 000000000000..76ca0b8154ce
--- /dev/null
+++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf
@@ -0,0 +1,37 @@
+## @file
+#
+#  Blob verifier library that uses SEV hashes table.  The hashes table hol=
ds the
+#  allowed hashes of the kernel, initrd, and cmdline blobs.
+#
+#  Copyright (C) 2021, IBM Corp
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    =3D 1.29
+  BASE_NAME                      =3D BlobVerifierLibSevHashes
+  FILE_GUID                      =3D 59e713b5-eff3-46a7-8d8b-46f4c004ad7b
+  MODULE_TYPE                    =3D BASE
+  VERSION_STRING                 =3D 1.0
+  LIBRARY_CLASS                  =3D BlobVerifierLib
+  CONSTRUCTOR                    =3D BlobVerifierLibSevHashesConstructor
+
+[Sources]
+  BlobVerifierSevHashes.c
+
+[Packages]
+  CryptoPkg/CryptoPkg.dec
+  MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+  BaseCryptLib
+  BaseMemoryLib
+  DebugLib
+  PcdLib
+
+[FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize
diff --git a/OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c b/Ovmf=
Pkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c
new file mode 100644
index 000000000000..372ae6f469e7
--- /dev/null
+++ b/OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c
@@ -0,0 +1,199 @@
+/** @file
+
+  Blob verifier library that uses SEV hashes table.  The hashes table hold=
s the
+  allowed hashes of the kernel, initrd, and cmdline blobs.
+
+  Copyright (C) 2021, IBM Corporation
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Library/BaseCryptLib.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BlobVerifierLib.h>
+
+/**
+  The SEV Hashes table must be in encrypted memory and has the table
+  and its entries described by
+
+  <GUID>|UINT16 <len>|<data>
+
+  With the whole table GUID being 9438d606-4f22-4cc9-b479-a793d411fd21
+
+  The current possible table entries are for the kernel, the initrd
+  and the cmdline:
+
+  4de79437-abd2-427f-b835-d5b172d2045b  kernel
+  44baf731-3a2f-4bd7-9af1-41e29169781d  initrd
+  97d02dd8-bd20-4c94-aa78-e7714d36ab2a  cmdline
+
+  The size of the entry is used to identify the hash, but the
+  expectation is that it will be 32 bytes of SHA-256.
+**/
+
+#define SEV_HASH_TABLE_GUID \
+  (GUID) { 0x9438d606, 0x4f22, 0x4cc9, { 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x1=
1, 0xfd, 0x21 } }
+#define SEV_KERNEL_HASH_GUID \
+  (GUID) { 0x4de79437, 0xabd2, 0x427f, { 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd=
2, 0x04, 0x5b } }
+#define SEV_INITRD_HASH_GUID \
+  (GUID) { 0x44baf731, 0x3a2f, 0x4bd7, { 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x6=
9, 0x78, 0x1d } }
+#define SEV_CMDLINE_HASH_GUID \
+  (GUID) { 0x97d02dd8, 0xbd20, 0x4c94, { 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x3=
6, 0xab, 0x2a } }
+
+STATIC CONST EFI_GUID mSevKernelHashGuid =3D SEV_KERNEL_HASH_GUID;
+STATIC CONST EFI_GUID mSevInitrdHashGuid =3D SEV_INITRD_HASH_GUID;
+STATIC CONST EFI_GUID mSevCmdlineHashGuid =3D SEV_CMDLINE_HASH_GUID;
+
+#pragma pack (1)
+typedef struct {
+  GUID   Guid;
+  UINT16 Len;
+  UINT8  Data[];
+} HASH_TABLE;
+#pragma pack ()
+
+STATIC HASH_TABLE *mHashesTable;
+STATIC UINT16 mHashesTableSize;
+
+STATIC
+CONST GUID*
+FindBlobEntryGuid (
+  IN  CONST CHAR16    *BlobName
+  )
+{
+  if (StrCmp (BlobName, L"kernel") =3D=3D 0) {
+    return &mSevKernelHashGuid;
+  } else if (StrCmp (BlobName, L"initrd") =3D=3D 0) {
+    return &mSevInitrdHashGuid;
+  } else if (StrCmp (BlobName, L"cmdline") =3D=3D 0) {
+    return &mSevCmdlineHashGuid;
+  } else {
+    return NULL;
+  }
+}
+
+/**
+  Verify blob from an external source.
+
+  @param[in] BlobName           The name of the blob
+  @param[in] Buf                The data of the blob
+  @param[in] BufSize            The size of the blob in bytes
+
+  @retval EFI_SUCCESS           The blob was verified successfully.
+  @retval EFI_ACCESS_DENIED     The blob could not be verified, and theref=
ore
+                                should be considered non-secure.
+**/
+EFI_STATUS
+EFIAPI
+VerifyBlob (
+  IN  CONST CHAR16    *BlobName,
+  IN  CONST VOID      *Buf,
+  IN  UINT32          BufSize
+  )
+{
+  CONST GUID *Guid;
+  INT32 Remaining;
+  HASH_TABLE *Entry;
+
+  if (mHashesTable =3D=3D NULL || mHashesTableSize =3D=3D 0) {
+    DEBUG ((DEBUG_ERROR,
+      "%a: Verifier called but no hashes table discoverd in MEMFD\n",
+      __FUNCTION__));
+    return EFI_ACCESS_DENIED;
+  }
+
+  Guid =3D FindBlobEntryGuid (BlobName);
+  if (Guid =3D=3D NULL) {
+    DEBUG ((DEBUG_ERROR, "%a: Unknown blob name \"%s\"\n", __FUNCTION__,
+      BlobName));
+    return EFI_ACCESS_DENIED;
+  }
+
+  //
+  // Remaining is INT32 to catch underflow in case Entry->Len has a
+  // very high UINT16 value
+  //
+  for (Entry =3D mHashesTable, Remaining =3D mHashesTableSize;
+       Remaining >=3D sizeof *Entry && Remaining >=3D Entry->Len;
+       Remaining -=3D Entry->Len,
+       Entry =3D (HASH_TABLE *)((UINT8 *)Entry + Entry->Len)) {
+    UINTN EntrySize;
+    EFI_STATUS Status;
+    UINT8 Hash[SHA256_DIGEST_SIZE];
+
+    if (!CompareGuid (&Entry->Guid, Guid)) {
+      continue;
+    }
+
+    DEBUG ((DEBUG_INFO, "%a: Found GUID %g in table\n", __FUNCTION__, Guid=
));
+
+    EntrySize =3D Entry->Len - sizeof Entry->Guid - sizeof Entry->Len;
+    if (EntrySize !=3D SHA256_DIGEST_SIZE) {
+      DEBUG ((DEBUG_ERROR, "%a: Hash has the wrong size %d !=3D %d\n",
+        __FUNCTION__, EntrySize, SHA256_DIGEST_SIZE));
+      return EFI_ACCESS_DENIED;
+    }
+
+    //
+    // Calculate the buffer's hash and verify that it is identical to the
+    // expected hash table entry
+    //
+    Sha256HashAll (Buf, BufSize, Hash);
+
+    if (CompareMem (Entry->Data, Hash, EntrySize) =3D=3D 0) {
+      Status =3D EFI_SUCCESS;
+      DEBUG ((DEBUG_INFO, "%a: Hash comparison succeeded for \"%s\"\n",
+        __FUNCTION__, BlobName));
+    } else {
+      Status =3D EFI_ACCESS_DENIED;
+      DEBUG ((DEBUG_ERROR, "%a: Hash comparison failed for \"%s\"\n",
+        __FUNCTION__, BlobName));
+    }
+    return Status;
+  }
+
+  DEBUG ((DEBUG_ERROR, "%a: Hash GUID %g not found in table\n", __FUNCTION=
__,
+    Guid));
+  return EFI_ACCESS_DENIED;
+}
+
+/**
+  Locate the SEV hashes table.
+
+  This function always returns success, even if the table can't be found. =
 The
+  subsequent VerifyBlob calls will fail if no table was found.
+
+  @retval RETURN_SUCCESS   The hashes table is set up correctly, or there =
is no
+                           hashes table
+**/
+RETURN_STATUS
+EFIAPI
+BlobVerifierLibSevHashesConstructor (
+  VOID
+  )
+{
+  HASH_TABLE *Ptr =3D (void *)(UINTN)FixedPcdGet64 (PcdQemuHashTableBase);
+  UINT32 Size =3D FixedPcdGet32 (PcdQemuHashTableSize);
+
+  mHashesTable =3D NULL;
+  mHashesTableSize =3D 0;
+
+  if (Ptr =3D=3D NULL || Size < sizeof *Ptr ||
+      !CompareGuid (&Ptr->Guid, &SEV_HASH_TABLE_GUID) ||
+      Ptr->Len < sizeof *Ptr || Ptr->Len > Size) {
+    return RETURN_SUCCESS;
+  }
+
+  DEBUG ((DEBUG_INFO, "%a: Found injected hashes table in secure location\=
n",
+    __FUNCTION__));
+
+  mHashesTable =3D (HASH_TABLE *)Ptr->Data;
+  mHashesTableSize =3D Ptr->Len - sizeof Ptr->Guid - sizeof Ptr->Len;
+
+  DEBUG ((DEBUG_VERBOSE, "%a: mHashesTable=3D0x%p, Size=3D%u\n", __FUNCTIO=
N__,
+    mHashesTable, mHashesTableSize));
+
+  return RETURN_SUCCESS;
+}
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78084): https://edk2.groups.io/g/devel/message/78084
Mute This Topic: https://groups.io/mt/84375131/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-


From nobody Sun Apr 28 20:19:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+78082+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78082+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1626943420; cv=none;
	d=zohomail.com; s=zohoarc;
	b=m1qJcZ9PwwTB1dbZ4CchxPUtqIrzQZlI19YhHjdSlLUeZlrxkjBiKNhIum1OYnnkE+2QCtjCEBo0iwN3IqqKDXpqNACsJZvpf70tLkccQaxTq1S0gOXUeNNOkg7FR3A7OW8aymIiDEW1+gWiOeY6N6mm9oQpA+r7viJQbgdeZd8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1626943420;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=E1LL8uhyxYopbVTVT4O/F7JglR6qtVY5kDohAkW37SY=;
	b=YUJvUs4+bTa51ihGjX4OGJtVIv2LP7p3WKeIHFGTzBeV8rL8QgxkDw1Q30mbnJG85S7PBnrj1bLS4xL2Alb+72todt4FT0d7gvJrWP0TEVX0ul4JEWgX62lh3su7cWv5ZY7czxUEigRs+9SBwSnmCMJVeyS0xDDYetCoyYefYEI=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+78082+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1626943420923787.955045415242;
 Thu, 22 Jul 2021 01:43:40 -0700 (PDT)
Return-Path: <bounce+27952+78082+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id Ke7UYY1788612xlL9NEz1ZzX;
 Thu, 22 Jul 2021 01:43:40 -0700
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.156.1])
 by mx.groups.io with SMTP id smtpd.web08.5241.1626943420072242264
 for <devel@edk2.groups.io>;
 Thu, 22 Jul 2021 01:43:40 -0700
X-Received: from pps.filterd (m0098393.ppops.net [127.0.0.1])
	by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id
 16M8YVSR037292;
	Thu, 22 Jul 2021 04:43:38 -0400
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y1x1n96d-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:38 -0400
X-Received: from m0098393.ppops.net (m0098393.ppops.net [127.0.0.1])
	by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 16M8YeW9037734;
	Thu, 22 Jul 2021 04:43:37 -0400
X-Received: from ppma05wdc.us.ibm.com (1b.90.2fa9.ip4.static.sl-reverse.com
 [169.47.144.27])
	by mx0a-001b2d01.pphosted.com with ESMTP id 39y1x1n94a-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 04:43:37 -0400
X-Received: from pps.filterd (ppma05wdc.us.ibm.com [127.0.0.1])
	by ppma05wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 16M8gB6O012218;
	Thu, 22 Jul 2021 08:43:31 GMT
X-Received: from b03cxnp07029.gho.boulder.ibm.com
 (b03cxnp07029.gho.boulder.ibm.com [9.17.130.16])
	by ppma05wdc.us.ibm.com with ESMTP id 39upucynek-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Thu, 22 Jul 2021 08:43:31 +0000
X-Received: from b03ledav004.gho.boulder.ibm.com
 (b03ledav004.gho.boulder.ibm.com [9.17.130.235])
	by b03cxnp07029.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 16M8hTTj45482296
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 22 Jul 2021 08:43:29 GMT
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 5A07478066;
	Thu, 22 Jul 2021 08:43:29 +0000 (GMT)
X-Received: from b03ledav004.gho.boulder.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 579C77805E;
	Thu, 22 Jul 2021 08:43:28 +0000 (GMT)
X-Received: from localhost.localdomain (unknown [9.2.130.16])
	by b03ledav004.gho.boulder.ibm.com (Postfix) with ESMTP;
	Thu, 22 Jul 2021 08:43:28 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>, Jim Cadden <jcadden@ibm.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Brijesh Singh <brijesh.singh@amd.com>,
        Erdem Aktas <erdemaktas@google.com>,
 Jiewen Yao <jiewen.yao@intel.com>,
        Min Xu <min.m.xu@intel.com>, Tom Lendacky <thomas.lendacky@amd.com>
Subject: [edk2-devel] [PATCH v4 11/11] OvmfPkg/AmdSev: Enforce hash
 verification of kernel blobs
Date: Thu, 22 Jul 2021 08:43:07 +0000
Message-Id: <20210722084307.2890952-12-dovmurik@linux.ibm.com>
In-Reply-To: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
References: <20210722084307.2890952-1-dovmurik@linux.ibm.com>
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: yqThYFI6IJIfwFp-vnRhKkhrT1acxTx8
X-Proofpoint-ORIG-GUID: HQ4AzcRqcNHoQvjQpSLuJ7Jh2UeeCxKA
X-Proofpoint-UnRewURL: 0 URL was un-rewritten
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: Ug2iBd22lpolvEi7mVt6iU2fx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1626943420;
 bh=aZ9BF4jTjvu1rEVaSi9UYr0itgIpqdfs+logTsvWrYw=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=JjFq2ZQ8FmMZ5Hp7ZXV/+7Lh5j8EXazr+cSK8fMAoN+QB30x2M+Ok0tzLB9qb1BiMga
 mKRQafYRnjuvhDsvsiqB7n0GhLU3UgAe8KdnM7WNWjuR07ytfFtVvFULq/gHETYfQGEvn
 nsERaUzYJyx9fbott7mWKGFZoZGvlWvIdFE=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1626943421786100002
Content-Type: text/plain; charset="utf-8"

In the AmdSevX64 build, use BlobVerifierLibSevHashes to enforce
verification of hashes of the kernel/initrd/cmdline blobs fetched from
firmware config.

This allows for secure (measured) boot of SEV guests with QEMU's
-kernel/-initrd/-append switches (with the corresponding QEMU support
for injecting the hashes table into initial measured guest memory).

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ashish Kalra <ashish.kalra@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3457
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index b2cc96cc5a97..c01599ea354f 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -173,7 +173,7 @@ [LibraryClasses]
   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf
   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/Customize=
dDisplayLib.inf
   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltL=
ib.inf
-  BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+  BlobVerifierLib|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes=
.inf
=20
 !if $(SOURCE_DEBUG_ENABLE) =3D=3D TRUE
   PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDeb=
ug/PeCoffExtraActionLibDebug.inf
@@ -696,7 +696,7 @@ [Components]
   }
   OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf {
     <LibraryClasses>
-      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf
+      NULL|OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf
   }
   OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
   OvmfPkg/Virtio10Dxe/Virtio10.inf
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78082): https://edk2.groups.io/g/devel/message/78082
Mute This Topic: https://groups.io/mt/84375127/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-