[edk2-devel] [PATCH 0/2] OvmgPkg: Add SEV launch secret and hashes table areas

Dov Murik posted 2 patches 2 years, 5 months ago
git fetch https://github.com/patchew-project/edk2 tags/patchew/20211102073422.340858-1-dovmurik@linux.ibm.com
OvmfPkg/Microvm/MicrovmX64.fdf | 8 +++++++-
OvmfPkg/OvmfPkgX64.fdf         | 8 +++++++-
2 files changed, 14 insertions(+), 2 deletions(-)
Posted by Dov Murik 2 years, 5 months ago
The SEV launch secret area and the QEMU hashes table area were specified
in the OvmfPkg/AmdSev/AmdSevX64 MEMFD but not in OvmfPkg/OvmfPkgX64 and
in OvmfPkg/Microvm/MicrovmX64.

This series adds these MEMFD entries to both targets.  It allows QEMU
to discover the secrets area when performing SEV/SEV-ES secret
injection, and to properly fill the hashes table (though currently these
targets do not perform hashes verification when loading
kernel/initrd/cmdline from QEMU via fw_cfg).

After applying the patches, the MEMFD section of the three targets' fdf
files is identical:

    $ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/OvmfPkgX64.fdf | sha1sum
    6ff89173952413fbdb7ffbbf42f8bc389c928500  -
    $ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/Microvm/MicrovmX64.fdf | sha1sum
    6ff89173952413fbdb7ffbbf42f8bc389c928500  -
    $ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/AmdSev/AmdSevX64.fdf | sha1sum
    6ff89173952413fbdb7ffbbf42f8bc389c928500  -

Code is in:
https://github.com/confidential-containers-demo/edk2/tree/add-sev-secret-and-hashes

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>

Dov Murik (2):
  OvmfPkg/OvmfPkgX64: Add SEV launch secret and hashes table areas to
    MEMFD
  OvmfPkg/Microvm: Add SEV launch secret and hashes table areas to MEMFD

 OvmfPkg/Microvm/MicrovmX64.fdf | 8 +++++++-
 OvmfPkg/OvmfPkgX64.fdf         | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

-- 
2.25.1
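
The `sed | sha1sum` comparison in the cover letter can be turned into a repeatable drift check. The script below is an added example, not part of the original post or of edk2. It uses `sha256sum` instead of `sha1sum`, and it fails when the `sed` range matches nothing, because an empty section hashes identically in every file and would pass a plain digest comparison. The function names and the sample FDF content are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the MEMFD layout is the same in every target.

# Print the lines from the FD.MEMFD header through the FV.SECFV header,
# using the same sed range as the cover letter.
memfd_section() {
  sed -n -e '/FD.MEMFD/,/FV.SECFV/p' "$1"
}

# Return 0 only if every file has a non-empty MEMFD section and all
# sections have the same digest. Prints one status line per file.
check_memfd_identical() {
  ref=""
  rc=0
  for f in "$@"; do
    section=$(memfd_section "$f")
    if [ -z "$section" ]; then
      echo "FAIL  $f: no MEMFD section found"
      rc=1
      continue
    fi
    digest=$(printf '%s\n' "$section" | sha256sum | cut -d' ' -f1)
    if [ -z "$ref" ]; then ref=$digest; fi
    if [ "$digest" = "$ref" ]; then
      echo "ok    $f $digest"
    else
      echo "DIFF  $f $digest (expected $ref)"
      rc=1
    fi
  done
  return $rc
}

# Write a constructed FDF fragment (placeholder regions, not the real
# OVMF layout). $2 is an optional extra region line.
write_sample_fdf() {
  {
    echo "[Defines]"
    echo "[FD.MEMFD]"
    echo "0x000000|0x001000  # constructed region A"
    if [ -n "${2:-}" ]; then echo "$2"; fi
    echo "[FV.SECFV]"
    echo "[FV.PEIFV]"
  } > "$1"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  write_sample_fdf "$d/a.fdf" "0x001000|0x001000  # constructed region B"
  write_sample_fdf "$d/b.fdf"   # region B missing, so the layouts differ
  check_memfd_identical "$d/a.fdf" "$d/b.fdf" || echo "layout drift detected"
  rm -rf "$d"
fi
```

Run with `--demo` to see the drift case on the constructed files; in a real tree, pass the three `.fdf` paths named in the cover letter to `check_memfd_identical`.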



Re: [edk2-devel] [PATCH 0/2] OvmgPkg: Add SEV launch secret and hashes table areas
Posted by Gerd Hoffmann 2 years, 5 months ago
On Tue, Nov 02, 2021 at 07:34:20AM +0000, Dov Murik wrote:
> The SEV launch secret area and the QEMU hashes table area were specified
> in the OvmfPkg/AmdSev/AmdSevX64 MEMFD but not in OvmfPkg/OvmfPkgX64 and
> in OvmfPkg/Microvm/MicrovmX64.
> 
> This series adds these MEMFD entries to both targets.  It allows QEMU
> to discover the secrets area when performing SEV/SEV-ES secret
> injection, and to properly fill the hashes table (though currently these
> targets do not perform hashes verification when loading
> kernel/initrd/cmdline from QEMU via fw_cfg).
> 
> After applying the patches, the MEMFD section of the three targets' fdf
> files is identical:
> 
>     $ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/OvmfPkgX64.fdf | sha1sum
>     6ff89173952413fbdb7ffbbf42f8bc389c928500  -
>     $ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/Microvm/MicrovmX64.fdf | sha1sum
>     6ff89173952413fbdb7ffbbf42f8bc389c928500  -
>     $ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/AmdSev/AmdSevX64.fdf | sha1sum
>     6ff89173952413fbdb7ffbbf42f8bc389c928500  -
> 
> Code is in:
> https://github.com/confidential-containers-demo/edk2/tree/add-sev-secret-and-hashes

Acked-by: Gerd Hoffmann <kraxel@redhat.com>

take care,
  Gerd
