From nobody Mon Feb  9 16:50:58 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+100364+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+100364+1787277+3901457@groups.io;
	dmarc=fail(p=reject dis=none)  header.from=linux.ibm.com
ARC-Seal: i=1; a=rsa-sha256; t=1676883004; cv=none;
	d=zohomail.com; s=zohoarc;
	b=ZcXOjtKODULtY7OdYbIDSKwzTAx7dBqLPCK7TTVpord2Lv9XdXwHSxx5Urjb0TmmxhJjrl+/pcsYHtEc8havZ08dcwUKG+sFjlhnyiq7j4X8NQXG+iQo7XYqQD6gZ3mCaIRf46eUhPhWtP1VNrPRtvdVH1+JKhyDeNv5MI1uln4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1676883004;
 h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To;
	bh=Dft+qVylZMpnBCF39bHOTzshaUy49kF3xICHo/ZhThY=;
	b=fqhtzIyxEL8juOj8iEUJ22IxrzpxULzPDY0c8GBvSnUjModknfZOax1yjsukHeJ3E9ALd90kJ7Z5WwOaOnYXIWWSUsB8yzVliGtYMzIbaVrHFfoxNUtJ/qB5MFInklTn6k2XZ8ipBSseCMCm6xfaZKDF1l+1QTLGtmosJ1lJ5RU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+100364+1787277+3901457@groups.io;
	dmarc=fail header.from=<dovmurik@linux.ibm.com> (p=reject dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 167688300387221.180627539224815;
 Mon, 20 Feb 2023 00:50:03 -0800 (PST)
Return-Path: <bounce+27952+100364+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id MbsMYY1788612xj1DVk2eVvt;
 Mon, 20 Feb 2023 00:50:03 -0800
X-Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com
 [148.163.158.5])
 by mx.groups.io with SMTP id smtpd.web11.8794.1676883002054843275
 for <devel@edk2.groups.io>;
 Mon, 20 Feb 2023 00:50:02 -0800
X-Received: from pps.filterd (m0098419.ppops.net [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
 31K6DKwm011910;
	Mon, 20 Feb 2023 08:49:59 GMT
X-Received: from pps.reinject (localhost [127.0.0.1])
	by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3nv1ukdgdv-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Mon, 20 Feb 2023 08:49:59 +0000
X-Received: from m0098419.ppops.net (m0098419.ppops.net [127.0.0.1])
	by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 31K89Lw8019097;
	Mon, 20 Feb 2023 08:49:58 GMT
X-Received: from ppma01wdc.us.ibm.com (fd.55.37a9.ip4.static.sl-reverse.com
 [169.55.85.253])
	by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3nv1ukdgdf-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Mon, 20 Feb 2023 08:49:58 +0000
X-Received: from pps.filterd (ppma01wdc.us.ibm.com [127.0.0.1])
	by ppma01wdc.us.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 31K60bcT024430;
	Mon, 20 Feb 2023 08:49:58 GMT
X-Received: from smtprelay06.dal12v.mail.ibm.com ([9.208.130.100])
	by ppma01wdc.us.ibm.com (PPS) with ESMTPS id 3ntpa6m6ts-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Mon, 20 Feb 2023 08:49:58 +0000
X-Received: from smtpav04.dal12v.mail.ibm.com (smtpav04.dal12v.mail.ibm.com
 [10.241.53.103])
	by smtprelay06.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
 31K8nuGD9634460
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Mon, 20 Feb 2023 08:49:57 GMT
X-Received: from smtpav04.dal12v.mail.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id D9B7358066;
	Mon, 20 Feb 2023 08:49:56 +0000 (GMT)
X-Received: from smtpav04.dal12v.mail.ibm.com (unknown [127.0.0.1])
	by IMSVA (Postfix) with ESMTP id 16E5C5805A;
	Mon, 20 Feb 2023 08:49:56 +0000 (GMT)
X-Received: from amdmilan1.watson.ibm.com (unknown [9.2.130.16])
	by smtpav04.dal12v.mail.ibm.com (Postfix) with ESMTP;
	Mon, 20 Feb 2023 08:49:56 +0000 (GMT)
From: "Dov Murik" <dovmurik@linux.ibm.com>
To: devel@edk2.groups.io
Cc: Dov Murik <dovmurik@linux.ibm.com>,
        Ard Biesheuvel <ardb+tianocore@kernel.org>,
        Jiewen Yao <jiewen.yao@intel.com>,
        Jordan Justen <jordan.l.justen@intel.com>,
        Gerd Hoffmann <kraxel@redhat.com>,
 Erdem Aktas <erdemaktas@google.com>,
        James Bottomley <jejb@linux.ibm.com>, Min Xu <min.m.xu@intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Michael Roth <michael.roth@amd.com>,
        Ashish Kalra <ashish.kalra@amd.com>,
        Mario Smarduch <mario.smarduch@amd.com>,
        Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Subject: [edk2-devel] [RESEND] [PATCH v2 2/2] OvmfPkg/ResetVector: Exclude SEV
 launch secrets page from pre-validation
Date: Mon, 20 Feb 2023 08:49:42 +0000
Message-Id: <20230220084942.1292756-3-dovmurik@linux.ibm.com>
In-Reply-To: <20230220084942.1292756-1-dovmurik@linux.ibm.com>
References: <20230220084942.1292756-1-dovmurik@linux.ibm.com>
MIME-Version: 1.0
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: RtVNWv0zl8VbuOFO492A_-I39RuF2k6Z
X-Proofpoint-ORIG-GUID: JoMEkwoO36UqIPR-SM59amyktEgvNnIX
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dovmurik@linux.ibm.com
X-Gm-Message-State: Qtx9SQLnYMZYFj5xnGvmMIP2x1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1676883003;
 bh=6h+qf8FZZhbnDaMQTcb2qjQ7eD0dToG/aSrfKEew9gE=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=oytttmPPlKeSD6uiRkpR7Dte+goTsKzA/i5CAkQDlEc2tIbD8CEwaFXMkqgHLEjZ8yE
 ru26twYYc/PJ7oxSk0r3YQqE/HmuQeX1jHzxDs0x5T4FJty2B0qMgL2WlpAorSuLk9guG
 AdXUNBi4kT2IgZr2HbVnOVq0dVTzGQJzOhA=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1676883005917100001
Content-Type: text/plain; charset="utf-8"

In order to allow the VMM (such as QEMU) to add a page with hashes of
kernel/initrd/cmdline for measured direct boot on SNP, this page must
not be part of the SNP metadata list reported to the VMM.

Check if that page is defined; if it is, skip it in the metadata list.
In such case, VMM should fill the page with the hashes content, or
explicitly update it as a zero page (if kernel hashes are not used).

Note that for SNP, the launch secret part of the page (lower 3KB) are
not relevant and will stay zero.  The last 1KB is used for the hashes.

This should have no effect on OvmfPkgX64 targets (which don't define
PcdSevLaunchSecretBase).

Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
---
 OvmfPkg/ResetVector/ResetVector.nasmb | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re=
setVector.nasmb
index 94fbb0a87b37..16f3daf49d82 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -75,7 +75,19 @@
 ;
 %define SNP_SEC_MEM_BASE_DESC_2       (GHCB_BASE + 0x1000)
 %define SNP_SEC_MEM_SIZE_DESC_2       (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_=
BASE_DESC_2)
-%define SNP_SEC_MEM_BASE_DESC_3       (CPUID_BASE + CPUID_SIZE)
+%if (FixedPcdGet32 (PcdSevLaunchSecretBase) > 0)
+  ; There's a reserved page for SEV secrets and hashes; the VMM will fill =
and
+  ; validate the page, or mark it as a zero page.
+  %define EXPECTED_END_OF_LAUNCH_SECRET_PAGE (FixedPcdGet32 (PcdSevLaunchS=
ecretBase) + \
+                                              FixedPcdGet32 (PcdSevLaunchS=
ecretSize) + \
+                                              FixedPcdGet32 (PcdQemuHashTa=
bleSize))
+  %if (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) !=3D EXPECTED_END_OF_LAUNC=
H_SECRET_PAGE)
+    %error "PcdOvmfSecPeiTempRamBase must start directly after the SEV Lau=
nch Secret page"
+  %endif
+  %define SNP_SEC_MEM_BASE_DESC_3     (FixedPcdGet32 (PcdOvmfSecPeiTempRam=
Base))
+%else
+  %define SNP_SEC_MEM_BASE_DESC_3     (CPUID_BASE + CPUID_SIZE)
+%endif
 %define SNP_SEC_MEM_SIZE_DESC_3       (FixedPcdGet32 (PcdOvmfPeiMemFvBase)=
 - SNP_SEC_MEM_BASE_DESC_3)
=20
 %ifdef ARCH_X64
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#100364): https://edk2.groups.io/g/devel/message/100364
Mute This Topic: https://groups.io/mt/97082683/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-