OvmfPkg/AmdSev: assign and reserve the Sev Secret area

Create a one page secret area in the MEMFD and reserve the area with a
boot time HOB.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20201130202819.3910-6-jejb@linux.ibm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
[lersek@redhat.com: s/protect/reserve/g in the commit message, at Ard's
 and James's suggestion]

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 18707725b3e44a3844f04010ac1cea8eddb8a8e8..e9c522bedad919a9c45dca815effbe1dd1734e29 100644 (file)
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -613,6 +613,7 @@
   OvmfPkg/PlatformPei/PlatformPei.inf\r
   UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf\r
   UefiCpuPkg/CpuMpPei/CpuMpPei.inf\r
+  OvmfPkg/AmdSev/SecretPei/SecretPei.inf\r
 \r
 !if $(TPM_ENABLE) == TRUE\r
   OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf\r

diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 1aa95826384a3de11d4a6f868afd693ad9c78501..b2656a1cf6fca78a2086513d297c8a9f73c83c7e 100644 (file)
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -59,6 +59,9 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmf
 0x00B000|0x001000\r
 gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize\r
 \r
+0x00C000|0x001000\r
+gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize\r
+\r
 0x010000|0x010000\r
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize\r
 \r
@@ -138,6 +141,7 @@ INF  OvmfPkg/PlatformPei/PlatformPei.inf
 INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf\r
 INF  UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf\r
 INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf\r
+INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf\r
 \r
 !if $(TPM_ENABLE) == TRUE\r
 INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf\r

diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
new file mode 100644 (file)
index 0000000..ad49151
--- /dev/null
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
@@ -0,0 +1,25 @@
+/** @file\r
+  SEV Secret boot time HOB placement\r
+\r
+  Copyright (C) 2020 James Bottomley, IBM Corporation.\r
+  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+**/\r
+#include <PiPei.h>\r
+#include <Library/HobLib.h>\r
+#include <Library/PcdLib.h>\r
+\r
+EFI_STATUS\r
+EFIAPI\r
+InitializeSecretPei (\r
+  IN       EFI_PEI_FILE_HANDLE  FileHandle,\r
+  IN CONST EFI_PEI_SERVICES     **PeiServices\r
+  )\r
+{\r
+  BuildMemoryAllocationHob (\r
+    PcdGet32 (PcdSevLaunchSecretBase),\r
+    PcdGet32 (PcdSevLaunchSecretSize),\r
+    EfiBootServicesData\r
+    );\r
+\r
+  return EFI_SUCCESS;\r
+}\r

diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
new file mode 100644 (file)
index 0000000..08be156
--- /dev/null
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
@@ -0,0 +1,35 @@
+## @file\r
+#  PEI support for SEV Secrets\r
+#\r
+#  Copyright (C) 2020 James Bottomley, IBM Corporation.\r
+#\r
+#  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+#\r
+##\r
+\r
+[Defines]\r
+  INF_VERSION                    = 0x00010005\r
+  BASE_NAME                      = SecretPei\r
+  FILE_GUID                      = 45260dde-0c3c-4b41-a226-ef3803fac7d4\r
+  MODULE_TYPE                    = PEIM\r
+  VERSION_STRING                 = 1.0\r
+  ENTRY_POINT                    = InitializeSecretPei\r
+\r
+[Sources]\r
+  SecretPei.c\r
+\r
+[Packages]\r
+  OvmfPkg/OvmfPkg.dec\r
+  MdePkg/MdePkg.dec\r
+\r
+[LibraryClasses]\r
+  HobLib\r
+  PeimEntryPoint\r
+  PcdLib\r
+\r
+[FixedPcd]\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize\r
+\r
+[Depex]\r
+  TRUE\r