OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table
authorJames Bottomley <jejb@linux.ibm.com>
Mon, 30 Nov 2020 20:28:19 +0000 (12:28 -0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Mon, 14 Dec 2020 19:56:18 +0000 (19:56 +0000)
Now that the secret area is protected by a boot time HOB, extract its
location details into a configuration table referenced by
gSevLaunchSecretGuid so the boot loader or OS can locate it before a
call to ExitBootServices().

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb@linux.ibm.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20201130202819.3910-7-jejb@linux.ibm.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
[lersek@redhat.com: fix indentation of InstallConfigurationTable() args]

OvmfPkg/AmdSev/AmdSevX64.dsc
OvmfPkg/AmdSev/AmdSevX64.fdf
OvmfPkg/AmdSev/SecretDxe/SecretDxe.c [new file with mode: 0644]
OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf [new file with mode: 0644]
OvmfPkg/Include/Guid/SevLaunchSecret.h [new file with mode: 0644]
OvmfPkg/OvmfPkg.dec

index e9c522bedad919a9c45dca815effbe1dd1734e29..bb7697eb324bc63ddbb59c1a0ad83e1e4b83d4ec 100644 (file)
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE\r
   }\r
 !endif\r
+  OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf\r
   OvmfPkg/AmdSev/Grub/Grub.inf\r
 !if $(BUILD_SHELL) == TRUE\r
   ShellPkg/Application/Shell/Shell.inf {\r
index b2656a1cf6fca78a2086513d297c8a9f73c83c7e..e8fd4b8c7b89e9e73f313e38acfb2123e2ddcea8 100644 (file)
@@ -269,6 +269,7 @@ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE\r
 INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf\r
 !endif\r
+INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf\r
 INF  OvmfPkg/AmdSev/Grub/Grub.inf\r
 !if $(BUILD_SHELL) == TRUE\r
 INF  ShellPkg/Application/Shell/Shell.inf\r
diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
new file mode 100644 (file)
index 0000000..5385a6a
--- /dev/null
@@ -0,0 +1,27 @@
+/** @file\r
+  SEV Secret configuration table constructor\r
+\r
+  Copyright (C) 2020 James Bottomley, IBM Corporation.\r
+  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+**/\r
+#include <PiDxe.h>\r
+#include <Library/UefiBootServicesTableLib.h>\r
+#include <Guid/SevLaunchSecret.h>\r
+\r
+STATIC SEV_LAUNCH_SECRET_LOCATION mSecretDxeTable = {\r
+  FixedPcdGet32 (PcdSevLaunchSecretBase),\r
+  FixedPcdGet32 (PcdSevLaunchSecretSize),\r
+};\r
+\r
+EFI_STATUS\r
+EFIAPI\r
+InitializeSecretDxe(\r
+  IN EFI_HANDLE           ImageHandle,\r
+  IN EFI_SYSTEM_TABLE     *SystemTable\r
+  )\r
+{\r
+  return gBS->InstallConfigurationTable (\r
+                &gSevLaunchSecretGuid,\r
+                &mSecretDxeTable\r
+                );\r
+}\r
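Review bot: InitializeSecretDxe() installs the table unconditionally from the two FixedPcdGet32 values, so the presence of gSevLaunchSecretGuid tells a consumer only where the area is, not that SEV is active or that a secret was actually injected there; nothing in this file checks either. The entry point also has no function header, which is where that contract belongs: it should state that the installed pointer refers to this driver's static mSecretDxeTable, that (per the commit message) the table is meant to be read before ExitBootServices(), and that consumers must validate the area's contents before treating them as a secret. If a zero size is a possible build configuration, a guard such as `if (mSecretDxeTable.Size == 0) { return EFI_UNSUPPORTED; }` ahead of the install call would avoid advertising an empty area; that is an assumption to confirm against the PCD defaults, which are not visible here.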
diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
new file mode 100644 (file)
index 0000000..62ab00a
--- /dev/null
@@ -0,0 +1,37 @@
+## @file\r
+#  Sev Secret configuration Table installer\r
+#\r
+#  Copyright (C) 2020 James Bottomley, IBM Corporation.\r
+#\r
+#  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+#\r
+##\r
+\r
+[Defines]\r
+  INF_VERSION                    = 0x00010005\r
+  BASE_NAME                      = SecretDxe\r
+  FILE_GUID                      = 6e2b9619-8810-4e9d-a177-d432bb9abeda\r
+  MODULE_TYPE                    = DXE_DRIVER\r
+  VERSION_STRING                 = 1.0\r
+  ENTRY_POINT                    = InitializeSecretDxe\r
+\r
+[Sources]\r
+  SecretDxe.c\r
+\r
+[Packages]\r
+  OvmfPkg/OvmfPkg.dec\r
+  MdePkg/MdePkg.dec\r
+\r
+[LibraryClasses]\r
+  UefiBootServicesTableLib\r
+  UefiDriverEntryPoint\r
+\r
+[Guids]\r
+  gSevLaunchSecretGuid\r
+\r
+[FixedPcd]\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase\r
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize\r
+\r
+[Depex]\r
+  TRUE\r
diff --git a/OvmfPkg/Include/Guid/SevLaunchSecret.h b/OvmfPkg/Include/Guid/SevLaunchSecret.h
new file mode 100644 (file)
index 0000000..fa5f383
--- /dev/null
@@ -0,0 +1,28 @@
+ /** @file\r
+   UEFI Configuration Table for exposing the SEV Launch Secret location to UEFI\r
+   applications (boot loaders).\r
+\r
+   Copyright (C) 2020 James Bottomley, IBM Corporation.\r
+   SPDX-License-Identifier: BSD-2-Clause-Patent\r
+ **/\r
+\r
+#ifndef SEV_LAUNCH_SECRET_H_\r
+#define SEV_LAUNCH_SECRET_H_\r
+\r
+#include <Uefi/UefiBaseType.h>\r
+\r
+#define SEV_LAUNCH_SECRET_GUID                          \\r
+  { 0xadf956ad,                                         \\r
+    0xe98c,                                             \\r
+    0x484c,                                             \\r
+    { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 }, \\r
+  }\r
+\r
+typedef struct {\r
+  UINT32 Base;\r
+  UINT32 Size;\r
+} SEV_LAUNCH_SECRET_LOCATION;\r
+\r
+extern EFI_GUID gSevLaunchSecretGuid;\r
+\r
+#endif // SEV_LAUNCH_SECRET_H_\r
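Review bot: SEV_LAUNCH_SECRET_LOCATION is the layout that boot loaders and the OS will parse, yet its two fields carry no comments on address space or unit. Since SecretDxe.c fills them from PcdSevLaunchSecretBase and PcdSevLaunchSecretSize, comments such as `UINT32 Base;  ///< Address of the launch secret area (PcdSevLaunchSecretBase)` and `UINT32 Size;  ///< Size of the area in bytes (PcdSevLaunchSecretSize)` would make the contract explicit; Base is presumably a guest-physical address and Size a byte count, which is worth confirming and stating. The struct comment should also note that both fields are 32-bit, so the area has to sit below 4 GiB, and that the table conveys location only, not whether a secret is actually present.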
index 7d27f8e160402dde1964a7299bd1c7bced23d634..8a294116efaabc58cfc20d32e5dc48624c20e7af 100644 (file)
   gLinuxEfiInitrdMediaGuid              = {0x5568e427, 0x68fc, 0x4f3d, {0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}}\r
   gQemuKernelLoaderFsMediaGuid          = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}}\r
   gGrubFileGuid                         = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}}\r
+  gSevLaunchSecretGuid                  = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}}\r
 \r
 [Ppis]\r
   # PPI whose presence in the PPI database signals that the TPM base address\r