From: James Bottomley Date: Mon, 30 Nov 2020 20:28:17 +0000 (-0800) Subject: OvmfPkg: create a SEV secret area in the AmdSev memfd X-Git-Tag: edk2-stable202102~346 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=224752ecedf2fc3b3c568047404fac7959168be2 OvmfPkg: create a SEV secret area in the AmdSev memfd SEV needs an area to place an injected secret where OVMF can find it and pass it up as a ConfigurationTable. This patch implements the area itself as an addition to the SEV enhanced reset vector table using an additional guid (4c2eb361-7d9b-4cc3-8081-127c90d3d294). Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077 Signed-off-by: James Bottomley Reviewed-by: Laszlo Ersek Message-Id: <20201130202819.3910-5-jejb@linux.ibm.com> Acked-by: Ard Biesheuvel [lersek@redhat.com: fix typo in "ResetVectorVtf0.asm" comments] --- diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 3fbf7a0ee1..7d27f8e160 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -304,6 +304,12 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41 + ## The base address and size of the SEV Launch Secret Area provisioned + # after remote attestation. If this is set in the .fdf, the platform + # is responsible for protecting the area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42 + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm index 9e0a74fddf..9c0b5853a4 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm @@ -47,6 +47,25 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart + 15) % 16)) DB 0 ; guidedStructureStart: +; +; SEV Secret block +; +; This describes the guest ram area where the hypervisor should +; inject the secret. The data format is: +; +; base physical address (32 bit word) +; table length (32 bit word) +; +; GUID (SEV secret block): 4c2eb361-7d9b-4cc3-8081-127c90d3d294 +; +sevSecretBlockStart: + DD SEV_LAUNCH_SECRET_BASE + DD SEV_LAUNCH_SECRET_SIZE + DW sevSecretBlockEnd - sevSecretBlockStart + DB 0x61, 0xB3, 0x2E, 0x4C, 0x9B, 0x7D, 0xC3, 0x4C + DB 0x80, 0x81, 0x12, 0x7C, 0x90, 0xD3, 0xD2, 0x94 +sevSecretBlockEnd: + ; ; SEV-ES Processor Reset support ; diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index a53ae6c194..dc38f68919 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -43,3 +43,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize + +[FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase + gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index 4913b379a9..c5e0fe93ab 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -83,5 +83,7 @@ %include "Main.asm" %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase) + %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase) + %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize) %include "Ia16/ResetVectorVtf0.asm"