[PATCH 3/4] OvmfPkg: create a SEV secret area in the AmdSev memfd


James Bottomley <jejb@...>
 

SEV needs an area to place an injected secret where OVMF can find it
and pass it up as a ConfigurationTable. This patch implements the
area itself as an addition to the SEV enhanced reset vector. The
reset vector scheme allows additions but not removals. If the size of
the reset vector is 22, it only contains the AP reset IP, but if it is
30 (or greater) it contains the SEV secret page location and size.

Signed-off-by: James Bottomley <jejb@...>
---
OvmfPkg/OvmfPkg.dec | 5 +++++
OvmfPkg/AmdSev/AmdSevX64.fdf | 3 +++
OvmfPkg/ResetVector/ResetVector.inf | 4 ++++
OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 4 ++++
OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++
5 files changed, 18 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 3fbf7a0ee1..b00f083417 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -117,6 +117,7 @@
gLinuxEfiInitrdMediaGuid =3D {0x5568e427, 0x68fc, 0x4f3d, {=
0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}}=0D
gQemuKernelLoaderFsMediaGuid =3D {0x1428f772, 0xb64a, 0x441e, {=
0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}}=0D
gGrubFileGuid =3D {0xb5ae312c, 0xbc8a, 0x43b1, {=
0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}}=0D
+ gSevLaunchSecretGuid =3D {0xadf956ad, 0xe98c, 0x484c, {=
0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}}=0D
=0D
[Ppis]=0D
# PPI whose presence in the PPI database signals that the TPM base addre=
ss=0D
@@ -304,6 +305,10 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|0|UINT32|0x40=0D
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize|0|UINT32|0x41=0D
=0D
+ ## The base address and size of the SEV Launch Secret Area=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretBase|0x0|UINT32|0=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretSize|0x0|UINT32|1=0D
+=0D
[PcdsDynamic, PcdsDynamicEx]=0D
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2=0D
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x1=
0=0D
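Review bot: The two new PCDs are declared in the `gSevLaunchSecretGuid` token space with token numbers 0 and 1, while every neighbouring PCD in this hunk lives in `gUefiOvmfPkgTokenSpaceGuid`. The commit message says the secret is passed up as a ConfigurationTable, so this GUID presumably also identifies that table. Using one GUID for both roles makes it harder to tell a table identifier from a PCD namespace when auditing what can locate the secret. I would declare them as `gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|<next free token>` and likewise for the size, keeping `gSevLaunchSecretGuid` for the table only. The token-space name would then also change in the AmdSevX64.fdf and ResetVector.inf hunks.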
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 689386612d..1fd38b3fe2 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -59,6 +59,9 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPk=
gTokenSpaceGuid.PcdOvmf
0x00B000|0x001000=0D
gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P=
cdSevEsWorkAreaSize=0D
=0D
+0x00C000|0x001000=0D
+gSevLaunchSecretGuid.PcdSevLaunchSecretBase|gSevLaunchSecretGuid.PcdSevLau=
nchSecretSize=0D
+=0D
0x010000|0x010000=0D
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace=
Guid.PcdOvmfSecPeiTempRamSize=0D
=0D
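Review bot: The new `0x00C000|0x001000` region will hold the injected secret, but the layout entry has no comment saying so. Nothing visible in this patch stops later firmware phases or the OS from treating the page as ordinary RAM. Please confirm that another patch in the series reserves the range described by `PcdSevLaunchSecretBase`/`PcdSevLaunchSecretSize` before memory is handed out; that cannot be seen from this hunk. A short comment above the entry would help, for example `# SEV Launch Secret page: holds the injected secret, must not be reused as general RAM`.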
diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese=
tVector.inf
index a53ae6c194..72fd78eef4 100644
--- a/OvmfPkg/ResetVector/ResetVector.inf
+++ b/OvmfPkg/ResetVector/ResetVector.inf
@@ -43,3 +43,7 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize=0D
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase=0D
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize=0D
+=0D
+[FixedPcd]=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretBase=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretSize=0D
diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe=
ctor/Ia16/ResetVectorVtf0.asm
index 980e0138e7..7d3214e55d 100644
--- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
+++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -35,6 +35,8 @@ ALIGN 16
; the build time RIP value. The GUID must always be 48 bytes from the=0D
; end of the firmware.=0D
;=0D
+; 0xffffffc2 (-0x3e) - Base Location of the SEV Launch Secret=0D
+; 0xffffffc6 (-0x3a) - Size of SEV Launch Secret=0D
; 0xffffffca (-0x36) - IP value=0D
; 0xffffffcc (-0x34) - CS segment base [31:16]=0D
; 0xffffffce (-0x32) - Size of the SEV-ES reset block=0D
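Review bot: The layout comment lists the two new fields but not the rule for when they are valid, which is stated only in the commit message. A reader has to check the size word at -0x32 before reading at -0x3a and -0x3e. On an image built without this change, those offsets hold bytes that are not part of the block. I would add `; The Launch Secret fields exist only when the block size at -0x32 is >= 30;` followed by `; a size of 22 means the block holds the IP value alone.` to this comment. The comment block starts above the hunk.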
@@ -51,6 +53,8 @@ ALIGN 16
TIMES (32 - (sevEsResetBlockEnd - sevEsResetBlockStart)) DB 0=0D
=0D
sevEsResetBlockStart:=0D
+ DD SEV_LAUNCH_SECRET_BASE=0D
+ DD SEV_LAUNCH_SECRET_SIZE=0D
DD SEV_ES_AP_RESET_IP=0D
DW sevEsResetBlockEnd - sevEsResetBlockStart=0D
DB 0xDE, 0x71, 0xF7, 0x00, 0x7E, 0x1A, 0xCB, 0x4F=0D
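Review bot: `DD SEV_LAUNCH_SECRET_BASE` and `DD SEV_LAUNCH_SECRET_SIZE` are emitted unconditionally, so any build that does not assign the PCDs in its .fdf publishes base 0 and size 0 (the OvmfPkg.dec defaults) while the size word still reports 30 bytes. If ResetVector.inf is shared with non-AmdSev platforms, as its path suggests, a reader cannot tell "no secret area" from a real one by block size alone. The rule that size 0 means absent should be written next to these lines, e.g. `; Size == 0: no Launch Secret area in this build`. Separately, the block is now 30 bytes against the 32 assumed by the `TIMES (32 - ...)` padding above, so the next field larger than two bytes will need that constant raised.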
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re=
setVector.nasmb
index 4913b379a9..c5e0fe93ab 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -83,5 +83,7 @@
%include "Main.asm"=0D
=0D
%define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase)=0D
+ %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase)=0D
+ %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize)=0D
%include "Ia16/ResetVectorVtf0.asm"=0D
=0D
--=20
2.26.2
