[PATCH 4/4] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table


James Bottomley <jejb@...>
 

This is to allow the boot loader (grub) to pick up the secret area.
The Configuration Table simply points to the base and size (in
physical memory) and this area is covered by a Boot time HOB, meaning
that the secret will be freed after ExitBootServices, by which time it
should be consumed anyway.

Signed-off-by: James Bottomley <jejb@...>
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 ++
OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ++
.../SevLaunchSecret/SecretDxe/SecretDxe.inf | 38 +++++++++++++++
.../SevLaunchSecret/SecretPei/SecretPei.inf | 46 +++++++++++++++++++
.../SevLaunchSecret/SecretDxe/SecretDxe.c | 29 ++++++++++++
.../SevLaunchSecret/SecretPei/SecretPei.c | 26 +++++++++++
6 files changed, 145 insertions(+)
create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf
create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf
create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c
create mode 100644 OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 7d3663150e..eb8cc9d60a 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -698,6 +698,7 @@
OvmfPkg/SmmAccess/SmmAccessPei.inf=0D
!endif=0D
UefiCpuPkg/CpuMpPei/CpuMpPei.inf=0D
+ OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf=0D
=0D
!if $(TPM_ENABLE) =3D=3D TRUE=0D
OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf=0D
@@ -1007,6 +1008,8 @@
}=0D
!endif=0D
=0D
+ OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf=0D
+=0D
#=0D
# TPM support=0D
#=0D
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 1fd38b3fe2..65ee4d993b 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -146,6 +146,7 @@ INF MdeModulePkg/Universal/Variable/Pei/VariablePei.inf
INF OvmfPkg/SmmAccess/SmmAccessPei.inf=0D
!endif=0D
INF UefiCpuPkg/CpuMpPei/CpuMpPei.inf=0D
+INF OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf=0D
=0D
!if $(TPM_ENABLE) =3D=3D TRUE=0D
INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf=0D
@@ -290,6 +291,8 @@ INF ShellPkg/Application/Shell/Shell.inf
=0D
INF MdeModulePkg/Logo/LogoDxe.inf=0D
=0D
+INF OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf=0D
+=0D
#=0D
# Network modules=0D
#=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf b/OvmfP=
kg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf
new file mode 100644
index 0000000000..085162e5c4
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.inf
@@ -0,0 +1,38 @@
+## @file=0D
+# Sev Secret configuration Table installer=0D
+#=0D
+# Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+#=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+##=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010005=0D
+ BASE_NAME =3D SecretDxe=0D
+ FILE_GUID =3D 6e2b9619-8810-4e9d-a177-d432bb9abeda=
=0D
+ MODULE_TYPE =3D DXE_DRIVER=0D
+ VERSION_STRING =3D 1.0=0D
+ ENTRY_POINT =3D InitializeSecretDxe=0D
+=0D
+[Sources]=0D
+ SecretDxe.c=0D
+=0D
+[Packages]=0D
+ OvmfPkg/OvmfPkg.dec=0D
+ MdePkg/MdePkg.dec=0D
+=0D
+[LibraryClasses]=0D
+ UefiBootServicesTableLib=0D
+ UefiDriverEntryPoint=0D
+ UefiLib=0D
+=0D
+[Guids]=0D
+ gSevLaunchSecretGuid=0D
+=0D
+[FixedPcd]=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretBase=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretSize=0D
+=0D
+[Depex]=0D
+ TRUE=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf b/OvmfP=
kg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf
new file mode 100644
index 0000000000..b154dcc74e
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.inf
@@ -0,0 +1,46 @@
+## @file=0D
+# PEI support for SEV Secrets=0D
+#=0D
+# Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+#=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+##=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010005=0D
+ BASE_NAME =3D SecretPei=0D
+ FILE_GUID =3D 45260dde-0c3c-4b41-a226-ef3803fac7d4=
=0D
+ MODULE_TYPE =3D PEIM=0D
+ VERSION_STRING =3D 1.0=0D
+ ENTRY_POINT =3D InitializeSecretPei=0D
+=0D
+#=0D
+# The following information is for reference only and not required by the =
build tools.=0D
+#=0D
+# VALID_ARCHITECTURES =3D IA32 X64 EBC=0D
+#=0D
+=0D
+[Sources]=0D
+ SecretPei.c=0D
+=0D
+[Packages]=0D
+ OvmfPkg/OvmfPkg.dec=0D
+ MdePkg/MdePkg.dec=0D
+ MdeModulePkg/MdeModulePkg.dec=0D
+=0D
+[LibraryClasses]=0D
+ BaseLib=0D
+ DebugLib=0D
+ HobLib=0D
+ PeiServicesLib=0D
+ PeiServicesTablePointerLib=0D
+ PeimEntryPoint=0D
+ PcdLib=0D
+=0D
+[FixedPcd]=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretBase=0D
+ gSevLaunchSecretGuid.PcdSevLaunchSecretSize=0D
+=0D
+[Depex]=0D
+ TRUE=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c b/OvmfPkg=
/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c
new file mode 100644
index 0000000000..b40bbe1eb9
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretDxe/SecretDxe.c
@@ -0,0 +1,29 @@
+/** @file=0D
+ SEV Secret configuration table constructor=0D
+=0D
+ Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+ SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+**/=0D
+#include <PiDxe.h>=0D
+#include <Library/UefiLib.h>=0D
+#include <Library/UefiDriverEntryPoint.h>=0D
+#include <Library/UefiBootServicesTableLib.h>=0D
+=0D
+struct {=0D
+ UINT32 base;=0D
+ UINT32 size;=0D
+} secretDxeTable =3D {=0D
+ FixedPcdGet32(PcdSevLaunchSecretBase),=0D
+ FixedPcdGet32(PcdSevLaunchSecretSize),=0D
+};=0D
+=0D
+EFI_STATUS=0D
+EFIAPI=0D
+InitializeSecretDxe(=0D
+ IN EFI_HANDLE ImageHandle,=0D
+ IN EFI_SYSTEM_TABLE *SystemTable=0D
+ )=0D
+{=0D
+ return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid,=0D
+ &secretDxeTable);=0D
+}=0D
diff --git a/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c b/OvmfPkg=
/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c
new file mode 100644
index 0000000000..16b49792ad
--- /dev/null
+++ b/OvmfPkg/AmdSev/SevLaunchSecret/SecretPei/SecretPei.c
@@ -0,0 +1,26 @@
+/** @file=0D
+ SEV Secret boot time HOB placement=0D
+=0D
+ Copyright (C) 2020 James Bottomley, IBM Corporation.=0D
+ SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+**/=0D
+#include <PiPei.h>=0D
+#include <Library/BaseLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/HobLib.h>=0D
+#include <Library/PcdLib.h>=0D
+=0D
+EFI_STATUS=0D
+EFIAPI=0D
+InitializeSecretPei (=0D
+ IN EFI_PEI_FILE_HANDLE FileHandle,=0D
+ IN CONST EFI_PEI_SERVICES **PeiServices=0D
+ )=0D
+{=0D
+ BuildMemoryAllocationHob (=0D
+ PcdGet32 (PcdSevLaunchSecretBase),=0D
+ PcdGet32 (PcdSevLaunchSecretSize),=0D
+ EfiBootServicesData);=0D
+=0D
+ return EFI_SUCCESS;=0D
+}=0D
--=20
2.26.2

Join devel@edk2.groups.io to automatically receive all group messages.