[+cc: Tobin] Hi Brijesh,
On 30/04/2021 14:51, Brijesh Singh wrote: > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 > > When AMD SEV is enabled in the guest VM, a hypervisor needs to insert a > secrets page. > > When SEV-SNP is enabled, the secrets page contains the VM platform > communication keys. The guest BIOS and OS can use this key to communicate > with the SEV firmware to get an attestation report. See the SEV-SNP firmware > spec for more details for the content of the secrets page. > > When SEV and SEV-ES are enabled, the secrets page contains the information > provided by the guest owner after the attestation. See the SEV > LAUNCH_SECRET command for more details. > > Cc: James Bottomley <j...@linux.ibm.com> > Cc: Min Xu <min.m...@intel.com> > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Tom Lendacky <thomas.lenda...@amd.com> > Cc: Jordan Justen <jordan.l.jus...@intel.com> > Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org> > Cc: Laszlo Ersek <ler...@redhat.com> > Cc: Erdem Aktas <erdemak...@google.com> > Signed-off-by: Brijesh Singh <brijesh.si...@amd.com> > --- > OvmfPkg/AmdSev/SecretPei/SecretPei.c | 16 +++++++++++++++- > OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 1 + > OvmfPkg/OvmfPkgX64.dsc | 2 ++ > OvmfPkg/OvmfPkgX64.fdf | 5 +++++ > 4 files changed, 23 insertions(+), 1 deletion(-) > > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c > b/OvmfPkg/AmdSev/SecretPei/SecretPei.c > index ad491515dd..92836c562c 100644 > --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c > +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c > @@ -7,6 +7,7 @@ > #include <PiPei.h> > #include <Library/HobLib.h> > #include <Library/PcdLib.h> > +#include <Library/MemEncryptSevLib.h> > > EFI_STATUS > EFIAPI 
> @@ -15,10 +16,23 @@ InitializeSecretPei ( > IN CONST EFI_PEI_SERVICES **PeiServices > ) > { > + UINTN Type; > + > + // > + // The secret page should be mapped encrypted by the guest OS and must not > + // be treated as a system RAM. Mark it as ACPI NVS so that guest OS maps it > + // encrypted. > + // > + if (MemEncryptSevSnpIsEnabled ()) { > + Type = EfiACPIMemoryNVS; > + } else { > + Type = EfiBootServicesData; > + } > + Would it make sense to always use EfiACPIMemoryNVS for the injected secret area, even for regular SEV (non-SNP)? -Dov > BuildMemoryAllocationHob ( > PcdGet32 (PcdSevLaunchSecretBase), > PcdGet32 (PcdSevLaunchSecretSize), > - EfiBootServicesData > + Type > ); > > return EFI_SUCCESS; > diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > index 08be156c4b..9265f8adee 100644 > --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf > @@ -26,6 +26,7 @@ > HobLib > PeimEntryPoint > PcdLib > + MemEncryptSevLib > > [FixedPcd] > gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index a7d747f6b4..593c0e69f6 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -716,6 +716,7 @@ > OvmfPkg/SmmAccess/SmmAccessPei.inf > !endif > UefiCpuPkg/CpuMpPei/CpuMpPei.inf > + OvmfPkg/AmdSev/SecretPei/SecretPei.inf > > !if $(TPM_ENABLE) == TRUE > OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf > @@ -965,6 +966,7 @@ > OvmfPkg/PlatformDxe/Platform.inf > OvmfPkg/AmdSevDxe/AmdSevDxe.inf > OvmfPkg/IoMmuDxe/IoMmuDxe.inf > + OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > > !if $(SMM_REQUIRE) == TRUE > OvmfPkg/SmmAccess/SmmAccess2Dxe.inf > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf > index d519f85328..b04175f77c 100644 > --- a/OvmfPkg/OvmfPkgX64.fdf > +++ b/OvmfPkg/OvmfPkgX64.fdf 
> @@ -88,6 +88,9 @@ > gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevE > 0x00C000|0x001000 > > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize > > +0x00D000|0x001000 > +gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize > + > 0x010000|0x010000 > > gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize > > @@ -178,6 +181,7 @@ INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf > INF SecurityPkg/Tcg/TcgPei/TcgPei.inf > INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf > !endif > +INF OvmfPkg/AmdSev/SecretPei/SecretPei.inf > > > ################################################################################ > > @@ -313,6 +317,7 @@ INF > OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf > INF ShellPkg/Application/Shell/Shell.inf > > INF MdeModulePkg/Logo/LogoDxe.inf > +INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf > > # > # Network modules > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#74759): https://edk2.groups.io/g/devel/message/74759 Mute This Topic: https://groups.io/mt/82479058/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
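Review bot: in the InitializeSecretPei hunk of SecretPei.c, the new comment gives a rationale that is not SNP-specific ("should be mapped encrypted by the guest OS and must not be treated as a system RAM"), yet only the MemEncryptSevSnpIsEnabled() branch selects EfiACPIMemoryNVS while the SEV/SEV-ES case keeps EfiBootServicesData, which the OS may reclaim as ordinary RAM after ExitBootServices. Either extend the comment with why EfiBootServicesData is acceptable for the LAUNCH_SECRET case, or pick EfiACPIMemoryNVS unconditionally and drop the branch. Separately, `UINTN Type;` should be `EFI_MEMORY_TYPE Type;`, since that is the type of the third parameter of BuildMemoryAllocationHob () and the enum values are being assigned to it.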
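Review bot: in the two OvmfPkgX64.dsc hunks, OvmfPkg/AmdSev/SecretPei/SecretPei.inf and OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf are added with no build-time guard, so every OvmfPkgX64 build now carries the SEV secret modules and reserves the secret page, whether or not SEV is in use; the neighbouring Tcg2 modules are wrapped in `!if $(TPM_ENABLE) == TRUE`. Either guard these entries the same way or say in the commit message that unconditional inclusion in OvmfPkgX64 is intended (the modules are otherwise only used by the AmdSev platform).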
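Review bot: in the OvmfPkgX64.fdf memory-layout hunk, the new `0x00D000|0x001000` range fixes the secret page at a hard-coded guest physical address, but the commit message only says the hypervisor "needs to insert a secrets page" and nothing in this patch shows how the VMM learns PcdSevLaunchSecretBase/PcdSevLaunchSecretSize. Please document in the commit message (or a comment next to the PCD pair) how this base and size are communicated to the hypervisor, and confirm that a single 4 KiB page is sufficient for the SNP secrets page layout the commit message defers to the SEV-SNP firmware spec.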