* Wed Feb 23 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-3

- edk2-spec-build-amdsev-variant.patch [bz#2054661]
- edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755]
- Resolves: bz#2054661
  (RFE:  Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF)
- Resolves: bz#2041755
  (Mark SEV launch secret area as reserved)
Miroslav Rezanina 2022-02-23 04:16:00 -05:00
parent 088600e053
commit 16c9a4257a
3 changed files with 106 additions and 2 deletions

@ -0,0 +1,51 @@
From c4096f74a41bde4fc62576222e0c9622152d7701 Mon Sep 17 00:00:00 2001
From: Pawel Polawski <ppolawsk@redhat.com>
Date: Tue, 4 Jan 2022 15:16:40 +0800
Subject: [PATCH 2/2] OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as
reserved
RH-Author: Pawel Polawski <ppolawsk@redhat.com>
RH-MergeRequest: 10: OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as reserved
RH-Commit: [1/1] a8f099d508e2e7b39697945acaa767c43577b1e6 (elkoniu/edk2)
RH-Bugzilla: 2041754
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Mark the SEV launch secret MEMFD area as reserved, which will allow the
guest OS to use it during the lifetime of the OS, without creating
copies of the sensitive content.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Jiewen Yao <Jiewen.Yao@intel.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
---
OvmfPkg/AmdSev/SecretPei/SecretPei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
index db94c26b54..6bf1a55dea 100644
--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
@@ -19,7 +19,7 @@ InitializeSecretPei (
BuildMemoryAllocationHob (
PcdGet32 (PcdSevLaunchSecretBase),
ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE),
- EfiBootServicesData
+ EfiReservedMemoryType
);
return EFI_SUCCESS;
--
2.27.0
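
Review bot: The `RH-Bugzilla:` trailer in this patch file says 2041754, while the changelog entry and the `Patch52` comment in the spec both reference bz#2041755; confirm which ID is correct and make the three agree so the fix can be traced from the package back to the bug. In the SecretPei.c hunk itself, only the size argument is rounded with `ALIGN_VALUE (..., EFI_PAGE_SIZE)`; now that the range stays reserved for the lifetime of the OS, a comment or assertion stating that `PcdSevLaunchSecretBase` is page-aligned would make it clear that the reserved range covers exactly the secret pages.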

edk2-ovmf-amdsev.json

@ -0,0 +1,30 @@
{
"description": "OVMF with SEV-ES support",
"interface-types": [
"uefi"
],
"mapping": {
"device": "flash",
"mode": "stateless",
"executable": {
"filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
"format": "raw"
}
},
"targets": [
{
"architecture": "x86_64",
"machines": [
"pc-q35-rhel8.5.0"
]
}
],
"features": [
"amd-sev",
"amd-sev-es",
"verbose-dynamic"
],
"tags": [
]
}
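
Review bot: The `description` string, "OVMF with SEV-ES support", does not say what sets this descriptor apart; the changelog describes this build as the one supporting measured AMD SEV boot with kernel/initrd/cmdline, so the description should say so, since it is what an administrator reads when choosing between firmware descriptors. Also, `machines` lists only `pc-q35-rhel8.5.0` with no wildcard; confirm that restricting the descriptor to that single machine type is intended and note the reason in the changelog if it is.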

@ -24,7 +24,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2 Name: edk2
Version: %{GITDATE}git%{GITCOMMIT} Version: %{GITDATE}git%{GITCOMMIT}
Release: 2%{?dist} Release: 3%{?dist}
Summary: UEFI firmware for 64-bit virtual machines Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and OpenSSL and MIT License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: http://www.tianocore.org URL: http://www.tianocore.org
@ -45,6 +45,7 @@ Source11: edk2-aarch64.json
Source12: edk2-ovmf-sb.json Source12: edk2-ovmf-sb.json
Source13: edk2-ovmf.json Source13: edk2-ovmf.json
Source14: edk2-ovmf-cc.json Source14: edk2-ovmf-cc.json
Source15: edk2-ovmf-amdsev.json
Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
@ -93,6 +94,8 @@ Patch49: edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch
Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default # For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch
# For bz#2041755 - Mark SEV launch secret area as reserved
Patch52: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
# python3-devel and libuuid-devel are required for building tools. # python3-devel and libuuid-devel are required for building tools.
@ -201,7 +204,7 @@ git config am.keepcr true
%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am %autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am
cp -a -- %{SOURCE1} %{SOURCE3} . cp -a -- %{SOURCE1} %{SOURCE3} .
cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} . cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} .
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
# Format the Red Hat-issued certificate that is to be enrolled as both Platform # Format the Red Hat-issued certificate that is to be enrolled as both Platform
@ -293,6 +296,11 @@ build ${OVMF_FLAGS} -a X64 \
build ${OVMF_SB_FLAGS} -a IA32 -a X64 \ build ${OVMF_SB_FLAGS} -a IA32 -a X64 \
-p OvmfPkg/OvmfPkgIa32X64.dsc -p OvmfPkg/OvmfPkgIa32X64.dsc
# Build AmdSev
touch OvmfPkg/AmdSev/Grub/grub.efi # dummy
build ${OVMF_FLAGS} -a X64 \
-p OvmfPkg/AmdSev/AmdSevX64.dsc
# Sanity check: the varstore templates must be identical. # Sanity check: the varstore templates must be identical.
cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd
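
Review bot: On the `touch OvmfPkg/AmdSev/Grub/grub.efi # dummy` line, the comment does not explain why a zero-length grub.efi is acceptable inside a firmware image that ships to users. Expand it to state that the AmdSev build requires the file to exist, that this package's image is meant for the kernel/initrd/cmdline boot path named in the changelog, and what is expected to happen if the firmware ever reaches the empty embedded file.
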
@ -368,6 +376,9 @@ install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \
install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \ install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \
%{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso %{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso
install -m 0644 Build/AmdSev/DEBUG_%{TOOLCHAIN}/FV/OVMF.fd \
%{buildroot}%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/ ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/
ln -s ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}%{_datadir}/OVMF/ ln -s ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}%{_datadir}/OVMF/
ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/ ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/
@ -384,6 +395,8 @@ install -m 0644 edk2-ovmf.json \
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json
install -m 0644 edk2-ovmf-cc.json \ install -m 0644 edk2-ovmf-cc.json \
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
install -m 0644 edk2-ovmf-amdsev.json \
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json
# endif build_ovmf # endif build_ovmf
%endif %endif
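
Review bot: `50-edk2-ovmf-amdsev.json` is installed with the same `50-` prefix as `50-edk2-ovmf-cc.json` and `50-edk2-ovmf.json`, so its position relative to them is decided only by the rest of the file name, and in plain byte order it sorts ahead of both. If this stateless SEV image should only be selected when it is explicitly wanted, choose a prefix that places it after the general-purpose descriptors, or add a spec comment explaining why first place among the `50-` files is intended.
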
@ -474,6 +487,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd %{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
%{_datadir}/%{name}/ovmf/OVMF_VARS.fd %{_datadir}/%{name}/ovmf/OVMF_VARS.fd
%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd %{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
%{_datadir}/%{name}/ovmf/UefiShell.iso %{_datadir}/%{name}/ovmf/UefiShell.iso
%{_datadir}/OVMF/OVMF_CODE.secboot.fd %{_datadir}/OVMF/OVMF_CODE.secboot.fd
%{_datadir}/OVMF/OVMF_VARS.fd %{_datadir}/OVMF/OVMF_VARS.fd
@ -483,6 +497,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi %{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json %{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json %{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json
%{_datadir}/qemu/firmware/50-edk2-ovmf.json %{_datadir}/qemu/firmware/50-edk2-ovmf.json
# endif build_ovmf # endif build_ovmf
%endif %endif
@ -531,6 +546,14 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
%changelog %changelog
* Wed Feb 23 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-3
- edk2-spec-build-amdsev-variant.patch [bz#2054661]
- edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755]
- Resolves: bz#2054661
(RFE: Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF)
- Resolves: bz#2041755
(Mark SEV launch secret area as reserved)
* Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2 * Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2
- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497] - edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497]
- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497] - edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497]