* Wed Feb 23 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-3
- edk2-spec-build-amdsev-variant.patch [bz#2054661] - edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755] - Resolves: bz#2054661 (RFE: Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF) - Resolves: bz#2041755 (Mark SEV launch secret area as reserved)
parent
088600e053
commit
16c9a4257a
@ -0,0 +1,51 @@
|
|||||||
|
From c4096f74a41bde4fc62576222e0c9622152d7701 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pawel Polawski <ppolawsk@redhat.com>
|
||||||
|
Date: Tue, 4 Jan 2022 15:16:40 +0800
|
||||||
|
Subject: [PATCH 2/2] OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as
|
||||||
|
reserved
|
||||||
|
|
||||||
|
RH-Author: Pawel Polawski <ppolawsk@redhat.com>
|
||||||
|
RH-MergeRequest: 10: OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as reserved
|
||||||
|
RH-Commit: [1/1] a8f099d508e2e7b39697945acaa767c43577b1e6 (elkoniu/edk2)
|
||||||
|
RH-Bugzilla: 2041754
|
||||||
|
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
|
||||||
|
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
|
||||||
|
Mark the SEV launch secret MEMFD area as reserved, which will allow the
|
||||||
|
guest OS to use it during the lifetime of the OS, without creating
|
||||||
|
copies of the sensitive content.
|
||||||
|
|
||||||
|
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
|
||||||
|
Cc: Jordan Justen <jordan.l.justen@intel.com>
|
||||||
|
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Cc: Brijesh Singh <brijesh.singh@amd.com>
|
||||||
|
Cc: Erdem Aktas <erdemaktas@google.com>
|
||||||
|
Cc: James Bottomley <jejb@linux.ibm.com>
|
||||||
|
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||||
|
Cc: Min Xu <min.m.xu@intel.com>
|
||||||
|
Cc: Tom Lendacky <thomas.lendacky@amd.com>
|
||||||
|
Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
|
||||||
|
Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
|
||||||
|
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Acked-by: Jiewen Yao <Jiewen.Yao@intel.com>
|
||||||
|
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
|
||||||
|
---
|
||||||
|
OvmfPkg/AmdSev/SecretPei/SecretPei.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
|
||||||
|
index db94c26b54..6bf1a55dea 100644
|
||||||
|
--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
|
||||||
|
+++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
|
||||||
|
@@ -19,7 +19,7 @@ InitializeSecretPei (
|
||||||
|
BuildMemoryAllocationHob (
|
||||||
|
PcdGet32 (PcdSevLaunchSecretBase),
|
||||||
|
ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE),
|
||||||
|
- EfiBootServicesData
|
||||||
|
+ EfiReservedMemoryType
|
||||||
|
);
|
||||||
|
|
||||||
|
return EFI_SUCCESS;
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
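Review bot: The switch to `EfiReservedMemoryType` in the `BuildMemoryAllocationHob` call has no comment giving the lifetime reason, which is stated only in the commit message. A comment above the call such as `// Reserved rather than boot-services data: the launch secret must stay in place after ExitBootServices so the guest OS can read it without copying.` would keep that reasoning next to the code. Because the region is no longer handed back as ordinary memory, the secret stays resident in guest memory until its consumer wipes it; nothing in this hunk does that, so the comment should also say who is expected to clear it. The embedded patch carries `RH-Bugzilla: 2041754` while the spec comment and changelog cite bz#2041755, which may be a clone for another release but should be confirmed. InitializeSecretPei begins above the hunk, so only this call is reviewed here.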
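--- /dev/null
+++ b/edk2-ovmf-amdsev.json
@@ -0,0 +1,30 @@
+{
+"description": "OVMF with SEV-ES support",
+"interface-types": [
+"uefi"
+],
+"mapping": {
+"device": "flash",
+"mode": "stateless",
+"executable": {
+"filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
+"format": "raw"
+}
+},
+"targets": [
+{
+"architecture": "x86_64",
+"machines": [
+"pc-q35-rhel8.5.0"
+]
+}
+],
+"features": [
+"amd-sev",
+"amd-sev-es",
+"verbose-dynamic"
+],
+"tags": [
+
+]
+}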
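Review bot: The `"description": "OVMF with SEV-ES support"` string does not say that this descriptor points at the AmdSev build, so an operator reading the descriptor cannot tell it apart from a generic SEV-ES capable OVMF image. Something like `"description": "OVMF AmdSev build for measured SEV/SEV-ES boot (kernel/initrd/cmdline)"` would match what the changelog says the variant is for. This matters because the firmware image chosen determines the launch measurement a guest owner has to expect.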
27
edk2.spec
@ -24,7 +24,7 @@ ExclusiveArch: x86_64 aarch64
|
|||||||
|
|
||||||
Name: edk2
|
Name: edk2
|
||||||
Version: %{GITDATE}git%{GITCOMMIT}
|
Version: %{GITDATE}git%{GITCOMMIT}
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: UEFI firmware for 64-bit virtual machines
|
Summary: UEFI firmware for 64-bit virtual machines
|
||||||
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
||||||
URL: http://www.tianocore.org
|
URL: http://www.tianocore.org
|
||||||
@ -45,6 +45,7 @@ Source11: edk2-aarch64.json
|
|||||||
Source12: edk2-ovmf-sb.json
|
Source12: edk2-ovmf-sb.json
|
||||||
Source13: edk2-ovmf.json
|
Source13: edk2-ovmf.json
|
||||||
Source14: edk2-ovmf-cc.json
|
Source14: edk2-ovmf-cc.json
|
||||||
|
Source15: edk2-ovmf-amdsev.json
|
||||||
|
|
||||||
Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
|
Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
|
||||||
Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
|
Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
|
||||||
@ -93,6 +94,8 @@ Patch49: edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch
|
|||||||
Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
|
Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
|
||||||
# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
|
# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
|
||||||
Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch
|
Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch
|
||||||
|
# For bz#2041755 - Mark SEV launch secret area as reserved
|
||||||
|
Patch52: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
|
||||||
|
|
||||||
|
|
||||||
# python3-devel and libuuid-devel are required for building tools.
|
# python3-devel and libuuid-devel are required for building tools.
|
||||||
@ -201,7 +204,7 @@ git config am.keepcr true
|
|||||||
%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am
|
%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am
|
||||||
|
|
||||||
cp -a -- %{SOURCE1} %{SOURCE3} .
|
cp -a -- %{SOURCE1} %{SOURCE3} .
|
||||||
cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} .
|
cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} .
|
||||||
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
|
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
|
||||||
|
|
||||||
# Format the Red Hat-issued certificate that is to be enrolled as both Platform
|
# Format the Red Hat-issued certificate that is to be enrolled as both Platform
|
||||||
@ -293,6 +296,11 @@ build ${OVMF_FLAGS} -a X64 \
|
|||||||
build ${OVMF_SB_FLAGS} -a IA32 -a X64 \
|
build ${OVMF_SB_FLAGS} -a IA32 -a X64 \
|
||||||
-p OvmfPkg/OvmfPkgIa32X64.dsc
|
-p OvmfPkg/OvmfPkgIa32X64.dsc
|
||||||
|
|
||||||
|
# Build AmdSev
|
||||||
|
touch OvmfPkg/AmdSev/Grub/grub.efi # dummy
|
||||||
|
build ${OVMF_FLAGS} -a X64 \
|
||||||
|
-p OvmfPkg/AmdSev/AmdSevX64.dsc
|
||||||
|
|
||||||
# Sanity check: the varstore templates must be identical.
|
# Sanity check: the varstore templates must be identical.
|
||||||
cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
|
cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
|
||||||
Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd
|
Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd
|
||||||
@ -368,6 +376,9 @@ install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \
|
|||||||
install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \
|
install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \
|
||||||
%{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso
|
%{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso
|
||||||
|
|
||||||
|
install -m 0644 Build/AmdSev/DEBUG_%{TOOLCHAIN}/FV/OVMF.fd \
|
||||||
|
%{buildroot}%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
|
||||||
|
|
||||||
ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/
|
ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/
|
||||||
ln -s ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}%{_datadir}/OVMF/
|
ln -s ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}%{_datadir}/OVMF/
|
||||||
ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/
|
ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/
|
||||||
@ -384,6 +395,8 @@ install -m 0644 edk2-ovmf.json \
|
|||||||
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json
|
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json
|
||||||
install -m 0644 edk2-ovmf-cc.json \
|
install -m 0644 edk2-ovmf-cc.json \
|
||||||
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
|
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
|
||||||
|
install -m 0644 edk2-ovmf-amdsev.json \
|
||||||
|
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json
|
||||||
|
|
||||||
# endif build_ovmf
|
# endif build_ovmf
|
||||||
%endif
|
%endif
|
||||||
@ -474,6 +487,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
|
|||||||
%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
|
%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
|
||||||
%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
|
%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
|
||||||
%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
|
%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
|
||||||
|
%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
|
||||||
%{_datadir}/%{name}/ovmf/UefiShell.iso
|
%{_datadir}/%{name}/ovmf/UefiShell.iso
|
||||||
%{_datadir}/OVMF/OVMF_CODE.secboot.fd
|
%{_datadir}/OVMF/OVMF_CODE.secboot.fd
|
||||||
%{_datadir}/OVMF/OVMF_VARS.fd
|
%{_datadir}/OVMF/OVMF_VARS.fd
|
||||||
@ -483,6 +497,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
|
|||||||
%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
|
%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
|
||||||
%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
|
%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
|
||||||
%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
|
%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
|
||||||
|
%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json
|
||||||
%{_datadir}/qemu/firmware/50-edk2-ovmf.json
|
%{_datadir}/qemu/firmware/50-edk2-ovmf.json
|
||||||
# endif build_ovmf
|
# endif build_ovmf
|
||||||
%endif
|
%endif
|
||||||
@ -531,6 +546,14 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 23 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-3
|
||||||
|
- edk2-spec-build-amdsev-variant.patch [bz#2054661]
|
||||||
|
- edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755]
|
||||||
|
- Resolves: bz#2054661
|
||||||
|
(RFE: Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF)
|
||||||
|
- Resolves: bz#2041755
|
||||||
|
(Mark SEV launch secret area as reserved)
|
||||||
|
|
||||||
* Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2
|
* Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2
|
||||||
- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497]
|
- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497]
|
||||||
- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497]
|
- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497]
|
||||||
|
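Review bot: Installing the descriptor as `50-edk2-ovmf-amdsev.json` (hunk at -384,6, and the matching `%files` entry) gives it the same priority prefix as `50-edk2-ovmf-cc.json`, and by name it sorts ahead of that file. If the cc descriptor also advertises `amd-sev` and `amd-sev-es` (its contents are not shown on this page), management tools that take the first matching descriptor could start selecting OVMF.amdsev.fd for existing SEV guests, changing the firmware image and with it the expected launch measurement. A higher prefix, for example `60-edk2-ovmf-amdsev.json` in both the install line and `%files`, would keep this build opt-in. Separately, `touch OvmfPkg/AmdSev/Grub/grub.efi # dummy` in the -293,6 hunk deserves a fuller comment saying that an empty file is embedded on purpose and which boot path this build is meant to use instead.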