import OL edk2-20241117-4.0.1.el9_7.3

This commit is contained in:
eabdullin 2026-02-18 08:12:38 +00:00
parent 2870fa874c
commit 665d84ef1d
9 changed files with 636 additions and 4 deletions

View File

@ -1,4 +1,4 @@
9bbd7d85dbb5e444b296bc8b9bd9c07019703706 SOURCES/DBXUpdate-20250610.x64.bin
19a95204dd787b4809886db15655082cb28718e9 SOURCES/dtc-1.7.0.tar.xz
a0cdc45f583976eda09dd85740264e57333b3df2 SOURCES/edk2-0f3867fa6ef0.tar.xz
0a9cfae889c6436333fab963250b069058eec6cf SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz
a76706261c8db8253a8ca7a3f187dc78df4c97e6 SOURCES/openssl-rhel-4000c8f49c400db3c5b4e8ccdd9af6cc3d04da19.tar.xz

2
.gitignore vendored
View File

@ -1,4 +1,4 @@
SOURCES/DBXUpdate-20250610.x64.bin
SOURCES/dtc-1.7.0.tar.xz
SOURCES/edk2-0f3867fa6ef0.tar.xz
SOURCES/openssl-rhel-0205b589887203b065154ddc8e8107c4ac8625a1.tar.xz
SOURCES/openssl-rhel-4000c8f49c400db3c5b4e8ccdd9af6cc3d04da19.tar.xz

View File

@ -0,0 +1,23 @@
From a194940b0fc62054430ca36b2bcec473a56745a1 Tue 30 Apr 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 30 Apr 2024 11:58:21 -0700
Subject: [PATCH] Replace upstream references
Orabug: 36569119
Signed-off-by: John McWalters <john.mcwalters@oracle.com>
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c b/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
index e978057..67d6957 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/apps/fipsinstall.c
@@ -311,7 +311,7 @@ int fipsinstall_main(int argc, char **argv)
EVP_MAC *mac = NULL;
CONF *conf = NULL;
- BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
+ BIO_printf(bio_err, "This command is not enabled in the Oracle Linux OpenSSL build, please consult Oracle Linux documentation to learn how to enable FIPS mode\n");
return 1;
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)

View File

@ -0,0 +1,44 @@
From 5061a5a47f460614fdfc52f451bb5d3c59710281 Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Tue, 22 Jul 2025 16:59:44 -0500
Subject: [PATCH 2/6] MdePkg: Add the COHERENCY_SFW_NO CPUID bit field
RH-Author: Luigi Leonardi <None>
RH-MergeRequest: 120: OvmfPkg/MemEncryptSevLib: Evict cache lines during SNP memory validation
RH-Jira: RHEL-125104
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [2/4] a18029a9c5d77d95fc4321099d693ee6c48d20e2
Update the CPUID 0x8000001F EBX definition to add the COHERENCY_SFW_NO
bit field. The COHERENCY_SFW_NO bit is used to indicate that the SEV-SNP
cache coherency mitigation is not needed.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
MdePkg/Include/Register/Amd/Cpuid.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/MdePkg/Include/Register/Amd/Cpuid.h b/MdePkg/Include/Register/Amd/Cpuid.h
index fdcbc475d5..0313ee2789 100644
--- a/MdePkg/Include/Register/Amd/Cpuid.h
+++ b/MdePkg/Include/Register/Amd/Cpuid.h
@@ -701,9 +701,14 @@ typedef union {
UINT32 ReducedPhysBits : 5;
///
- /// [Bit 31:12] Reserved
+ /// [Bit 30:12] Reserved
///
- UINT32 ReservedBits : 21;
+ UINT32 ReservedBits : 20;
+
+ ///
+ /// [Bit 31] SEV-SNP Cache Coherency Mitigation is not needed
+ ///
+ UINT32 CoherencySfwNo : 1;
} Bits;
///
/// All bit fields as a 32-bit value
--
2.50.1

View File

@ -0,0 +1,48 @@
From 577b49c346e58168a3d13732dea108481aa1f2f7 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 15 Oct 2025 13:17:36 -0400
Subject: [PATCH] OvmfPkg/IoMmuDxe: Fix 1M and 2M buffer handling
RH-Author: Oliver Steffen <osteffen@redhat.com>
RH-MergeRequest: 118: OvmfPkg/IoMmuDxe: Fix 1M and 2M buffer handling
RH-Jira: RHEL-121875
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [1/1] 60631e325d212c237c21932424dee0ee2680236f
The IoMmu keeps a pool of pre-allocated shared buffers in various sizes
to serve requests. Usage is tracked in a bitmap.
The bitmap masks for the 1M and 2M buffer pools are incorrect, causing
the same buffers getting handed out repeatedly, causing corrupted device
accesses.
The masks needs to be kept in sync with mReservedMemRanges below.
This sets the correct values for:
- RESERVED_MEM_BITMAP_1M_MASK = (1 << 14) = 0x4000
- RESERVED_MEM_BITMAP_2M_MASK = (1 << 15) | (1 << 16) = 0x18000
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
(cherry picked from commit e27cfda33b429762975215cccba5837ee850d18e)
---
OvmfPkg/IoMmuDxe/IoMmuBuffer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
index f8dcd5b7ec..6b9c38cf0d 100644
--- a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
+++ b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
@@ -23,8 +23,8 @@ extern BOOLEAN mReservedSharedMemSupported;
#define RESERVED_MEM_BITMAP_4K_MASK 0xf
#define RESERVED_MEM_BITMAP_32K_MASK 0xff0
#define RESERVED_MEM_BITMAP_128K_MASK 0x3000
-#define RESERVED_MEM_BITMAP_1M_MASK 0x40000
-#define RESERVED_MEM_BITMAP_2M_MASK 0x180000
+#define RESERVED_MEM_BITMAP_1M_MASK 0x4000
+#define RESERVED_MEM_BITMAP_2M_MASK 0x18000
#define RESERVED_MEM_BITMAP_MASK 0x1fffff
/**
--
2.50.1

View File

@ -0,0 +1,276 @@
From 7f0caaab35570e5adfe29e02e30d65412d55dffc Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Tue, 22 Jul 2025 15:06:18 -0500
Subject: [PATCH 4/6] OvmfPkg/MemEncryptSevLib: Check if SEV-SNP coherency
mitigitation is needed
RH-Author: Luigi Leonardi <None>
RH-MergeRequest: 120: OvmfPkg/MemEncryptSevLib: Evict cache lines during SNP memory validation
RH-Jira: RHEL-125104
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [4/4] 81056c6ab2adb53ca17bc26fbd29d228ed1c40bb
CPUID bit Fn8000001F_EBX[31] defines the COHERNECY_SFW_NO CPUID bit that,
when set, indicates that the software mitigation for this vulnerability is
not needed.
Add support to check for this CPUID bit and avoid the mitigation if set.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
OvmfPkg/Include/Library/MemEncryptSevLib.h | 14 +++++
OvmfPkg/Include/WorkArea.h | 5 +-
.../DxeMemEncryptSevLibInternal.c | 54 +++++++++++++++++--
.../PeiMemEncryptSevLibInternal.c | 25 +++++++++
.../SecMemEncryptSevLibInternal.c | 25 +++++++++
.../X64/SnpPageStateChangeInternal.c | 10 ++--
OvmfPkg/ResetVector/Ia32/AmdSev.asm | 10 ++++
OvmfPkg/ResetVector/ResetVector.nasmb | 1 +
8 files changed, 135 insertions(+), 9 deletions(-)
diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
index c5653539d8..d3d4f6fa9a 100644
--- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
+++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
@@ -178,6 +178,20 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
VOID
);
+/**
+ Returns a boolean to indicate whether the SEV-SNP cache line eviction
+ mitigation is needed.
+
+ @retval TRUE Cache line eviction mitigation required
+ @retval FALSE Cache line eviction migigation not required
+
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevSnpDoCoherencyMitigation (
+ VOID
+ );
+
/**
Returns the encryption state of the specified virtual address range.
diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h
index 731ef4a7d0..7de0fe3499 100644
--- a/OvmfPkg/Include/WorkArea.h
+++ b/OvmfPkg/Include/WorkArea.h
@@ -52,6 +52,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA {
// Flags:
// - BIT0 - VC: Indicator that the VC handler was called. It is used
// during the SevFeature detection in OvmfPkg/ResetVector/Ia32/AmdSev.asm
+ // - BIT1 - CSFW_NO: Indicator that the SEV-SNP cache line evication
+ // mitigation is not needed.
//
UINT8 Flags;
UINT8 Reserved[7];
@@ -63,7 +65,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA {
UINT8 WorkBuffer[1024];
} SEC_SEV_ES_WORK_AREA;
-#define SEV_ES_WORK_AREA_VC BIT0
+#define SEV_ES_WORK_AREA_FLAG_VC BIT0
+#define SEV_ES_WORK_AREA_FLAG_CSFW_NO BIT1
//
// The SEV work area definition.
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
index 9947d663de..aace322e5a 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
@@ -18,10 +18,12 @@
#include <Uefi/UefiBaseType.h>
#include <ConfidentialComputingGuestAttr.h>
-STATIC UINT64 mCurrentAttr = 0;
-STATIC BOOLEAN mCurrentAttrRead = FALSE;
-STATIC UINT64 mSevEncryptionMask = 0;
-STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
+STATIC UINT64 mCurrentAttr = 0;
+STATIC BOOLEAN mCurrentAttrRead = FALSE;
+STATIC UINT64 mSevEncryptionMask = 0;
+STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
+STATIC BOOLEAN mSevSnpCoherencySfwNo = FALSE;
+STATIC BOOLEAN mSevSnpCoherencySfwNoRead = FALSE;
/**
The function check if the specified Attr is set.
@@ -180,3 +182,47 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
{
return ConfidentialComputingGuestHas (CCAttrFeatureAmdSevEsDebugVirtualization);
}
+
+/**
+ Returns a boolean to indicate if the CPUID COHERENCY_SFW_NO bit is set.
+
+ @retval TRUE The COHERENCY_SFW_NO bit is set.
+ @retval FALSE The COHERENCY_SFW_NO bit is not set.
+
+**/
+STATIC
+BOOLEAN
+MemEncryptCoherencSfwNo (
+ VOID
+ )
+{
+ CPUID_MEMORY_ENCRYPTION_INFO_EBX RegEbx;
+
+ if (!mSevSnpCoherencySfwNoRead) {
+ AsmCpuid (0x8000001F, NULL, &RegEbx.Uint32, NULL, NULL);
+ if (RegEbx.Bits.CoherencySfwNo == 1) {
+ mSevSnpCoherencySfwNo = TRUE;
+ }
+
+ mSevSnpCoherencySfwNoRead = TRUE;
+ }
+
+ return mSevSnpCoherencySfwNo;
+}
+
+/**
+ Returns a boolean to indicate whether the SEV-SNP cache line eviction
+ mitigation is needed.
+
+ @retval TRUE Cache line eviction mitigation required
+ @retval FALSE Cache line eviction migigation not required
+
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevSnpDoCoherencyMitigation (
+ VOID
+ )
+{
+ return MemEncryptSevSnpIsEnabled () && !MemEncryptCoherencSfwNo ();
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
index f381b9255b..3eeb4831ab 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
@@ -160,3 +160,28 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
}
+
+/**
+ Returns a boolean to indicate whether the SEV-SNP cache line eviction
+ mitigation is needed.
+
+ @retval TRUE Cache line eviction mitigation required
+ @retval FALSE Cache line eviction migigation not required
+
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevSnpDoCoherencyMitigation (
+ VOID
+ )
+{
+ SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
+
+ SevEsWorkArea = GetSevEsWorkArea ();
+ if (SevEsWorkArea == NULL) {
+ return FALSE;
+ }
+
+ return MemEncryptSevSnpIsEnabled () &&
+ ((SevEsWorkArea->Flags & SEV_ES_WORK_AREA_FLAG_CSFW_NO) == 0);
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
index 946bed2ada..05c93de3e5 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
@@ -161,6 +161,31 @@ MemEncryptSevEsDebugVirtualizationIsEnabled (
return Msr.Bits.DebugVirtualization ? TRUE : FALSE;
}
+/**
+ Returns a boolean to indicate whether the SEV-SNP cache line eviction
+ mitigation is needed.
+
+ @retval TRUE Cache line eviction mitigation required
+ @retval FALSE Cache line eviction migigation not required
+
+**/
+BOOLEAN
+EFIAPI
+MemEncryptSevSnpDoCoherencyMitigation (
+ VOID
+ )
+{
+ SEC_SEV_ES_WORK_AREA *SevEsWorkArea;
+
+ SevEsWorkArea = GetSevEsWorkArea ();
+ if (SevEsWorkArea == NULL) {
+ return FALSE;
+ }
+
+ return MemEncryptSevSnpIsEnabled () &&
+ ((SevEsWorkArea->Flags & SEV_ES_WORK_AREA_FLAG_CSFW_NO) == 0);
+}
+
/**
Locate the page range that covers the initial (pre-SMBASE-relocation) SMRAM
Save State Map.
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
index 7b6ba063df..ef3aec4b30 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
@@ -315,10 +315,12 @@ InternalSetPageState (
if (State == SevSnpPagePrivate) {
AmdSvsmSnpPvalidate (Info);
- for (Index = 0; Index <= Info->Header.EndEntry; Index++) {
- Address = LShiftU64 ((UINT64)Info->Entry[Index].GuestFrameNumber, EFI_PAGE_SHIFT);
- RmpPageSize = Info->Entry[Index].PageSize;
- SevEvictCache (Address, RmpPageSize == PvalidatePageSize2MB ? PAGES_PER_2MB_ENTRY : 1);
+ if (MemEncryptSevSnpDoCoherencyMitigation ()) {
+ for (Index = 0; Index <= Info->Header.EndEntry; Index++) {
+ Address = LShiftU64 ((UINT64)Info->Entry[Index].GuestFrameNumber, EFI_PAGE_SHIFT);
+ RmpPageSize = Info->Entry[Index].PageSize;
+ SevEvictCache (Address, RmpPageSize == PvalidatePageSize2MB ? PAGES_PER_2MB_ENTRY : 1);
+ }
}
}
}
diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
index de09a59ef7..22b696419a 100644
--- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
+++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
@@ -249,9 +249,19 @@ ClearSevEsWorkArea:
; Check for SEV memory encryption feature:
; CPUID Fn8000_001F[EAX] - Bit 1
+ ; Check for the COHERENCY_SFW_NO feature:
+ ; CPUID Fn8000_001F[EBX] - Bit 31
; CPUID raises a #VC exception if running as an SEV-ES guest
mov eax, 0x8000001f
cpuid
+
+ ; If COHERENCY_SFW_NO is set, set the CSFW_NO bit in the FLAGS field
+ ; of the workarea (this can be set regardless of whether SEV is enabled).
+ bt ebx, 31
+ jnc CheckSev
+ or byte[SEV_ES_WORK_AREA_FLAGS], SEV_ES_WORK_AREA_FLAG_CSFW_NO
+
+CheckSev:
bt eax, 1
jnc NoSev
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index a63b859f39..956116fbda 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -65,6 +65,7 @@
%define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16)
%define SEV_ES_WORK_AREA_FLAGS (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 24)
%define SEV_ES_WORK_AREA_FLAG_VC 0x01
+%define SEV_ES_WORK_AREA_FLAG_CSFW_NO 0x02
%define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize))
%define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase))
%define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize))
--
2.50.1

View File

@ -0,0 +1,102 @@
From b0742923771293c2366a0bee9ff199c3cae99a56 Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Tue, 12 Aug 2025 14:43:32 -0500
Subject: [PATCH 1/6] OvmfPkg/MemEncryptSevLib: Evict cache lines during SNP
memory validation
RH-Author: Luigi Leonardi <None>
RH-MergeRequest: 120: OvmfPkg/MemEncryptSevLib: Evict cache lines during SNP memory validation
RH-Jira: RHEL-125104
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [1/4] ad17f1ab0d291246a50e2907052ae90f8b63b765
An SNP cache coherency vulnerability may require a mitigation to evict
cache lines after memory has been validated. Perform this mitigation
after having validated memory.
CVE-2024-36331
Signed-off-by: Michael Roth <michael.roth@amd.com>
Co-developed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
.../X64/SnpPageStateChangeInternal.c | 41 ++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
index e073f3937c..7b6ba063df 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c
@@ -22,6 +22,8 @@
#include "SnpPageStateChange.h"
+#define PAGES_PER_2MB_ENTRY 512
+
STATIC
UINTN
MemoryStateToGhcbOp (
@@ -213,6 +215,33 @@ PageStateChange (
}
}
+STATIC
+VOID
+SevEvictCache (
+ IN EFI_PHYSICAL_ADDRESS Address,
+ IN UINTN NumPages
+ )
+{
+ #if defined (__GNUC__) || defined (__clang__)
+ volatile UINT8 Val __attribute__ ((__unused__));
+ #else
+ volatile UINT8 Val;
+ #endif
+ UINT8 *Bytes = (UINT8 *)Address;
+ UINTN PageIdx;
+
+ /*
+ * For SEV guests, a read from the first/last cache-lines of a 4K page
+ * using the guest key is sufficient to cause a flush of all cache-lines
+ * associated with that 4K page without incurring all the overhead of a
+ * full CLFLUSH sequence.
+ */
+ for (PageIdx = 0; PageIdx < NumPages; PageIdx++) {
+ Val = Bytes[PageIdx * SIZE_4KB];
+ Val = Bytes[PageIdx * SIZE_4KB + SIZE_4KB - 1];
+ }
+}
+
/**
The function is used to set the page state when SEV-SNP is active. The page state
transition consist of changing the page ownership in the RMP table, and using the
@@ -231,8 +260,12 @@ InternalSetPageState (
IN UINTN PscBufferSize
)
{
- EFI_PHYSICAL_ADDRESS NextAddress, EndAddress;
+ EFI_PHYSICAL_ADDRESS NextAddress;
+ EFI_PHYSICAL_ADDRESS EndAddress;
+ EFI_PHYSICAL_ADDRESS Address;
SNP_PAGE_STATE_CHANGE_INFO *Info;
+ UINTN RmpPageSize;
+ UINTN Index;
EndAddress = BaseAddress + EFI_PAGES_TO_SIZE (NumPages);
@@ -281,6 +314,12 @@ InternalSetPageState (
//
if (State == SevSnpPagePrivate) {
AmdSvsmSnpPvalidate (Info);
+
+ for (Index = 0; Index <= Info->Header.EndEntry; Index++) {
+ Address = LShiftU64 ((UINT64)Info->Entry[Index].GuestFrameNumber, EFI_PAGE_SHIFT);
+ RmpPageSize = Info->Entry[Index].PageSize;
+ SevEvictCache (Address, RmpPageSize == PvalidatePageSize2MB ? PAGES_PER_2MB_ENTRY : 1);
+ }
}
}
}
--
2.50.1

View File

@ -0,0 +1,98 @@
From f70bc75a9a7f096716e2003da96821f80ad6abbe Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Tue, 22 Jul 2025 13:38:22 -0500
Subject: [PATCH 3/6] OvmfPkg/ResetVector: Make ReceivedVc a flag in SEV-ES
workarea
RH-Author: Luigi Leonardi <None>
RH-MergeRequest: 120: OvmfPkg/MemEncryptSevLib: Evict cache lines during SNP memory validation
RH-Jira: RHEL-125104
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [3/4] 1a275cdbdad997cacc2e201de3012b4326b046d0
In preparation for adding another indicator flag, change the ReceivedVc
field into a flags field. Since the code is used by both assembler and
C files, use bitmasks for field definitions. The VC flag is bit 0.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
OvmfPkg/Include/WorkArea.h | 10 ++++++----
OvmfPkg/ResetVector/Ia32/AmdSev.asm | 10 +++++-----
OvmfPkg/ResetVector/ResetVector.nasmb | 3 ++-
3 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h
index e3b415db2c..731ef4a7d0 100644
--- a/OvmfPkg/Include/WorkArea.h
+++ b/OvmfPkg/Include/WorkArea.h
@@ -49,11 +49,11 @@ typedef struct _SEC_SEV_ES_WORK_AREA {
UINT64 EncryptionMask;
+ // Flags:
+ // - BIT0 - VC: Indicator that the VC handler was called. It is used
+ // during the SevFeature detection in OvmfPkg/ResetVector/Ia32/AmdSev.asm
//
- // Indicator that the VC handler is called. It is used during the SevFeature
- // detection in OvmfPkg/ResetVector/Ia32/AmdSev.c
- //
- UINT8 ReceivedVc;
+ UINT8 Flags;
UINT8 Reserved[7];
// Used by SEC to generate Page State Change requests. This should be
@@ -63,6 +63,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA {
UINT8 WorkBuffer[1024];
} SEC_SEV_ES_WORK_AREA;
+#define SEV_ES_WORK_AREA_VC BIT0
+
//
// The SEV work area definition.
//
diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
index 827c874312..de09a59ef7 100644
--- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
+++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
@@ -306,9 +306,9 @@ NoSev:
; Perform an SEV-ES sanity check by seeing if a #VC exception occurred.
;
; If SEV-ES is enabled, the CPUID instruction will trigger a #VC exception
- ; where the RECEIVED_VC offset in the workarea will be set to one.
+ ; where the VC bit in the FLAGS field in the workarea will be set to one.
;
- cmp byte[SEV_ES_WORK_AREA_RECEIVED_VC], 0
+ test byte[SEV_ES_WORK_AREA_FLAGS], SEV_ES_WORK_AREA_FLAG_VC
jz NoSevPass
;
@@ -402,9 +402,9 @@ SevEsIdtVmmComm:
; If we're here, then we are an SEV-ES guest and this
; was triggered by a CPUID instruction
;
- ; Set the recievedVc field in the workarea to communicate that
- ; a #VC was taken.
- mov byte[SEV_ES_WORK_AREA_RECEIVED_VC], 1
+ ; Set the VC bit in the FLAGS field in the workarea to communicate
+ ; that a #VC was taken.
+ or byte[SEV_ES_WORK_AREA_FLAGS], SEV_ES_WORK_AREA_FLAG_VC
pop ecx ; Error code
cmp ecx, 0x72 ; Be sure it was CPUID
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb
index 7279ac64b1..a63b859f39 100644
--- a/OvmfPkg/ResetVector/ResetVector.nasmb
+++ b/OvmfPkg/ResetVector/ResetVector.nasmb
@@ -63,7 +63,8 @@
%define SEV_ES_WORK_AREA_STATUS_MSR (FixedPcdGet32 (PcdSevEsWorkAreaBase))
%define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8)
%define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16)
-%define SEV_ES_WORK_AREA_RECEIVED_VC (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 24)
+%define SEV_ES_WORK_AREA_FLAGS (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 24)
+%define SEV_ES_WORK_AREA_FLAG_VC 0x01
%define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize))
%define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase))
%define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize))
--
2.50.1

View File

@ -6,7 +6,7 @@ ExclusiveArch: x86_64 aarch64
%define TOOLCHAIN GCC
%define OPENSSL_VER 3.0.7
%define OPENSSL_HASH 0205b589887203b065154ddc8e8107c4ac8625a1
%define OPENSSL_HASH 4000c8f49c400db3c5b4e8ccdd9af6cc3d04da19
%define DBXDATE 20250610
@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}
Release: 4%{?dist}
Release: 4.0.1%{?dist}.3
Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and Apache-2.0 and MIT
URL: http://www.tianocore.org
@ -51,6 +51,9 @@ Source45: 60-edk2-ovmf-x64-inteltdx.json
Source80: edk2-build.py
Source82: edk2-build.rhel-9
#Oracle patch
Source1000: 1000-replace-upstream-references.patch
Source90: DBXUpdate-%{DBXDATE}.x64.bin
Patch1: 0003-Remove-paths-leading-to-submodules.patch
Patch2: 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
@ -89,6 +92,16 @@ Patch34: 0036-OvmfPkg-PlatformInitLib-enable-x2apic-mode-if-needed.patch
Patch35: 0037-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch
# For RHEL-70865 - SNP guest failed to boot with SVSM using OVMF.amdsev.fd [rhel-9.7]
Patch36: edk2-OvmfPkg-Use-the-OvmfPkg-version-of-CcProbeLib.patch
# For RHEL-121875 - Fail to create AMD SEV SLES 15 SP4 guest via virt-install --cdrom [rhel-9.7.z]
Patch37: edk2-OvmfPkg-IoMmuDxe-Fix-1M-and-2M-buffer-handling.patch
# For RHEL-125104 - [edk2] VM panic on booting SNP guest with large memory on Genoa [rhel-9.7.z]
Patch38: edk2-OvmfPkg-MemEncryptSevLib-Evict-cache-lines-during-SN.patch
# For RHEL-125104 - [edk2] VM panic on booting SNP guest with large memory on Genoa [rhel-9.7.z]
Patch39: edk2-MdePkg-Add-the-COHERENCY_SFW_NO-CPUID-bit-field.patch
# For RHEL-125104 - [edk2] VM panic on booting SNP guest with large memory on Genoa [rhel-9.7.z]
Patch40: edk2-OvmfPkg-ResetVector-Make-ReceivedVc-a-flag-in-SEV-ES.patch
# For RHEL-125104 - [edk2] VM panic on booting SNP guest with large memory on Genoa [rhel-9.7.z]
Patch41: edk2-OvmfPkg-MemEncryptSevLib-Check-if-SEV-SNP-coherency-.patch
# python3-devel and libuuid-devel are required for building tools.
# python3-devel is also needed for varstore template generation and
@ -200,6 +213,9 @@ cp -a -- %{SOURCE90} .
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
tar -xf %{SOURCE3} --strip-components=1 --directory MdePkg/Library/BaseFdtLib/libfdt
#Apply Oracle patches
patch -p1 < %{SOURCE1000}
# Done by %setup, but we do not use it for the auxiliary tarballs
chmod -Rf a+rX,u+w,g-w,o-w .
@ -424,6 +440,31 @@ install -m 0644 \
%changelog
* Tue Feb 17 2026 EL Errata <el-errata_ww@oracle.com> - 20241117-4.0.1.el9_7.3
- Replace upstream references [Orabug:36569119]
* Mon Nov 17 2025 Jon Maloy <jmaloy@redhat.com> - 20241117-4.el9_7.3
- edk2-OvmfPkg-MemEncryptSevLib-Evict-cache-lines-during-SN.patch [RHEL-125104]
- edk2-MdePkg-Add-the-COHERENCY_SFW_NO-CPUID-bit-field.patch [RHEL-125104]
- edk2-OvmfPkg-ResetVector-Make-ReceivedVc-a-flag-in-SEV-ES.patch [RHEL-125104]
- edk2-OvmfPkg-MemEncryptSevLib-Check-if-SEV-SNP-coherency-.patch [RHEL-125104]
- edk2-openssl-flatten-contents-of-openssl-tarball.patch [RHEL-115923]
- edk2-Bumped-openssl-submodule-to-version-3.0.7-29.1.patch [RHEL-115923]
- Resolves: RHEL-125104
([edk2] VM panic on booting SNP guest with large memory on Genoa [rhel-9.7.z])
- Resolves: RHEL-115923
(CVE-2025-9230 edk2: Out-of-bounds read & write in RFC 3211 KEK Unwrap [rhel-9.7.z])
* Thu Oct 30 2025 Jon Maloy <jmaloy@redhat.com> - 20241117-4.el9_7.2
- edk2-OvmfPkg-IoMmuDxe-Fix-1M-and-2M-buffer-handling.patch [RHEL-121875]
- Resolves: RHEL-121875
(Fail to create AMD SEV SLES 15 SP4 guest via virt-install --cdrom [rhel-9.7.z])
* Tue Oct 28 2025 Jon Maloy <jmaloy@redhat.com> - 20241117-4.el9_7.1
- edk2-OvmfPkg-IoMmuDxe-Fix-1M-and-2M-buffer-handling.patch [RHEL-121875]
- Resolves: RHEL-121875
(Fail to create AMD SEV SLES 15 SP4 guest via virt-install --cdrom [rhel-9.7.z])
* Fri Jul 04 2025 Miroslav Rezanina <mrezanin@redhat.com> - 20241117-4
- edk2-update-dbx-to-20250610.patch [RHEL-96869]
- Resolves: RHEL-96869