rpms/edk2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fixes for AMD SEV on OVMF_CODE.fd; add Provides for bundled OpenSSL

Browse Source
This commit is contained in:
Paolo Bonzini 2018-07-23 10:57:29 +02:00
parent 720bc3e5a3
commit 83f3ca8d0b
5 changed files with 423 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
0055-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-mark-Flash-me.patch Normal file
View File

@ -0,0 +1,96 @@
From 966363d5a34839399e3d9f68d4f4efb4b1a9ec66 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Fri, 6 Jul 2018 10:00:40 -0500
Subject: [PATCH] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: mark Flash memory
range as MMIO
The flash memory range is an IO address and should be presented as Memory
Mapped IO in EFI Runtime mapping. This information can be used by OS
when mapping the flash memory range.
It is especially helpful in SEV guest case, in which IO addresses should
be mapped as unencrypted. If memory region is not marked as MMIO then OS
maps the range as encrypted.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien.grall@linaro.org>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
---
.../FwBlockService.c | 30 ++++++++++++++-----
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
index 558b395dff..b3f428bb42 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
@@ -831,12 +831,13 @@ ValidateFvHeader (
STATIC
EFI_STATUS
-MarkMemoryRangeForRuntimeAccess (
+MarkIoMemoryRangeForRuntimeAccess (
EFI_PHYSICAL_ADDRESS BaseAddress,
UINTN Length
)
{
EFI_STATUS Status;
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor;
//
// Mark flash region as runtime memory
@@ -847,18 +848,31 @@ MarkMemoryRangeForRuntimeAccess (
);
Status = gDS->AddMemorySpace (
- EfiGcdMemoryTypeSystemMemory,
+ EfiGcdMemoryTypeMemoryMappedIo,
BaseAddress,
Length,
EFI_MEMORY_UC | EFI_MEMORY_RUNTIME
);
ASSERT_EFI_ERROR (Status);
- Status = gBS->AllocatePages (
- AllocateAddress,
- EfiRuntimeServicesData,
- EFI_SIZE_TO_PAGES (Length),
- &BaseAddress
+ Status = gDS->AllocateMemorySpace (
+ EfiGcdAllocateAddress,
+ EfiGcdMemoryTypeMemoryMappedIo,
+ 0,
+ Length,
+ &BaseAddress,
+ gImageHandle,
+ NULL
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor);
+ ASSERT_EFI_ERROR (Status);
+
+ Status = gDS->SetMemorySpaceAttributes (
+ BaseAddress,
+ Length,
+ GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
);
ASSERT_EFI_ERROR (Status);
@@ -1091,7 +1105,7 @@ FvbInitialize (
//
InstallProtocolInterfaces (FvbDevice);
- MarkMemoryRangeForRuntimeAccess (BaseAddress, Length);
+ MarkIoMemoryRangeForRuntimeAccess (BaseAddress, Length);
//
// Set several PCD values to point to flash
--
2.17.1

191
0056-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Do-not-expose.patch Normal file
View File

@ -0,0 +1,191 @@
From 3b3d016b7b867d7e4782af9a6b54e110d155a1b3 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Fri, 6 Jul 2018 10:00:41 -0500
Subject: [PATCH] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Do not expose
MMIO in SMM build
In the SMM build, only an SMM driver is using the address range hence we
do not need to expose the flash MMIO range in EFI runtime mapping.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien.grall@linaro.org>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
---
.../FwBlockService.h | 7 +++
.../FwBlockService.c | 50 -------------------
.../FwBlockServiceDxe.c | 50 +++++++++++++++++++
.../FwBlockServiceSmm.c | 13 +++++
4 files changed, 70 insertions(+), 50 deletions(-)
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h
index 1f9287b087..178f578d49 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h
@@ -189,4 +189,11 @@ VOID
InstallVirtualAddressChangeHandler (
VOID
);
+
+EFI_STATUS
+MarkIoMemoryRangeForRuntimeAccess (
+ IN EFI_PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN Length
+ );
+
#endif
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
index b3f428bb42..eec8b1b1ae 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
@@ -829,56 +829,6 @@ ValidateFvHeader (
return EFI_SUCCESS;
}
-STATIC
-EFI_STATUS
-MarkIoMemoryRangeForRuntimeAccess (
- EFI_PHYSICAL_ADDRESS BaseAddress,
- UINTN Length
- )
-{
- EFI_STATUS Status;
- EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor;
-
- //
- // Mark flash region as runtime memory
- //
- Status = gDS->RemoveMemorySpace (
- BaseAddress,
- Length
- );
-
- Status = gDS->AddMemorySpace (
- EfiGcdMemoryTypeMemoryMappedIo,
- BaseAddress,
- Length,
- EFI_MEMORY_UC | EFI_MEMORY_RUNTIME
- );
- ASSERT_EFI_ERROR (Status);
-
- Status = gDS->AllocateMemorySpace (
- EfiGcdAllocateAddress,
- EfiGcdMemoryTypeMemoryMappedIo,
- 0,
- Length,
- &BaseAddress,
- gImageHandle,
- NULL
- );
- ASSERT_EFI_ERROR (Status);
-
- Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor);
- ASSERT_EFI_ERROR (Status);
-
- Status = gDS->SetMemorySpaceAttributes (
- BaseAddress,
- Length,
- GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
- );
- ASSERT_EFI_ERROR (Status);
-
- return Status;
-}
-
STATIC
EFI_STATUS
InitializeVariableFvHeader (
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
index 63b308658e..37deece363 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
@@ -17,6 +17,7 @@
#include <Guid/EventGroup.h>
#include <Library/DebugLib.h>
#include <Library/DevicePathLib.h>
+#include <Library/DxeServicesTableLib.h>
#include <Library/PcdLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiRuntimeLib.h>
@@ -155,3 +156,52 @@ InstallVirtualAddressChangeHandler (
);
ASSERT_EFI_ERROR (Status);
}
+
+EFI_STATUS
+MarkIoMemoryRangeForRuntimeAccess (
+ IN EFI_PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN Length
+ )
+{
+ EFI_STATUS Status;
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor;
+
+ //
+ // Mark flash region as runtime memory
+ //
+ Status = gDS->RemoveMemorySpace (
+ BaseAddress,
+ Length
+ );
+
+ Status = gDS->AddMemorySpace (
+ EfiGcdMemoryTypeMemoryMappedIo,
+ BaseAddress,
+ Length,
+ EFI_MEMORY_UC | EFI_MEMORY_RUNTIME
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ Status = gDS->AllocateMemorySpace (
+ EfiGcdAllocateAddress,
+ EfiGcdMemoryTypeMemoryMappedIo,
+ 0,
+ Length,
+ &BaseAddress,
+ gImageHandle,
+ NULL
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor);
+ ASSERT_EFI_ERROR (Status);
+
+ Status = gDS->SetMemorySpaceAttributes (
+ BaseAddress,
+ Length,
+ GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ return Status;
+}
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c
index e0617f2503..af08fa69d4 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c
@@ -67,3 +67,16 @@ InstallVirtualAddressChangeHandler (
// Nothing.
//
}
+
+EFI_STATUS
+MarkIoMemoryRangeForRuntimeAccess (
+ IN EFI_PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN Length
+ )
+{
+ //
+ // Nothing
+ //
+
+ return EFI_SUCCESS;
+}
--
2.17.1

73
0057-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Restore-C-bit.patch Normal file
View File

@ -0,0 +1,73 @@
From 75b7aa9528bdd05a7ecf4e64a6beb478d31b402c Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Fri, 6 Jul 2018 10:00:42 -0500
Subject: [PATCH] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Restore C-bit
when SEV is active
AmdSevDxe maps the flash memory range with C=0, but
SetMemorySpaceAttributes() unconditionally resets the C-bit to '1'. Lets
restore the mapping back to C=0.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien.grall@linaro.org>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
---
.../FvbServicesRuntimeDxe.inf | 1 +
.../FwBlockServiceDxe.c | 17 +++++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
index d7b4ec06c4..86b244a009 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
@@ -53,6 +53,7 @@ [LibraryClasses]
DebugLib
DevicePathLib
DxeServicesTableLib
+ MemEncryptSevLib
MemoryAllocationLib
PcdLib
UefiBootServicesTableLib
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
index 37deece363..1fbe1342a5 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c
@@ -18,6 +18,7 @@
#include <Library/DebugLib.h>
#include <Library/DevicePathLib.h>
#include <Library/DxeServicesTableLib.h>
+#include <Library/MemEncryptSevLib.h>
#include <Library/PcdLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiRuntimeLib.h>
@@ -203,5 +204,21 @@ MarkIoMemoryRangeForRuntimeAccess (
);
ASSERT_EFI_ERROR (Status);
+ //
+ // When SEV is active, AmdSevDxe mapped the BaseAddress with C=0 but
+ // SetMemorySpaceAttributes() remaps the range with C=1. Let's restore
+ // the mapping so that both guest and hyervisor can access the flash
+ // memory range.
+ //
+ if (MemEncryptSevIsEnabled ()) {
+ Status = MemEncryptSevClearPageEncMask (
+ 0,
+ BaseAddress,
+ EFI_SIZE_TO_PAGES (Length),
+ FALSE
+ );
+ ASSERT_EFI_ERROR (Status);
+ }
+
return Status;
}
--
2.17.1

51
0058-MdeModulePkg-Variable-Check-EFI_MEMORY_RUNTIME-attri.patch Normal file
View File

@ -0,0 +1,51 @@
From f88290964fe528ffeb67ff108e8174fc2ce52741 Mon Sep 17 00:00:00 2001
From: Brijesh Singh <brijesh.singh@amd.com>
Date: Wed, 4 Jul 2018 10:02:16 +0800
Subject: [PATCH] MdeModulePkg/Variable: Check EFI_MEMORY_RUNTIME attribute
before setting it
Set the EFI_MEMORY_RUNTIME attribute in FtwNotificationEvent() only if
the attribute is not already present. This will ensure that the attributes
set by the platform drivers (e.g Ovmf pflash) is not lost.
Cc: Dong Eric <eric.dong@intel.com>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Zeng Star <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Reviewed-by: Star Zeng <star.zeng@intel.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
.../Universal/Variable/RuntimeDxe/VariableDxe.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 6b04f4f7b3..23186176be 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -412,13 +412,15 @@ FtwNotificationEvent (
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_WARN, "Variable driver failed to get flash memory attribute.\n"));
} else {
- Status = gDS->SetMemorySpaceAttributes (
- BaseAddress,
- Length,
- GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_WARN, "Variable driver failed to add EFI_MEMORY_RUNTIME attribute to Flash.\n"));
+ if ((GcdDescriptor.Attributes & EFI_MEMORY_RUNTIME) == 0) {
+ Status = gDS->SetMemorySpaceAttributes (
+ BaseAddress,
+ Length,
+ GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_WARN, "Variable driver failed to add EFI_MEMORY_RUNTIME attribute to Flash.\n"));
+ }
}
}
--
2.17.1

13
edk2.spec
View File

@ -35,7 +35,7 @@
Name: edk2
Version: %{edk2_date}git%{edk2_githash}
Release: 4%{dist}
Release: 5%{dist}
Summary: EFI Development Kit II
Group: Applications/Emulators
@ -74,6 +74,10 @@ Patch0051: 0051-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch
Patch0052: 0052-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch
Patch0053: 0053-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch
Patch0054: 0054-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch
Patch0055: 0055-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-mark-Flash-me.patch
Patch0056: 0056-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Do-not-expose.patch
Patch0057: 0057-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Restore-C-bit.patch
Patch0058: 0058-MdeModulePkg-Variable-Check-EFI_MEMORY_RUNTIME-attri.patch
%if 0%{?cross:1}
# Tweak the tools_def to support cross-compiling.
@ -171,6 +175,7 @@ Summary: Open Virtual Machine Firmware
# OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL
# library.
License: BSD and OpenSSL
Provides: bundled(openssl)
Provides: OVMF = %{version}-%{release}
Obsoletes: OVMF < %{version}-%{release}
BuildArch: noarch
@ -185,6 +190,7 @@ Summary: Open Virtual Machine Firmware
# OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL
# library.
License: BSD and OpenSSL
Provides: bundled(openssl)
BuildArch: noarch
%description ovmf-ia32
EFI Development Kit II
@ -199,6 +205,7 @@ Obsoletes: AAVMF < %{version}-%{release}
BuildArch: noarch
# No Secure Boot for AAVMF yet, but we include OpenSSL for the IPv6 stack.
License: BSD and OpenSSL
Provides: bundled(openssl)
%description aarch64
EFI Development Kit II
AARCH64 UEFI Firmware
@ -519,6 +526,10 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_
%changelog
* Mon Jul 23 2018 Paolo Bonzini <pbonzini@redhat.com> - 20180529gitee3198e672e2-5
- Fixes for AMD SEV on OVMF_CODE.fd
- Add Provides for bundled OpenSSL
* Wed Jul 18 2018 Paolo Bonzini <pbonzini@redhat.com> - 20180529gitee3198e672e2-4
- Enable IPv6