From 83f3ca8d0b80290055c97d6dbbbaeba29cef53f4 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Mon, 23 Jul 2018 10:57:29 +0200 Subject: [PATCH] Fixes for AMD SEV on OVMF_CODE.fd; add Provides for bundled OpenSSL --- ...hFvbServicesRuntimeDxe-mark-Flash-me.patch | 96 +++++++++ ...hFvbServicesRuntimeDxe-Do-not-expose.patch | 191 ++++++++++++++++++ ...hFvbServicesRuntimeDxe-Restore-C-bit.patch | 73 +++++++ ...iable-Check-EFI_MEMORY_RUNTIME-attri.patch | 51 +++++ edk2.spec | 13 +- 5 files changed, 423 insertions(+), 1 deletion(-) create mode 100644 0055-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-mark-Flash-me.patch create mode 100644 0056-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Do-not-expose.patch create mode 100644 0057-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Restore-C-bit.patch create mode 100644 0058-MdeModulePkg-Variable-Check-EFI_MEMORY_RUNTIME-attri.patch diff --git a/0055-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-mark-Flash-me.patch b/0055-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-mark-Flash-me.patch new file mode 100644 index 0000000..f054242 --- /dev/null +++ b/0055-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-mark-Flash-me.patch @@ -0,0 +1,96 @@ +From 966363d5a34839399e3d9f68d4f4efb4b1a9ec66 Mon Sep 17 00:00:00 2001 +From: Brijesh Singh +Date: Fri, 6 Jul 2018 10:00:40 -0500 +Subject: [PATCH] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: mark Flash memory + range as MMIO + +The flash memory range is an IO address and should be presented as Memory +Mapped IO in EFI Runtime mapping. This information can be used by OS +when mapping the flash memory range. + +It is especially helpful in SEV guest case, in which IO addresses should +be mapped as unencrypted. If memory region is not marked as MMIO then OS +maps the range as encrypted. + +Cc: Ard Biesheuvel +Cc: Anthony Perard +Cc: Julien Grall +Cc: Justen Jordan L +Cc: Laszlo Ersek +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Brijesh Singh +Reviewed-by: Laszlo Ersek +Regression-tested-by: Laszlo Ersek +--- + .../FwBlockService.c | 30 ++++++++++++++----- + 1 file changed, 22 insertions(+), 8 deletions(-) + +diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c +index 558b395dff..b3f428bb42 100644 +--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c ++++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c +@@ -831,12 +831,13 @@ ValidateFvHeader ( + + STATIC + EFI_STATUS +-MarkMemoryRangeForRuntimeAccess ( ++MarkIoMemoryRangeForRuntimeAccess ( + EFI_PHYSICAL_ADDRESS BaseAddress, + UINTN Length + ) + { + EFI_STATUS Status; ++ EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor; + + // + // Mark flash region as runtime memory +@@ -847,18 +848,31 @@ MarkMemoryRangeForRuntimeAccess ( + ); + + Status = gDS->AddMemorySpace ( +- EfiGcdMemoryTypeSystemMemory, ++ EfiGcdMemoryTypeMemoryMappedIo, + BaseAddress, + Length, + EFI_MEMORY_UC | EFI_MEMORY_RUNTIME + ); + ASSERT_EFI_ERROR (Status); + +- Status = gBS->AllocatePages ( +- AllocateAddress, +- EfiRuntimeServicesData, +- EFI_SIZE_TO_PAGES (Length), +- &BaseAddress ++ Status = gDS->AllocateMemorySpace ( ++ EfiGcdAllocateAddress, ++ EfiGcdMemoryTypeMemoryMappedIo, ++ 0, ++ Length, ++ &BaseAddress, ++ gImageHandle, ++ NULL ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = gDS->SetMemorySpaceAttributes ( ++ BaseAddress, ++ Length, ++ GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME + ); + ASSERT_EFI_ERROR (Status); + +@@ -1091,7 +1105,7 @@ FvbInitialize ( + // + InstallProtocolInterfaces (FvbDevice); + +- MarkMemoryRangeForRuntimeAccess (BaseAddress, Length); ++ MarkIoMemoryRangeForRuntimeAccess (BaseAddress, Length); + + // + // Set several PCD values to point to flash +-- +2.17.1 + diff --git a/0056-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Do-not-expose.patch b/0056-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Do-not-expose.patch new file mode 100644 index 0000000..3acfb6b --- /dev/null +++ b/0056-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Do-not-expose.patch @@ -0,0 +1,191 @@ +From 3b3d016b7b867d7e4782af9a6b54e110d155a1b3 Mon Sep 17 00:00:00 2001 +From: Brijesh Singh +Date: Fri, 6 Jul 2018 10:00:41 -0500 +Subject: [PATCH] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Do not expose + MMIO in SMM build + +In the SMM build, only an SMM driver is using the address range hence we +do not need to expose the flash MMIO range in EFI runtime mapping. + +Cc: Ard Biesheuvel +Cc: Anthony Perard +Cc: Julien Grall +Cc: Justen Jordan L +Cc: Laszlo Ersek +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Brijesh Singh +Reviewed-by: Laszlo Ersek +Regression-tested-by: Laszlo Ersek +--- + .../FwBlockService.h | 7 +++ + .../FwBlockService.c | 50 ------------------- + .../FwBlockServiceDxe.c | 50 +++++++++++++++++++ + .../FwBlockServiceSmm.c | 13 +++++ + 4 files changed, 70 insertions(+), 50 deletions(-) + +diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h +index 1f9287b087..178f578d49 100644 +--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h ++++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.h +@@ -189,4 +189,11 @@ VOID + InstallVirtualAddressChangeHandler ( + VOID + ); ++ ++EFI_STATUS ++MarkIoMemoryRangeForRuntimeAccess ( ++ IN EFI_PHYSICAL_ADDRESS BaseAddress, ++ IN UINTN Length ++ ); ++ + #endif +diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c +index b3f428bb42..eec8b1b1ae 100644 +--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c ++++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c +@@ -829,56 +829,6 @@ ValidateFvHeader ( + return EFI_SUCCESS; + } + +-STATIC +-EFI_STATUS +-MarkIoMemoryRangeForRuntimeAccess ( +- EFI_PHYSICAL_ADDRESS BaseAddress, +- UINTN Length +- ) +-{ +- EFI_STATUS Status; +- EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor; +- +- // +- // Mark flash region as runtime memory +- // +- Status = gDS->RemoveMemorySpace ( +- BaseAddress, +- Length +- ); +- +- Status = gDS->AddMemorySpace ( +- EfiGcdMemoryTypeMemoryMappedIo, +- BaseAddress, +- Length, +- EFI_MEMORY_UC | EFI_MEMORY_RUNTIME +- ); +- ASSERT_EFI_ERROR (Status); +- +- Status = gDS->AllocateMemorySpace ( +- EfiGcdAllocateAddress, +- EfiGcdMemoryTypeMemoryMappedIo, +- 0, +- Length, +- &BaseAddress, +- gImageHandle, +- NULL +- ); +- ASSERT_EFI_ERROR (Status); +- +- Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor); +- ASSERT_EFI_ERROR (Status); +- +- Status = gDS->SetMemorySpaceAttributes ( +- BaseAddress, +- Length, +- GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME +- ); +- ASSERT_EFI_ERROR (Status); +- +- return Status; +-} +- + STATIC + EFI_STATUS + InitializeVariableFvHeader ( +diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c +index 63b308658e..37deece363 100644 +--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c ++++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -155,3 +156,52 @@ InstallVirtualAddressChangeHandler ( + ); + ASSERT_EFI_ERROR (Status); + } ++ ++EFI_STATUS ++MarkIoMemoryRangeForRuntimeAccess ( ++ IN EFI_PHYSICAL_ADDRESS BaseAddress, ++ IN UINTN Length ++ ) ++{ ++ EFI_STATUS Status; ++ EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor; ++ ++ // ++ // Mark flash region as runtime memory ++ // ++ Status = gDS->RemoveMemorySpace ( ++ BaseAddress, ++ Length ++ ); ++ ++ Status = gDS->AddMemorySpace ( ++ EfiGcdMemoryTypeMemoryMappedIo, ++ BaseAddress, ++ Length, ++ EFI_MEMORY_UC | EFI_MEMORY_RUNTIME ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = gDS->AllocateMemorySpace ( ++ EfiGcdAllocateAddress, ++ EfiGcdMemoryTypeMemoryMappedIo, ++ 0, ++ Length, ++ &BaseAddress, ++ gImageHandle, ++ NULL ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor); ++ ASSERT_EFI_ERROR (Status); ++ ++ Status = gDS->SetMemorySpaceAttributes ( ++ BaseAddress, ++ Length, ++ GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME ++ ); ++ ASSERT_EFI_ERROR (Status); ++ ++ return Status; ++} +diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c +index e0617f2503..af08fa69d4 100644 +--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c ++++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c +@@ -67,3 +67,16 @@ InstallVirtualAddressChangeHandler ( + // Nothing. + // + } ++ ++EFI_STATUS ++MarkIoMemoryRangeForRuntimeAccess ( ++ IN EFI_PHYSICAL_ADDRESS BaseAddress, ++ IN UINTN Length ++ ) ++{ ++ // ++ // Nothing ++ // ++ ++ return EFI_SUCCESS; ++} +-- +2.17.1 + diff --git a/0057-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Restore-C-bit.patch b/0057-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Restore-C-bit.patch new file mode 100644 index 0000000..62c05d8 --- /dev/null +++ b/0057-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Restore-C-bit.patch @@ -0,0 +1,73 @@ +From 75b7aa9528bdd05a7ecf4e64a6beb478d31b402c Mon Sep 17 00:00:00 2001 +From: Brijesh Singh +Date: Fri, 6 Jul 2018 10:00:42 -0500 +Subject: [PATCH] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Restore C-bit + when SEV is active + +AmdSevDxe maps the flash memory range with C=0, but +SetMemorySpaceAttributes() unconditionally resets the C-bit to '1'. Lets +restore the mapping back to C=0. + +Cc: Ard Biesheuvel +Cc: Anthony Perard +Cc: Julien Grall +Cc: Justen Jordan L +Cc: Laszlo Ersek +Contributed-under: TianoCore Contribution Agreement 1.1 +Signed-off-by: Brijesh Singh +Reviewed-by: Laszlo Ersek +Regression-tested-by: Laszlo Ersek +--- + .../FvbServicesRuntimeDxe.inf | 1 + + .../FwBlockServiceDxe.c | 17 +++++++++++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf +index d7b4ec06c4..86b244a009 100644 +--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf ++++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf +@@ -53,6 +53,7 @@ [LibraryClasses] + DebugLib + DevicePathLib + DxeServicesTableLib ++ MemEncryptSevLib + MemoryAllocationLib + PcdLib + UefiBootServicesTableLib +diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c +index 37deece363..1fbe1342a5 100644 +--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c ++++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -203,5 +204,21 @@ MarkIoMemoryRangeForRuntimeAccess ( + ); + ASSERT_EFI_ERROR (Status); + ++ // ++ // When SEV is active, AmdSevDxe mapped the BaseAddress with C=0 but ++ // SetMemorySpaceAttributes() remaps the range with C=1. Let's restore ++ // the mapping so that both guest and hyervisor can access the flash ++ // memory range. ++ // ++ if (MemEncryptSevIsEnabled ()) { ++ Status = MemEncryptSevClearPageEncMask ( ++ 0, ++ BaseAddress, ++ EFI_SIZE_TO_PAGES (Length), ++ FALSE ++ ); ++ ASSERT_EFI_ERROR (Status); ++ } ++ + return Status; + } +-- +2.17.1 + diff --git a/0058-MdeModulePkg-Variable-Check-EFI_MEMORY_RUNTIME-attri.patch b/0058-MdeModulePkg-Variable-Check-EFI_MEMORY_RUNTIME-attri.patch new file mode 100644 index 0000000..cfdff0a --- /dev/null +++ b/0058-MdeModulePkg-Variable-Check-EFI_MEMORY_RUNTIME-attri.patch @@ -0,0 +1,51 @@ +From f88290964fe528ffeb67ff108e8174fc2ce52741 Mon Sep 17 00:00:00 2001 +From: Brijesh Singh +Date: Wed, 4 Jul 2018 10:02:16 +0800 +Subject: [PATCH] MdeModulePkg/Variable: Check EFI_MEMORY_RUNTIME attribute + before setting it + +Set the EFI_MEMORY_RUNTIME attribute in FtwNotificationEvent() only if +the attribute is not already present. This will ensure that the attributes +set by the platform drivers (e.g Ovmf pflash) is not lost. + +Cc: Dong Eric +Cc: Justen Jordan L +Cc: Zeng Star +Cc: Laszlo Ersek +Contributed-under: TianoCore Contribution Agreement 1.1 +Reviewed-by: Star Zeng +Signed-off-by: Brijesh Singh +--- + .../Universal/Variable/RuntimeDxe/VariableDxe.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c +index 6b04f4f7b3..23186176be 100644 +--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c ++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c +@@ -412,13 +412,15 @@ FtwNotificationEvent ( + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_WARN, "Variable driver failed to get flash memory attribute.\n")); + } else { +- Status = gDS->SetMemorySpaceAttributes ( +- BaseAddress, +- Length, +- GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME +- ); +- if (EFI_ERROR (Status)) { +- DEBUG ((DEBUG_WARN, "Variable driver failed to add EFI_MEMORY_RUNTIME attribute to Flash.\n")); ++ if ((GcdDescriptor.Attributes & EFI_MEMORY_RUNTIME) == 0) { ++ Status = gDS->SetMemorySpaceAttributes ( ++ BaseAddress, ++ Length, ++ GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME ++ ); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_WARN, "Variable driver failed to add EFI_MEMORY_RUNTIME attribute to Flash.\n")); ++ } + } + } + +-- +2.17.1 + diff --git a/edk2.spec b/edk2.spec index 505adfe..0d615db 100644 --- a/edk2.spec +++ b/edk2.spec @@ -35,7 +35,7 @@ Name: edk2 Version: %{edk2_date}git%{edk2_githash} -Release: 4%{dist} +Release: 5%{dist} Summary: EFI Development Kit II Group: Applications/Emulators @@ -74,6 +74,10 @@ Patch0051: 0051-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch Patch0052: 0052-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch Patch0053: 0053-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch Patch0054: 0054-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch +Patch0055: 0055-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-mark-Flash-me.patch +Patch0056: 0056-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Do-not-expose.patch +Patch0057: 0057-OvmfPkg-QemuFlashFvbServicesRuntimeDxe-Restore-C-bit.patch +Patch0058: 0058-MdeModulePkg-Variable-Check-EFI_MEMORY_RUNTIME-attri.patch %if 0%{?cross:1} # Tweak the tools_def to support cross-compiling. @@ -171,6 +175,7 @@ Summary: Open Virtual Machine Firmware # OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL # library. License: BSD and OpenSSL +Provides: bundled(openssl) Provides: OVMF = %{version}-%{release} Obsoletes: OVMF < %{version}-%{release} BuildArch: noarch @@ -185,6 +190,7 @@ Summary: Open Virtual Machine Firmware # OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL # library. License: BSD and OpenSSL +Provides: bundled(openssl) BuildArch: noarch %description ovmf-ia32 EFI Development Kit II @@ -199,6 +205,7 @@ Obsoletes: AAVMF < %{version}-%{release} BuildArch: noarch # No Secure Boot for AAVMF yet, but we include OpenSSL for the IPv6 stack. License: BSD and OpenSSL +Provides: bundled(openssl) %description aarch64 EFI Development Kit II AARCH64 UEFI Firmware @@ -519,6 +526,10 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %changelog +* Mon Jul 23 2018 Paolo Bonzini - 20180529gitee3198e672e2-5 +- Fixes for AMD SEV on OVMF_CODE.fd +- Add Provides for bundled OpenSSL + * Wed Jul 18 2018 Paolo Bonzini - 20180529gitee3198e672e2-4 - Enable IPv6