From 86c3fb820c65c128c833260152e2d9e3ce29c263 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Thu, 24 Aug 2023 04:43:25 -0400
Subject: [PATCH] * Thu Aug 24 2023 Miroslav Rezanina - 20230524-3

- edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch [bz#2190244]
- edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch [bz#2211060]
- edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch [bz#2218196]
- Resolves: bz#2190244 ([EDK2] [AMDSERVER 9.3 Bug] OVMF AP Creation Fixes)
- Resolves: bz#2211060 (SEV-es guest randomly stuck at boot to hard drive screen from powerdown and boot again)
- Resolves: bz#2218196 (Add vtpm devices with OVMF.amdsev.fd causes VM reset)
---
 ...ix-BdsPlatform.c-assertion-failure-d.patch | 88 +++++++++++++
 ...Dxe-Shim-Reboot-workaround-RHEL-only.patch | 120 ++++++++++++++++++
 ...-add-locking-to-IoMmuAllocateBounceB.patch | 79 ++++++++++++
 edk2.spec | 19 ++-
 4 files changed, 305 insertions(+), 1 deletion(-)
 create mode 100644 edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
 create mode 100644 edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
 create mode 100644 edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch

diff --git a/edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch b/edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
new file mode 100644
index 0000000..24bf75e
--- /dev/null
+++ b/edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
@@ -0,0 +1,88 @@
+From 673ed284a598bf94d39f01f118158e55e5c04645 Mon Sep 17 00:00:00 2001
+From: Michael Roth
+Date: Wed, 16 Aug 2023 15:11:45 -0500
+Subject: [PATCH 1/3] OvmfPkg/AmdSev: fix BdsPlatform.c assertion failure
+ during boot
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 44: OvmfPkg/AmdSev: fix BdsPlatform.c assertion failure during boot
+RH-Bugzilla: 2190244
+RH-Acked-by: Oliver Steffen
+RH-Commit: [1/1] 44f18b2324cbd4aa1840613d9a8d19f0fbec7b1b (kraxel.rh/centos-src-edk2)
+
+Booting an SEV guest with AmdSev OVMF package currently triggers the
+following assertion with QEMU:
+
+ InstallQemuFwCfgTables: installed 7 tables
+ PcRtc: Write 0x20 to CMOS location 0x32
+ [Variable]END_OF_DXE is signaled
+ Initialize variable error flag (FF)
+
+ ASSERT_EFI_ERROR (Status = Not Found)
+ ASSERT [BdsDxe] /home/VT_BUILD/ovmf/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c(1711): !(((INTN)(RETURN_STATUS)(Status)) < 0)
+
+This seems to be due to commit 81dc0d8b4c, which switched to using
+PlatformBootManagerLib instead of PlatformBootManagerLibGrub. That
+pulls in a dependency on gEfiS3SaveStateProtocolGuid provider being
+available (which is asserted for in
+BdsPlatform.c:PlatformBootManagerBeforeConsole()/SaveS3BootScript()),
+but the libraries that provide it aren't currently included in the
+build. Add them similarly to what's done for OvmfPkg.
+
+Fixes: 81dc0d8b4c ("OvmfPkg/AmdSev: stop using PlatformBootManagerLibGrub")
+Cc: Gerd Hoffmann
+Cc: Ray Ni
+Cc: Erdem Aktas
+Cc: James Bottomley
+Cc: Jiewen Yao
+Cc: Min Xu
+Cc: Tom Lendacky
+Signed-off-by: Michael Roth
+Acked-by: Jiewen Yao
+Acked-by: Gerd Hoffmann
+Message-ID: <20230816201146.1634348-2-michael.roth@amd.com>
+Signed-off-by: Gerd Hoffmann
+
+List-Archive: https://edk2.groups.io/g/devel/message/107806
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 427df673f3..8d165ed05a 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -199,6 +199,7 @@
+
+ SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+ OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
++ S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
+
+ !include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
+
+@@ -715,6 +716,8 @@
+ #
+ MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
+ OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
++ MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
++ MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+
+ #
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index a48c93e2a5..3e6ee61823 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -269,6 +269,8 @@ INF OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.inf
+
+ INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
+ INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
++INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
++INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+
+ INF FatPkg/EnhancedFatDxe/Fat.inf
+-- 
+2.39.3
+
diff --git a/edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch b/edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
new file mode 100644
index 0000000..509a34f
--- /dev/null
+++ b/edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
@@ -0,0 +1,120 @@
+From 9f0b4df867e6a2d56838e4048be245eac3fcc18e Mon Sep 17 00:00:00 2001
+From: Oliver Steffen
+Date: Wed, 16 Aug 2023 12:09:40 +0200
+Subject: [PATCH 3/3] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)
+
+RH-Author: Oliver Steffen
+RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)
+RH-Bugzilla: 2218196
+RH-Acked-by: Gerd Hoffmann
+RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2)
+
+Add a callback at the end of the Dxe phase that sets the
+"FB_NO_REBOOT" variable under the Shim GUID.
+This is a workaround for a boot loop in case a confidential
+guest that uses shim is booted with a vtpm device present.
+
+BZ 2218196
+
+Signed-off-by: Oliver Steffen
+---
+ OvmfPkg/AmdSevDxe/AmdSevDxe.c | 42 +++++++++++++++++++++++++++++++++
+ OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 2 ++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+index db3675ae86..f639c093a2 100644
+--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+@@ -19,6 +19,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -28,6 +29,10 @@
+ // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h
+ #define EFI_MEMORY_INTERNAL_MASK 0x0700000000000000ULL
+
++static EFI_GUID ShimLockGuid = {
++ 0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }
++};
++
+ STATIC
+ EFI_STATUS
+ AllocateConfidentialComputingBlob (
+@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL mMemoryAcceptProtocol = {
+ AmdSevMemoryAccept
+ };
+
++VOID
++EFIAPI
++PopulateVarstore (
++ EFI_EVENT Event,
++ VOID *Context
++ )
++{
++ EFI_SYSTEM_TABLE *SystemTable = (EFI_SYSTEM_TABLE *)Context;
++ EFI_STATUS Status;
++
++ DEBUG ((DEBUG_INFO, "Populating Varstore\n"));
++ UINT32 data = 1;
++
++ Status = SystemTable->RuntimeServices->SetVariable (
++ L"FB_NO_REBOOT",
++ &ShimLockGuid,
++ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ sizeof (data),
++ &data
++ );
++ ASSERT_EFI_ERROR (Status);
++
++ Status = SystemTable->BootServices->CloseEvent (Event);
++ ASSERT_EFI_ERROR (Status);
++}
++
+ EFI_STATUS
+ EFIAPI
+ AmdSevDxeEntryPoint (
+@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint (
+ UINTN NumEntries;
+ UINTN Index;
+ CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *SnpBootDxeTable;
++ EFI_EVENT PopulateVarstoreEvent;
+
+ //
+ // Do nothing when SEV is not enabled
+@@ -361,5 +393,15 @@ AmdSevDxeEntryPoint (
+ );
+ }
+
++ Status = gBS->CreateEventEx (
++ EVT_NOTIFY_SIGNAL,
++ TPL_CALLBACK,
++ PopulateVarstore,
++ SystemTable,
++ &gEfiEndOfDxeEventGroupGuid,
++ &PopulateVarstoreEvent
++ );
++ ASSERT_EFI_ERROR (Status);
++
+ return EFI_SUCCESS;
+ }
+diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+index e7c7d526c9..09cbd2b0ca 100644
+--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+@@ -54,6 +54,8 @@
+ [Guids]
+ gConfidentialComputingSevSnpBlobGuid
+ gEfiEventBeforeExitBootServicesGuid
++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
++
+
+ [Pcd]
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
+-- 
+2.39.3
+
diff --git a/edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch b/edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch
new file mode 100644
index 0000000..db656a9
--- /dev/null
+++ b/edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch
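Review bot: `PopulateVarstore` in the AmdSevDxe.c hunk has no function header comment, and the `ASSERT_EFI_ERROR (Status)` after `SetVariable` is its only error handling, so in a build with asserts disabled a failed write of `FB_NO_REBOOT` is silent and the boot-loop workaround quietly does not take effect; `if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "%a: SetVariable FB_NO_REBOOT: %r\n", __FUNCTION__, Status)); }` ahead of the ASSERT would at least leave a trace in the log. The variable is created with `EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS` and no `EFI_VARIABLE_NON_VOLATILE`, so it is re-created by firmware on every boot and never persists across reboots; a header comment stating that this is intentional, and who consumes the variable, would spare the next reader the check. Style: EDK2 convention would spell the module-scope GUID `STATIC EFI_GUID  mShimLockGuid`, declare `UINT32  Data = 1;` with the other locals rather than after the `DEBUG` call, and the AmdSevDxe.inf hunk adds a second blank line before `[Pcd]`. `AmdSevDxeEntryPoint`, where the event is registered, begins outside the visible hunk lines.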
@@ -0,0 +1,79 @@
+From 7f3f6e3088655e33600aacd886aa51d19c01c59a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Wed, 19 Jul 2023 18:31:29 +0200
+Subject: [PATCH 2/3] OvmfPkg/IoMmuDxe: add locking to
+ IoMmuAllocateBounceBuffer
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 45: OvmfPkg/IoMmuDxe: add locking to IoMmuAllocateBounceBuffer
+RH-Bugzilla: 2211060
+RH-Acked-by: Oliver Steffen
+RH-Commit: [1/1] c4998c57651df23342a0cd6e8982bf59f306da83 (kraxel.rh/centos-src-edk2)
+
+Searching for an unused bounce buffer in mReservedMemBitmap and
+reserving the buffer by flipping the bit is a critical section
+which must not be interrupted. Raise the TPL level to ensure
+that.
+
+Without this fix it can happen that IoMmuDxe hands out the same
+bounce buffer twice, causing trouble down the road. Seen happening
+in practice with VirtioNetDxe setting up the network interface (and
+calling into IoMmuDxe from a polling timer callback) in parallel with
+Boot Manager doing some disk I/O. An ASSERT() in VirtioNet caught
+the buffer inconsistency.
+
+Full story with lots of details and discussions is available here:
+https://bugzilla.redhat.com/show_bug.cgi?id=2211060
+
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit a52044a9e602bc168cdf5d73a48952bfc9edb521)
+---
+ OvmfPkg/IoMmuDxe/IoMmuBuffer.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
+index c8f6cf4818..103003cae3 100644
+--- a/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
++++ b/OvmfPkg/IoMmuDxe/IoMmuBuffer.c
+@@ -367,7 +367,9 @@ IoMmuAllocateBounceBuffer (
+ {
+ EFI_STATUS Status;
+ UINT32 ReservedMemBitmap;
++ EFI_TPL OldTpl;
+
++ OldTpl = gBS->RaiseTPL (TPL_NOTIFY);
+ ReservedMemBitmap = 0;
+ Status = InternalAllocateBuffer (
+ Type,
+@@ -378,6 +380,7 @@ IoMmuAllocateBounceBuffer (
+ );
+ MapInfo->ReservedMemBitmap = ReservedMemBitmap;
+ mReservedMemBitmap |= ReservedMemBitmap;
++ gBS->RestoreTPL (OldTpl);
+
+ ASSERT (Status == EFI_SUCCESS);
+
+@@ -395,6 +398,8 @@ IoMmuFreeBounceBuffer (
+ IN OUT MAP_INFO *MapInfo
+ )
+ {
++ EFI_TPL OldTpl;
++
+ if (MapInfo->ReservedMemBitmap == 0) {
+ gBS->FreePages (MapInfo->PlainTextAddress, MapInfo->NumberOfPages);
+ } else {
+@@ -407,9 +412,11 @@ IoMmuFreeBounceBuffer (
+ mReservedMemBitmap,
+ mReservedMemBitmap & ((UINT32)(~MapInfo->ReservedMemBitmap))
+ ));
++ OldTpl = gBS->RaiseTPL (TPL_NOTIFY);
+ MapInfo->PlainTextAddress = 0;
+ mReservedMemBitmap &= (UINT32)(~MapInfo->ReservedMemBitmap);
+ MapInfo->ReservedMemBitmap = 0;
++ gBS->RestoreTPL (OldTpl);
+ }
+
+ return EFI_SUCCESS;
+-- 
+2.39.3
+
diff --git a/edk2.spec b/edk2.spec
index 8526959..d1e087f 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -18,7 +18,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name: edk2
 Version: %{GITDATE}
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: http://www.tianocore.org
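Review bot: In the last IoMmuBuffer.c hunk the new `OldTpl = gBS->RaiseTPL (TPL_NOTIFY);` lands after the `DEBUG` statement whose tail (`mReservedMemBitmap,` … `));`) forms the hunk's leading context, so the before/after bitmap values being logged are read outside the critical section and can be stale by the time `mReservedMemBitmap &= ...` executes; raising the TPL before that `DEBUG` (the statement opens above the hunk) keeps the log consistent with the write. Neither new critical section says why the TPL is raised; a one-liner above each `RaiseTPL`, such as `// Scanning mReservedMemBitmap and flipping a bit must not be interrupted by another caller (e.g. a timer callback), see bz#2211060.`, would carry the commit message's reasoning into the code. Choosing `TPL_NOTIFY` also presumes no caller enters these functions above that level; the polling timer callback named in the description is covered only if its notify TPL is at most `TPL_NOTIFY`, which the comment could state as the assumption. `IoMmuAllocateBounceBuffer` and `IoMmuFreeBounceBuffer` both begin outside the visible hunk lines.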
@@ -101,6 +101,12 @@ Patch39: edk2-OvmfPkg-PlatformInitLib-check-PcdUse1GPageTable.patch
 Patch40: edk2-OvmfPkg-OvmfPkgIa32X64-enable-1G-pages.patch
 # For RHEL-644 - enable gigabyte pages
 Patch41: edk2-OvmfPkg-MicrovmX64-enable-1G-pages.patch
+# For bz#2190244 - [EDK2] [AMDSERVER 9.3 Bug] OVMF AP Creation Fixes
+Patch42: edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
+# For bz#2211060 - SEV-es guest randomly stuck at boot to hard drive screen from powerdown and boot again
+Patch43: edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch
+# For bz#2218196 - Add vtpm devices with OVMF.amdsev.fd causes VM reset
+Patch44: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
 
 
 # python3-devel and libuuid-devel are required for building tools.
@@ -420,6 +426,17 @@ install -m 0644 \
 
 
 %changelog
+* Thu Aug 24 2023 Miroslav Rezanina - 20230524-3
+- edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch [bz#2190244]
+- edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch [bz#2211060]
+- edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch [bz#2218196]
+- Resolves: bz#2190244
+  ([EDK2] [AMDSERVER 9.3 Bug] OVMF AP Creation Fixes)
+- Resolves: bz#2211060
+  (SEV-es guest randomly stuck at boot to hard drive screen from powerdown and boot again)
+- Resolves: bz#2218196
+  (Add vtpm devices with OVMF.amdsev.fd causes VM reset)
+
 * Mon Jul 10 2023 Miroslav Rezanina - 20230524-2
 - edk2-ArmVirt-add-VirtioSerialDxe-to-ArmVirtQemu-builds.patch [RHEL-643]
 - edk2-ArmVirt-PlatformBootManagerLib-factor-out-IsVirtio.patch [RHEL-643]