diff --git a/0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch b/0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch new file mode 100644 index 0000000..4b3dfb3 --- /dev/null +++ b/0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch @@ -0,0 +1,230 @@ +From 418ad50beaffaeb4b7b25d86b935f122f1740ebd Mon Sep 17 00:00:00 2001 +From: Brijesh Singh +Date: Wed, 1 Dec 2021 10:24:07 -0600 +Subject: [PATCH 1/1] OvmfPkg/MemEncryptSevLib: Check the guest type before + EsWorkarea access + +The commit 80e67af9afca added support for a generic workarea concept. +The workarea header contains the information of the guest type. The +header is populated by ResetVector code during the guest detection. + +Currently, the InternalMemEncryptSevStatus() reads the EsWorkArea to +determine the C-bit position. The EsWorkArea PCD is valid only for the +SEV guest type. Add a check of the guest type before accessing the +EsWorkArea PCD. + +Fixes: 80e67af9afca ("OvmfPkg: introduce a common work area") +Cc: James Bottomley +Cc: Min Xu +Cc: Jiewen Yao +Cc: Tom Lendacky +Cc: Jordan Justen +Cc: Ard Biesheuvel +Cc: Erdem Aktas +Cc: Gerd Hoffmann +Cc: Qi Zhou +Signed-off-by: Brijesh Singh +Message-Id: <20211201162407.3323063-1-brijesh.singh@amd.com> +Signed-off-by: Gerd Hoffmann +--- + .../DxeMemEncryptSevLib.inf | 2 + + .../PeiMemEncryptSevLib.inf | 2 + + .../SecMemEncryptSevLib.inf | 2 + + .../PeiMemEncryptSevLibInternal.c | 50 +++++++++++++++- + .../SecMemEncryptSevLibInternal.c | 58 ++++++++++++++++++- + 5 files changed, 110 insertions(+), 4 deletions(-) + +diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +index f2e162d68076..ca3d82ef93bf 100644 +--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf ++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +@@ -54,4 +54,6 @@ [FeaturePcd] + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire + + [Pcd] ++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask ++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader +diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +index 03a78c32df28..2f27b5569d7a 100644 +--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf ++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +@@ -54,4 +54,6 @@ [FeaturePcd] + gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire + + [FixedPcd] ++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader +diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +index 279c38bfbc2c..36c4f906d554 100644 +--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf ++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +@@ -48,4 +48,6 @@ [LibraryClasses] + PcdLib + + [FixedPcd] ++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ++ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader +diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +index e2fd109d120f..c61bee4c4779 100644 +--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c ++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +@@ -24,6 +24,52 @@ STATIC BOOLEAN mSevStatusChecked = FALSE; + STATIC UINT64 mSevEncryptionMask = 0; + STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; + ++/** ++ Determine if the SEV is active. ++ ++ During the early booting, GuestType is set in the work area. Verify that it ++ is an SEV guest. ++ ++ @retval TRUE SEV is enabled ++ @retval FALSE SEV is not enabled ++ ++ **/ ++STATIC ++BOOLEAN ++IsSevGuest ( ++ VOID ++ ) ++{ ++ OVMF_WORK_AREA *WorkArea; ++ ++ // ++ // Ensure that the size of the Confidential Computing work area header ++ // is same as what is provided through a fixed PCD. ++ // ++ ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) == ++ sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); ++ ++ WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); ++ ++ return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV)); ++} ++ ++STATIC ++SEC_SEV_ES_WORK_AREA * ++GetSevEsWorkArea ( ++ VOID ++ ) ++{ ++ // ++ // Before accessing the Es workarea lets verify that its SEV guest ++ // ++ if (!IsSevGuest()) { ++ return NULL; ++ } ++ ++ return (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); ++} ++ + /** + Reads and sets the status of SEV features. + +@@ -43,7 +89,7 @@ InternalMemEncryptSevStatus ( + + ReadSevMsr = FALSE; + +- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); ++ SevEsWorkArea = GetSevEsWorkArea (); + if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) { + // + // The MSR has been read before, so it is safe to read it again and avoid +@@ -139,7 +185,7 @@ MemEncryptSevGetEncryptionMask ( + if (!mSevEncryptionMaskSaved) { + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + +- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); ++ SevEsWorkArea = GetSevEsWorkArea (); + if (SevEsWorkArea != NULL) { + mSevEncryptionMask = SevEsWorkArea->EncryptionMask; + } else { +diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +index 56d8f3f3183f..f906f0de1b6c 100644 +--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c ++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +@@ -17,6 +17,52 @@ + #include + #include + ++/** ++ Determine if the SEV is active. ++ ++ During the early booting, GuestType is set in the work area. Verify that it ++ is an SEV guest. ++ ++ @retval TRUE SEV is enabled ++ @retval FALSE SEV is not enabled ++ ++ **/ ++STATIC ++BOOLEAN ++IsSevGuest ( ++ VOID ++ ) ++{ ++ OVMF_WORK_AREA *WorkArea; ++ ++ // ++ // Ensure that the size of the Confidential Computing work area header ++ // is same as what is provided through a fixed PCD. ++ // ++ ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) == ++ sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); ++ ++ WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); ++ ++ return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV)); ++} ++ ++STATIC ++SEC_SEV_ES_WORK_AREA * ++GetSevEsWorkArea ( ++ VOID ++ ) ++{ ++ // ++ // Before accessing the Es workarea lets verify that its SEV guest ++ // ++ if (!IsSevGuest()) { ++ return NULL; ++ } ++ ++ return (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); ++} ++ + /** + Reads and sets the status of SEV features. + +@@ -35,7 +81,8 @@ InternalMemEncryptSevStatus ( + + ReadSevMsr = FALSE; + +- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); ++ ++ SevEsWorkArea = GetSevEsWorkArea (); + if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) { + // + // The MSR has been read before, so it is safe to read it again and avoid +@@ -115,7 +162,14 @@ MemEncryptSevGetEncryptionMask ( + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + UINT64 EncryptionMask; + +- SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); ++ // ++ // Before accessing the Es workarea lets verify that its SEV guest ++ // ++ if (!IsSevGuest()) { ++ return 0; ++ } ++ ++ SevEsWorkArea = GetSevEsWorkArea (); + if (SevEsWorkArea != NULL) { + EncryptionMask = SevEsWorkArea->EncryptionMask; + } else { +-- +2.33.1 + diff --git a/edk2.spec b/edk2.spec index e9ef8a5..a5e38f5 100644 --- a/edk2.spec +++ b/edk2.spec @@ -97,6 +97,7 @@ Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch Patch0026: 0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch Patch0027: 0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +Patch0028: 0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch # Fedora specific Patch1000: fedora-Tweak-the-tools_def-to-support-cross-compiling.patch