[edk2-devel] [PATCH v3 5/6] OvmfPkg/AmdSev: assign and protect the Sev Secret area

Ard Biesheuvel ard.biesheuvel at arm.com
Tue Dec 1 07:54:19 UTC 2020 

Hi James,

On 11/30/20 9:28 PM, James Bottomley wrote:
> Create a one page secret area in the MEMFD and protect the area with a
> boot time HOB.
> 

I take it 'protect' here only means prevent the memory from being used 
for somethine else? In the context of security, encryption, secrets, 
etc, it might be useful to call that out.



> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
> Signed-off-by: James Bottomley <jejb at linux.ibm.com>
> Reviewed-by: Laszlo Ersek <lersek at redhat.com>
> ---
>   OvmfPkg/AmdSev/AmdSevX64.dsc           |  1 +
>   OvmfPkg/AmdSev/AmdSevX64.fdf           |  4 +++
>   OvmfPkg/AmdSev/SecretPei/SecretPei.inf | 35 ++++++++++++++++++++++++++
>   OvmfPkg/AmdSev/SecretPei/SecretPei.c   | 25 ++++++++++++++++++
>   4 files changed, 65 insertions(+)
>   create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   create mode 100644 OvmfPkg/AmdSev/SecretPei/SecretPei.c
> 
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
> index 18707725b3e4..e9c522bedad9 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
> @@ -613,6 +613,7 @@ [Components]
>     OvmfPkg/PlatformPei/PlatformPei.inf
>     UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
>     UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> +  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   
>   !if $(TPM_ENABLE) == TRUE
>     OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
> index 1aa95826384a..b2656a1cf6fc 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.fdf
> +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
> @@ -59,6 +59,9 @@ [FD.MEMFD]
>   0x00B000|0x001000
>   gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
>   
> +0x00C000|0x001000
> +gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
> +
>   0x010000|0x010000
>   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
>   
> @@ -138,6 +141,7 @@ [FV.PEIFV]
>   INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>   INF  UefiCpuPkg/Universal/Acpi/S3Resume2Pei/S3Resume2Pei.inf
>   INF  UefiCpuPkg/CpuMpPei/CpuMpPei.inf
> +INF  OvmfPkg/AmdSev/SecretPei/SecretPei.inf
>   
>   !if $(TPM_ENABLE) == TRUE
>   INF  OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
> diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.inf b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> new file mode 100644
> index 000000000000..08be156c4bc0
> --- /dev/null
> +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.inf
> @@ -0,0 +1,35 @@
> +## @file
> +#  PEI support for SEV Secrets
> +#
> +#  Copyright (C) 2020 James Bottomley, IBM Corporation.
> +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = SecretPei
> +  FILE_GUID                      = 45260dde-0c3c-4b41-a226-ef3803fac7d4
> +  MODULE_TYPE                    = PEIM
> +  VERSION_STRING                 = 1.0
> +  ENTRY_POINT                    = InitializeSecretPei
> +
> +[Sources]
> +  SecretPei.c
> +
> +[Packages]
> +  OvmfPkg/OvmfPkg.dec
> +  MdePkg/MdePkg.dec
> +
> +[LibraryClasses]
> +  HobLib
> +  PeimEntryPoint
> +  PcdLib
> +
> +[FixedPcd]
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
> +  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
> +
> +[Depex]
> +  TRUE
> diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
> new file mode 100644
> index 000000000000..ad491515dd5d
> --- /dev/null
> +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
> @@ -0,0 +1,25 @@
> +/** @file
> +  SEV Secret boot time HOB placement
> +
> +  Copyright (C) 2020 James Bottomley, IBM Corporation.
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +#include <PiPei.h>
> +#include <Library/HobLib.h>
> +#include <Library/PcdLib.h>
> +
> +EFI_STATUS
> +EFIAPI
> +InitializeSecretPei (
> +  IN       EFI_PEI_FILE_HANDLE  FileHandle,
> +  IN CONST EFI_PEI_SERVICES     **PeiServices
> +  )
> +{
> +  BuildMemoryAllocationHob (
> +    PcdGet32 (PcdSevLaunchSecretBase),
> +    PcdGet32 (PcdSevLaunchSecretSize),
> +    EfiBootServicesData
> +    );
> +
> +  return EFI_SUCCESS;
> +}
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#68123): https://edk2.groups.io/g/devel/message/68123
Mute This Topic: https://groups.io/mt/78617873/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

More information about the edk2-devel-archive mailing list