[edk2-devel] [RFC PATCH 13/19] OvmfPkg/SecMain: Validate the data/code pages used for the PEI phase
Brijesh Singh
brijesh.singh at amd.com
Wed Mar 24 15:32:09 UTC 2021
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The VMM launch sequence should have validated all the data pages used
in the SEC phase. Before decompressing the firmware volume, validate
the data/code pages used during the decompression steps, and any other
pages used during the PEI phase entry.
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: Min Xu <min.m.xu at intel.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Tom Lendacky <thomas.lendacky at amd.com>
Cc: Jordan Justen <jordan.l.justen at intel.com>
Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
Cc: Laszlo Ersek <lersek at redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh at amd.com>
---
OvmfPkg/Sec/SecMain.c | 26 ++++++++++++++++++++
OvmfPkg/Sec/SecMain.inf | 2 ++
2 files changed, 28 insertions(+)
diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
index df6722b546..b491810376 100644
--- a/OvmfPkg/Sec/SecMain.c
+++ b/OvmfPkg/Sec/SecMain.c
@@ -351,6 +351,32 @@ DecompressMemFvs (
return Status;
}
+ if (MemEncryptSevSnpIsEnabled ()) {
+ EFI_PHYSICAL_ADDRESS LaunchValidatedBase, LaunchValidatedEnd;
+ UINTN Size;
+
+ //
+ // The VMM launch sequence should have validated the memory range from
+ // MEMFD_BASE_ADDRESS to PcdOvmfPeiMemFvBase. The PCD values are also
+ // accessible through PcdOvmfSnpLaunchValidatedStart, and PcdOvmfSnpLaunchValidatedEnd.
+ // The pre-validation was sufficent to access the data pages used in the SEC
+ // phase.
+ //
+ // Now that we are getting ready to decompress firmware volumes, and enter
+ // to PEI phase. Lets validate the code/data pages used for entering to the
+ // PEI phase.
+ //
+ // See FvmainCompactScratchEnd.fdf.inc for more detail.
+ //
+ LaunchValidatedBase =
+ (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpLaunchValidatedStart);
+ LaunchValidatedEnd = LaunchValidatedBase +
+ (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpLaunchValidatedEnd);
+ Size = PcdGet32 (PcdOvmfDecompressionScratchEnd) - LaunchValidatedEnd;
+
+ MemEncryptSevSnpValidateSystemRam (LaunchValidatedEnd, EFI_SIZE_TO_PAGES (Size));
+ }
+
Status = ExtractGuidedSectionGetInfo (
Section,
&OutputBufferSize,
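Review bot: In the LaunchValidatedEnd assignment, the value of PcdOvmfSnpLaunchValidatedEnd is added to LaunchValidatedBase, yet the comment above presents the Start/End PCDs as the bounds of the pre-validated range (MEMFD_BASE_ADDRESS to PcdOvmfPeiMemFvBase). If the End PCD holds an absolute address, the sum overshoots and the pages between the real end and the computed one are skipped by the validation call; if it holds a length, the name and the comment should say so. Separately, Size is computed as `PcdGet32 (PcdOvmfDecompressionScratchEnd) - LaunchValidatedEnd` with no check that the scratch end lies above LaunchValidatedEnd, so a layout change would wrap the UINTN and request validation of a very large range; an ASSERT on the ordering (and on page alignment, since EFI_SIZE_TO_PAGES rounds up) would make that fail loudly. The result of MemEncryptSevSnpValidateSystemRam, if it returns one, is also not checked before decompression goes on to use those pages.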
diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf
index 7f78dcee27..207accb53c 100644
--- a/OvmfPkg/Sec/SecMain.inf
+++ b/OvmfPkg/Sec/SecMain.inf
@@ -70,6 +70,8 @@
gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd
gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedStart
+ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedEnd
[FeaturePcd]
gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
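Review bot: The two new PCDs are appended after the gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack entry, which splits the gUefiOvmfPkgTokenSpaceGuid group; placing them next to PcdOvmfDecompressionScratchEnd keeps the list grouped and puts the three PCDs used in the new size calculation side by side. Also, SecMain.c now calls MemEncryptSevSnpIsEnabled and MemEncryptSevSnpValidateSystemRam, but this patch adds no [LibraryClasses] entry or #include for them; worth confirming SecMain.inf already lists the library that provides both, or adding it here.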
--
2.17.1