[edk2-devel] [PATCH v6 06/29] OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase

Min Xu min.m.xu at intel.com
Mon Sep 6 01:10:36 UTC 2021


On September 2, 2021 4:20 PM, Gerd Hoffmann wrote:
>   Hi,
> 
> > During the guest creation time, the VMM encrypts the OVMF_CODE.fd
> > using the SEV-SNP firmware provided LAUNCH_UPDATE_DATA command. In
> > addition to encrypting the content, the command also validates the
> > memory region. This allows us to execute the code without going
> > through the validation sequence.
> 
> Hmm, tdx must handle this too.
> 
> > +
> > +
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpHypervisorPreValidatedStart|0x0
> > + |UINT32|0x56
> > +
> > +
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpHypervisorPreValidatedEnd|0x0|
> U
> > + INT32|0x57
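
Review bot: the two PCD declarations do not state the range convention. Both PcdOvmfSnpHypervisorPreValidatedStart and PcdOvmfSnpHypervisorPreValidatedEnd default to 0x0, and nothing in the visible lines says whether End is inclusive or exclusive, or that a 0x0/0x0 pair means there is no pre-validated range. A comment above the two declarations stating the convention would let code that consumes the PCDs treat Start == End without guessing.
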
> 
> So maybe we should drop the "Snp" from the name here ...
> 
> >  ; GUID (SEV-SNP boot block): bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9
> >  ;
> >  sevSnpBootBlockStart:
> > +    DD      SNP_HV_VALIDATED_START
> > +    DD      SNP_HV_VALIDATED_END
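
Review bot: the two DD fields added directly after sevSnpBootBlockStart become part of the layout that whatever parses this GUIDed block has to follow, but the header comment still documents only the GUID. Extend that comment to name each field with its width and order (32-bit SNP_HV_VALIDATED_START, then 32-bit SNP_HV_VALIDATED_END), and consider an assemble-time check that SNP_HV_VALIDATED_END is not below SNP_HV_VALIDATED_START, so a misconfigured range fails the build rather than reaching the consumer.
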
> 
> ... and store the range which needs validation in another, not snp-specific
> block?
> 
> Jiewen? Min?

We pack all the TDX information into a blob (TdxMetadata). This TDX information
includes the BFV (i.e. OVMF_CODE.fd), the CFV (i.e. OVMF_VARS.fd), TdMailbox, etc.
The offset to the TdxMetadata is in the GUIDed chain in ResetVectorVtf0.asm.

;
; GUID : e47a6535-984a-4798-865e-4685a7bf8ec2
;
tdxMetadataOffsetStart:
    DD      (OVMF_IMAGE_SIZE_IN_KB * 1024 - (fourGigabytes - TdxMetadataGuid - 16))
    DW      tdxMetadataOffsetEnd - tdxMetadataOffsetStart
    DB      0x35, 0x65, 0x7a, 0xe4, 0x4a, 0x98, 0x98, 0x47
    DB      0x86, 0x5e, 0x46, 0x85, 0xa7, 0xbf, 0x8e, 0xc2
tdxMetadataOffsetEnd:

In the future new metadata can be added into the TdxMetadata without changes
in ResetVectorVtf0.asm.

Thanks!
Min
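
Added example, not part of the original message and not EDK2 or VMM code: a bounds-checked reader for entries laid out as in the message (data, a DW holding the whole entry length, then the 16-byte GUID), as a consumer of the firmware image might parse them. The function names, the backward walk from the end of an already-located chain, the reading of the DD as an offset from the start of the image, and all sample values are assumptions made for illustration.

```python
import struct
import uuid

# GUIDs quoted in the message; stored in mixed-endian UEFI byte order.
TDX_METADATA_OFFSET_GUID = uuid.UUID("e47a6535-984a-4798-865e-4685a7bf8ec2")
SEV_SNP_BOOT_BLOCK_GUID = uuid.UUID("bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9")
ENTRY_TRAILER = 2 + 16  # DW entry length + 16-byte GUID


def walk_guided_chain(table: bytes) -> dict:
    """Walk [data][DW len][GUID] entries backwards from the end of `table`.

    Assumption: `table` holds only entries (chain already located by caller).
    """
    entries, end = {}, len(table)
    while end > 0:
        if end < ENTRY_TRAILER:
            raise ValueError("truncated entry trailer")
        guid = uuid.UUID(bytes_le=table[end - 16:end])
        (length,) = struct.unpack_from("<H", table, end - ENTRY_TRAILER)
        # The DW covers data + DW + GUID and must stay inside the table.
        if length < ENTRY_TRAILER or length > end:
            raise ValueError(f"bad length {length} in entry {guid}")
        entries[guid] = table[end - length:end - ENTRY_TRAILER]
        end -= length
    return entries


def tdx_metadata_offset(table: bytes, image_size: int) -> int:
    """Return the DD of the TDX entry, read as an offset from image start."""
    data = walk_guided_chain(table)[TDX_METADATA_OFFSET_GUID]
    if len(data) != 4:
        raise ValueError("TDX metadata offset entry must hold one DD")
    (offset,) = struct.unpack("<I", data)
    if offset >= image_size:  # assumption: offset is relative to image start
        raise ValueError("TDX metadata offset lies outside the image")
    return offset


def make_entry(guid: uuid.UUID, data: bytes) -> bytes:
    """Build one constructed entry in the layout shown in the message."""
    return data + struct.pack("<H", len(data) + ENTRY_TRAILER) + guid.bytes_le


# Constructed sample (values are made up): SNP block with two DDs, then TDX.
SAMPLE_TABLE = (
    make_entry(SEV_SNP_BOOT_BLOCK_GUID, struct.pack("<II", 0x800000, 0x820000))
    + make_entry(TDX_METADATA_OFFSET_GUID, struct.pack("<I", 0x3FF000))
)
```

Because each entry carries its own length, a reader like this skips GUIDs it does not know, while a corrupted length or an offset beyond the image is rejected before anything is dereferenced.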

