[edk2-devel] [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest

Mon May 1 19:06:36 UTC 2023

On 4/28/23 03:41, Gerd Hoffmann wrote:
>    Hi,
> 
>> I'd have to dig much deeper to see if there's a way to identify whether a
>> VARS file was specified on the Qemu command line. I *think* (please correct
>> me if I'm missing something) for SEV and SEV-ES it would be straight forward
>> to try and access the memory as shared and check the headers. If they're
>> valid, then a VARS file was specified on the command line and should remain
>> mapped shared. If they aren't valid, a VARS file wasn't specified and you
>> have either the full OVMF.fd file or just the OVMF_CODE.fd with memory
>> backing the VARS that, in either case, should be mapped private.
> 
> OVMF_CODE.fd + OVMF_VARS.fd is *identical* to just OVMF.fd, i.e. the
> guest will see valid varstore headers in both cases.

It is identical except in how they are mapped. With a split OVMF_CODE.fd / 
OVMF_VARS.fd, the OVMF_CODE.fd file is mapped private and the OVMF_VARS.fd 
is mapped shared because the hypervisor is updating the contents of 
OVMF_VARS.fd. With OVMF.fd, the whole file is mapped private because 
updates to the variables are not retained, so the hypervisor isn't 
updating the contents.

I'll give the patch below a try in the next day or two.

Thanks,
Tom

> 
> The split into code part and vars part allows to (a) easily update the
> code without screwing up the vars, and (b) map both with different
> properties, i.e. code read-only and vars read/write.
> 
> Does the patch below help?
> 
> take care,
>    Gerd
> 
>  From 3971f9453ded3032f5918dc9d181ecc0b6f97862 Mon Sep 17 00:00:00 2001
> From: Gerd Hoffmann <kraxel at redhat.com>
> Date: Fri, 28 Apr 2023 10:34:23 +0200
> Subject: [PATCH 1/1] [testing] try setup mmio in QemuFlashBeforeProbe (dxe)
> 
> ---
>   .../QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c | 15 ++++++++++++---
>   1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c
> index d57f7ca25ccf..3a6280ab9c3a 100644
> --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c
> +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c
> @@ -37,9 +37,18 @@ QemuFlashBeforeProbe (
>     IN  UINTN                 FdBlockCount
>     )
>   {
> -  //
> -  // Do nothing
> -  //
> +  EFI_STATUS  Status;
> +
> +  if (MemEncryptSevIsEnabled ()) {
> +    Status = MemEncryptSevClearMmioPageEncMask (
> +             0,
> +             BaseAddress,
> +             EFI_SIZE_TO_PAGES (FdBlockSize * FdBlockCount)
> +             );
> +    if (EFI_ERROR(Status)) {
> +      DEBUG ((DEBUG_WARN, "%a: MemEncryptSevClearMmioPageEncMask: %r\n", __func__, Status));
> +    }
> +  }
>   }
>   
>   /**

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#103824): https://edk2.groups.io/g/devel/message/103824
Mute This Topic: https://groups.io/mt/97922617/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-