[edk2-devel] [PATCH v3 6/6] OvmfPkg/AmdSev: Expose the Sev Secret area using a configuration table

James Bottomley jejb at linux.ibm.com
Mon Nov 30 20:28:19 UTC 2020


Now that the secret area is protected by a boot time HOB, extract its
location details into a configuration table referenced by
gSevLaunchSecretGuid so the boot loader or OS can locate it before a
call to ExitBootServices().

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3077
Signed-off-by: James Bottomley <jejb at linux.ibm.com>
Reviewed-by: Laszlo Ersek <lersek at redhat.com>
---
 OvmfPkg/OvmfPkg.dec                    |  1 +
 OvmfPkg/AmdSev/AmdSevX64.dsc           |  1 +
 OvmfPkg/AmdSev/AmdSevX64.fdf           |  1 +
 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 37 ++++++++++++++++++++++++++
 OvmfPkg/Include/Guid/SevLaunchSecret.h | 28 +++++++++++++++++++
 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c   | 26 ++++++++++++++++++
 6 files changed, 94 insertions(+)
 create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
 create mode 100644 OvmfPkg/Include/Guid/SevLaunchSecret.h
 create mode 100644 OvmfPkg/AmdSev/SecretDxe/SecretDxe.c

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index 7d27f8e16040..8a294116efaa 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
@@ -117,6 +117,7 @@ [Guids]
   gLinuxEfiInitrdMediaGuid              = {0x5568e427, 0x68fc, 0x4f3d, {0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68}}
   gQemuKernelLoaderFsMediaGuid          = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}}
   gGrubFileGuid                         = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}}
+  gSevLaunchSecretGuid                  = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}}
 
 [Ppis]
   # PPI whose presence in the PPI database signals that the TPM base address
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index e9c522bedad9..bb7697eb324b 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -778,6 +778,7 @@ [Components]
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
   }
 !endif
+  OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
   OvmfPkg/AmdSev/Grub/Grub.inf
 !if $(BUILD_SHELL) == TRUE
   ShellPkg/Application/Shell/Shell.inf {
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index b2656a1cf6fc..e8fd4b8c7b89 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -269,6 +269,7 @@ [FV.DXEFV]
 !if $(TOOL_CHAIN_TAG) != "XCODE5" && $(BUILD_SHELL) == TRUE
 INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 !endif
+INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
 INF  OvmfPkg/AmdSev/Grub/Grub.inf
 !if $(BUILD_SHELL) == TRUE
 INF  ShellPkg/Application/Shell/Shell.inf
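Review bot: The added `INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf` line separates `INF` from the path with a single space, while every neighbouring entry in this [FV.DXEFV] hunk uses two (`INF  OvmfPkg/AmdSev/Grub/Grub.inf`). The build tools accept either, so this is purely a readability point; I'd align it as `INF  OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf`.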
diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
new file mode 100644
index 000000000000..62ab00a3d382
--- /dev/null
+++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
@@ -0,0 +1,37 @@
+## @file
+#  Sev Secret configuration Table installer
+#
+#  Copyright (C) 2020 James Bottomley, IBM Corporation.
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SecretDxe
+  FILE_GUID                      = 6e2b9619-8810-4e9d-a177-d432bb9abeda
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = InitializeSecretDxe
+
+[Sources]
+  SecretDxe.c
+
+[Packages]
+  OvmfPkg/OvmfPkg.dec
+  MdePkg/MdePkg.dec
+
+[LibraryClasses]
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+
+[Guids]
+  gSevLaunchSecretGuid
+
+[FixedPcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
+
+[Depex]
+  TRUE
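Review bot: In [Packages], `MdePkg/MdePkg.dec` is listed after `OvmfPkg/OvmfPkg.dec`; the usual edk2 ordering puts MdePkg first, so I'd swap the two lines. Separately, [FixedPcd] consumes `PcdSevLaunchSecretBase` and `PcdSevLaunchSecretSize`, which this patch's OvmfPkg.dec hunk does not declare — presumably they are introduced by an earlier patch in the series, so this .inf is not buildable on its own. A short `#` comment under [FixedPcd] naming where the PCDs come from would save the next reader the search.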
diff --git a/OvmfPkg/Include/Guid/SevLaunchSecret.h b/OvmfPkg/Include/Guid/SevLaunchSecret.h
new file mode 100644
index 000000000000..fa5f3830bc2b
--- /dev/null
+++ b/OvmfPkg/Include/Guid/SevLaunchSecret.h
@@ -0,0 +1,28 @@
+ /** @file
+   UEFI Configuration Table for exposing the SEV Launch Secret location to UEFI
+   applications (boot loaders).
+
+   Copyright (C) 2020 James Bottomley, IBM Corporation.
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+
+#ifndef SEV_LAUNCH_SECRET_H_
+#define SEV_LAUNCH_SECRET_H_
+
+#include <Uefi/UefiBaseType.h>
+
+#define SEV_LAUNCH_SECRET_GUID                          \
+  { 0xadf956ad,                                         \
+    0xe98c,                                             \
+    0x484c,                                             \
+    { 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47 }, \
+  }
+
+typedef struct {
+  UINT32 Base;
+  UINT32 Size;
+} SEV_LAUNCH_SECRET_LOCATION;
+
+extern EFI_GUID gSevLaunchSecretGuid;
+
+#endif // SEV_LAUNCH_SECRET_H_
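Review bot: `SEV_LAUNCH_SECRET_LOCATION` is the structure a boot loader reads out of the configuration table, yet its two fields carry no documentation; since this is an external ABI, each field should state what it holds, e.g. `UINT32 Base;  // address of the secret area (PcdSevLaunchSecretBase)` and `UINT32 Size;  // size of the secret area in bytes (PcdSevLaunchSecretSize)`. The association with those PCDs is grounded in SecretDxe.c, where mSecretDxeTable is initialised from FixedPcdGet32 of each; that Size is in bytes is inferred from the PCD name and should be confirmed against the PCD declaration. The `/** @file` header block at the top of this file is also indented by one space, unlike the header in SecretDxe.c, and the stray indent should be dropped.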
diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
new file mode 100644
index 000000000000..d8cc9b00946a
--- /dev/null
+++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
@@ -0,0 +1,26 @@
+/** @file
+  SEV Secret configuration table constructor
+
+  Copyright (C) 2020 James Bottomley, IBM Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <PiDxe.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Guid/SevLaunchSecret.h>
+
+STATIC SEV_LAUNCH_SECRET_LOCATION mSecretDxeTable = {
+  FixedPcdGet32 (PcdSevLaunchSecretBase),
+  FixedPcdGet32 (PcdSevLaunchSecretSize),
+};
+
+EFI_STATUS
+EFIAPI
+InitializeSecretDxe(
+  IN EFI_HANDLE           ImageHandle,
+  IN EFI_SYSTEM_TABLE     *SystemTable
+  )
+{
+  return gBS->InstallConfigurationTable (&gSevLaunchSecretGuid,
+                                         &mSecretDxeTable
+                                         );
+}
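Review bot: The table installed by `gBS->InstallConfigurationTable (&gSevLaunchSecretGuid, &mSecretDxeTable)` points into this driver's own data section, and the commit message says consumers locate it before ExitBootServices(), but nothing in the code records that lifetime constraint. I'd add above the call: `// mSecretDxeTable lives in this DXE_DRIVER's image (boot-services memory, as far as I can tell from MODULE_TYPE);` / `// consumers must read the table before ExitBootServices ().` The entry point also lacks the Doxygen block edk2 expects on driver entry points, describing ImageHandle, SystemTable and the EFI_STATUS passed straight through from InstallConfigurationTable. Minor style: edk2 writes a space before the parameter list, `InitializeSecretDxe (`, as the gBS call in the same function already does.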
-- 
2.26.2


