[edk2-devel] [PATCH 1/1] OvmfPkg/AmdSev: introduce EMBED_GRUB=FALSE to skip including Grub image

Dov Murik dovmurik at linux.ibm.com
Wed Jul 7 17:38:01 UTC 2021 


On 07/07/2021 13:51, James Bottomley wrote:
> On Wed, 2021-07-07 at 10:42 +0000, Dov Murik wrote:
>> The AmdSevX64 target includes an embedded Grub image to support
>> secure
>> (measured) boot of confidential guests with encrypted root images.
>>
>> However, it is sometimes convenient to build this target without an
>> embedded Grub.  We introduce the EMBED_GRUB setting (defaults to
>> TRUE),
>> which conditions the generation (grub.sh) and inclusion of the Grub
>> image.  Now building AmdSevX64 with -DEMBED_GRUB=FALSE allows it.
>>
>> Cc: Laszlo Ersek <lersek at redhat.com>
>> Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
>> Cc: Jordan Justen <jordan.l.justen at intel.com>
>> Cc: Ashish Kalra <ashish.kalra at amd.com>
>> Cc: Brijesh Singh <brijesh.singh at amd.com>
>> Cc: Erdem Aktas <erdemaktas at google.com>
>> Cc: James Bottomley <jejb at linux.ibm.com>
>> Cc: Jiewen Yao <jiewen.yao at intel.com>
>> Cc: Min Xu <min.m.xu at intel.com>
>> Cc: Tom Lendacky <thomas.lendacky at amd.com>
>> Cc: Tobin Feldman-Fitzthum <tobin at linux.ibm.com>
>> Signed-off-by: Dov Murik <dovmurik at linux.ibm.com>
>> ---
>>  OvmfPkg/AmdSev/AmdSevX64.dsc | 16 +++++++++++++++-
>>  OvmfPkg/AmdSev/AmdSevX64.fdf |  2 ++
>>  2 files changed, 17 insertions(+), 1 deletion(-)
>>
>> diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc
>> b/OvmfPkg/AmdSev/AmdSevX64.dsc
>> index 1d487befae08..ba7d6fe6b749 100644
>> --- a/OvmfPkg/AmdSev/AmdSevX64.dsc
>> +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
>> @@ -25,7 +25,6 @@ [Defines]
>>    BUILD_TARGETS                  = NOOPT|DEBUG|RELEASE
>>    SKUID_IDENTIFIER               = DEFAULT
>>    FLASH_DEFINITION               = OvmfPkg/AmdSev/AmdSevX64.fdf
>> -  PREBUILD                       = sh OvmfPkg/AmdSev/Grub/grub.sh
>>  
>>    #
>>    # Defines for default states.  These can be changed on the command
>> line.
>> @@ -40,6 +39,19 @@ [Defines]
>>    #
>>    DEFINE BUILD_SHELL             = FALSE
>>  
>> +  #
>> +  # Embed Grub into the OVMF image so they are measured together
>> when launching
>> +  # confidential guest
>> +  #
>> +  DEFINE EMBED_GRUB              = TRUE
>> +
>> +!if $(EMBED_GRUB) == TRUE
>> +  #
>> +  # This step builds the grub.efi binary image if needed
>> +  #
>> +  PREBUILD                       = sh OvmfPkg/AmdSev/Grub/grub.sh
>> +!endif
>> +
>>    #
>>    # Device drivers
>>    #
>> @@ -784,7 +796,9 @@ [Components]
>>    }
>>  !endif
>>    OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
>> +!if $(EMBED_GRUB) == TRUE
>>    OvmfPkg/AmdSev/Grub/Grub.inf
>> +!endif
>>  !if $(BUILD_SHELL) == TRUE
>>    ShellPkg/Application/Shell/Shell.inf {
>>      <LibraryClasses>
>> diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf
>> b/OvmfPkg/AmdSev/AmdSevX64.fdf
>> index 9977b0f00a18..ee3d96bb813f 100644
>> --- a/OvmfPkg/AmdSev/AmdSevX64.fdf
>> +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
>> @@ -270,7 +270,9 @@ [FV.DXEFV]
>>  INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellC
>> ommand.inf
>>  !endif
>>  INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
>> +!if $(EMBED_GRUB) == TRUE
>>  INF  OvmfPkg/AmdSev/Grub/Grub.inf
>> +!endif
>>  !if $(BUILD_SHELL) == TRUE
>>  INF  ShellPkg/Application/Shell/Shell.inf
>>  !endif
> 
> This likely isn't enough: the boot pathway of the AmdSev package is
> stripped down and designed to fail if grub won't boot, so if you set
> EMBED_GRUB = false, you'll likely build a system that won't boot.  This
> would still work for the Kata use case, if the kernel and initrd are
> plumbed back in, but it won't work for the generic use case. 

You're right.  That's why I left the default as EMBED_GRUB=TRUE.  And
for Kata (that is, with the edk2 patches from the "Measured SEV boot
with kernel/initrd/cmdline​" series) we'll build with EMBED_GRUB=FALSE
because we don't have an encrypted disk there.


Note that currently it's a bit difficult to build with EMBED_GRUB=TRUE
because it expects to run grub-mkimage and include modules which are not
upstream; so for most cases user needs to prepare a special grub dir
with modules etc and also make sure that that is the one used in
grub.sh.  (To ease that pain maybe we can include grub as a git
submodule or something like that, and point it to a revision with the
modules we require.  But this might cause other dependency pain which I
might not think of.)



> I think
> the change log needs to describe the use cases so we don't end up
> getting a load of annoyed people building systems that won't work for
> them.

Yes.  Is there documentation for the different -D settings somewhere, or
should I add it to the .dsc file (and the commit log) ?



> 
> There's also the broader question of whether this should all be
> integrated back into OvmfX64Pkg with more determination done at
> runtime, so we can build fewer separate binaries?
> 

I'm not sure about merging in OvmfX64Pkg, but for AmdSevX64 if we build
with embedded grub then determination *is* done at runtime: if there's a
-kernel fw_cfg entry and all the measured hashes are OK, then it boots
via -kernel/-initrd; otherwise, it'll go to grub and try to boot from
encrypted disk.

-Dov


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#77556): https://edk2.groups.io/g/devel/message/77556
Mute This Topic: https://groups.io/mt/84041501/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

More information about the edk2-devel-archive mailing list