[edk2-devel] [PATCH RFC v2 11/28] OvmfPkg: Reserve Secrets page in MEMFD

James Bottomley jejb at linux.ibm.com
Thu May 6 16:02:37 UTC 2021


On Wed, 2021-05-05 at 21:33 +0200, Laszlo Ersek wrote:
> On 05/05/21 15:11, Brijesh Singh wrote:
> > On 5/5/21 1:42 AM, Dov Murik wrote:
[...]
> > > Would it make sense to always use EfiACPIMemoryNVS for the
> > > injected secret area, even for regular SEV (non-SNP)?
> > 
> > Ideally yes. Maybe James had some reasons for choosing the
> > EfiBootServicesData. If I had to guess, it was mainly because there
> > was no guest kernel support which consumes the SEV secrets page.
> 
> git-blame fingers commit bff2811c6d99 ("OvmfPkg/AmdSev: assign and
> reserve the Sev Secret area", 2020-12-14).
> 
> Commit bff2811c6d99 makes it clear that the area in question lives in
> MEMFD.
> 
> We're populating the area in the PEI phase. We don't want anything in
> DXE to overwrite it.
> 
> Once the bootloader (and/or perhaps the kernel's EFI stub) fetched
> the secret from that particular location, there is no need to prevent
> later parts of the OS (the actual kernel) from repurposing that area.
> That's why EfiBootServicesData was used.

That's right: originally the design was not to have the boot secrets
survive boot because they should already be copied into their correct,
and presumably protected, locations by the time exit boot services
comes.  The grub code actually shreds the secret in the page once it
consumes it, so the area for a simple disk secret should be empty
anyway.

James
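As an added example (not code from OVMF, grub, or the patch series under discussion), here is a small C model of the consume-then-shred handling James describes: locate the entry for a given GUID in the injected secrets page, copy the secret out, and zero the entry in place so nothing of it survives in the page. The table layout (a 20-byte header of GUID plus 32-bit total length, followed by entries of GUID, 32-bit length including the entry header, and data) and the GUID values are assumptions made for this example; the real layout and GUIDs are documented in OvmfPkg/AmdSev and the grub code James mentions, and should be checked there.

```c
/*
 * Added example, not code from OVMF, grub or the patch under discussion.
 * Models the consume-then-shred handling of the injected secrets page:
 * locate the entry for a given GUID, copy the secret out, zero the entry.
 *
 * Assumed layout (an assumption for this example, check the OvmfPkg/AmdSev
 * docs): 20-byte table header {GUID, uint32 total length}, followed by
 * entries {GUID, uint32 length including this 20-byte header, data}.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRETS_PAGE_SIZE 4096
#define GUID_LEN          16
#define HDR_LEN           (GUID_LEN + 4)   /* GUID + uint32 length */

/* Constructed GUIDs for this example, not the real table/secret GUIDs. */
const uint8_t TABLE_GUID[GUID_LEN] = {
    0xde,0xad,0xbe,0xef,0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x04,0x00,0x05,0x00,0x06 };
const uint8_t DISK_GUID[GUID_LEN] = {
    0xca,0xfe,0xf0,0x0d,0x00,0x01,0x00,0x02,0x00,0x03,0x00,0x04,0x00,0x05,0x00,0x07 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Zeroing through a volatile pointer so the compiler cannot drop it as a
 * dead store once the page is never read again. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Copy the payload of the entry tagged `guid` into `out` (at most `cap`
 * bytes) and zero the whole entry in place. Returns the payload length, or
 * -1 if the table is malformed, the entry is absent, or `cap` is too small. */
int consume_secret(uint8_t *page, size_t page_len, const uint8_t guid[GUID_LEN],
                   uint8_t *out, size_t cap)
{
    if (page_len < HDR_LEN || memcmp(page, TABLE_GUID, GUID_LEN) != 0)
        return -1;
    uint32_t total = rd32(page + GUID_LEN);
    if (total < HDR_LEN || total > page_len)
        return -1;

    size_t off = HDR_LEN;
    while (off + HDR_LEN <= total) {
        uint32_t elen = rd32(page + off + GUID_LEN);
        /* An entry must hold its own header and stay inside the table. */
        if (elen < HDR_LEN || elen > total - off)
            return -1;
        if (memcmp(page + off, guid, GUID_LEN) == 0) {
            size_t plen = elen - HDR_LEN;
            if (plen > cap)
                return -1;
            memcpy(out, page + off + HDR_LEN, plen);
            secure_zero(page + off, elen);   /* shred GUID, length and data */
            return (int)plen;
        }
        off += elen;
    }
    return -1;
}

/* Build a constructed one-entry table in `page`; returns the table length. */
size_t build_sample_page(uint8_t *page, const uint8_t *secret, uint32_t slen)
{
    uint32_t elen = HDR_LEN + slen, total = HDR_LEN + elen;
    memset(page, 0, SECRETS_PAGE_SIZE);
    memcpy(page, TABLE_GUID, GUID_LEN);
    wr32(page + GUID_LEN, total);
    memcpy(page + HDR_LEN, DISK_GUID, GUID_LEN);
    wr32(page + HDR_LEN + GUID_LEN, elen);
    memcpy(page + 2 * HDR_LEN, secret, slen);
    return total;
}

/* 1 if every byte in [p, p+n) is zero, i.e. nothing of the entry survives. */
int region_is_zero(const uint8_t *p, size_t n)
{
    while (n--)
        if (*p++ != 0) return 0;
    return 1;
}

int main(void)
{
    uint8_t page[SECRETS_PAGE_SIZE];
    uint8_t key[32];
    const uint8_t secret[] = "hunter2";        /* constructed disk secret */
    build_sample_page(page, secret, 7);
    int n = consume_secret(page, sizeof page, DISK_GUID, key, sizeof key);
    printf("consumed %d bytes, entry zeroed: %d, second lookup: %d\n", n,
           region_is_zero(page + HDR_LEN, HDR_LEN + 7),
           consume_secret(page, sizeof page, DISK_GUID, key, sizeof key));
    return 0;
}
```

Two points worth noting: the zeroing goes through a volatile pointer because a plain memset of memory that is never read again is exactly the kind of dead store an optimising compiler may delete, and the shred covers the entry's GUID and length as well as the data, so a second lookup of the same GUID fails rather than finding an empty entry. Length checks reject an entry whose declared length runs past the table, since the table contents come from the injection path and a consumer in the bootloader should not trust them blindly.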




View/Reply Online (#74800): https://edk2.groups.io/g/devel/message/74800