(if kernel hashes are not used).
Note that for SNP, the launch secret part of the page (lower 3KB) is
not relevant and will remain zero. The last 1KB is used for the hashes.
This should have no effect on OvmfPkgX64 targets (which don't define
PcdSevLaunchSecretBase).
Signed-off-by: Dov Murik
01
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++--
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 5fb3b5
.groups.io/g/devel/message/88137
Dov Murik (2):
OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in
OvmfPkgX64.fdf
OvmfPkg/ResetVector: Define SNP metadata for kernel hashes
OvmfPkg/AmdSev/AmdSevX64.fdf| 27 ++--
OvmfPkg/ResetVector/ResetVector.nasmb
On 23/02/2023 16:58, Dov Murik wrote:
>
>
> On 21/02/2023 11:38, Gerd Hoffmann wrote:
>> On Mon, Feb 20, 2023 at 08:44:23AM -0600, Tom Lendacky wrote:
>>> On 2/20/23 02:49, Dov Murik wrote:
>>>> In order to allow the VMM (such as QEMU) to add a page with
On 21/02/2023 11:38, Gerd Hoffmann wrote:
> On Mon, Feb 20, 2023 at 08:44:23AM -0600, Tom Lendacky wrote:
>> On 2/20/23 02:49, Dov Murik wrote:
>>> In order to allow the VMM (such as QEMU) to add a page with hashes of
>>> kernel/initrd/cmdline for measured direct
(which don't define
PcdSevLaunchSecretBase).
Signed-off-by: Dov Murik
---
OvmfPkg/ResetVector/ResetVector.nasmb | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb
b/OvmfPkg/ResetVector/ResetVector.nasmb
index 94fbb0a87b37
01
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++--
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 5fb3b5
Dov Murik (2):
OvmfPkg/AmdSev: Reorder MEMFD pages to match the order in
OvmfPkgX64.fdf
OvmfPkg/ResetVector: Exclude SEV launch secrets page from
pre-validation
OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++--
OvmfPkg/ResetVector/ResetVector.nasmb | 14 +-
2
On 16/02/2023 10:06, Dov Murik wrote:
> (Note: This is a new version of this one-year-old patch series; the v1
> series [1] got a few Acked-by but it's been so long that I don't
> consider them relevant anymore.)
>
> AMD SEV and SEV-ES support measured direct boot with
> ker
(which don't define
PcdSevLaunchSecretBase).
Signed-off-by: Dov Murik
---
OvmfPkg/ResetVector/ResetVector.nasmb | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb
b/OvmfPkg/ResetVector/ResetVector.nasmb
index 94fbb0a87b37
Aktas
Cc: James Bottomley
Cc: Min Xu
Cc: Tom Lendacky
Cc: Michael Roth
Cc: Ashish Kalra
Cc: Mario Smarduch
Cc: Tobin Feldman-Fitzthum
---
v2 changes:
* Rebased on master
* Updated AmdSev MEMFD size to match OvmfX64
v1:
[1] https://edk2.groups.io/g/devel/message/88137
Dov Murik (2
01
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/AmdSevX64.fdf | 27 ++--
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 5fb3b5
vel@edk2.groups.io On Behalf Of Roth,
>> Michael via groups.io
>> Sent: Thursday, December 22, 2022 12:07 AM
>> To: devel@edk2.groups.io
>> Cc: Tom Lendacky ; Ni, Ray
>> ; Dov Murik
>> Subject: [edk2-devel] [PATCH 1/4] OvmfPkg/AmdSevDxe: Allocate SEV-SNP CC
>>
ating system later.
>
> Reported-by: Dov Murik
> Suggested-by: Dov Murik
> Signed-off-by: Michael Roth
Reviewed-by: Dov Murik
> ---
> OvmfPkg/AmdSevDxe/AmdSevDxe.c | 62 +++
> 1 file changed, 48 insertions(+), 14 deletions(-)
>
ky
Signed-off-by: Dov Murik
---
v3 changes:
* Whitespace fix
v2 changes:
* Allocate with EfiACPIReclaimMemory memory type (thanks Ard)
---
OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 22 ++--
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/OvmfPkg/AmdSev/SecretDxe/Secr
ent: Monday, December 12, 2022 11:01 PM
>> To: Dov Murik ; devel@edk2.groups.io
>> Cc: Tobin Feldman-Fitzthum ; Ard Biesheuvel
>> ; Aktas, Erdem ;
>> Gerd Hoffmann ; James Bottomley
>> ; Yao, Jiewen ; Justen, Jordan
>> L ; Michael Roth ; Xu,
>> Min M ; T
Justen
Cc: Michael Roth
Cc: Min Xu
Cc: Tobin Feldman-Fitzthum
Cc: Tom Lendacky
Signed-off-by: Dov Murik
---
v2 changes:
* Allocate with EfiACPIReclaimMemory memory type (thanks Ard)
---
OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 22 ++--
1 file changed, 16 insertions(+), 6 dele
Thanks Ard for reviewing this patch.
On 09/12/2022 1:02, Ard Biesheuvel wrote:
> On Thu, 8 Dec 2022 at 09:08, Dov Murik wrote:
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4186
>>
>> Commit 079a58276b98 ("OvmfPkg/AmdSev/SecretPei: Mark SEV launch sec
c: Min Xu
Cc: Tobin Feldman-Fitzthum
Cc: Tom Lendacky
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf | 2 ++
OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 17 +++--
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.i
Gerd, thanks for the cleanup.
Tested-by: Dov Murik
Reviewed-by: Dov Murik
On 02/06/2022 12:11, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann
> ---
> OvmfPkg/AmdSev/AmdSevX64.dsc | 47
> OvmfPkg/AmdSev/AmdSevX64.fdf | 15 ---
On 30/03/2022 22:35, Brijesh Singh wrote:
>
>
> On 3/30/22 14:31, Dov Murik wrote:
>>
>>
>> On 30/03/2022 22:27, Brijesh Singh wrote:
>>>
>>>
>>> On 3/30/22 01:04, Dov Murik wrote:
>>>>
>>>>
>>>> On 30/0
On 30/03/2022 22:27, Brijesh Singh wrote:
>
>
> On 3/30/22 01:04, Dov Murik wrote:
>>
>>
>> On 30/03/2022 8:20, Gerd Hoffmann wrote:
>>> Hi,
>>>
>>>> Check if that page is defined; if it is, skip it in the metadata list.
>>>
On 30/03/2022 8:20, Gerd Hoffmann wrote:
> Hi,
>
>> Check if that page is defined; if it is, skip it in the metadata list.
>> In such case, VMM should fill the page with the hashes content, or
>> explicitly update it as a zero page (if kernel hashes are not used).
>
> Is it an option to
On 30/03/2022 8:14, Gerd Hoffmann wrote:
> On Tue, Mar 29, 2022 at 03:32:36PM +0300, Dov Murik wrote:
>> Thanks Gerd for reviewing.
>>
>> On 29/03/2022 14:36, Gerd Hoffmann wrote:
>>> On Mon, Mar 28, 2022 at 06:45:29PM +0000, Dov Murik wrote:
>>>>
Thanks Gerd for reviewing.
On 29/03/2022 14:36, Gerd Hoffmann wrote:
> On Mon, Mar 28, 2022 at 06:45:29PM +0000, Dov Murik wrote:
>> Reorder the pages in the MEMFD section of AmdSevX64.fdf so that it
>> matches the same order used in OvmfPkgX64.fdf.
>
> Makes sense.
>
>
amBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize
Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Tobin Feldman-Fitzthum
Signed-off-by: Dov Murik
---
OvmfPkg/
will be published soon.
Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Tobin Feldman-Fitzthum
Dov Murik (2):
OvmfPkg/AmdSev: Reorder MEMFD pages to match the order
(which don't define
PcdSevLaunchSecretBase).
Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Tobin Feldman-Fitzthum
Signed-off-by: Dov Murik
---
OvmfPkg
On 04/01/2022 11:00, Yao, Jiewen wrote:
> Merged:
> https://github.com/tianocore/edk2/commit/079a58276b98dc97ca363e3bc8b35cc7baa56d76
>
Thanks!
-Dov
>> -----Original Message-----
>> From: devel@edk2.groups.io On Behalf Of Dov Murik
>> Sent: Tuesday, January 4
Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Tobin Feldman-Fitzthum
Signed-off-by: Dov Murik
Acked-by: Gerd Hoffmann
Acked-by: Jiewen Yao
Reviewed-by: Brijesh Singh
---
Resending with Acked-by and Reviewed-by tags.
Please let me know if there's anything else missing.
Thanks,
-Dov
---
OvmfPkg
OS doesn't need to copy it around. This is also similar to the approach
taken in the SNP patches for the SNP-Secrets and SNP-CPUID pages.
Added bonus is that it's less code both in OVMF and in kernel's efi and
efi/libstub.
Thanks,
-Dov
On 02/11/2021 10:25, Dov Murik wrote:
> The confident
Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Tobin Feldman-Fitzthum
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/SecretPei/SecretPei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
index db94c26b54d1
uild-test the
> AmdSev variant.
Note that it will also allow (later) to test with QEMU with -kernel (AKA
direct measured Linux boot), which doesn't reach the grub part. (if the
CI supports such tests.)
>
> Acked-by: Jiewen Yao
> Acked-by: Ard Biesheuvel
> Signed-off-by: Gerd Hof
Thanks Gerd,
On 04/11/2021 11:21, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann
Reviewed-by: Dov Murik
Tested-by: Dov Murik
-Dov
> ---
> OvmfPkg/AmdSev/AmdSevX64.dsc | 47
> OvmfPkg/AmdSev/AmdSevX64.fdf | 15
> 2 fi
On 03/11/2021 8:07, Gerd Hoffmann wrote:
> Hi,
>
Does SEV need and/or use SMM mode? Looking through AmdSevX64.dsc
doesn't give a clear answer, on one hand there is a
LibraryClasses.common.SMM_CORE section, but on the other hand it uses
the non-SMM variable driver stack.
On 02/11/2021 15:29, Gerd Hoffmann wrote:
> Hi,
>
>>> I'm wondering whenever you actually tried to boot a sev guest
>>> in microvm?
>>
>> No I haven't tried. Do you want Microvm to be able to boot SEV guests,
>> or do you intentionally want to keep functionality out so it stays small?
>
>
Hi Gerd,
(I assume your comments are for patch 2/2)
On 02/11/2021 12:03, Gerd Hoffmann wrote:
> On Tue, Nov 02, 2021 at 07:34:21AM +0000, Dov Murik wrote:
>> The SEV launch secret area and the QEMU hashes table area were specified
>> in the OvmfPkg/AmdSev/AmdSevX64 MEMFD but
in
Linux).
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Tobin Feldman-Fitzthum
Signed-off-by: Dov Murik
---
Code is in:
https://github.com/confidential-containers-demo/edk2/tree
/MicrovmX64.fdf |
sha1sum
6ff89173952413fbdb7ffbbf42f8bc389c928500 -
$ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/AmdSev/AmdSevX64.fdf | sha1sum
6ff89173952413fbdb7ffbbf42f8bc389c928500 -
Signed-off-by: Dov Murik
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Brijesh
Xu
Cc: Tom Lendacky
Dov Murik (2):
OvmfPkg/OvmfPkgX64: Add SEV launch secret and hashes table areas to
MEMFD
OvmfPkg/Microvm: Add SEV launch secret and hashes table areas to MEMFD
OvmfPkg/Microvm/MicrovmX64.fdf | 8 +++-
OvmfPkg/OvmfPkgX64.fdf | 8 +++-
2 files changed
| sha1sum
6ff89173952413fbdb7ffbbf42f8bc389c928500 -
$ sed -n -e '/FD.MEMFD/,/FV.SECFV/p' OvmfPkg/AmdSev/AmdSevX64.fdf | sha1sum
6ff89173952413fbdb7ffbbf42f8bc389c928500 -
Signed-off-by: Dov Murik
Reported-by: Brijesh Singh
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc
and Jiewen for your help with this issue.
-Dov
On 13/10/2021 12:35, Dov Murik wrote:
> Hello,
>
> I encountered the following problem when trying to launch SEV-ES
> (policy=0x5) guests with the OvmfPkg/AmdSev/AmdSevX64 package build:
>
>
> $ sudo /home/dmurik/git/qemu/build
On 17/10/2021 1:32, Brijesh Singh wrote:
>
> On 10/16/21 1:38 PM, Dov Murik wrote:
>> [+Tobin]
>>
>>
>> On 14/10/2021 21:17, Brijesh Singh wrote:
>>> The commit 80e67af9afca added support for the generic work area concept
>>> used mainly b
Cc: Min Xu
> Cc: Jiewen Yao
> Cc: Tom Lendacky
> Cc: Jordan Justen
> Cc: Ard Biesheuvel
> Cc: Erdem Aktas
> Cc: Gerd Hoffmann
> Reported-by: Dov Murik
> Signed-off-by: Brijesh Singh
> ---
> OvmfPkg/AmdSev/AmdSevX64.fdf | 9 -
> 1 file changed
Thanks Brijesh for looking into this.
On 13/10/2021 22:41, Brijesh Singh wrote:
> Hi Dov,
>
> On 10/13/21 2:35 AM, Dov Murik wrote:
>> Hello,
>>
>> I encountered the following problem when trying to launch SEV-ES
>> (policy=0x5) guests with the OvmfP
Hello,
I encountered the following problem when trying to launch SEV-ES
(policy=0x5) guests with the OvmfPkg/AmdSev/AmdSevX64 package build:
$ sudo /home/dmurik/git/qemu/build/qemu-system-x86_64 -enable-kvm
-machine q35 -smp 1 -m 2G -machine confidential-guest-support=sev0
-object
On 29/07/2021 12:51, Ard Biesheuvel wrote:
> On Wed, 28 Jul 2021 at 19:30, Dov Murik wrote:
>>
>>
>> On 28/07/2021 19:41, Yao, Jiewen wrote:
>>> For OvmfPkg, reviewed-by: Jiewen Yao
>>> For ArmVirtPkg, acked-by: Jiewen Yao
>>>
>>
>>
On 28/07/2021 19:41, Yao, Jiewen wrote:
> For OvmfPkg, reviewed-by: Jiewen Yao
> For ArmVirtPkg, acked-by: Jiewen Yao
>
Thanks Jiewen!
-Dov
://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
---
ArmVirtPkg/ArmVirtQemu.dsc | 5 -
ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7ef5e7297bc7
: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Tom Lendacky
Reviewed-by: Brijesh Singh
---
OvmfPkg/AmdSev/SecretPei/SecretPei.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff
Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Co-developed-by: Dov Murik
Signed-off-by: Dov Murik
Signed-off-by: James Bottomley
Reviewed-by: Tom Lendacky
Reviewed-by: Brijesh
Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Tom Lendacky
---
OvmfPkg/OvmfPkg.dec | 3 ++
OvmfPkg/Library/BlobVerifierLibNull
From: James Bottomley
Commit 96201ae7bf97 ("OvmfPkg/AmdSev/SecretDxe: make secret location
naming generic", 2020-12-15) replaced references to SEV with the generic
term Confidential Computing, but missed the file header comment. Fix
the naming in that header.
Cc: Ard Biesheuvel
Cc: Jordan
for injecting the hashes table into initial measured guest memory).
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
ps.io/g/devel/message/75567
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Leif Lindholm
Cc: Sami Mujawar
Dov Murik (8):
OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds
Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Brijesh Singh
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 2
Bottomley
Signed-off-by: James Bottomley
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierLibSevHashes.inf | 37
OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c | 202
2 files changed, 239 insertions(+)
diff --git
Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Co-developed-by: James Bottomley
Signed-off-by: James Bottomley
Signed-off-by: Dov Murik
Reviewed-by: Brijesh Singh
Reviewed-by: Tom Lendacky
From: James Bottomley
Support QEMU's -kernel option.
Create a QemuKernel.c for PlatformBootManagerLibGrub
which is an exact copy of the file
PlatformBootManagerLib/QemuKernel.c .
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Thanks for the explanations. Comments below:
On 25/07/2021 11:17, Yao, Jiewen wrote:
> Thank you Dov.
> Comment below:
>
>> -----Original Message-----
>> From: Dov Murik
>> Sent: Sunday, July 25, 2021 3:53 PM
>> To: Yao, Jiewen ; devel@edk2.groups.io
>
irection
we're going to, then there's no need to separate the code.
Thanks,
-Dov
> Thank you
> Yao Jiewen
>
>
>> -----Original Message-----
>> From: devel@edk2.groups.io On Behalf Of Dov Murik
>> Sent: Thursday, July 22, 2021 4:43 PM
>> To: devel@edk2.grou
sizeof Ptr->Guid + sizeof Ptr->Len)) {
+ if (Ptr == NULL || Size < sizeof *Ptr ||
+ !CompareGuid (>Guid, _HASH_TABLE_GUID) ||
+ Ptr->Len < sizeof *Ptr || Ptr->Len > Size) {
return RETURN_SUCCESS;
}
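Review bot: the failure branch of the new validity check still ends in `return RETURN_SUCCESS;`, so at this point a NULL, undersized or wrong-GUID table looks the same to the caller as a valid one. A comment on that branch stating where a missing or malformed table is later turned into a verification failure, plus a DEBUG message for the malformed case, would make the intent explicit. The added `Ptr->Len < sizeof *Ptr` and `Ptr->Len > Size` bounds are the right checks to have in place before any entry is read.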
On 22/07/2021 11:43, Dov Murik wrote:
> Add an implementation for
Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Brijesh Singh
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 2
Bottomley
Signed-off-by: James Bottomley
Signed-off-by: Dov Murik
---
OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf | 37
OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c | 199
2 files changed, 236 insertions(+)
diff --git a/OvmfPkg/Library
Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Tom Lendacky
---
OvmfPkg/OvmfPkg.dec | 3 ++
OvmfPkg/Library/BlobVerifierLib
for injecting the hashes table into initial measured guest memory).
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
From: James Bottomley
Support QEMU's -kernel option.
Create a QemuKernel.c for PlatformBootManagerLibGrub
which is an exact copy of the file
PlatformBootManagerLib/QemuKernel.c .
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
---
ArmVirtPkg/ArmVirtQemu.dsc | 5 -
ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7ef5e7297bc7
Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Co-developed-by: Dov Murik
Signed-off-by: Dov Murik
Signed-off-by: James Bottomley
Reviewed-by: Tom Lendacky
Reviewed-by: Brijesh
: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Tom Lendacky
Reviewed-by: Brijesh Singh
---
OvmfPkg/AmdSev/SecretPei/SecretPei.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff
Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Co-developed-by: James Bottomley
Signed-off-by: James Bottomley
Signed-off-by: Dov Murik
Reviewed-by: Brijesh Singh
Reviewed-by: Tom Lendacky
Signed-off-by: Dov Murik
Reviewed-by: Tom Lendacky
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +-
OvmfPkg/OvmfPkgIa32.dsc | 5 -
OvmfPkg/OvmfPkgIa32X64.dsc | 5 -
OvmfPkg/OvmfPkgX64.dsc | 5 -
4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/AmdSev
ndholm
Cc: Sami Mujawar
---
Ard: please review patch 6 (ArmVirtPkg). Thanks.
Tom, Brijesh: I'll also send the diff for patch 10. Thanks.
---
Dov Murik (8):
OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds
OvmfPkg: add library class BlobVerifierLib with null impl
From: James Bottomley
Commit 96201ae7bf97 ("OvmfPkg/AmdSev/SecretDxe: make secret location
naming generic", 2020-12-15) replaced references to SEV with the generic
term Confidential Computing, but missed the file header comment. Fix
the naming in that header.
Cc: Ard Biesheuvel
Cc: Jordan
anges it's not
supposed to, and that's why I think hardening this parsing function is a
good idea.
I'll submit another version with added validity checks of the hashes
table structure. I'll also add the INT32 explanation comment per Tom's
suggestion.
On Tue, Jul 20, 2021 at 08:04:00AM +, Dov M
On 20/07/2021 20:27, Ard Biesheuvel wrote:
> On Tue, 20 Jul 2021 at 19:22, Tom Lendacky wrote:
>>
>> On 7/20/21 3:03 AM, Dov Murik wrote:
>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>>
>> I believe the convention is that this line be in the
: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/SecretPei/SecretPei.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
b
Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Reviewed-by: Brijesh Singh
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 2
From: James Bottomley
Support QEMU's -kernel option.
Create a QemuKernel.c for PlatformBootManagerLibGrub
which is an exact copy of the file
PlatformBootManagerLib/QemuKernel.c .
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Co-developed-by: James Bottomley
Signed-off-by: James Bottomley
Signed-off-by: Dov Murik
Reviewed-by: Brijesh Singh
---
OvmfPkg
Signed-off-by: Dov Murik
---
OvmfPkg/AmdSev/AmdSevX64.dsc | 6 +-
OvmfPkg/OvmfPkgIa32.dsc | 5 -
OvmfPkg/OvmfPkgIa32X64.dsc | 5 -
OvmfPkg/OvmfPkgX64.dsc | 5 -
4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev
for injecting the hashes table into initial measured guest memory).
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Ashish Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
Bottomley
Signed-off-by: James Bottomley
Signed-off-by: Dov Murik
---
OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibSevHashes.inf | 37
OvmfPkg/Library/BlobVerifierLib/BlobVerifierSevHashes.c | 200
2 files changed, 237 insertions(+)
diff --git a/OvmfPkg/Library
Kalra
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Co-developed-by: Dov Murik
Signed-off-by: Dov Murik
Signed-off-by: James Bottomley
Reviewed-by: Tom Lendacky
---
OvmfPkg
://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
---
ArmVirtPkg/ArmVirtQemu.dsc | 5 -
ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 -
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7ef5e7297bc7
Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
Signed-off-by: Dov Murik
---
OvmfPkg/OvmfPkg.dec | 3 ++
OvmfPkg/Library/BlobVerifierLib/BlobVerifierLibNull.inf | 24
a
Cc: Brijesh Singh
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Min Xu
Cc: Tom Lendacky
Cc: Leif Lindholm
Cc: Sami Mujawar
Dov Murik (8):
OvmfPkg/AmdSev: use GenericQemuLoadImageLib in AmdSev builds
OvmfPkg: add library class BlobVerifierLib with null implementation
OvmfPkg
From: James Bottomley
Commit 96201ae7bf97 ("OvmfPkg/AmdSev/SecretDxe: make secret location
naming generic", 2020-12-15) replaced references to SEV with the generic
term Confidential Computing, but missed the file header comment. Fix
the naming in that header.
Cc: Ard Biesheuvel
Cc: Jordan
On 19/07/2021 22:14, Dov Murik wrote:
>
>
> On 19/07/2021 18:21, Tom Lendacky wrote:
>> On 7/6/21 3:54 AM, Dov Murik wrote:
>>> From: James Bottomley
>>>
>>> Support QEMU's -kernel option.
>>>
>>> OvmfPkg/Library/PlatformBootManager
On 20/07/2021 1:36, Christoph Willing wrote:
> On 20/7/21 3:58 am, Dov Murik wrote:
>>
>>
>> On 19/07/2021 15:56, Christoph Willing wrote:
>>> Thanks for the clarification Dov.
>>>
>>> I've been trying with just "normal" VMs, not SEV. I
On 19/07/2021 10:09, Ard Biesheuvel wrote:
> On Mon, 19 Jul 2021 at 05:14, Ni, Ray wrote:
>>
>> This change generates the reset vector binary which only contains 1G page
>> table. If a platform doesn't support 1G page table, this will cause system
>> hang.
>>
>> To Ard and Jordan,
>> Can you
On 19/07/2021 18:19, Brijesh Singh wrote:
>
>
> On 7/19/21 7:22 AM, Dov Murik wrote:
>>> The patch itself is okay. Just curious, do we also need to add a
>>> verification for the QEMU FW cfg file ?
>>>
>>
>> I don't really understand. T
On 19/07/2021 20:28, Tom Lendacky wrote:
> On 7/6/21 3:55 AM, Dov Murik wrote:
>> Add an implementation for BlobVerifierLib that locates the SEV hashes
>> table and verifies that the calculated hashes of the kernel, initrd, and
>> cmdline blobs indeed match the e
On 19/07/2021 19:19, Tom Lendacky wrote:
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> Round up the size of the SEV launch secret area to a whole page, as
>> required by BuildMemoryAllocationHob. This will allow the secret
>> area defined in the MEMFD to take less than a who
On 19/07/2021 18:57, Tom Lendacky wrote:
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
>> of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a
>> call to VerifyBlob after fetching to
On 19/07/2021 18:50, Tom Lendacky wrote:
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> BlobVerifierLib will be used to verify blobs fetching them from QEMU's
>> firmware config (fw_cfg) in platforms that enable such verification.
>>
>> The null implementation NullBlobV
On 19/07/2021 18:21, Tom Lendacky wrote:
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> From: James Bottomley
>>
>> Support QEMU's -kernel option.
>>
>> OvmfPkg/Library/PlatformBootManagerLibGrub/QemuKernel.c is an exact copy
>> of OvmfPkg/Library/Platform
On 19/07/2021 18:14, Tom Lendacky wrote:
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3457
>
> This BZ link should be part of all the commit messages in the series.
>
Oh I missed a few. I'll fix. Thanks.
> Thanks,
>
On 19/07/2021 15:56, Christoph Willing wrote:
> Thanks for the clarification Dov.
>
> I've been trying with just "normal" VMs, not SEV. I did already find and try
> the confidential-containers-demo sev-hashes-v2 branch but it didn't help -
> not surprising if it's not relevant to normal VMs.
On 18/07/2021 18:47, Brijesh Singh wrote:
>
> On 7/6/21 3:54 AM, Dov Murik wrote:
>> In QemuKernelLoaderFsDxeEntrypoint we use FetchBlob to read the content
>> of the kernel/initrd/cmdline from the QEMU fw_cfg interface. Insert a
>> call to VerifyBlob after fetching
1 - 100 of 164 matches