diff --git a/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch b/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch new file mode 100644 index 0000000..2a92c02 --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch @@ -0,0 +1,51 @@ +From c4096f74a41bde4fc62576222e0c9622152d7701 Mon Sep 17 00:00:00 2001 +From: Pawel Polawski +Date: Tue, 4 Jan 2022 15:16:40 +0800 +Subject: [PATCH 2/2] OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as + reserved + +RH-Author: Pawel Polawski +RH-MergeRequest: 10: OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as reserved +RH-Commit: [1/1] a8f099d508e2e7b39697945acaa767c43577b1e6 (elkoniu/edk2) +RH-Bugzilla: 2041754 +RH-Acked-by: Oliver Steffen +RH-Acked-by: Gerd Hoffmann + +Mark the SEV launch secret MEMFD area as reserved, which will allow the +guest OS to use it during the lifetime of the OS, without creating +copies of the sensitive content. + +Cc: Ard Biesheuvel +Cc: Jordan Justen +Cc: Gerd Hoffmann +Cc: Brijesh Singh +Cc: Erdem Aktas +Cc: James Bottomley +Cc: Jiewen Yao +Cc: Min Xu +Cc: Tom Lendacky +Cc: Tobin Feldman-Fitzthum +Signed-off-by: Dov Murik +Acked-by: Gerd Hoffmann +Acked-by: Jiewen Yao +Reviewed-by: Brijesh Singh +--- + OvmfPkg/AmdSev/SecretPei/SecretPei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c +index db94c26b54..6bf1a55dea 100644 +--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c ++++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c +@@ -19,7 +19,7 @@ InitializeSecretPei ( + BuildMemoryAllocationHob ( + PcdGet32 (PcdSevLaunchSecretBase), + ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE), +- EfiBootServicesData ++ EfiReservedMemoryType + ); + + return EFI_SUCCESS; +-- +2.27.0 + diff --git a/SOURCES/edk2-ovmf-amdsev.json b/SOURCES/edk2-ovmf-amdsev.json new file mode 100644 index 0000000..a5fbf85 --- /dev/null +++ b/SOURCES/edk2-ovmf-amdsev.json @@ -0,0 +1,30 @@ +{ + "description": "OVMF with SEV-ES support", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "stateless", + "executable": { + "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-rhel8.5.0" + ] + } + ], + "features": [ + "amd-sev", + "amd-sev-es", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index 5836d90..28b8bcf 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -24,7 +24,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 2%{?dist} +Release: 3%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and OpenSSL and MIT URL: http://www.tianocore.org @@ -45,6 +45,7 @@ Source11: edk2-aarch64.json Source12: edk2-ovmf-sb.json Source13: edk2-ovmf.json Source14: edk2-ovmf-cc.json +Source15: edk2-ovmf-amdsev.json Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch @@ -93,6 +94,8 @@ Patch49: edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch # For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch +# For bz#2041755 - Mark SEV launch secret area as reserved +Patch52: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch # python3-devel and libuuid-devel are required for building tools. @@ -201,7 +204,7 @@ git config am.keepcr true %autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am cp -a -- %{SOURCE1} %{SOURCE3} . -cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} . +cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} . tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x # Format the Red Hat-issued certificate that is to be enrolled as both Platform @@ -293,6 +296,11 @@ build ${OVMF_FLAGS} -a X64 \ build ${OVMF_SB_FLAGS} -a IA32 -a X64 \ -p OvmfPkg/OvmfPkgIa32X64.dsc +# Build AmdSev +touch OvmfPkg/AmdSev/Grub/grub.efi # dummy +build ${OVMF_FLAGS} -a X64 \ + -p OvmfPkg/AmdSev/AmdSevX64.dsc + # Sanity check: the varstore templates must be identical. cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \ Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd @@ -368,6 +376,9 @@ install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \ install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \ %{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso +install -m 0644 Build/AmdSev/DEBUG_%{TOOLCHAIN}/FV/OVMF.fd \ + %{buildroot}%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd + ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/ ln -s ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}%{_datadir}/OVMF/ ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/ @@ -384,6 +395,8 @@ install -m 0644 edk2-ovmf.json \ %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json install -m 0644 edk2-ovmf-cc.json \ %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json +install -m 0644 edk2-ovmf-amdsev.json \ + %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json # endif build_ovmf %endif @@ -474,6 +487,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$') %{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd %{_datadir}/%{name}/ovmf/OVMF_VARS.fd %{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd +%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd %{_datadir}/%{name}/ovmf/UefiShell.iso %{_datadir}/OVMF/OVMF_CODE.secboot.fd %{_datadir}/OVMF/OVMF_VARS.fd @@ -483,6 +497,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$') %{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi %{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json %{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json +%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json %{_datadir}/qemu/firmware/50-edk2-ovmf.json # endif build_ovmf %endif @@ -531,6 +546,14 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$') %changelog +* Wed Feb 23 2022 Miroslav Rezanina - 20220126gitbb1bba3d77-3 +- edk2-spec-build-amdsev-variant.patch [bz#2054661] +- edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755] +- Resolves: bz#2054661 + (RFE: Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF) +- Resolves: bz#2041755 + (Mark SEV launch secret area as reserved) + * Tue Feb 08 2022 Miroslav Rezanina - 20220126gitbb1bba3d77-2 - edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497] - edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497]