diff options
author | Michael Roth <michael.roth@amd.com> | 2023-04-26 04:32:55 +0800 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-04-26 13:39:01 +0000 |
commit | f384303dc563fab096f265a0227a13a3df403a70 (patch) | |
tree | 49c4545b46db1533ce052a3953c1b275bbb6aebe /OvmfPkg/AmdSevDxe | |
parent | ede0bd1496405f72147308b9570efba0234349b2 (diff) | |
download | edk2-f384303dc563fab096f265a0227a13a3df403a70.tar.gz edk2-f384303dc563fab096f265a0227a13a3df403a70.tar.bz2 edk2-f384303dc563fab096f265a0227a13a3df403a70.zip |
OvmfPkg/AmdSevDxe: Allocate SEV-SNP CC blob as EfiACPIReclaimMemory
The SEV-SNP Confidential Computing blob contains metadata that should
remain accessible for the life of the guest. Allocate it as
EfiACPIReclaimMemory to ensure the memory isn't overwritten by the guest
operating system later.
Reported-by: Dov Murik <dovmurik@linux.ibm.com>
Suggested-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Dov Murik <dovmurik@linux.ibm.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Roth <michael.roth@amd.com>
Diffstat (limited to 'OvmfPkg/AmdSevDxe')
-rw-r--r-- | OvmfPkg/AmdSevDxe/AmdSevDxe.c | 62 |
1 files changed, 48 insertions, 14 deletions
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c index 05b728d32a..df807066fa 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c @@ -28,15 +28,36 @@ // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h
#define EFI_MEMORY_INTERNAL_MASK 0x0700000000000000ULL
-STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = {
- SIGNATURE_32 ('A', 'M', 'D', 'E'),
- 1,
- 0,
- (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfSnpSecretsBase),
- FixedPcdGet32 (PcdOvmfSnpSecretsSize),
- (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfCpuidBase),
- FixedPcdGet32 (PcdOvmfCpuidSize),
-};
+STATIC
+EFI_STATUS
+AllocateConfidentialComputingBlob (
+ OUT CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION **CcBlobPtr
+ )
+{
+ EFI_STATUS Status;
+ CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *CcBlob;
+
+ Status = gBS->AllocatePool (
+ EfiACPIReclaimMemory,
+ sizeof (CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION),
+ (VOID **)&CcBlob
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ CcBlob->Header = SIGNATURE_32 ('A', 'M', 'D', 'E');
+ CcBlob->Version = 1;
+ CcBlob->Reserved1 = 0;
+ CcBlob->SecretsPhysicalAddress = (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfSnpSecretsBase);
+ CcBlob->SecretsSize = FixedPcdGet32 (PcdOvmfSnpSecretsSize);
+ CcBlob->CpuidPhysicalAddress = (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfCpuidBase);
+ CcBlob->CpuidLSize = FixedPcdGet32 (PcdOvmfCpuidSize);
+
+ *CcBlobPtr = CcBlob;
+
+ return EFI_SUCCESS;
+}
STATIC EFI_HANDLE mAmdSevDxeHandle = NULL;
@@ -175,10 +196,11 @@ AmdSevDxeEntryPoint ( IN EFI_SYSTEM_TABLE *SystemTable
)
{
- EFI_STATUS Status;
- EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
- UINTN NumEntries;
- UINTN Index;
+ EFI_STATUS Status;
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
+ UINTN NumEntries;
+ UINTN Index;
+ CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *SnpBootDxeTable;
//
// Do nothing when SEV is not enabled
@@ -284,6 +306,18 @@ AmdSevDxeEntryPoint ( }
}
+ Status = AllocateConfidentialComputingBlob (&SnpBootDxeTable);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: AllocateConfidentialComputingBlob(): %r\n",
+ __func__,
+ Status
+ ));
+ ASSERT (FALSE);
+ CpuDeadLoop ();
+ }
+
if (MemEncryptSevSnpIsEnabled ()) {
//
// Memory acceptance began being required in SEV-SNP, so install the
@@ -321,7 +355,7 @@ AmdSevDxeEntryPoint ( //
return gBS->InstallConfigurationTable (
&gConfidentialComputingSevSnpBlobGuid,
- &mSnpBootDxeTable
+ SnpBootDxeTable
);
}
|