summaryrefslogtreecommitdiffstats
path: root/OvmfPkg/AmdSevDxe
diff options
context:
space:
mode:
authorMichael Roth <michael.roth@amd.com>2023-04-26 04:32:55 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2023-04-26 13:39:01 +0000
commitf384303dc563fab096f265a0227a13a3df403a70 (patch)
tree49c4545b46db1533ce052a3953c1b275bbb6aebe /OvmfPkg/AmdSevDxe
parentede0bd1496405f72147308b9570efba0234349b2 (diff)
downloadedk2-f384303dc563fab096f265a0227a13a3df403a70.tar.gz
edk2-f384303dc563fab096f265a0227a13a3df403a70.tar.bz2
edk2-f384303dc563fab096f265a0227a13a3df403a70.zip
OvmfPkg/AmdSevDxe: Allocate SEV-SNP CC blob as EfiACPIReclaimMemory
The SEV-SNP Confidential Computing blob contains metadata that should remain accessible for the life of the guest. Allocate it as EfiACPIReclaimMemory to ensure the memory isn't overwritten by the guest operating system later. Reported-by: Dov Murik <dovmurik@linux.ibm.com> Suggested-by: Dov Murik <dovmurik@linux.ibm.com> Reviewed-by: Dov Murik <dovmurik@linux.ibm.com> Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com> Acked-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Roth <michael.roth@amd.com>
Diffstat (limited to 'OvmfPkg/AmdSevDxe')
-rw-r--r--OvmfPkg/AmdSevDxe/AmdSevDxe.c62
1 files changed, 48 insertions, 14 deletions
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
index 05b728d32a..df807066fa 100644
--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
@@ -28,15 +28,36 @@
// Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h
#define EFI_MEMORY_INTERNAL_MASK 0x0700000000000000ULL
-STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = {
- SIGNATURE_32 ('A', 'M', 'D', 'E'),
- 1,
- 0,
- (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfSnpSecretsBase),
- FixedPcdGet32 (PcdOvmfSnpSecretsSize),
- (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfCpuidBase),
- FixedPcdGet32 (PcdOvmfCpuidSize),
-};
+STATIC
+EFI_STATUS
+AllocateConfidentialComputingBlob (
+ OUT CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION **CcBlobPtr
+ )
+{
+ EFI_STATUS Status;
+ CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *CcBlob;
+
+ Status = gBS->AllocatePool (
+ EfiACPIReclaimMemory,
+ sizeof (CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION),
+ (VOID **)&CcBlob
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ CcBlob->Header = SIGNATURE_32 ('A', 'M', 'D', 'E');
+ CcBlob->Version = 1;
+ CcBlob->Reserved1 = 0;
+ CcBlob->SecretsPhysicalAddress = (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfSnpSecretsBase);
+ CcBlob->SecretsSize = FixedPcdGet32 (PcdOvmfSnpSecretsSize);
+ CcBlob->CpuidPhysicalAddress = (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfCpuidBase);
+ CcBlob->CpuidLSize = FixedPcdGet32 (PcdOvmfCpuidSize);
+
+ *CcBlobPtr = CcBlob;
+
+ return EFI_SUCCESS;
+}
STATIC EFI_HANDLE mAmdSevDxeHandle = NULL;
@@ -175,10 +196,11 @@ AmdSevDxeEntryPoint (
IN EFI_SYSTEM_TABLE *SystemTable
)
{
- EFI_STATUS Status;
- EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
- UINTN NumEntries;
- UINTN Index;
+ EFI_STATUS Status;
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
+ UINTN NumEntries;
+ UINTN Index;
+ CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *SnpBootDxeTable;
//
// Do nothing when SEV is not enabled
@@ -284,6 +306,18 @@ AmdSevDxeEntryPoint (
}
}
+ Status = AllocateConfidentialComputingBlob (&SnpBootDxeTable);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: AllocateConfidentialComputingBlob(): %r\n",
+ __func__,
+ Status
+ ));
+ ASSERT (FALSE);
+ CpuDeadLoop ();
+ }
+
if (MemEncryptSevSnpIsEnabled ()) {
//
// Memory acceptance began being required in SEV-SNP, so install the
@@ -321,7 +355,7 @@ AmdSevDxeEntryPoint (
//
return gBS->InstallConfigurationTable (
&gConfidentialComputingSevSnpBlobGuid,
- &mSnpBootDxeTable
+ SnpBootDxeTable
);
}