3 Commits

Author SHA256 Message Date
e2f05fed82 Add backported patch to enable iSCSI boot support by default (bsc#1245454)
- Add backported patch to enable iSCSI boot support by default (bsc#1245454)
    - ovmf-OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag.patch
        502f0dfda4 OvmfPkg: Add NETWORK_ISCSI_DEFAULT_ENABLE build flag
    - Add build flag NETWORK_ISCSI_DEFAULT_ENABLE for x64 OVMF to enable iSCSI boot support by default
2025-09-26 13:21:52 +08:00
86b00fdffd Update firmware descriptors
- Update firmware descriptors to remove tab whitespace (bsc#1247847)
    - Replace tab whitespace with spaces in 50-ovmf-x86_64-sev.json
    - Replace tab whitespace with spaces in 50-ovmf-x86_64-sev-snp.json
- Update firmware descriptors for SEV-SNP and TDX (bsc#1247847)
    - Add 50-ovmf-x86_64-sev-snp.json to support the 'amd-sev-snp' feature.
    - Remove the sev-snp feature from 50-ovmf-x86_64-sev.json.
    - Update the device in 60-ovmf-x86_64-tdx.json from 'pflash' to 'memory'.
2025-09-26 13:19:18 +08:00
0532de05fa Sync changes to SLFO-1.2 branch
2025-08-20 10:02:10 +02:00
32 changed files with 2609 additions and 2347 deletions


@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a9ba3940267de5dd73581a47c2e81b3eb1e1df6a704138c599020d66f3677a92
size 646535
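Review bot: The file this LFS pointer belonged to is not named in this view, so the removed object (oid sha256:a9ba3940…, 646535 bytes) cannot be matched to a Source entry from here; confirm that the spec file and the .changes entry no longer reference the dropped file, otherwise the build fails on a missing source.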


edk2-edk2-stable202502.tar.gz LFS Normal file (binary, not shown)


@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d919b0344afbd9ea16d757f99919860e26acc1e9246fff743e684128c2f04dd3
size 18471528
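Review bot: Same point as the previous pointer removal: the removed object (18471528 bytes) is not named here. Since openssl-3.4.1.tar.gz is added as a new LFS file immediately after, this is presumably the superseded OpenSSL tarball, but verify that every Source line in the spec now matches the new filename and that the old .asc removed further down is the one belonging to this object.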

openssl-3.4.1.tar.gz LFS Normal file (binary, not shown)

openssl-3.4.1.tar.gz.asc Normal file (16 lines)

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=FrNQ
-----END PGP SIGNATURE-----
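Review bot: A detached signature only protects the supply chain if something verifies it: make sure the package's keyring (not part of this diff) contains the OpenSSL release key that produced this signature, and that the source service or %prep step actually checks openssl-3.4.1.tar.gz against openssl-3.4.1.tar.gz.asc rather than just shipping the file. The signing key id cannot be confirmed from this view because the signature body is elided.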



@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=nHMj
-----END PGP SIGNATURE-----
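Review bot: Consistent with dropping the old tarball pointer above; fine as long as no Source line in the spec still names the old .asc, and as long as the removal and the new openssl-3.4.1.tar.gz.asc land in the same commit so there is never a revision with a tarball but no signature.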


@@ -0,0 +1,39 @@
From 95dec3e148d6ac27fc19e5a5c2396a3c3cf01633 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Mon, 17 Mar 2025 12:07:48 +0800
Subject: [PATCH] Increase FVMAIN Size for Compatibility with 2MB Size Limit
In edk2-stable202502, the increase in code space caused an increase in
size, leading to build failures for OVMF under the 2MB size limit due
to insufficient space, because FVMAIN_COMPACT had insufficient space.
This patch adjusts the memory layout by reducing SEVFV size by 0x10000,
as its usage is below 50%, and reallocates the freed 0x10000 space to
FVMAIN_COMPACT. This ensures sufficient space to accommodate all code
within the FD_SIZE_2MB.
Signed-off-by: Richard Lyu <richard.lyu@suse.com>
---
OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
index 6170c5993c..e2543a1535 100644
--- a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
+++ b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
@@ -45,9 +45,9 @@ DEFINE FW_BLOCKS = 0x200
DEFINE CODE_BASE_ADDRESS = 0xFFE20000
DEFINE CODE_SIZE = 0x001E0000
DEFINE CODE_BLOCKS = 0x1E0
-DEFINE FVMAIN_SIZE = 0x001AC000
-DEFINE SECFV_OFFSET = 0x001CC000
-DEFINE SECFV_SIZE = 0x34000
+DEFINE FVMAIN_SIZE = 0x001BC000
+DEFINE SECFV_OFFSET = 0x001DC000
+DEFINE SECFV_SIZE = 0x24000
!endif
!if $(FD_SIZE_IN_KB) == 4096
--
2.43.0
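Review bot: The message says SEVFV is reduced by 0x10000, but the hunk changes SECFV_SIZE (0x34000 to 0x24000), i.e. the SEC firmware volume, not an SEV volume; the message should say SECFV, and if the "usage is below 50%" figure refers to SECFV it should say so. The arithmetic is consistent: FVMAIN_SIZE grows by 0x10000 to 0x001BC000, SECFV_OFFSET moves up by 0x10000 to 0x001DC000, and 0x001DC000 + 0x24000 = 0x200000 still ends exactly at the 2MB boundary. The sentence "due to insufficient space, because FVMAIN_COMPACT had insufficient space" repeats itself; a more useful line would state how much of the shrunk SECFV remains free, since the next edk2 rebase will hit the same limit.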


@@ -0,0 +1,32 @@
From 9bceb16000056f31119c79014788bc99d5cfdc3d Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Tue, 17 Dec 2024 09:07:00 +0100
Subject: [PATCH] Maintainers.txt: Add reviewer for SVSM vTPM related modules
Add reviewers for the TPM2 code under SecurityPkg/
related to SVSM vTPM.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
Maintainers.txt | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Maintainers.txt b/Maintainers.txt
index df7cfdeeaf..48c3afeae5 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -599,6 +599,11 @@ SecurityPkg: Tcg related modules
F: SecurityPkg/Tcg/
R: Rahul Kumar <rahul1.kumar@intel.com> [rahul1-kumar]
+SecurityPkg: SVSM related modules
+F: SecurityPkg/Library/Tpm2DeviceLibDTpm/*Svsm*
+R: Oliver Steffen <osteffen@redhat.com> [osteffenrh]
+R: Tom Lendacky <thomas.lendacky@amd.com> [tlendacky]
+
ShellPkg
F: ShellPkg/
W: https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg
--
2.43.0
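Review bot: The F: pattern SecurityPkg/Library/Tpm2DeviceLibDTpm/*Svsm* covers only the DTpm device library; the SVSM vTPM plumbing added elsewhere in this commit lives in OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c and MdePkg/Include/Register/Amd/Svsm.h, which this entry does not match, so those paths stay with their package maintainers. Maintainers.txt has no effect on the package build, so this patch is carried only to keep the backported series identical to upstream; if that is the intent, a "Git-commit:" reference in the patch header would make it verifiable.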


@@ -0,0 +1,46 @@
From fa74200c92693add490b18615c2821ba72a2d58d Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:07:48 +0100
Subject: [PATCH] MdePkg/AmdSev: Add SVSM protocol call numbers
Add protocol and call numbers as defined in the "Secure VM Service
Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
MdePkg/Include/Register/Amd/Svsm.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/MdePkg/Include/Register/Amd/Svsm.h b/MdePkg/Include/Register/Amd/Svsm.h
index 9a989f8031..704a3c70d9 100644
--- a/MdePkg/Include/Register/Amd/Svsm.h
+++ b/MdePkg/Include/Register/Amd/Svsm.h
@@ -98,4 +98,23 @@ typedef union {
UINT64 Uint64;
} SVSM_FUNCTION;
+/// SVSM Guest Protocols
+/// @{
+#define SVSM_PROTOCOL_CORE 0
+#define SVSM_PROTOCOL_ATTESTATION 1
+#define SVSM_PROTOCOL_VTPM 2
+/// @}
+
+/// SVSM Core Protocol calls
+/// @{
+#define SVSM_CORE_REMAP_CA 0
+#define SVSM_CORE_PVALIDATE 1
+#define SVSM_CORE_CREATE_VCPU 2
+#define SVSM_CORE_DELETE_VCPU 3
+#define SVSM_CORE_DEPOSIT_MEM 4
+#define SVSM_CORE_WITHDRAW_MEM 5
+#define SVSM_CORE_QUERY_PROTOCOL 6
+#define SVSM_CORE_CONFIGURE_VTOM 7
+/// @}
+
#endif
--
2.43.0
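Review bot: The values agree with the SVSM specification cited in the message (Publication 58019 rev 1.00): protocol ids 0/1/2 for Core/Attestation/vTPM and core call ids 0 through 7 from REMAP_CA to CONFIGURE_VTOM, and they also agree with the literals 0, 1, 2 and 3 that the later AmdSvsmLib patch in this commit replaces. SVSM_CORE_QUERY_PROTOCOL (6) is defined here but nothing in the series calls it before issuing vTPM protocol calls; that is acceptable only because the vTPM helpers treat a non-zero return as "not processed".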


@@ -0,0 +1,31 @@
From 70f806ec23fb1c376afe33f2f054819a03e21641 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:17:07 +0100
Subject: [PATCH] MdePkg/AmdSev: Add SVSM protocol vTPM call numbers
Add call numbers for the SVSM vTPM protocol, as defined in the "Secure
VM Service Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
MdePkg/Include/Register/Amd/Svsm.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/MdePkg/Include/Register/Amd/Svsm.h b/MdePkg/Include/Register/Amd/Svsm.h
index 704a3c70d9..08716a40b5 100644
--- a/MdePkg/Include/Register/Amd/Svsm.h
+++ b/MdePkg/Include/Register/Amd/Svsm.h
@@ -117,4 +117,10 @@ typedef union {
#define SVSM_CORE_CONFIGURE_VTOM 7
/// @}
+/// SVSM vTPM Protocol calls
+/// @{
+#define SVSM_VTPM_QUERY 0
+#define SVSM_VTPM_CMD 1
+/// @}
+
#endif
--
2.43.0
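Review bot: The pre-image index 704a3c70d9 of this hunk is the post-image of the previous Svsm.h patch, so the two must be applied in this order; keep them adjacent in the spec's patch list or fold this one into the previous, since both edit the same region of the same header. SVSM_VTPM_QUERY 0 and SVSM_VTPM_CMD 1 match the call ids the AmdSvsmLib vTPM patch below uses.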


@@ -0,0 +1,57 @@
From c526b923ff146045e55208fa13b05de3720eddc2 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Wed, 10 Sep 2025 21:56:11 +0800
Subject: [PATCH] OvmfPkg: Add NETWORK_ISCSI_DEFAULT_ENABLE build flag
REF: https://github.com/tianocore/edk2/issues/11483
Introduce a new build flag NETWORK_ISCSI_DEFAULT_ENABLE to control
whether iSCSI support is enabled by default without setting fwcfg. This
allows developers to decide at build time if the IScsiDxe driver should be
included and enabled by default.
If NETWORK_ISCSI_DEFAULT_ENABLE is set to FALSE, IScsiDxe will still be
built when NETWORK_ISCSI_ENABLE is TRUE, but the default PCD value
(gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue) will be
set to "no". This ensures iSCSI remains disabled at runtime unless enabled
explicitly by fwcfg.
This change provides more flexibility for both build-time and runtime
configuration of iSCSI support.
Signed-off-by: Richard Lyu <richard.lyu@suse.com>
---
OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc | 4 +++-
OvmfPkg/OvmfPkgX64.dsc | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc b/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
index 051fe950ce..288216373a 100644
--- a/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
+++ b/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
@@ -48,7 +48,9 @@
UefiDriverEntryPoint|OvmfPkg/Library/UefiDriverEntryPointFwCfgOverrideLib/UefiDriverEntryPointFwCfgOverrideLib.inf
<PcdsFixedAtBuild>
gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideFwCfgVarName|"opt/org.tianocore/ISCSISupport"
- gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue|"no"
+ !if $(NETWORK_ISCSI_DEFAULT_ENABLE) == FALSE
+ gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue|"no"
+ !endif
}
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f859db6acd..7d7bb5dbb0 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -51,6 +51,7 @@
DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
DEFINE NETWORK_ISCSI_ENABLE = TRUE
+ DEFINE NETWORK_ISCSI_DEFAULT_ENABLE = FALSE
DEFINE NETWORK_PXE_BOOT_ENABLE = TRUE
!include NetworkPkg/NetworkDefines.dsc.inc
--
2.46.1
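Review bot: NETWORK_ISCSI_DEFAULT_ENABLE is only given a value in OvmfPkgX64.dsc, yet NetworkComponents.dsc.inc is shared by the other OVMF platform DSCs; for a platform that never defines the macro, the line `!if $(NETWORK_ISCSI_DEFAULT_ENABLE) == FALSE` needs a check that the build tool still produces the PCD value "no" (or add an !ifndef default next to the other NETWORK_* defaults so the behaviour does not depend on undefined-macro handling). Also note the mismatch with the package changelog: the patch as applied sets `DEFINE NETWORK_ISCSI_DEFAULT_ENABLE = FALSE`, so "enable iSCSI boot support by default" is only true if the spec passes -D NETWORK_ISCSI_DEFAULT_ENABLE=TRUE on the build command line, which is not in this diff. That flag is the security-relevant switch, since TRUE makes IScsiDxe start without the fw_cfg opt/org.tianocore/ISCSISupport gate and therefore adds a network-facing driver to every boot; it should be visible and justified in the package. When the flag is TRUE the PCD falls back to its declared default, so confirm that the default in OvmfPkg.dec actually yields the enabled behaviour rather than relying on it silently.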


@@ -1,36 +0,0 @@
From e1b035647e201acb02195a9ffab210f8d3e96f89 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Wed, 3 Sep 2025 14:42:08 +0800
Subject: [PATCH] OvmfPkg: Adjust Memory Layout for 2MB OVMF
This commit increases the space for FVMAIN_COMPACT to resolve
build failures on 2MB OVMF firmware due to insufficient space. By
reducing the size of SEVFV and reallocating the freed space to
FVMAIN_COMPACT, this change ensures all necessary code can fit
within the 2MB firmware size limit.
Signed-off-by: Richard Lyu richard.lyu@suse.com
---
OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
index e2543a1535..94ba51421f 100644
--- a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
+++ b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
@@ -45,9 +45,9 @@ DEFINE FW_BLOCKS = 0x200
DEFINE CODE_BASE_ADDRESS = 0xFFE20000
DEFINE CODE_SIZE = 0x001E0000
DEFINE CODE_BLOCKS = 0x1E0
-DEFINE FVMAIN_SIZE = 0x001BC000
-DEFINE SECFV_OFFSET = 0x001DC000
-DEFINE SECFV_SIZE = 0x24000
+DEFINE FVMAIN_SIZE = 0x001CC000
+DEFINE SECFV_OFFSET = 0x001EC000
+DEFINE SECFV_SIZE = 0x14000
!endif
!if $(FD_SIZE_IN_KB) == 4096
--
2.46.1
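Review bot: Dropping this patch leaves FVMAIN_SIZE at 0x001BC000 and SECFV_SIZE at 0x24000 as set by the earlier FVMAIN patch (this one was based on its post-image e2543a1535 and carved a second 0x10000 out of SECFV). If it is removed because the 2MB build now fits on the edk2-stable202502 base, that reasoning belongs in the package changelog, which currently mentions only the iSCSI and firmware-descriptor changes. The Signed-off-by line in this patch also lacks angle brackets around the address.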


@@ -0,0 +1,52 @@
From 458198aa49c39fa61ab735c0fb3cd22d1f6fdee7 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 12:09:32 +0100
Subject: [PATCH] OvmfPkg/AmdSvmLib: Use named protocol and call constants
Make use of the named protocol and call constants for SVSM
communication.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
index 6c79ee7d91..dfaccdc9e9 100644
--- a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
+++ b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
@@ -213,8 +213,8 @@ SvsmPvalidate (
Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
ZeroMem (Caa->SvsmBuffer, sizeof (Caa->SvsmBuffer));
- Function.Id.Protocol = 0;
- Function.Id.CallId = 1;
+ Function.Id.Protocol = SVSM_PROTOCOL_CORE;
+ Function.Id.CallId = SVSM_CORE_PVALIDATE;
Request = (SVSM_PVALIDATE_REQUEST *)Caa->SvsmBuffer;
EntryLimit = ((sizeof (Caa->SvsmBuffer) - sizeof (*Request)) /
@@ -407,17 +407,17 @@ SvsmVmsaRmpAdjust (
SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
- Function.Id.Protocol = 0;
+ Function.Id.Protocol = SVSM_PROTOCOL_CORE;
if (SetVmsa) {
- Function.Id.CallId = 2;
+ Function.Id.CallId = SVSM_CORE_CREATE_VCPU;
SvsmCallData.RaxIn = Function.Uint64;
SvsmCallData.RcxIn = (UINT64)(UINTN)Vmsa;
SvsmCallData.RdxIn = (UINT64)(UINTN)Vmsa + SIZE_4KB;
SvsmCallData.R8In = ApicId;
} else {
- Function.Id.CallId = 3;
+ Function.Id.CallId = SVSM_CORE_DELETE_VCPU;
SvsmCallData.RaxIn = Function.Uint64;
SvsmCallData.RcxIn = (UINT64)(UINTN)Vmsa;
--
2.43.0
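Review bot: Pure literal-to-symbol substitution with no behaviour change: 0 to SVSM_PROTOCOL_CORE, 1 to SVSM_CORE_PVALIDATE, 2 to SVSM_CORE_CREATE_VCPU and 3 to SVSM_CORE_DELETE_VCPU, all matching the Svsm.h patch above. The Subject misspells the library as AmdSvmLib.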


@@ -0,0 +1,135 @@
From 40b4e190d37dca895f46d816eca154d07c761ae7 Mon Sep 17 00:00:00 2001
From: Claudio Carvalho <cclaudio@linux.ibm.com>
Date: Mon, 10 Jun 2024 22:29:57 +0300
Subject: [PATCH] OvmfPkg/AmdSvsmLib: Add the SVSM vTPM protocol
As described in the SVSM specification, guest components can call to the
SVSM vTPM through the vTPM protocol (protocol-id 2).
The SVSM vTPM protocol follows the Microsoft TPM Simulator interface
(MSSIM) and supports two services:
- SVSM_VTPM_QUERY (call-id 0): query MSSIM commands and vTPM features
supported.
- SVSM_VTPM_CMD (call-id 1): send a MSSIM command to be run by the vTPM
and get the result.
This patch adds support for SVSM_VTPM_QUERY and SVSM_VTPM_CMD to invoke
a SVSM when the guest is running at VMPL0.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c | 95 +++++++++++++++++++++++++
1 file changed, 95 insertions(+)
diff --git a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
index dfaccdc9e9..e286ac0bc0 100644
--- a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
+++ b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
@@ -498,3 +498,98 @@ AmdSvsmSnpVmsaRmpAdjust (
return AmdSvsmIsSvsmPresent () ? SvsmVmsaRmpAdjust (Vmsa, ApicId, SetVmsa)
: BaseVmsaRmpAdjust (Vmsa, SetVmsa);
}
+
+/**
+ Perform a SVSM_VTPM_QUERY operation
+
+ Query the support provided by the SVSM vTPM.
+
+ @param[out] PlatformCommands It will contain a bitmap indicating the
+ supported vTPM platform commands.
+ @param[out] Features It will contain a bitmap indicating the
+ supported vTPM features.
+
+ @retval TRUE The query was processed.
+ @retval FALSE The query was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmQuery (
+ OUT UINT64 *PlatformCommands,
+ OUT UINT64 *Features
+ )
+{
+ SVSM_CALL_DATA SvsmCallData;
+ SVSM_FUNCTION Function;
+ UINTN Ret;
+
+ if (!PlatformCommands && !Features) {
+ return FALSE;
+ }
+
+ if (!AmdSvsmIsSvsmPresent ()) {
+ return FALSE;
+ }
+
+ Function.Id.Protocol = SVSM_PROTOCOL_VTPM;
+ Function.Id.CallId = SVSM_VTPM_QUERY;
+
+ SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
+ SvsmCallData.RaxIn = Function.Uint64;
+
+ Ret = SvsmMsrProtocol (&SvsmCallData);
+ if (Ret != 0) {
+ return FALSE;
+ }
+
+ if (PlatformCommands) {
+ *PlatformCommands = SvsmCallData.RcxOut;
+ }
+
+ if (Features) {
+ *Features = SvsmCallData.RdxOut;
+ }
+
+ return TRUE;
+}
+
+/**
+ Perform a SVSM_VTPM_CMD operation
+
+ Send the specified vTPM platform command to the SVSM vTPM.
+
+ @param[in, out] Buffer It should contain the vTPM platform command
+ request. The respective response will be returned
+ in the same Buffer, but not all commands specify a
+ response.
+
+ @retval TRUE The command was processed.
+ @retval FALSE The command was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmCmd (
+ IN OUT UINT8 *Buffer
+ )
+{
+ SVSM_CALL_DATA SvsmCallData;
+ SVSM_FUNCTION Function;
+ UINTN Ret;
+
+ if (!AmdSvsmIsSvsmPresent ()) {
+ return FALSE;
+ }
+
+ Function.Id.Protocol = SVSM_PROTOCOL_VTPM;
+ Function.Id.CallId = SVSM_VTPM_CMD;
+
+ SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
+ SvsmCallData.RaxIn = Function.Uint64;
+ SvsmCallData.RcxIn = (UINT64)(UINTN)Buffer;
+
+ Ret = SvsmMsrProtocol (&SvsmCallData);
+
+ return (Ret == 0) ? TRUE : FALSE;
+}
--
2.43.0
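Review bot: SvsmCallData is a stack local and only Caa, RaxIn and (in AmdSvsmVtpmCmd) RcxIn are assigned before SvsmMsrProtocol is called, so RdxIn and R8In are handed over uninitialized; zero the structure first (ZeroMem (&SvsmCallData, sizeof (SvsmCallData))) so the call is deterministic and does not depend on what SvsmMsrProtocol forwards. AmdSvsmVtpmCmd passes Buffer as a guest-physical address with no NULL check and no length, and the response is written back into the same Buffer by the SVSM, so the caller must own a buffer large enough for the largest response of any command it issues; state that requirement, and any alignment the specification imposes, in the @param text. Only AmdSvsmLib.c is touched ("1 file changed"), so the public prototypes for AmdSvsmVtpmQuery and AmdSvsmVtpmCmd must come from another patch in the series; check that it is present in the package.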


@@ -1,4 +1,4 @@
From cbc73cbf6bec0387fe7a049b659485feaeed00ea Mon Sep 17 00:00:00 2001
From 27a1b19ba5d3bc13562e443cebbd283c60615b89 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Thu, 26 Jun 2025 09:50:53 +0800
Subject: [PATCH] OvmfPkg/ArmVirtPkg: Keep JSON stack cookie files for
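Review bot: Only the "From <hash>" line of the embedded patch changes here (cbc73cbf… to 27a1b19b…) while author, date and subject stay the same, which means the patch was regenerated from a new commit; this rendering shows the old and new lines without their -/+ markers. Since the content below changes too, the package changelog should mention that this patch was refreshed.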
@@ -14,25 +14,29 @@ cookie values are retained in the build directory.
This patch includes the necessary StackCookieValues*.json files under the Build/
directory to ensure reproducible builds for Ovmf and ArmVirt platforms.
---
Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/Ovmf3264/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/Ovmf3264/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/OvmfX64/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/OvmfXen/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/OvmfXen/DEBUG_GCC5/StackCookieValues64.json | 1 +
Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues32.json | 1 +
Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues64.json | 1 +
12 files changed, 12 insertions(+)
create mode 100644 Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json
create mode 100644 Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json
14 files changed, 14 insertions(+)
create mode 100644 Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json
create mode 100644 Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json
create mode 100644 Build/Ovmf3264/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/Ovmf3264/DEBUG_GCC5/StackCookieValues64.json
create mode 100644 Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json
create mode 100644 Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/OvmfX64/DEBUG_GCC5/StackCookieValues64.json
create mode 100644 Build/OvmfXen/DEBUG_GCC5/StackCookieValues32.json
@@ -40,35 +44,35 @@ directory to ensure reproducible builds for Ovmf and ArmVirt platforms.
create mode 100644 Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues32.json
create mode 100644 Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues64.json
diff --git a/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json
diff --git a/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json
new file mode 100644
index 0000000000..279006e935
--- /dev/null
+++ b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json
+++ b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json
@@ -0,0 +1 @@
+[3120319409, 3986684851, 2532066904, 2838841122, 1510610980, 3527598979, 2145389557, 915756566, 4288287152, 1592508515, 1649905414, 3214646158, 4125604801, 2636301533, 3186946058, 1297075897, 1536483215, 2684947706, 378837761, 2034357240, 1254156149, 3274923813, 1869941960, 2430363232, 2619983763, 789706441, 474468987, 4170744684, 2067453149, 80774667, 1188610392, 3484306439, 2129190303, 3706887221, 1441685697, 2832623778, 2272607630, 3766098863, 1387705257, 3531882784, 78420450, 2425693472, 2515037057, 2842949431, 2167471722, 2373850526, 2185844797, 1771878221, 3826200111, 233544227, 3019808295, 3255256900, 3737050793, 1272285847, 4114161312, 704148315, 2912601610, 3781534488, 56787233, 816583130, 2471213939, 2813874809, 2630289327, 1173288302, 1862737445, 2551923525, 1820462035, 1796829267, 1714358393, 2634249466, 176661566, 428907315, 2772923224, 1648291025, 2674956839, 2691960542, 1859704968, 709746926, 492109362, 3781180214, 4222775360, 2893670436, 2425292886, 1064615051, 3854554544, 1690467402, 356470947, 4203480635, 3958554922, 3830455836, 4051513359, 2084475517, 728710918, 2413960477, 1005365008, 117621347, 1988965873, 542004264, 1543091876, 856808939]
\ No newline at end of file
diff --git a/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json
diff --git a/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json
new file mode 100644
index 0000000000..189f1bb32c
--- /dev/null
+++ b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json
+++ b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json
@@ -0,0 +1 @@
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 
2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
\ No newline at end of file
diff --git a/Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json
diff --git a/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json
new file mode 100644
index 0000000000..279006e935
--- /dev/null
+++ b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json
+++ b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json
@@ -0,0 +1 @@
+[3120319409, 3986684851, 2532066904, 2838841122, 1510610980, 3527598979, 2145389557, 915756566, 4288287152, 1592508515, 1649905414, 3214646158, 4125604801, 2636301533, 3186946058, 1297075897, 1536483215, 2684947706, 378837761, 2034357240, 1254156149, 3274923813, 1869941960, 2430363232, 2619983763, 789706441, 474468987, 4170744684, 2067453149, 80774667, 1188610392, 3484306439, 2129190303, 3706887221, 1441685697, 2832623778, 2272607630, 3766098863, 1387705257, 3531882784, 78420450, 2425693472, 2515037057, 2842949431, 2167471722, 2373850526, 2185844797, 1771878221, 3826200111, 233544227, 3019808295, 3255256900, 3737050793, 1272285847, 4114161312, 704148315, 2912601610, 3781534488, 56787233, 816583130, 2471213939, 2813874809, 2630289327, 1173288302, 1862737445, 2551923525, 1820462035, 1796829267, 1714358393, 2634249466, 176661566, 428907315, 2772923224, 1648291025, 2674956839, 2691960542, 1859704968, 709746926, 492109362, 3781180214, 4222775360, 2893670436, 2425292886, 1064615051, 3854554544, 1690467402, 356470947, 4203480635, 3958554922, 3830455836, 4051513359, 2084475517, 728710918, 2413960477, 1005365008, 117621347, 1988965873, 542004264, 1543091876, 856808939]
\ No newline at end of file
diff --git a/Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json
diff --git a/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json
new file mode 100644
index 0000000000..189f1bb32c
--- /dev/null
+++ b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json
+++ b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json
@@ -0,0 +1 @@
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 
2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
\ No newline at end of file
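Review bot: The renamed diff headers keep blob ids 279006e935 and 189f1bb32c, so ArmVirtQemu-ARM receives byte-identical cookie files to the AArch64 and x86 platforms; if per-platform files are meant to give any isolation, the 32-bit ARM build should not share the AArch64 set. This rendering also shows the old and new "diff --git" and "+++" header lines side by side without their -/+ markers.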
@@ -88,6 +92,22 @@ index 0000000000..189f1bb32c
@@ -0,0 +1 @@
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 
2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
\ No newline at end of file
diff --git a/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json
new file mode 100644
index 0000000000..279006e935
--- /dev/null
+++ b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json
@@ -0,0 +1 @@
+[3120319409, 3986684851, 2532066904, 2838841122, 1510610980, 3527598979, 2145389557, 915756566, 4288287152, 1592508515, 1649905414, 3214646158, 4125604801, 2636301533, 3186946058, 1297075897, 1536483215, 2684947706, 378837761, 2034357240, 1254156149, 3274923813, 1869941960, 2430363232, 2619983763, 789706441, 474468987, 4170744684, 2067453149, 80774667, 1188610392, 3484306439, 2129190303, 3706887221, 1441685697, 2832623778, 2272607630, 3766098863, 1387705257, 3531882784, 78420450, 2425693472, 2515037057, 2842949431, 2167471722, 2373850526, 2185844797, 1771878221, 3826200111, 233544227, 3019808295, 3255256900, 3737050793, 1272285847, 4114161312, 704148315, 2912601610, 3781534488, 56787233, 816583130, 2471213939, 2813874809, 2630289327, 1173288302, 1862737445, 2551923525, 1820462035, 1796829267, 1714358393, 2634249466, 176661566, 428907315, 2772923224, 1648291025, 2674956839, 2691960542, 1859704968, 709746926, 492109362, 3781180214, 4222775360, 2893670436, 2425292886, 1064615051, 3854554544, 1690467402, 356470947, 4203480635, 3958554922, 3830455836, 4051513359, 2084475517, 728710918, 2413960477, 1005365008, 117621347, 1988965873, 542004264, 1543091876, 856808939]
\ No newline at end of file
diff --git a/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json
new file mode 100644
index 0000000000..189f1bb32c
--- /dev/null
+++ b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json
@@ -0,0 +1 @@
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 
2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
\ No newline at end of file
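Review bot: Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json is a build-output file (it lives under Build/ and the `@@ -0,0 +1 @@` hunk adds it as one long line ending in `\ No newline at end of file`), so it does not belong in a source patch. Carrying a fixed list of cookie values means every firmware image built from this package ends up with the same stack cookies instead of values chosen at build time, which removes the unpredictability the stack protector depends on. Suggest dropping the Build/ hunks from the patch; if the file is needed at all it should be produced by the build, not shipped as a checked-in list.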
diff --git a/Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json b/Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json
new file mode 100644
index 0000000000..279006e935
@@ -137,5 +157,5 @@ index 0000000000..189f1bb32c
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 
2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
\ No newline at end of file
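Review bot: The file added here is Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json, yet its contents are the same list as the OvmfIa32 StackCookieValues64.json hunk above, and the values (for example 7518985701012212569) do not fit in 32 bits, so a 32-bit consumer of this file cannot use them as-is. Either the hunk targets the wrong file or the list was copied from the 64-bit one; in both cases the recommendation is the same as above, keep Build/ artifacts out of the patch.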
--
2.51.0
2.43.0


@@ -0,0 +1,45 @@
From 856bdc8eec0fd450ffb582808ad9649a5d02b480 Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Fri, 25 Apr 2025 12:49:52 -0500
Subject: [PATCH] OvmfPkg/CcExitLib: Use the proper register when filtering
MSRs
The MsrExit() routine uses an incorrect register to check for the CAA MSR.
Instead of checking RCX, the input register for RDMSR/WRMSR that holds the
MSR value, it is checking RAX, which results in failure to detect the CAA
MSR request. The check should only be checking the lower 32-bits of the
register (ECX), too.
Change the check in MsrExit() to check the MSR value contained in ECX.
Fixes: 47001ab98914 ("Ovmfpkg/CcExitLib: Provide SVSM discovery support")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
index 2031fa9e22..2c12f78f8d 100644
--- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
+++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
@@ -701,6 +701,7 @@ MsrExit (
MSR_SVSM_CAA_REGISTER Msr;
UINT64 ExitInfo1;
UINT64 Status;
+ UINT32 EcxIn;
ExitInfo1 = 0;
@@ -708,7 +709,8 @@ MsrExit (
// The SVSM CAA MSR is a software implemented MSR and not supported
// by the hardware, handle it directly.
//
- if (Regs->Rax == MSR_SVSM_CAA) {
+ EcxIn = (UINT32)(UINTN)Regs->Rcx;
+ if (EcxIn == MSR_SVSM_CAA) {
// Writes to the SVSM CAA MSR are ignored
if (*(InstructionData->OpCodes + 1) == 0x30) {
return 0;
--
2.43.0
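Review bot: The `EcxIn` check in the second hunk is the right narrowing, but the comment above it still only says the CAA MSR is software-implemented; it should also record why the register changed, since RDMSR/WRMSR take the MSR index from ECX only and neither the old `Regs->Rax` comparison nor a full 64-bit compare of `Regs->Rcx` reliably matches MSR_SVSM_CAA. Suggest adding `// RDMSR/WRMSR take the MSR index in ECX; the upper half of RCX is ignored.` above `EcxIn = (UINT32)(UINTN)Regs->Rcx;`. For the backport itself, a `(cherry picked from commit 856bdc8eec0fd450ffb582808ad9649a5d02b480)` line under the Signed-off-by would make the provenance explicit instead of implied by the From line.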


@@ -0,0 +1,43 @@
From 06b2f9dc4385ccf5ca4b86deb14832daa373629f Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:10:24 +0100
Subject: [PATCH] OvmfPkg: Use Tpm2Device lib with SVSM vTPM support
Switch over to Tpm2InstanceLibDTpmSvsm as the Tpm2 implementation to
support vTPMs provided by an SVSM.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc | 2 +-
OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
index 75ae09571e..2ea17084bd 100644
--- a/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
@@ -6,7 +6,7 @@
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
<LibraryClasses>
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
diff --git a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
index 351ca5bb28..ff5346aae7 100644
--- a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
@@ -30,7 +30,7 @@
!if $(TPM1_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
!endif
- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
!endif
!if $(TPM2_ENABLE) == TRUE || $(CC_MEASUREMENT_ENABLE) == TRUE
--
2.43.0
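Review bot: Both hunks switch the dTPM libraries to the Svsm variants unconditionally, so every platform that includes OvmfTpmComponentsDxe.dsc.inc and OvmfTpmLibs.dsc.inc now builds with Tpm2InstanceLibDTpmSvsm and Tpm2DeviceLibDTpmSvsm even when no SVSM is present. The commit message should state how these variants behave on a non-SVSM guest (fall back to the regular MMIO dTPM path, or report no TPM), or the swap should sit behind a build define in the style of the `!if $(TPM1_ENABLE) == TRUE` guard visible in the second hunk.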


@@ -1,19 +1,29 @@
From 772bda5290449d46546b7b19cda083ed50536e7b Mon Sep 17 00:00:00 2001
From 7b9e33357945b23e6bcdb21fb9d0ba5859ad9b0b Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Thu, 29 May 2025 14:25:56 +0800
Subject: [PATCH] Revert "BaseTools: Add Stack Cookie Support to MSVC and GCC
IA32/X64/ARM/AARCH64"
Date: Tue, 14 Jan 2025 19:31:48 +0800
Subject: [PATCH] ovmf Revert add stack cookie support to MSVC and GCC
This reverts commit f53f029122d4493e9db95e2424dd8f067f247661.
---
BaseTools/Conf/tools_def.template | 41 ++++++++++++++-----------------
1 file changed, 19 insertions(+), 22 deletions(-)
BaseTools/Conf/tools_def.template | 65 +++++++++++++++----------------
1 file changed, 31 insertions(+), 34 deletions(-)
Index: edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
===================================================================
--- edk2-edk2-stable202511.orig/BaseTools/Conf/tools_def.template
+++ edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
@@ -608,9 +608,9 @@ NOOPT_VS2017_AARCH64_DLINK_FLAGS = /NO
--- edk2-edk2-stable202502.orig/BaseTools/Conf/tools_def.template
+++ edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
@@ -21,9 +21,8 @@
# - Add GCC and GCCNOLTO
# - Deprecate GCC48, GCC49 and GCC5.
# 3.01 - Add toolchain for VS2022
-# 3.02 - Enable stack cookies for IA32, X64, ARM, and AARCH64 builds for GCC and MSVC
#
-#!VERSION=3.02
+#!VERSION=3.01
IDENTIFIER = Default TOOL_CHAIN_CONF
@@ -636,9 +635,9 @@ NOOPT_VS2017_AARCH64_DLINK_FLAGS = /NO
*_VS2019_IA32_PP_PATH = DEF(VS2019_BIN_IA32)\cl.exe
*_VS2019_IA32_ASM_PATH = DEF(VS2019_BIN_IA32)\ml.exe
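Review bot: The revert body still gives no reason for undoing f53f029122d4493e9db95e2424dd8f067f247661, even though the subject line was corrected to name that commit instead of the vague "ovmf Revert add stack cookie support". Because this patch removes compiler stack protection from every OVMF image built from this package (`-fstack-protector` and `-mstack-protector-guard=global` on GCC, `/GS` on MSVC), the description should say what broke with stack cookies enabled and which bug tracks it, so the hardening can be restored once that is fixed. The `#!VERSION=3.02` to `#!VERSION=3.01` rollback in this hunk is consistent with the revert.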
@@ -26,7 +36,7 @@ Index: edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
DEBUG_VS2019_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd /Zi
RELEASE_VS2019_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd
@@ -638,9 +638,9 @@ NOOPT_VS2019_IA32_DLINK_FLAGS = /NOLOG
@@ -666,9 +665,9 @@ NOOPT_VS2019_IA32_DLINK_FLAGS = /NOLOG
*_VS2019_X64_DLINK_PATH = DEF(VS2019_BIN_X64)\link.exe
*_VS2019_X64_ASLDLINK_PATH = DEF(VS2019_BIN_X64)\link.exe
@@ -39,7 +49,33 @@ Index: edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
DEBUG_VS2019_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd /Zi
RELEASE_VS2019_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd
@@ -725,9 +725,9 @@ NOOPT_VS2019_AARCH64_DLINK_FLAGS = /NO
@@ -696,9 +695,9 @@ NOOPT_VS2019_X64_DLINK_FLAGS = /NOLOG
*_VS2019_ARM_ASLPP_PATH = DEF(VS2019_BIN_ARM)\cl.exe
*_VS2019_ARM_ASLDLINK_PATH = DEF(VS2019_BIN_ARM)\link.exe
- DEBUG_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2019_ARM_ASM_FLAGS = /nologo /g
RELEASE_VS2019_ARM_ASM_FLAGS = /nologo
@@ -722,9 +721,9 @@ NOOPT_VS2019_ARM_DLINK_FLAGS = /NOL
*_VS2019_AARCH64_ASLPP_PATH = DEF(VS2019_BIN_AARCH64)\cl.exe
*_VS2019_AARCH64_ASLDLINK_PATH = DEF(VS2019_BIN_AARCH64)\link.exe
- DEBUG_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2019_AARCH64_ASM_FLAGS = /nologo /g
RELEASE_VS2019_AARCH64_ASM_FLAGS = /nologo
@@ -779,9 +778,9 @@ NOOPT_VS2019_AARCH64_DLINK_FLAGS = /NO
*_VS2022_IA32_ASM_PATH = DEF(VS2022_BIN_IA32)\ml.exe
*_VS2022_IA32_MAKE_FLAGS = /nologo
@@ -52,7 +88,7 @@ Index: edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
DEBUG_VS2022_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd /Zi
RELEASE_VS2022_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd
@@ -761,9 +761,9 @@ NOOPT_VS2022_IA32_DLINK_FLAGS = /NOLOG
@@ -815,9 +814,9 @@ NOOPT_VS2022_IA32_DLINK_FLAGS = /NOLOG
*_VS2022_X64_DLINK_PATH = DEF(VS2022_BIN_X64)\link.exe
*_VS2022_X64_ASLDLINK_PATH = DEF(VS2022_BIN_X64)\link.exe
@@ -65,21 +101,50 @@ Index: edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
DEBUG_VS2022_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd /Zi
RELEASE_VS2022_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd
@@ -833,10 +833,10 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a
@@ -852,9 +851,9 @@ NOOPT_VS2022_X64_DLINK_FLAGS = /NOLOG
*_VS2022_ARM_ASLDLINK_PATH = DEF(VS2022_BIN_ARM)\link.exe
*_VS2022_ARM_MAKE_FLAGS = /nologo
- DEBUG_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2022_ARM_ASM_FLAGS = /nologo /g
RELEASE_VS2022_ARM_ASM_FLAGS = /nologo
@@ -885,9 +884,9 @@ NOOPT_VS2022_ARM_DLINK_FLAGS = /NOL
*_VS2022_AARCH64_ASLDLINK_PATH = DEF(VS2022_BIN_AARCH64)\link.exe
*_VS2022_AARCH64_MAKE_FLAGS = /nologo
- DEBUG_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2022_AARCH64_ASM_FLAGS = /nologo /g
RELEASE_VS2022_AARCH64_ASM_FLAGS = /nologo
@@ -919,13 +918,11 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a
*_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
*_*_*_DTC_PATH = DEF(DTC_BIN)
# All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, so set that on everything except LOONGARCH64
-# All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, so set that on everything except LOONGARCH64
-DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common -fstack-protector
-DEFINE GCC_IA32_X64_CC_FLAGS = -mstack-protector-guard=global
-DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie -mstack-protector-guard=global
+DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
+DEFINE GCC_IA32_X64_CC_FLAGS =
+DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie
DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections
DEFINE GCC_ARM_CC_XIPFLAGS = -mno-unaligned-access
-DEFINE GCC_AARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -fno-short-enums -fverbose-asm -funsigned-char -ffunction-sections -fdata-sections -Wno-address -fno-asynchronous-unwind-tables -fno-unwind-tables -fno-pic -fno-pie -ffixed-x18 -mstack-protector-guard=global
+DEFINE GCC_AARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -fno-short-enums -fverbose-asm -funsigned-char -ffunction-sections -fdata-sections -Wno-address -fno-asynchronous-unwind-tables -fno-unwind-tables -fno-pic -fno-pie -ffixed-x18
DEFINE GCC_AARCH64_CC_XIPFLAGS = -mstrict-align -mgeneral-regs-only
DEFINE GCC_RISCV64_CC_XIPFLAGS = -mstrict-align -mgeneral-regs-only
DEFINE GCC_DLINK2_FLAGS_COMMON = -Wl,--script=$(EDK_TOOLS_PATH)/Scripts/GccBase.lds
@@ -864,8 +864,8 @@ DEFINE GCC_DEPS_FLAGS = -MM
@@ -961,8 +958,8 @@ DEFINE GCC_DEPS_FLAGS = -MM
DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
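Review bot: In the GCC_ALL_CC_FLAGS hunk the comment line `# All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, ...` appears once as context and once as a removed line; if a copy of it survives in tools_def.template after `-mstack-protector-guard=global` is dropped from GCC_IA32_X64_CC_FLAGS, GCC_ARM_CC_FLAGS and GCC_AARCH64_CC_FLAGS, it describes a flag that is no longer set and should be removed with it. Please confirm the comment is gone in the refreshed patch.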
@@ -90,3 +155,12 @@ Index: edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
@@ -971,7 +968,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -
DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
DEFINE GCC48_ARM_ASM_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
DEFINE GCC48_AARCH64_ASM_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
-DEFINE GCC48_ARM_CC_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -mword-relocations
+DEFINE GCC48_ARM_CC_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -fstack-protector -mword-relocations
DEFINE GCC48_ARM_CC_XIPFLAGS = DEF(GCC_ARM_CC_XIPFLAGS)
DEFINE GCC48_AARCH64_CC_FLAGS = $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
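Review bot: `-fstack-protector` comes back for GCC48_ARM_CC_FLAGS here while the GCC_ALL_CC_FLAGS hunk above removes it, so after the revert ARM is the only GCC target that still builds with a stack protector. If that asymmetry is intentional (restoring the state before f53f0291), say so in the description; otherwise drop it here too for consistency with the rest of the revert.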


@@ -1,6 +1,6 @@
From f059118317b6d3a1dfdeec45494d279842c855e4 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Thu, 29 May 2025 13:22:47 +0800
From b8324bc3d5d44e5b1644a66f1b6e07b6e4ad9350 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 15 Feb 2023 14:39:37 +0800
Subject: [PATCH] Revert "OvmfPkg/OvmfXen: Set PcdFSBClock"
This reverts commit 71cdb91f313380152d7bf38cfeebe76f5b2d39ac.
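Review bot: The revert gives no reason for undoing 71cdb91f313380152d7bf38cfeebe76f5b2d39ac, and the header now changes author and date from Richard Lyu (2025) to Lee, Chun-Yi (2023). If the older form of the patch is being restored on purpose for this branch, the description should say so and explain which Xen behaviour requires the fixed `PcdFSBClock|100000000` instead of the calibrated LAPIC frequency that the reverted commit introduced.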
@@ -10,13 +10,13 @@ This reverts commit 71cdb91f313380152d7bf38cfeebe76f5b2d39ac.
OvmfPkg/XenPlatformPei/XenPlatformPei.inf | 1 -
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 088c63f5c2..6f636a79a2 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -451,6 +451,9 @@
# Point to the MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0xdc, 0x5b, 0xc2, 0xee, 0xf2, 0x67, 0x95, 0x4d, 0xb1, 0xd5, 0xf8, 0x1b, 0x20, 0x39, 0xd1, 0x1d }
Index: edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfXen.dsc
+++ edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
@@ -456,6 +456,9 @@
# Point to the MdeModulePkg/Application/UiApp/UiApp.inf
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
+ ## Xen vlapic's frequence is 100 MHz
+ gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000
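Review bot: The `Index: edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc` paths target a stable202302 tree while the stack-cookie revert patch in this same change uses `edk2-edk2-stable202502` paths; mixed base versions still apply with -p1 but make it unclear which source tarball each patch was refreshed against, so please refresh this one against the same tree. Minor: the re-added comment reads `Xen vlapic's frequence is 100 MHz`; "frequency".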
@@ -24,7 +24,7 @@ index 088c63f5c2..6f636a79a2 100644
# We populate DXE IPL tables with 1G pages preferably on Xen
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable|TRUE
@@ -484,7 +487,6 @@
@@ -486,7 +489,6 @@
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Base|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Size|0x800000000
@@ -32,11 +32,11 @@ index 088c63f5c2..6f636a79a2 100644
gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|0
# Set video resolution for text setup.
diff --git a/OvmfPkg/XenPlatformPei/Xen.c b/OvmfPkg/XenPlatformPei/Xen.c
index a54fd55c70..68ae4801ae 100644
--- a/OvmfPkg/XenPlatformPei/Xen.c
+++ b/OvmfPkg/XenPlatformPei/Xen.c
@@ -613,9 +613,5 @@ CalibrateLapicTimer (
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/Xen.c
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
@@ -634,9 +634,5 @@ CalibrateLapicTimer (
Freq = DivU64x64Remainder (Dividend, TscTick2 - TscTick, NULL);
DEBUG ((DEBUG_INFO, "APIC Freq % 8lu Hz\n", Freq));
@@ -46,10 +46,10 @@ index a54fd55c70..68ae4801ae 100644
-
UnmapXenPage (SharedInfo);
}
diff --git a/OvmfPkg/XenPlatformPei/XenPlatformPei.inf b/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
index 20c27ff34b..790f4af551 100644
--- a/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
+++ b/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
@@ -86,7 +86,6 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
@@ -58,6 +58,3 @@ index 20c27ff34b..790f4af551 100644
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress
--
2.43.0


@@ -1,765 +0,0 @@
From 96eb23c5556ed28d2242669bed9eb818285251b6 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Wed, 17 Dec 2025 11:35:31 +0800
Subject: [PATCH] Revert "OvmfPkg/RiscVVirt: Add SecureBootDefaultKeysInit
module."
This reverts commit 35a3ceb882b57da0964c8b4a038e8808b3dc2b13.
---
.../SecureBootDefaultKeysInit.c | 643 ------------------
.../SecureBootDefaultKeysInit.inf | 49 --
OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc | 2 +-
OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf | 18 -
4 files changed, 1 insertion(+), 711 deletions(-)
delete mode 100644 OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
delete mode 100644 OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
diff --git a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c b/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
deleted file mode 100644
index 037174dc6a..0000000000
--- a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
+++ /dev/null
@@ -1,643 +0,0 @@
-/** @file
- This driver init default Secure Boot variables
-
- Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
- (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
- Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
- Copyright (c) 2021, Semihalf All rights reserved.<BR>
- Copyright (c) 2021, Ampere Computing LLC. All rights reserved.<BR>
- Copyright (C) 2023-2025 Advanced Micro Devices, Inc. All rights reserved.
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include <Uefi.h>
-#include <UefiSecureBoot.h>
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/DebugLib.h>
-#include <Library/DxeServicesLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/UefiLib.h>
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/ImageAuthentication.h>
-#include <Library/SecureBootVariableLib.h>
-#include <Library/SecureBootVariableProvisionLib.h>
-
-/**
- Set PKDefault Variable.
-
- @param[in] X509Data X509 Certificate data.
- @param[in] X509DataSize X509 Certificate data size.
-
- @retval EFI_SUCCESS PKDefault is set successfully.
-
-**/
-EFI_STATUS
-SetPkDefault (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *PkCert;
- EFI_SIGNATURE_DATA *PkCertData;
-
- PkCert = NULL;
-
- //
- // Allocate space for PK certificate list and initialize it.
- // Create PK database entry with SignatureHeaderSize equals 0.
- //
- PkCert = (EFI_SIGNATURE_LIST *)AllocateZeroPool (
- sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize
- );
- if (PkCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- PkCert->SignatureListSize = (UINT32)(sizeof (EFI_SIGNATURE_LIST)
- + sizeof (EFI_SIGNATURE_DATA) - 1
- + X509DataSize);
- PkCert->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- PkCert->SignatureHeaderSize = 0;
- CopyGuid (&PkCert->SignatureType, &gEfiCertX509Guid);
- PkCertData = (EFI_SIGNATURE_DATA *)((UINTN)PkCert
- + sizeof (EFI_SIGNATURE_LIST)
- + PkCert->SignatureHeaderSize);
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
- //
- // Fill the PK database with PKpub data from X509 certificate file.
- //
- CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
-
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
- DataSize = PkCert->SignatureListSize;
-
- Status = gRT->SetVariable (
- EFI_PK_DEFAULT_VARIABLE_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- PkCert
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (PkCert != NULL) {
- FreePool (PkCert);
- }
-
- return Status;
-}
-
-/**
- Set KDKDefault Variable.
-
- @param[in] X509Data X509 Certificate data.
- @param[in] X509DataSize X509 Certificate data size.
-
- @retval EFI_SUCCESS KEKDefault is set successfully.
-
-**/
-EFI_STATUS
-SetKekDefault (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_DATA *KEKSigData;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN DataSize;
- UINTN KekSigListSize;
- UINT32 Attr;
-
- KekSigList = NULL;
- KekSigListSize = 0;
- DataSize = 0;
- KEKSigData = NULL;
-
- KekSigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- KekSigList->SignatureListSize = (UINT32)KekSigListSize;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, &gEfiGlobalVariableGuid);
- CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
-
- //
- // Check if KEK been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new kek to original variable
- //
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- Status = gRT->GetVariable (
- EFI_KEK_DEFAULT_VARIABLE_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of KEK: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable (
- EFI_KEK_DEFAULT_VARIABLE_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-/**
- Checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format
-
- @param[in] Data Data.
- @param[in] DataSize Data size.
-
- @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 format.
- @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format.
-
-**/
-BOOLEAN
-IsAuthentication2Format (
- IN UINT8 *Data,
- IN UINTN DataSize
- )
-{
- EFI_VARIABLE_AUTHENTICATION_2 *Auth2;
- BOOLEAN IsAuth2Format;
-
- IsAuth2Format = FALSE;
-
- Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Data;
- if (Auth2->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
- goto ON_EXIT;
- }
-
- if (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) {
- IsAuth2Format = TRUE;
- }
-
-ON_EXIT:
-
- return IsAuth2Format;
-}
-
-/**
- Set signature database with the data of EFI_VARIABLE_AUTHENTICATION_2 format.
-
- @param[in] AuthData AUTHENTICATION_2 data.
- @param[in] AuthDataSize AUTHENTICATION_2 data size.
- @param[in] VariableName Variable name of signature database, must be
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
-
- @retval EFI_SUCCESS New signature is set successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-SetAuthentication2ToSigDb (
- IN UINT8 *AuthData,
- IN UINTN AuthDataSize,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- UINTN DataSize;
- UINT32 Attr;
- UINT8 *Data;
-
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- //
- // Check if SigDB variable has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- DataSize = 0;
- Status = gRT->GetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of signature database: %r\n", __func__, Status));
- return Status;
- }
-
- //
- // Ignore AUTHENTICATION_2 region. Only the actual certificate is needed.
- //
- DataSize = AuthDataSize - ((EFI_VARIABLE_AUTHENTICATION_2 *)AuthData)->AuthInfo.Hdr.dwLength - sizeof (EFI_TIME);
- Data = AuthData + (AuthDataSize - DataSize);
-
- Status = gRT->SetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- Data
- );
-
- return Status;
-}
-
-/**
-
- Set signature database with the data of X509 format.
-
- @param[in] X509Data X509 Certificate data.
- @param[in] X509DataSize X509 Certificate data size.
- @param[in] VariableName Variable name of signature database, must be
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
- @param[in] SignatureOwnerGuid Guid of the signature owner.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-SetX509ToSigDb (
- IN UINT8 *X509Data,
- IN UINTN X509DataSize,
- IN CHAR16 *VariableName,
- IN EFI_GUID *SignatureOwnerGuid
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
-
- SigDBSize = 0;
- DataSize = 0;
- SigDBCert = NULL;
- SigDBCertData = NULL;
- Data = NULL;
-
- SigDBSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- DEBUG ((DEBUG_ERROR, "%a: Cannot allocate memory: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST *)Data;
- SigDBCert->SignatureListSize = (UINT32)SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
-
- SigDBCertData = (EFI_SIGNATURE_DATA *)((UINT8 *)SigDBCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, SignatureOwnerGuid);
- CopyMem ((UINT8 *)(SigDBCertData->SignatureData), X509Data, X509DataSize);
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
-
- Status = gRT->GetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- &gEfiGlobalVariableGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot set signature database: %r\n", __func__, Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return Status;
-}
-
-/**
-
- Set signature database.
-
- @param[in] Data Data.
- @param[in] DataSize Data size.
- @param[in] VariableName Variable name of signature database, must be
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
- @param[in] SignatureOwnerGuid Guid of the signature owner.
-
- @retval EFI_SUCCESS Signature is set successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-SetSignatureDatabase (
- IN UINT8 *Data,
- IN UINTN DataSize,
- IN CHAR16 *VariableName,
- IN EFI_GUID *SignatureOwnerGuid
- )
-{
- if (IsAuthentication2Format (Data, DataSize)) {
- return SetAuthentication2ToSigDb (Data, DataSize, VariableName);
- } else {
- return SetX509ToSigDb (Data, DataSize, VariableName, SignatureOwnerGuid);
- }
-}
-
-/** Initializes PKDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitPkDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINT8 *Data;
- UINTN DataSize;
-
- //
- // Check if variable exists, if so do not change it
- //
- Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- //
- // Variable does not exist, can be initialized
- //
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
-
- //
- // Enroll default PK.
- //
- Status = GetSectionFromFv (
- &gDefaultPKFileGuid,
- EFI_SECTION_RAW,
- 0,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetPkDefault (Data, DataSize);
- }
-
- return EFI_SUCCESS;
-}
-
-/** Initializes KEKDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitKekDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- UINT8 *Data;
- UINTN DataSize;
-
- //
- // Check if variable exists, if so do not change it
- //
- Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- Index = 0;
- do {
- Status = GetSectionFromFv (
- &gDefaultKEKFileGuid,
- EFI_SECTION_RAW,
- Index,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetKekDefault (Data, DataSize);
- Index++;
- }
- } while (Status == EFI_SUCCESS);
-
- return EFI_SUCCESS;
-}
-
-/** Initializes dbDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitDbDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- UINT8 *Data;
- UINTN DataSize;
-
- Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
-
- Index = 0;
- do {
- Status = GetSectionFromFv (
- &gDefaultdbFileGuid,
- EFI_SECTION_RAW,
- Index,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetSignatureDatabase (Data, DataSize, EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid);
- Index++;
- }
- } while (Status == EFI_SUCCESS);
-
- return EFI_SUCCESS;
-}
-
-/** Initializes dbxDefault variable with data from FFS section.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
- @retval EFI_UNSUPPORTED Variable already exists.
-**/
-EFI_STATUS
-InitDbxDefault (
- IN VOID
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- UINT8 *Data;
- UINTN DataSize;
-
- //
- // Check if variable exists, if so do not change it
- //
- Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
- if (Status == EFI_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
- FreePool (Data);
- return EFI_UNSUPPORTED;
- }
-
- //
- // Variable does not exist, can be initialized
- //
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
-
- Index = 0;
- do {
- Status = GetSectionFromFv (
- &gDefaultdbxFileGuid,
- EFI_SECTION_RAW,
- Index,
- (VOID **)&Data,
- &DataSize
- );
- if (!EFI_ERROR (Status)) {
- SetSignatureDatabase (Data, DataSize, EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid);
- Index++;
- }
- } while (Status == EFI_SUCCESS);
-
- return EFI_SUCCESS;
-}
-
-/**
- Initializes default SecureBoot certificates with data from FFS section.
-
- @param[in] ImageHandle The firmware allocated handle for the EFI image.
- @param[in] SystemTable A pointer to the EFI System Table.
-
- @retval EFI_SUCCESS Variable was initialized successfully.
-**/
-EFI_STATUS
-EFIAPI
-SecureBootDefaultKeysInitEntry (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
-
- Status = InitPkDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
- return Status;
- }
-
- Status = InitKekDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
- return Status;
- }
-
- Status = InitDbDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __func__, Status));
- return Status;
- }
-
- Status = InitDbxDefault ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbxDefault: %r\n", __func__, Status));
- return Status;
- }
-
- return EFI_SUCCESS;
-}
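Review bot: The removed InitPkDefault/InitKekDefault/InitDbDefault/InitDbxDefault ignored the status of SetPkDefault, SetKekDefault and SetSignatureDatabase and returned EFI_SUCCESS regardless (InitPkDefault also returned EFI_SUCCESS when GetSectionFromFv failed), so a missing or rejected default key never reached SecureBootDefaultKeysInitEntry; replacing this driver with OvmfPkg/EnrollDefaultKeys (see the .dsc hunk) is reasonable, but the commit message should state that the replacement reports enrollment failures and what it does when a *Default variable already exists, because the "Variable %s exists. Old value is preserved" guard disappears with this file.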
diff --git a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf b/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
deleted file mode 100644
index 0127841733..0000000000
--- a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
+++ /dev/null
@@ -1,49 +0,0 @@
-## @file
-# Initializes Secure Boot default keys
-#
-# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
-# Copyright (c) 2021, Semihalf All rights reserved.<BR>
-# Copyright (C) 2023-2025 Advanced Micro Devices, Inc. All rights reserved.
-#
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-##
-
-[Defines]
- INF_VERSION = 1.29
- BASE_NAME = SecureBootDefaultKeysInit
- FILE_GUID = 384D1860-7306-11F0-B8B4-F53A5CB787AC
- MODULE_TYPE = DXE_DRIVER
- VERSION_STRING = 1.0
- ENTRY_POINT = SecureBootDefaultKeysInitEntry
-
-[Sources]
- SecureBootDefaultKeysInit.c
-
-[Packages]
- MdeModulePkg/MdeModulePkg.dec
- MdePkg/MdePkg.dec
- SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
- DebugLib
- DxeServicesLib
- SecureBootVariableLib
- SecureBootVariableProvisionLib
- UefiBootServicesTableLib
- UefiDriverEntryPoint
-
-[Guids]
- gDefaultdbFileGuid
- gDefaultdbxFileGuid
- gDefaultKEKFileGuid
- gDefaultPKFileGuid
- gEfiCertPkcs7Guid
- gEfiCertX509Guid
- gEfiCustomModeEnableGuid
- gEfiImageSecurityDatabaseGuid
- gEfiSecureBootEnableDisableGuid
-
-[Depex]
- gEfiVariableArchProtocolGuid AND
- gEfiVariableWriteArchProtocolGuid
diff --git a/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc b/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
index a7c4f842bb..0c1162b845 100644
--- a/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
+++ b/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
@@ -392,7 +392,7 @@
!endif
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
- OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
!endif
diff --git a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
index 1f37eb6894..a71ce1ae0b 100644
--- a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
+++ b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
@@ -89,24 +89,6 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
- INF OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
-
- FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/PK/PK.cer
- }
-
- FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/KEK/MicCorKEKCA2011_2011-06-24.crt
- }
-
- FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/db/MicWinProPCA2011_2011-10-19.crt
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/db/MicCorUEFCA2011_2011-06-27.crt
- }
-
- FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/dbx/dbxupdate_x64.bin
- }
!endif
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
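Review bot: The INF line for SecureBootDefaultKeysInit is dropped from the SECURE_BOOT_ENABLE block, but no INF for OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf (the module the .dsc hunk now lists) is added here, so the new module is compiled but never placed in the firmware volume; at the same time the four FREEFORM files carrying PK.cer, the KEK and db certificates and dbxupdate_x64.bin are removed, leaving the image without embedded default keys. If enrollment is meant to happen from outside the image, the commit message should say so; otherwise add `INF OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf` inside the `!if $(SECURE_BOOT_ENABLE) == TRUE` block. Also confirm that the now-unreferenced files under OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/ are deleted in the same change.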
--
2.51.0

@@ -0,0 +1,781 @@
From e868ece3c7d12be79f46da64b7c841d0486ac621 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:48:07 +0100
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Add TPM2 lib supporting SVSM
vTPM
SEV-SNP provides a feature known as VM Privilege Level (VMPL), which
allows for services to be run in the guest at different privilege
levels. By running at VMPL0 (most privileged VM level), the SVSM can be
used to provide privileged services, e.g. a virtual TPM, for the guest
rather than trust such services from the hypervisor.
This patch adds a DTpm driver to communicate with a virtual TPM running
in the SVSM. The driver follows the vTPM protocol documented in the SVSM
specification.
SVSM vTPM functionality is available as new device and instance
libraries, which can be consumed optionally, keeping changes to the
regular TPM implementation minimal.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c | 96 +++++++++++
.../Tpm2DeviceLibDTpmSvsm.inf | 66 ++++++++
.../Tpm2InstanceLibDTpmSvsm.c | 64 ++++++++
.../Tpm2InstanceLibDTpmSvsm.inf | 60 +++++++
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 2 +-
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c | 123 ++++++++++++++
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h | 30 ++++
.../Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c | 152 ++++++++++++++++++
.../Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h | 25 +++
SecurityPkg/SecurityPkg.ci.yaml | 1 +
SecurityPkg/SecurityPkg.dec | 10 ++
SecurityPkg/SecurityPkg.dsc | 12 ++
12 files changed, 640 insertions(+), 1 deletion(-)
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
new file mode 100644
index 0000000000..922b859168
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
@@ -0,0 +1,96 @@
+/** @file
+ This library is a TPM2 DTPM instance, supporting SVSM based vTPMs and regular
+ TPM2s at the same time.
+ Choosing this library means platform uses and only uses DTPM device as TPM2 engine.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/Tpm2DeviceLib.h>
+
+#include "Tpm2DeviceLibDTpm.h"
+#include "Tpm2PtpSvsmShim.h"
+
+/**
+ This service enables the sending of commands to the TPM2.
+
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
+
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ )
+{
+ return SvsmDTpm2SubmitCommand (
+ InputParameterBlockSize,
+ InputParameterBlock,
+ OutputParameterBlockSize,
+ OutputParameterBlock
+ );
+}
+
+/**
+ This service requests to use TPM2.
+
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
+ @retval EFI_NOT_FOUND TPM2 not found.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2RequestUseTpm (
+ VOID
+ )
+{
+ return SvsmDTpm2RequestUseTpm ();
+}
+
+/**
+ This service registers a TPM2 device.
+
+ @param Tpm2Device TPM2 device
+
+ @retval EFI_SUCCESS TPM2 device was registered successfully.
+ @retval EFI_UNSUPPORTED System does not support registering this TPM2 device.
+ @retval EFI_ALREADY_STARTED This TPM2 device is already registered.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2RegisterTpm2DeviceLib (
+ IN TPM2_DEVICE_INTERFACE *Tpm2Device
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Initialize the library and cache SVSM vTPM presence state and TPM interface type, if applicable.
+
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
+**/
+EFI_STATUS
+EFIAPI
+Tpm2DeviceLibConstructorSvsm (
+ VOID
+ )
+{
+ if (TryUseSvsmVTpm ()) {
+ return EFI_SUCCESS;
+ } else {
+ return InternalTpm2DeviceLibDTpmCommonConstructor ();
+ }
+}
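Review bot: The @retval on Tpm2DeviceLibConstructorSvsm ("DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance") is copied from the instance-library constructor and does not describe this device library, which registers nothing; document that it returns EFI_SUCCESS when TryUseSvsmVTpm () selects the SVSM vTPM and otherwise the status of InternalTpm2DeviceLibDTpmCommonConstructor (). The @param tag for OutputParameterBlock in Tpm2SubmitCommand is marked [in] for a buffer the call fills; mark it [out].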
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
new file mode 100644
index 0000000000..da48bd3c60
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
@@ -0,0 +1,66 @@
+## @file
+# Provides SVSM based vTPM and regular TPM 2.0 TIS/PTP functions for DTPM
+#
+# Spec Compliance Info:
+# "TCG PC Client Platform TPM Profile(PTP) Specification Family 2.0 Level 00 Revision 00.43"
+# "TCG PC Client Specific TPM Interface Specification(TIS) Version 1.3"
+#
+# This library implements TIS (TPM Interface Specification) and
+# PTP (Platform TPM Profile) functions which is
+# used for every TPM 2.0 command. Choosing this library means platform uses and
+# only uses TPM 2.0 DTPM device.
+#
+# This version of the library additionally supports SVSM based vTPMs for confidential
+# virtual machines under AMD-SEV SNP.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
+# Copyright (c) 2024 Red Hat
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 1.30
+ BASE_NAME = Tpm2DeviceLibDTpmSvsm
+ MODULE_UNI_FILE = Tpm2DeviceLibDTpm.uni
+ FILE_GUID = EE79D4E4-8538-4FE6-A7EF-4095CB6B38E7
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = Tpm2DeviceLib|PEIM DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+ CONSTRUCTOR = Tpm2DeviceLibConstructorSvsm
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = X64
+#
+
+[Sources]
+ Tpm2Tis.c
+ Tpm2Svsm.c
+ Tpm2PtpSvsmShim.c
+ Tpm2Ptp.c
+ Tpm2DeviceLibDTpmSvsm.c
+ Tpm2DeviceLibDTpmBase.c
+ Tpm2DeviceLibDTpm.h
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ IoLib
+ TimerLib
+ DebugLib
+ PcdLib
+ AmdSvsmLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
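Review bot: [LibraryClasses] lacks MemoryAllocationLib although Tpm2Svsm.c, listed in [Sources], includes <Library/MemoryAllocationLib.h> and calls AllocatePages () to create the SVSM command buffer; add it here and in Tpm2InstanceLibDTpmSvsm.inf rather than relying on it being pulled in transitively. MODULE_UNI_FILE also points at Tpm2DeviceLibDTpm.uni, the plain DTPM library's strings; check that they still describe this SVSM-capable variant.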
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
new file mode 100644
index 0000000000..fda0b86347
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
@@ -0,0 +1,64 @@
+/** @file
+ This library is a TPM2 DTPM instance, supporting SVSM based vTPMs and regular
+ TPM2s at the same time.
+
+ It can be registered to Tpm2 Device router, to be active TPM2 engine,
+ based on platform setting.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/Tpm2DeviceLib.h>
+
+#include <Guid/TpmInstance.h>
+
+#include "Tpm2Ptp.h"
+#include "Tpm2DeviceLibDTpm.h"
+#include "Tpm2PtpSvsmShim.h"
+
+TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
+ TPM_DEVICE_INTERFACE_TPM20_DTPM,
+ SvsmDTpm2SubmitCommand,
+ SvsmDTpm2RequestUseTpm,
+};
+
+/**
+ Registers DTPM2.0 instance and caches current active TPM interface type.
+
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
+**/
+EFI_STATUS
+EFIAPI
+Tpm2InstanceLibDTpmConstructorSvsm (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ Status = Tpm2RegisterTpm2DeviceLib (&mDTpm2InternalTpm2Device);
+
+ if (Status == EFI_UNSUPPORTED) {
+ //
+ // Unsupported means platform policy does not need this instance enabled.
+ //
+ return EFI_SUCCESS;
+ }
+
+ if (Status != EFI_SUCCESS) {
+ return Status;
+ }
+
+ if (TryUseSvsmVTpm ()) {
+ // SVSM vTPM found.
+ return EFI_SUCCESS;
+ }
+
+ // No SVSM vTPM found; set up regular DTPM Ptp implementation
+ Status = InternalTpm2DeviceLibDTpmCommonConstructor ();
+ DumpPtpInfo ((VOID *)(UINTN)PcdGet64 (PcdTpmBaseAddress));
+
+ return Status;
+}
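Review bot: Tpm2InstanceLibDTpmConstructorSvsm registers mDTpm2InternalTpm2Device with the router before probing: if TryUseSvsmVTpm () returns FALSE and InternalTpm2DeviceLibDTpmCommonConstructor () then fails, the error is returned but the interface stays registered, and later Tpm2SubmitCommand calls are routed to a backend whose initialisation failed. Run the probe and the common constructor first and call Tpm2RegisterTpm2DeviceLib only when they succeed. The fact that DumpPtpInfo () is skipped on the SVSM path deserves a comment, since nothing else logs the interface in use there.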
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
new file mode 100644
index 0000000000..4baf363c11
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
@@ -0,0 +1,60 @@
+## @file
+# Provides a DTPM instance for SVSM based vTPMs and TPM 2.0 TIS/PTP.
+#
+# This library can be registered to Tpm 2.0 device router, to be active TPM 2.0
+# engine, based on platform setting. It supports both TIS (TPM Interface Specification)
+# and PTP (Platform TPM Profile) functions.
+#
+# This version of the library additionally supports SVSM based vTPMs for confidential
+# virtual machines under AMD SEV-SNP.
+#
+# Copyright (c) 2024 Red Hat
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 1.30
+ BASE_NAME = Tpm2InstanceLibDTpmSvsm
+ MODULE_UNI_FILE = Tpm2InstanceLibDTpm.uni
+ FILE_GUID = C7777207-A8DF-47E4-AA3C-E8BF74E7F233
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = Tpm2InstanceLibDTpmConstructorSvsm
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = X64
+#
+
+[Sources]
+ Tpm2Tis.c
+ Tpm2Svsm.c
+ Tpm2Ptp.c
+ Tpm2PtpSvsmShim.c
+ Tpm2InstanceLibDTpmSvsm.c
+ Tpm2DeviceLibDTpmBase.c
+ Tpm2DeviceLibDTpm.h
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ IoLib
+ TimerLib
+ DebugLib
+ PcdLib
+ AmdSvsmLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
index 238d6e8dba..95e7ce246a 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
@@ -1,5 +1,5 @@
/** @file
- PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by DTPM2.0 library.
Copyright (c) 2024 Red Hat
SPDX-License-Identifier: BSD-2-Clause-Patent
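Review bot: The dTPM2.0 to DTPM2.0 spelling change in this comment is unrelated to the SVSM support and is not mentioned in the commit message; drop it or move it to a separate cleanup patch so the functional change stays reviewable on its own.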
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
new file mode 100644
index 0000000000..8a49fe936f
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
@@ -0,0 +1,123 @@
+/** @file
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface shim that switches between
+ SVSM vTPM Ptp and regular Ptp implementations.
+
+ Use TryUseSvsmVTpm () do check for SVSM vTPM presnece and initialzie the shim.
+
+ The SVSM vTPM presence state is cached across library instances.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+#include <Library/Tpm2DeviceLib.h>
+#include <Library/PcdLib.h>
+#include <Library/DebugLib.h>
+#include "Tpm2Ptp.h"
+#include "Tpm2Svsm.h"
+
+/// SVSM vTPM presence state as stored in PcdSvsmVTpmPresence
+/// @{
+#define SVSM_VTPM_PRESENCE_UNKNOWN 0xFF
+#define SVSM_VTPM_PRESENT 0x01
+#define SVSM_VTPM_ABSENT 0x00
+/// @}
+
+static BOOLEAN mUseSvsmVTpm = FALSE;
+
+/**
+ Initializes SVSM vTPM if present, or otherwise uses TCG PTP method.
+
+ If an SVSM based vTPM is found, use it from now on.
+ If none is found, call the regular Ptp TPM implementation instead.
+
+ This function is meant to be called from the DTpm library constructor.
+ If it has not been called, the regular Ptp implementation is used.
+
+ @retval TRUE SVSM vTPM is present.
+ @retval FALSE SVSM vTPM was not discovered.
+ */
+BOOLEAN
+EFIAPI
+TryUseSvsmVTpm (
+ )
+{
+ UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);
+
+ if (SvsmVTpmPresence == SVSM_VTPM_PRESENCE_UNKNOWN) {
+ SvsmVTpmPresence = Tpm2SvsmQueryTpmSendCmd () ? SVSM_VTPM_PRESENT : SVSM_VTPM_ABSENT;
+ PcdSet8S (PcdSvsmVTpmPresence, SvsmVTpmPresence);
+ if (SvsmVTpmPresence == SVSM_VTPM_PRESENT) {
+ DEBUG ((DEBUG_INFO, " Found SVSM vTPM\n"));
+ }
+ }
+
+ mUseSvsmVTpm = SvsmVTpmPresence == SVSM_VTPM_PRESENT;
+ return mUseSvsmVTpm;
+}
+
+/**
+ This service enables the sending of commands to the selected TPM2.
+
+ Commands are send to either the SVSM vTPM or the regular Ptp based TPM, depending
+ on what was discovered by TryUseSvsmVTpm ().
+
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
+
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
+**/
+EFI_STATUS
+EFIAPI
+SvsmDTpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ )
+{
+ if (mUseSvsmVTpm) {
+ return Tpm2SvsmTpmSendCommand (
+ InputParameterBlock,
+ InputParameterBlockSize,
+ OutputParameterBlock,
+ OutputParameterBlockSize
+ );
+ } else {
+ return DTpm2SubmitCommand (
+ InputParameterBlockSize,
+ InputParameterBlock,
+ OutputParameterBlockSize,
+ OutputParameterBlock
+ );
+ }
+}
+
+/**
+ This service requests to use TPM2.
+
+ Depending on what was discovered by TryUseSvsmVTpm (), this function either
+ returns EFI_SUCCESS, for SVSM vTPM, or calls the regular Ptp implementation.
+
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
+ @retval EFI_NOT_FOUND TPM2 not found.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+**/
+EFI_STATUS
+EFIAPI
+SvsmDTpm2RequestUseTpm (
+ VOID
+ )
+{
+ if (mUseSvsmVTpm) {
+ return EFI_SUCCESS;
+ } else {
+ return DTpm2RequestUseTpm ();
+ }
+}
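Review bot: TryUseSvsmVTpm is defined (and declared in Tpm2PtpSvsmShim.h) with an empty parameter list; EDK2 code writes VOID, and in C an empty list declares a function with unspecified arguments. Same style point for `static BOOLEAN mUseSvsmVTpm`, which should use STATIC. The return value of PcdSet8S (PcdSvsmVTpmPresence, ...) is ignored: if the set fails the cached state stays 0xFF and every later constructor silently re-runs the SVSM probe, so at least DEBUG the failure. The file header has typos ("do check" for "to check", "presnece", "initialzie") and the SvsmDTpm2SubmitCommand comment reads "Commands are send" for "sent".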
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
new file mode 100644
index 0000000000..6a604f8020
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
@@ -0,0 +1,30 @@
+/** @file
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface shim that switches between
+ SVSM vTPM Ptp and regular Ptp implementations.
+
+ Use TryUseSvsmVTpm () do check for SVSM vTPM presnece and initialzie the shim.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+BOOLEAN
+EFIAPI
+TryUseSvsmVTpm (
+ );
+
+EFI_STATUS
+EFIAPI
+SvsmDTpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ );
+
+EFI_STATUS
+EFIAPI
+SvsmDTpm2RequestUseTpm (
+ VOID
+ );
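Review bot: This header has no include guard and uses BOOLEAN, EFI_STATUS and UINT32 without including <Uefi.h>, so it only compiles when the includer has already pulled those in; add a TPM2_PTP_SVSM_SHIM_H_ guard, the include, and VOID in the TryUseSvsmVTpm prototype. The "do check ... presnece ... initialzie" typos from the .c file header are duplicated here.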
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
new file mode 100644
index 0000000000..d9b5907c75
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
@@ -0,0 +1,152 @@
+/** @file
+ SVSM TPM communication
+
+Copyright (C) 2024 James.Bottomley@HansenPartnership.com
+Copyright (C) 2024 IBM Corporation
+Copyright (C) 2024 Red Hat
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/AmdSvsmLib.h>
+#include <Library/PcdLib.h>
+
+#include "Tpm2Svsm.h"
+
+/**
+ Platform commands (MSSIM commands) can be sent through the
+ SVSM_VTPM_CMD operation. Each command can have its own
+ request and response structures.
+**/
+#define TPM_SEND_COMMAND 8
+
+#pragma pack(1)
+typedef struct _TPM2_SEND_CMD_REQ {
+ UINT32 Cmd;
+ UINT8 Locality;
+ UINT32 BufSize;
+ UINT8 Buf[];
+} TPM2_SEND_CMD_REQ;
+
+typedef struct _TPM2_SEND_CMD_RESP {
+ UINT32 Size;
+ UINT8 Buf[];
+} TPM2_SEND_CMD_RESP;
+#pragma pack()
+
+/* Max req/resp buffer size */
+#define TPM_PLATFORM_MAX_BUFFER 4096
+
+typedef union {
+ TPM2_SEND_CMD_REQ req;
+ TPM2_SEND_CMD_RESP resp;
+} SVSM_TPM_CMD_BUFFER;
+
+STATIC_ASSERT (sizeof (SVSM_TPM_CMD_BUFFER) <= TPM_PLATFORM_MAX_BUFFER, "SVSM_TPM_CMD_BUFFER too large");
+
+/**
+ Probe the SVSM vTPM for TPM_SEND_COMMAND support. The
+ TPM_SEND_COMMAND platform command can be used to execute a
+ TPM command and get the result.
+
+ @retval TRUE TPM_SEND_COMMAND is supported.
+ @retval FALSE TPM_SEND_COMMAND is not supported.
+
+**/
+BOOLEAN
+Tpm2SvsmQueryTpmSendCmd (
+ VOID
+ )
+{
+ UINT64 PlatformCmdBitmap;
+ UINT64 TpmSendMask;
+
+ PlatformCmdBitmap = 0;
+ TpmSendMask = 1 << TPM_SEND_COMMAND;
+
+ if (!AmdSvsmVtpmQuery (&PlatformCmdBitmap, NULL)) {
+ return FALSE;
+ }
+
+ return ((PlatformCmdBitmap & TpmSendMask) == TpmSendMask) ? TRUE : FALSE;
+}
+
+/**
+ Send a TPM command to the SVSM vTPM and return the TPM response.
+
+ @param[in] BufferIn It should contain the marshaled
+ TPM command.
+ @param[in] SizeIn Size of the TPM command.
+ @param[out] BufferOut It will contain the marshaled
+ TPM response.
+ @param[in, out] SizeOut Size of the BufferOut; it will also
+ be used to return the size of the
+ TPM response
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_INVALID_PARAMETER Buffer not provided.
+ @retval EFI_BUFFER_TOO_SMALL Response data buffer is too small.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+ @retval EFI_OUT_OF_RESOURCES Out of memory when allocating internal buffer.
+ @retval EFI_UNSUPPORTED Unsupported TPM version
+
+**/
+EFI_STATUS
+Tpm2SvsmTpmSendCommand (
+ IN UINT8 *BufferIn,
+ IN UINT32 SizeIn,
+ OUT UINT8 *BufferOut,
+ IN OUT UINT32 *SizeOut
+ )
+{
+ STATIC SVSM_TPM_CMD_BUFFER *Buffer = NULL;
+
+ if ((SizeIn == 0) || !BufferIn || !SizeOut || !BufferOut) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (SizeIn > TPM_PLATFORM_MAX_BUFFER - sizeof (TPM2_SEND_CMD_REQ)) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (Buffer == NULL) {
+ STATIC_ASSERT (sizeof (UINT64) >= sizeof (UINTN), "Pointer size larger than 64bit");
+ Buffer = (SVSM_TPM_CMD_BUFFER *)(UINTN)PcdGet64 (PcdSvsmVTpmBufferPtr);
+
+ if (Buffer == NULL) {
+ Buffer = (SVSM_TPM_CMD_BUFFER *)AllocatePages (EFI_SIZE_TO_PAGES (TPM_PLATFORM_MAX_BUFFER));
+ if (Buffer == NULL) {
+ DEBUG ((DEBUG_ERROR, "Unable to allocate SVSM vTPM buffer: %r", EFI_OUT_OF_RESOURCES));
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ PcdSet64S (PcdSvsmVTpmBufferPtr, (UINTN)(VOID *)Buffer);
+ }
+ }
+
+ Buffer->req.Cmd = TPM_SEND_COMMAND;
+ Buffer->req.Locality = 0;
+ Buffer->req.BufSize = SizeIn;
+ CopyMem (Buffer->req.Buf, BufferIn, SizeIn);
+
+ if (!AmdSvsmVtpmCmd ((UINT8 *)Buffer)) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (Buffer->resp.Size > TPM_PLATFORM_MAX_BUFFER - sizeof (TPM2_SEND_CMD_RESP)) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (Buffer->resp.Size > *SizeOut) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ CopyMem (BufferOut, Buffer->resp.Buf, Buffer->resp.Size);
+ *SizeOut = Buffer->resp.Size;
+ return EFI_SUCCESS;
+}
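Review bot: Tpm2SvsmTpmSendCommand returns EFI_BUFFER_TOO_SMALL when SizeIn exceeds TPM_PLATFORM_MAX_BUFFER - sizeof (TPM2_SEND_CMD_REQ), but the function's own @retval list defines that code as "Response data buffer is too small", so a caller will misread an oversized command as a short response buffer; return EFI_INVALID_PARAMETER (or EFI_BAD_BUFFER_SIZE) there, and drop the EFI_UNSUPPORTED @retval, which nothing returns. Further points: DEBUG () is used on the allocation-failure path but <Library/DebugLib.h> is not included and the message lacks a trailing "\n"; `TpmSendMask = 1 << TPM_SEND_COMMAND` is an int shift assigned to a UINT64 bitmap, so use LShiftU64 (1, TPM_SEND_COMMAND) to keep higher bit numbers safe; and Buffer->resp.Size lives in memory the SVSM writes, so copy it into a local once before the two range checks and the CopyMem, so the bound that was checked is the bound that is used.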
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
new file mode 100644
index 0000000000..f94901601f
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
@@ -0,0 +1,25 @@
+/** @file
+ SVSM TPM communication
+
+Copyright (C) 2024 James.Bottomley@HansenPartnership.com
+Copyright (C) 2024 IBM Corporation
+Copyright (C) 2024 Red Hat
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+
+BOOLEAN
+Tpm2SvsmQueryTpmSendCmd (
+ VOID
+ );
+
+EFI_STATUS
+Tpm2SvsmTpmSendCommand (
+ IN UINT8 *BufferIn,
+ IN UINT32 SizeIn,
+ OUT UINT8 *BufferOut,
+ IN OUT UINT32 *SizeOut
+ );
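Review bot: Missing include guard, and EFI_STATUS is defined in <Uefi.h>, which this header does not include (<Library/BaseLib.h> is the only include); add `#include <Uefi.h>` and a TPM2_SVSM_H_ guard. Tpm2Svsm.c happens to include <Uefi.h> before this header, which is why it builds today.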
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
index 26fedd179c..a0fa965381 100644
--- a/SecurityPkg/SecurityPkg.ci.yaml
+++ b/SecurityPkg/SecurityPkg.ci.yaml
@@ -48,6 +48,7 @@
"AcceptableDependencies": [
"MdePkg/MdePkg.dec",
"MdeModulePkg/MdeModulePkg.dec",
+ "UefiCpuPkg/UefiCpuPkg.dec",
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec",
"SecurityPkg/SecurityPkg.dec",
"StandaloneMmPkg/StandaloneMmPkg.dec",
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 0589cfaf68..17fd0aeb81 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -604,6 +604,16 @@
## This PCD records LASA field in CC EVENTLOG ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026
+ ## This PCD caches the presence state of a AMD SEV-SNP SVSM-provided vTPM.
+ # 0xFF - Unknown - Probing needed
+ # 0x00 - No - Use regular TPM
+ # 0x01 - Yes - SVSM vTPM present
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence|0xFF|UINT8|0x00020030
+
+ ## This PCD stores the pointer to the communication buffer for a
+ # AMD SEV-SNP SVSM-provided vTPM.
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr|0|UINT64|0x00020031
+
[PcdsFeatureFlag]
## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode.
# TRUE - Require PK to be self-signed.
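Review bot: both new PCD comments read "a AMD SEV-SNP" and should read "an AMD SEV-SNP". The PcdSvsmVTpmPresence comment should also state who performs the probe that replaces 0xFF and that consumers must treat 0xFF as "call the probe", since the value is a cache rather than a hardware fact; PcdSvsmVTpmBufferPtr likewise deserves a note that it holds a pointer (UINT64) only valid in the phase that allocated it.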
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index ea6a14c328..945a2dd393 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -369,6 +369,18 @@
TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
}
+ #
+ # AMD SEV-SNP SVSM vTPM
+ #
+ SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf {
+ <LibraryClasses>
+ AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
+ }
+ SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf {
+ <LibraryClasses>
+ AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
+ }
+
#
# Hash2
#
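Review bot: both SVSM library instances are resolved against AmdSvsmLibNull in SecurityPkg.dsc, so this package build only verifies that the shim compiles and never exercises the vTPM path. Note in the commit message that a platform DSC must map AmdSvsmLib to the real instance for the SVSM vTPM to be used.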
--
2.43.0


@@ -0,0 +1,199 @@
From edf5e365c104fb86623b6359ac53d79777d521bf Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Mon, 16 Dec 2024 17:25:36 +0100
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Add header file for Tpm2Ptp.c
Some of the functions implemented in Tpm2Ptp.c are forward declared in a
couple of places. To clean this up, introduce a header that contains
these declarations in a central place and use it instead.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c | 35 +-----------
.../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c | 45 +---------------
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 2 +
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 53 +++++++++++++++++++
4 files changed, 57 insertions(+), 78 deletions(-)
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index e0897417ba..828fb856ad 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -13,42 +13,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/Tpm2DeviceLib.h>
#include <Library/PcdLib.h>
+#include "Tpm2Ptp.h"
#include "Tpm2DeviceLibDTpm.h"
-/**
- This service enables the sending of commands to the TPM2.
-
- @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
- @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
- @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
- @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
-
- @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
- @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
- @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2SubmitCommand (
- IN UINT32 InputParameterBlockSize,
- IN UINT8 *InputParameterBlock,
- IN OUT UINT32 *OutputParameterBlockSize,
- IN UINT8 *OutputParameterBlock
- );
-
-/**
- This service requests use TPM2.
-
- @retval EFI_SUCCESS Get the control of TPM2 chip.
- @retval EFI_NOT_FOUND TPM2 not found.
- @retval EFI_DEVICE_ERROR Unexpected device behavior.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2RequestUseTpm (
- VOID
- );
-
/**
This service enables the sending of commands to the TPM2.
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
index 11796d5b97..2762626575 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
@@ -16,52 +16,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Guid/TpmInstance.h>
+#include "Tpm2Ptp.h"
#include "Tpm2DeviceLibDTpm.h"
-/**
- Dump PTP register information.
-
- @param[in] Register Pointer to PTP register.
-**/
-VOID
-DumpPtpInfo (
- IN VOID *Register
- );
-
-/**
- This service enables the sending of commands to the TPM2.
-
- @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
- @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
- @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
- @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
-
- @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
- @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
- @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2SubmitCommand (
- IN UINT32 InputParameterBlockSize,
- IN UINT8 *InputParameterBlock,
- IN OUT UINT32 *OutputParameterBlockSize,
- IN UINT8 *OutputParameterBlock
- );
-
-/**
- This service requests use TPM2.
-
- @retval EFI_SUCCESS Get the control of TPM2 chip.
- @retval EFI_NOT_FOUND TPM2 not found.
- @retval EFI_DEVICE_ERROR Unexpected device behavior.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2RequestUseTpm (
- VOID
- );
-
TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
TPM_DEVICE_INTERFACE_TPM20_DTPM,
DTpm2SubmitCommand,
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
index dee01d9707..d1565c72d7 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
@@ -22,6 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "Tpm2DeviceLibDTpm.h"
+#include "Tpm2Ptp.h"
+
//
// Execution of the command may take from several seconds to minutes for certain
// commands, such as key generation.
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
new file mode 100644
index 0000000000..238d6e8dba
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
@@ -0,0 +1,53 @@
+/** @file
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+
+/**
+ Dump PTP register information.
+
+ @param[in] Register Pointer to PTP register.
+**/
+VOID
+DumpPtpInfo (
+ IN VOID *Register
+ );
+
+/**
+ This service enables the sending of commands to the TPM2.
+
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
+
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
+**/
+EFI_STATUS
+EFIAPI
+DTpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ );
+
+/**
+ This service requests use TPM2.
+
+ @retval EFI_SUCCESS Get the control of TPM2 chip.
+ @retval EFI_NOT_FOUND TPM2 not found.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+**/
+EFI_STATUS
+EFIAPI
+DTpm2RequestUseTpm (
+ VOID
+ );
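Review bot: Tpm2Ptp.h lacks an include guard. Tpm2Ptp.c now includes both Tpm2DeviceLibDTpm.h and Tpm2Ptp.h, and Tpm2DeviceLibDTpm.c and Tpm2InstanceLibDTpm.c include Tpm2Ptp.h as well, so wrap the declarations in `#ifndef TPM2_PTP_H_` / `#define TPM2_PTP_H_` / `#endif` to stay safe against double inclusion.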
--
2.43.0


@@ -0,0 +1,153 @@
From c2d8e9236787270384bab6af9d9db0071468e9e5 Mon Sep 17 00:00:00 2001
From: Jacob Xu <jacobhxu@google.com>
Date: Fri, 28 Mar 2025 18:49:58 +0000
Subject: [PATCH] SecurityPkg-Tpm2DeviceLibDTpm: Check SNP enabled prior to
using AmdSvsmLib
AmdSvsmLib currently doesn't check if SNP is enabled, thus using AmdSvsmLib
may errantly cause the caller code to believe SVSM is present. This
leads to boot failure on non-SNP enabled VMs.
We use the PcdConfidentialComputingGuestAttr since it remains valid
after MpInitLib runs which invalidates PcdSevEsWorkArea's cached
sev-status msr which we use to check for SNP enabled in other places.
The added functions ConfidentialComputingGuestHas() and
AmdMemEncryptionAttrCheck() are copied from MpLib.c, which is intended
to be replaced later on with a more minimal library perhaps in MdePkg to
clean up some of the circular dependencies currently surrounding SvsmLib.
Signed-off-by: Jacob Xu <jacobhxu@google.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
---
.../Tpm2DeviceLibDTpmSvsm.inf | 1 +
.../Tpm2InstanceLibDTpmSvsm.inf | 1 +
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c | 79 +++++++++++++++++++
3 files changed, 81 insertions(+)
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
index da48bd3c60..0efcd4fca7 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
@@ -64,3 +64,4 @@
gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
index 4baf363c11..357dfeb21f 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
@@ -58,3 +58,4 @@
gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
index 8a49fe936f..b8c592043a 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
@@ -15,6 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/Tpm2DeviceLib.h>
#include <Library/PcdLib.h>
#include <Library/DebugLib.h>
+#include <ConfidentialComputingGuestAttr.h>
#include "Tpm2Ptp.h"
#include "Tpm2Svsm.h"
@@ -27,6 +28,80 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
static BOOLEAN mUseSvsmVTpm = FALSE;
+/**
+ The function check if the specified Attr is set.
+
+ @param[in] CurrentAttr The current attribute.
+ @param[in] Attr The attribute to check.
+
+ @retval TRUE The specified Attr is set.
+ @retval FALSE The specified Attr is not set.
+
+**/
+STATIC
+BOOLEAN
+AmdMemEncryptionAttrCheck (
+ IN UINT64 CurrentAttr,
+ IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
+ )
+{
+ UINT64 CurrentLevel;
+
+ CurrentLevel = CurrentAttr & CCAttrTypeMask;
+
+ switch (Attr) {
+ case CCAttrAmdSev:
+ //
+ // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
+ //
+ return CurrentLevel >= CCAttrAmdSev;
+ case CCAttrAmdSevEs:
+ //
+ // SEV-ES is automatically enabled if SEV-SNP is active.
+ //
+ return CurrentLevel >= CCAttrAmdSevEs;
+ case CCAttrAmdSevSnp:
+ return CurrentLevel == CCAttrAmdSevSnp;
+ case CCAttrFeatureAmdSevEsDebugVirtualization:
+ return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
+ default:
+ return FALSE;
+ }
+}
+
+/**
+ Check if the specified confidential computing attribute is active.
+
+ @param[in] Attr The attribute to check.
+
+ @retval TRUE The specified Attr is active.
+ @retval FALSE The specified Attr is not active.
+
+**/
+STATIC
+BOOLEAN
+EFIAPI
+ConfidentialComputingGuestHas (
+ IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
+ )
+{
+ UINT64 CurrentAttr;
+
+ //
+ // Get the current CC attribute.
+ //
+ CurrentAttr = PcdGet64 (PcdConfidentialComputingGuestAttr);
+
+ //
+ // If attr is for the AMD group then call AMD specific checks.
+ //
+ if (((RShiftU64 (CurrentAttr, 8)) & 0xff) == 1) {
+ return AmdMemEncryptionAttrCheck (CurrentAttr, Attr);
+ }
+
+ return (CurrentAttr == Attr);
+}
+
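Review bot: ConfidentialComputingGuestHas() identifies the AMD group with the literal `((RShiftU64 (CurrentAttr, 8)) & 0xff) == 1`. The code already takes CCAttrTypeMask from ConfidentialComputingGuestAttr.h, so if that header exposes a named mask or shift for the vendor field, use it instead of the magic 8 / 0xff / 1 so this copy cannot drift from MpLib.c. The doc comment "The function check if the specified Attr is set." should read "The function checks whether the specified Attr is set."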
/**
Initializes SVSM vTPM if present, or otherwise uses TCG PTP method.
@@ -44,6 +119,10 @@ EFIAPI
TryUseSvsmVTpm (
)
{
+ if (!ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) {
+ return FALSE;
+ }
+
UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);
if (SvsmVTpmPresence == SVSM_VTPM_PRESENCE_UNKNOWN) {
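Review bot: the new early return is placed before `UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);`, which puts a statement ahead of a declaration in the same block; edk2 coding style keeps declarations at the top of the block and assigns them in a separate statement, so move the declaration above the new `if` and do the PcdGet8 after it. While this function is being touched, the empty parameter list in `TryUseSvsmVTpm (` / `)` should be `VOID`.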
--
2.43.0


@@ -0,0 +1,89 @@
From 87f454532a612066c3caacd240782fc40f31c152 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Tue, 7 Jan 2025 12:58:21 +0100
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Improve spelling/grammar of
comments
Fix some spelling/grammar mistakes in the documentation comments.
Suggested-by: Dionna Glaze <dionnaglaze@google.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c | 14 +++++++-------
.../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c | 4 ++--
SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 2 +-
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index 7cc55df436..e0897417ba 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -79,9 +79,9 @@ Tpm2SubmitCommand (
}
/**
- This service requests use TPM2.
+ This service requests to use TPM2.
- @retval EFI_SUCCESS Get the control of TPM2 chip.
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
@retval EFI_NOT_FOUND TPM2 not found.
@retval EFI_DEVICE_ERROR Unexpected device behavior.
**/
@@ -95,13 +95,13 @@ Tpm2RequestUseTpm (
}
/**
- This service register TPM2 device.
+ This service registers a TPM2 device.
@param Tpm2Device TPM2 device
- @retval EFI_SUCCESS This TPM2 device is registered successfully.
- @retval EFI_UNSUPPORTED System does not support register this TPM2 device.
- @retval EFI_ALREADY_STARTED System already register this TPM2 device.
+ @retval EFI_SUCCESS TPM2 device was registered successfully.
+ @retval EFI_UNSUPPORTED System does not support registering this TPM2 device.
+ @retval EFI_ALREADY_STARTED This TPM2 device is already registered.
**/
EFI_STATUS
EFIAPI
@@ -115,7 +115,7 @@ Tpm2RegisterTpm2DeviceLib (
/**
The function caches current active TPM interface type.
- @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support register DTPM2.0 instance
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
**/
EFI_STATUS
EFIAPI
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
index 7d3e4bef86..11796d5b97 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
@@ -69,9 +69,9 @@ TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
};
/**
- The function register DTPM2.0 instance and caches current active TPM interface type.
+ Registers DTPM2.0 instance and caches current active TPM interface type.
- @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support register DTPM2.0 instance
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
**/
EFI_STATUS
EFIAPI
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
index eac9f0e299..dee01d9707 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
@@ -1,5 +1,5 @@
/** @file
- PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by DTPM2.0 library.
Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
Copyright (c), Microsoft Corporation.
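Review bot: the file-header change from "dTPM2.0" to "DTPM2.0" is not a spelling fix; the TCG PTP specification writes discrete TPM as "dTPM", and Tpm2Ptp.h (in the header-file patch earlier on this page) keeps "used by dTPM2.0 library". Pick one spelling across the package, preferably the specification's, rather than changing only this file.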
--
2.43.0


@@ -0,0 +1,129 @@
From 87d4cdd09e4d9432c150a3a029dcad7da38bcffa Mon Sep 17 00:00:00 2001
From: Claudio Carvalho <cclaudio@linux.ibm.com>
Date: Mon, 10 Jun 2024 22:29:25 +0300
Subject: [PATCH] UefiCpuPkg/AmdSvsmLib: Stub the SVSM vTPM protocol for
non-VMPL0 guests
We need to stub the SVSM vTPM protocol in the UefiCpuPkg in order to
support a SEV-SNP guest running under a SVSM at VMPL1 or lower.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
UefiCpuPkg/Include/Library/AmdSvsmLib.h | 41 ++++++++++++++++
.../Library/AmdSvsmLibNull/AmdSvsmLibNull.c | 47 +++++++++++++++++++
2 files changed, 88 insertions(+)
diff --git a/UefiCpuPkg/Include/Library/AmdSvsmLib.h b/UefiCpuPkg/Include/Library/AmdSvsmLib.h
index 40e0e5bd42..693b79bda5 100644
--- a/UefiCpuPkg/Include/Library/AmdSvsmLib.h
+++ b/UefiCpuPkg/Include/Library/AmdSvsmLib.h
@@ -98,4 +98,45 @@ AmdSvsmSnpVmsaRmpAdjust (
IN BOOLEAN SetVmsa
);
+/**
+ Perform a SVSM_VTPM_QUERY operation
+
+ Query the support provided by the SVSM vTPM.
+
+ @param[out] PlatformCommands It will contain a bitmap indicating the
+ supported vTPM platform commands.
+ @param[out] Features It will contain a bitmap indicating the
+ supported vTPM features.
+
+ @retval TRUE The query was processed.
+ @retval FALSE The query was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmQuery (
+ OUT UINT64 *PlatformCommands,
+ OUT UINT64 *Features
+ );
+
+/**
+ Perform a SVSM_VTPM_CMD operation
+
+ Send the specified vTPM platform command to the SVSM vTPM.
+
+ @param[in, out] Buffer It should contain the vTPM platform command
+ request. The respective response will be returned
+ in the same Buffer, but not all commands specify a
+ response.
+
+ @retval TRUE The command was processed.
+ @retval FALSE The command was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmCmd (
+ IN OUT UINT8 *Buffer
+ );
+
#endif
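Review bot: AmdSvsmVtpmCmd() takes a bare `UINT8 *Buffer` for a structured request/response exchange with the SVSM; the doc comment should state the required buffer size (Tpm2Svsm.c bounds it with TPM_PLATFORM_MAX_BUFFER) and who owns the allocation, since a too-small buffer cannot be detected from the pointer alone. Both new comments also read "Perform a SVSM_VTPM_..." and should read "Perform an SVSM_VTPM_...".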
diff --git a/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c b/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
index a83fcbd6ce..fc6871c7b2 100644
--- a/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
+++ b/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
@@ -106,3 +106,50 @@ AmdSvsmSnpVmsaRmpAdjust (
{
return EFI_UNSUPPORTED;
}
+
+/**
+ Perform a SVSM_VTPM_QUERY operation
+
+ Query the support provided by the SVSM vTPM.
+
+ @param[out] PlatformCommands It will contain a bitmap indicating the
+ supported vTPM platform commands.
+ @param[out] Features It will contain a bitmap indicating the
+ supported vTPM features.
+
+ @retval TRUE The query was processed.
+ @retval FALSE The query was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmQuery (
+ OUT UINT64 *PlatformCommands,
+ OUT UINT64 *Features
+ )
+{
+ return FALSE;
+}
+
+/**
+ Perform a SVSM_VTPM_CMD operation
+
+ Send the specified vTPM platform command to the SVSM vTPM.
+
+ @param[in, out] Buffer It should contain the vTPM platform command
+ request. The respective response will be returned
+ in the same Buffer, but not all commands specify a
+ response.
+
+ @retval TRUE The command was processed.
+ @retval FALSE The command was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmCmd (
+ IN OUT UINT8 *Buffer
+ )
+{
+ return FALSE;
+}
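Review bot: AmdSvsmVtpmQuery() in the Null instance returns FALSE without writing *PlatformCommands and *Features, so a caller that checks the bitmaps before the return value reads uninitialized stack; set both OUT parameters to 0 before returning FALSE. AmdSvsmSnpVmsaRmpAdjust() above can get away with returning EFI_UNSUPPORTED because it has no OUT parameters.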
--
2.43.0


@@ -0,0 +1,242 @@
From dca5d26bc57ef4a554448e41d302e732bca03d8a Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Thu, 27 Mar 2025 14:30:58 -0500
Subject: [PATCH] UefiCpuPkg/MpInitLib: Fix SNP AP creation when using known
APIC IDs
A typical initial AP boot up will choose a CpuNumber based on the ApIndex
value that it gets back after a locked increment of the ApIndex value.
The ApIndex to APIC ID relationship is random, which is not an issue when
a broadcast INIT-SIPI is performed.
With SNP and a hypervisor that supports retrieval of the known APIC IDs,
the broadcast INIT-SIPI method is replaced by waking each individual vCPU.
In this situation, a specific VMSA is associated with a specific APIC ID.
However, random assignment of an ApIndex can break this association. This
isn't typically an issue, because the AP bring-up finishes with the AP
issuing a HLT instruction, which is intercepted by the hypervisor and the
AP won't run again until the next INIT-SIPI. However, when HLT isn't
intercepted by the hypervisor (Qemu '-overcommit cpu-pm=on' parameter),
then the HLT does not exit to the hypervisor. On the next INIT-SIPI, it
can happen that a VMRUN is executed with a different VMSA address than
was originally used, and if that VMSA is still in a VMRUN on another AP,
then the executing VMRUN will fail, crashing the guest.
To fix this issue, add a CPU exchange info field, SevSnpKnownInitApicId,
that indicates the APs are starting with an already known initial APIC ID
and set the initial APIC ID and APIC ID in the CPU_INFO_IN_HOB HOB.
During AP boot, the SevSnpKnownInitApicId field will result in the
CpuNumber being set to the index with a matching APIC ID (similar to AP
booting when the InitFlag != ApInitConfig).
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
UefiCpuPkg/Library/MpInitLib/AmdSev.c | 2 +
UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 +
UefiCpuPkg/Library/MpInitLib/MpLib.h | 1 +
UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 38 +++++++++---
UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 60 ++++++++++++++++++-
UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 4 ++
6 files changed, 98 insertions(+), 8 deletions(-)
diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c
index 75429e3dae..5108873c3b 100644
--- a/UefiCpuPkg/Library/MpInitLib/AmdSev.c
+++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c
@@ -293,6 +293,8 @@ FillExchangeInfoDataSevEs (
);
ExchangeInfo->ExtTopoAvail = !!ExtTopoEbx.Bits.LogicalProcessors;
}
+
+ ExchangeInfo->SevSnpKnownInitApicId = FALSE;
}
/**
diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
index 317e627b58..d8ba9ea124 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
+++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
@@ -97,6 +97,7 @@ struc MP_CPU_EXCHANGE_INFO
.SevSnpIsEnabled CTYPE_BOOLEAN 1
.GhcbBase: CTYPE_UINTN 1
.ExtTopoAvail: CTYPE_BOOLEAN 1
+ .SevSnpKnownInitApicId: CTYPE_BOOLEAN 1
endstruc
MP_CPU_EXCHANGE_INFO_OFFSET equ (Flat32Start - RendezvousFunnelProcStart)
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h
index 145538b6ee..a63bb81bef 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
@@ -239,6 +239,7 @@ typedef struct {
BOOLEAN SevSnpIsEnabled;
UINTN GhcbBase;
BOOLEAN ExtTopoAvail;
+ BOOLEAN SevSnpKnownInitApicId;
} MP_CPU_EXCHANGE_INFO;
#pragma pack()
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
index a75e1e2018..56cd7a1138 100644
--- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
+++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
@@ -271,18 +271,27 @@ SevSnpCreateAP (
IN INTN ProcessorNumber
)
{
- CPU_INFO_IN_HOB *CpuInfoInHob;
- CPU_AP_DATA *CpuData;
- UINTN Index;
- UINTN MaxIndex;
- UINT32 ApicId;
- EFI_HOB_GUID_TYPE *GuidHob;
- GHCB_APIC_IDS *GhcbApicIds;
+ CPU_INFO_IN_HOB *CpuInfoInHob;
+ CPU_AP_DATA *CpuData;
+ UINTN Index;
+ UINTN MaxIndex;
+ UINT32 ApicId;
+ EFI_HOB_GUID_TYPE *GuidHob;
+ GHCB_APIC_IDS *GhcbApicIds;
+ volatile MP_CPU_EXCHANGE_INFO *ExchangeInfo;
ASSERT (CpuMpData->MpCpuExchangeInfo->BufferStart < 0x100000);
+ ExchangeInfo = CpuMpData->MpCpuExchangeInfo;
CpuInfoInHob = (CPU_INFO_IN_HOB *)(UINTN)CpuMpData->CpuInfoInHob;
+ //
+ // Set to FALSE by default. This is only set to TRUE when the InitFlag
+ // is equal to ApInitConfig and the GHCB APIC ID List NAE event has
+ // been called.
+ //
+ ExchangeInfo->SevSnpKnownInitApicId = FALSE;
+
if (ProcessorNumber < 0) {
if (CpuMpData->InitFlag == ApInitConfig) {
//
@@ -294,6 +303,14 @@ SevSnpCreateAP (
GuidHob = GetFirstGuidHob (&gGhcbApicIdsGuid);
GhcbApicIds = (GHCB_APIC_IDS *)(*(UINTN *)GET_GUID_HOB_DATA (GuidHob));
MaxIndex = MIN (GhcbApicIds->NumEntries, PcdGet32 (PcdCpuMaxLogicalProcessorNumber));
+
+ //
+ // Set to TRUE so that ApicId and SEV-SNP SaveArea stay in sync. When
+ // the InitFlag is ApInitConfig, the random order of AP initialization
+ // can end up with an Index / ApicId mismatch (see X64/AmdSev.nasm).
+ //
+ ExchangeInfo->SevSnpKnownInitApicId = TRUE;
+ DEBUG ((DEBUG_INFO, "SEV-SNP: Using known initial APIC IDs\n"));
} else {
//
// APs have been previously started.
@@ -308,6 +325,13 @@ SevSnpCreateAP (
if (CpuMpData->InitFlag == ApInitConfig) {
ApicId = GhcbApicIds->ApicIds[Index];
+ //
+ // Set the ApicId values so that the proper AP data structure
+ // can be found during boot.
+ //
+ CpuInfoInHob[Index].InitialApicId = ApicId;
+ CpuInfoInHob[Index].ApicId = ApicId;
+
//
// For the first boot, use the BSP register information.
//
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
index 2efa3cb104..66d63a2b90 100644
--- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
+++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
@@ -15,6 +15,57 @@
%define SIZE_4KB 0x1000
+;
+; This function will ensure that CpuNumber and ApicId are in sync when using
+; the ApicIds retrieved via the GHCB APIC ID List NAE event to start the APs
+; when the InitFlag is ApInitConfig. If this is not done, the CpuNumber to
+; ApicId relationship may not hold, which would result in the ApicId to VSMA
+; relationship getting out of sync after the first AP boot.
+;
+SevSnpGetInitCpuNumber:
+ ;
+ ; If not an SNP guest, leave EBX (CpuNumber) as is
+ ;
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)]
+ cmp byte [edi], 1 ; SevSnpIsEnabled
+ jne SevSnpGetCpuNumberDone
+
+ ;
+ ; If not starting the AP with a specific ApicId, leave EBX (CpuNumber) as is
+ ;
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpKnownInitApicId)]
+ cmp byte [edi], 1 ; SevSnpKnownInitApicId
+ jne SevSnpGetCpuNumberDone
+
+ ;
+ ; Use existing code to retrieve the ApicId. SevEsGetApicId will return to
+ ; the SevSnpGetInitApicId label if SevSnpKnownInitApicId is set.
+ ;
+ jmp SevEsGetApicId
+
+SevSnpGetInitApicId:
+ ;
+ ; EDX holds the ApicId, get processor number for this AP
+ ;
+ xor ebx, ebx
+ lea eax, [esi + MP_CPU_EXCHANGE_INFO_FIELD (CpuInfo)]
+ mov rdi, [eax]
+
+SevSnpGetNextProcNumber:
+ cmp dword [rdi + CPU_INFO_IN_HOB.InitialApicId], edx ; APIC ID match?
+ jz SevSnpGetCpuNumberDone
+ add rdi, CPU_INFO_IN_HOB_size
+ inc ebx
+ jmp SevSnpGetNextProcNumber
+
+SevSnpGetCpuNumberDone:
+ ;
+ ; If SevSnpKnownInitApicId is set, EBX now holds the CpuNumber for this
+ ; ApicId, which matches how it was started in SevSnpCreateAP(). Otherwise,
+ ; EBX is unchanged and holds the CpuNumber based on the startup order.
+ ;
+ OneTimeCallRet SevSnpGetInitCpuNumber
+
RegisterGhcbGpa:
;
; Register GHCB GPA when SEV-SNP is enabled
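Review bot: the search loop at SevSnpGetNextProcNumber has no upper bound: if no CPU_INFO_IN_HOB entry has an InitialApicId equal to EDX, it keeps advancing RDI past the end of the array until it happens to hit a matching dword or faults. SevSnpCreateAP() writes InitialApicId for every index in the ApInitConfig path, so a miss should be impossible, but bounding the loop by the processor count (or asserting on a miss in debug builds) would make a HOB / exchange-info mismatch fail loudly instead of silently corrupting EBX. Also "ApicId to VSMA relationship" in the block comment should read "VMSA".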
@@ -193,7 +244,14 @@ RestoreGhcb:
mov rdx, rbx
- ; x2APIC ID or APIC ID is in EDX
+ ;
+ ; x2APIC ID or APIC ID is in EDX. If SevSnpKnownInitApicId is set, then
+ ; return to SevSnpGetInitApicId, otherwise return to GetProcessorNumber.
+ ;
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpKnownInitApicId)]
+ cmp byte [edi], 1 ; SevSnpKnownInitApicId
+ je SevSnpGetInitApicId
+
jmp GetProcessorNumber
SevEsGetApicIdExit:
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
index 40e80ffab4..95ee65e288 100644
--- a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
+++ b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
@@ -173,6 +173,10 @@ LongModeStart:
lock xadd dword [edi], ebx ; EBX = ApIndex++
inc ebx ; EBX is CpuNumber
+ ; If running under AMD SEV-SNP and starting with a known ApicId,
+ ; adjust EBX to be the actual CpuNumber
+ OneTimeCall SevSnpGetInitCpuNumber
+
; program stack
mov edi, esi
add edi, MP_CPU_EXCHANGE_INFO_FIELD (StackSize)
--
2.43.0


@@ -1,212 +1,207 @@
From d4fc3987941016cba0a2cd1d4037b87bc5937f5e Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Thu, 29 May 2025 12:12:23 +0800
Subject: [PATCH] Add DebugPkg
From 263791566fbe25755aebde54c98d5aea061414f3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 24 Jun 2014 11:57:32 +0800
Subject: [PATCH 1/3] Add DebugPkg
---
DebugPkg/DebugPkg.dec | 34 ++++
DebugPkg/GdbSyms/GdbSyms.c | 78 ++++++++
DebugPkg/GdbSyms/GdbSyms.c | 70 +++++++
DebugPkg/GdbSyms/GdbSyms.inf | 57 ++++++
DebugPkg/Scripts/gdb_uefi.py | 350 +++++++++++++++++++++++++++++++++++
OvmfPkg/OvmfPkgX64.dsc | 3 +
5 files changed, 522 insertions(+)
DebugPkg/Scripts/gdb_uefi.py | 348 +++++++++++++++++++++++++++++++++++
4 files changed, 509 insertions(+)
create mode 100644 DebugPkg/DebugPkg.dec
create mode 100644 DebugPkg/GdbSyms/GdbSyms.c
create mode 100644 DebugPkg/GdbSyms/GdbSyms.inf
create mode 100644 DebugPkg/Scripts/gdb_uefi.py
diff --git a/DebugPkg/DebugPkg.dec b/DebugPkg/DebugPkg.dec
new file mode 100644
index 0000000000..b39a660e45
Index: edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
===================================================================
--- /dev/null
+++ b/DebugPkg/DebugPkg.dec
+++ edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
@@ -0,0 +1,34 @@
+## @file
+# Debug package - various useful stuff for debugging.
+#
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ DEC_VERSION = 0x00010005
+ PACKAGE_NAME = DebugPkg
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
+ PACKAGE_VERSION = 0.1
+
+[Includes]
+ Include
+
+[Guids]
+
+[Protocols]
+
+[PcdsFixedAtBuild]
+
+[PcdsDynamic]
+
+[LibraryClasses]
+
diff --git a/DebugPkg/GdbSyms/GdbSyms.c b/DebugPkg/GdbSyms/GdbSyms.c
new file mode 100644
index 0000000000..9780cff802
+## @file
+# Debug package - various useful stuff for debugging.
+#
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ DEC_VERSION = 0x00010005
+ PACKAGE_NAME = DebugPkg
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
+ PACKAGE_VERSION = 0.1
+
+[Includes]
+ Include
+
+[Guids]
+
+[Protocols]
+
+[PcdsFixedAtBuild]
+
+[PcdsDynamic]
+
+[LibraryClasses]
+
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
===================================================================
--- /dev/null
+++ b/DebugPkg/GdbSyms/GdbSyms.c
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
@@ -0,0 +1,78 @@
+/** @file
+
+ Bare-minimum GDB symbols needed for reloading symbols.
+
+ This is not a "driver" and should not be placed in a FD.
+
+ Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "PiDxe.h"
+
+#include <Library/UefiLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/BaseLib.h>
+#include <Library/UefiRuntimeLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PcdLib.h>
+#include <Guid/DebugImageInfoTable.h>
+
+/**
+ Main entry point.
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS Successfully initialized.
+
+**/
+EFI_STATUS
+EFIAPI
+Initialize (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_SYSTEM_TABLE_POINTER ESTP;
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
+ EFI_IMAGE_DOS_HEADER EIDH;
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
+ UINTN Dummy =
+ (UINTN) &ESTP |
+ (UINTN) &EDIITH |
+ (UINTN) &EIDH |
+ (UINTN) &EIOHU |
+ (UINTN) &EIDDE |
+ (UINTN) &EIDCNE |
+ (UINTN) &EIDCRE |
+ (UINTN) &EIDCME |
+ 1
+ ;
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &ESTP));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EDIITH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIOHU));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDDE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCNE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCRE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCME));
+ return !!Dummy & EFI_SUCCESS;
+}
+
+
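Review bot: the eight DEBUG calls pair the `%llx` format with pointer arguments (`&ESTP`, `&EDIITH`, ...); edk2 PrintLib consumes `%llx` as a 64-bit integer, so on an IA32 build (which the INF's VALID_ARCHITECTURES comment lists) the vararg width does not match the 32-bit pointer and the printed values are garbage; `%p` is the portable choice. The closing `return !!Dummy & EFI_SUCCESS;` always yields EFI_SUCCESS (EFI_SUCCESS is 0, and the `| 1` in the initializer pins `!!Dummy` to 1); its only purpose is to keep the local structs referenced so their types survive into the debug info, which the code should say in a comment, and `(VOID)Dummy; return EFI_SUCCESS;` states the same intent without the obscure expression. `ImageHandle` and `SystemTable` are unused, which is acceptable for a symbol-only module, but a one-line comment at the top of `Initialize` repeating the header's "not a driver, never placed in an FD" would stop a later reader from adding real initialization here.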
diff --git a/DebugPkg/GdbSyms/GdbSyms.inf b/DebugPkg/GdbSyms/GdbSyms.inf
new file mode 100644
index 0000000000..0a18a33c73
+/** @file
+
+ Bare-minimum GDB symbols needed for reloading symbols.
+
+ This is not a "driver" and should not be placed in a FD.
+
+ Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "PiDxe.h"
+
+#include <Library/UefiLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/BaseLib.h>
+#include <Library/UefiRuntimeLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PcdLib.h>
+#include <Guid/DebugImageInfoTable.h>
+
+/**
+ Main entry point.
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS Successfully initialized.
+
+**/
+EFI_STATUS
+EFIAPI
+Initialize (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_SYSTEM_TABLE_POINTER ESTP;
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
+ EFI_IMAGE_DOS_HEADER EIDH;
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
+ UINTN Dummy =
+ (UINTN) &ESTP |
+ (UINTN) &EDIITH |
+ (UINTN) &EIDH |
+ (UINTN) &EIOHU |
+ (UINTN) &EIDDE |
+ (UINTN) &EIDCNE |
+ (UINTN) &EIDCRE |
+ (UINTN) &EIDCME |
+ 1
+ ;
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &ESTP));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EDIITH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIOHU));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDDE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCNE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCRE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCME));
+ return !!Dummy & EFI_SUCCESS;
+}
+
+
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
===================================================================
--- /dev/null
+++ b/DebugPkg/GdbSyms/GdbSyms.inf
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
@@ -0,0 +1,57 @@
+## @file
+#
+# Bare-minimum GDB symbols needed for reloading symbols.
+#
+# This is not a "driver" and should not be placed in a FD.
+#
+# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = GdbSyms
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = Initialize
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
+#
+
+[Sources]
+ GdbSyms.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ DxeServicesTableLib
+ HobLib
+ MemoryAllocationLib
+ PcdLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+ UefiLib
+
+[Guids]
+
+[Protocols]
+
+[Depex]
+ TRUE
+
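Review bot: the [LibraryClasses] list does not match what GdbSyms.c includes: the source pulls in UefiRuntimeLib.h and DevicePathLib.h, which are not listed here, while DxeServicesTableLib and HobLib are listed but never included. Since the module only calls DEBUG, trim the includes in the .c to DebugLib plus whatever headers supply the PE/COFF and debug-table types, and trim [LibraryClasses] to DebugLib and UefiDriverEntryPoint; fewer library dependencies also means fewer surprises if the .inf is ever picked up by an FDF. With MODULE_TYPE = DXE_DRIVER and `[Depex] TRUE`, the dispatcher would load this module unconditionally if it did land in a firmware volume, contrary to the header comment, so the patch should keep it confined to the DSC [Components] list and never add it to an FDF.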
diff --git a/DebugPkg/Scripts/gdb_uefi.py b/DebugPkg/Scripts/gdb_uefi.py
new file mode 100644
index 0000000000..3db87a4de4
+## @file
+#
+# Bare-minimum GDB symbols needed for reloading symbols.
+#
+# This is not a "driver" and should not be placed in a FD.
+#
+# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = GdbSyms
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = Initialize
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
+#
+
+[Sources]
+ GdbSyms.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ DxeServicesTableLib
+ HobLib
+ MemoryAllocationLib
+ PcdLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+ UefiLib
+
+[Guids]
+
+[Protocols]
+
+[Depex]
+ TRUE
+
Index: edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
===================================================================
--- /dev/null
+++ b/DebugPkg/Scripts/gdb_uefi.py
+++ edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
@@ -0,0 +1,350 @@
+"""
+Allows loading TianoCore symbols into a GDB session attached to EFI
@@ -558,20 +553,13 @@ index 0000000000..3db87a4de4
+ReloadUefi ()
+
+
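Review bot: only the docstring head and the trailing `ReloadUefi ()` call of gdb_uefi.py are visible in this hunk, so the script itself cannot be reviewed here; what is visible is that the spec also carries `Source101: gdb_uefi.py.in`, so the copy embedded in this patch and the templated copy in Source101 are two sources of truth for the same GDB helper and will drift. Keep one of them, or have the spec generate the installed script from the patched file.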
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 60fccc19d2..a2784bbd40 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -1063,6 +1063,9 @@
Index: edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfPkgX64.dsc
+++ edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
@@ -1123,3 +1123,5 @@
# TPM support
#
!include OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
+ DebugPkg/GdbSyms/GdbSyms.inf
+
+
#
# Smbios Measurement support
#
--
2.43.0
+ DebugPkg/GdbSyms/GdbSyms.inf
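Review bot: GdbSyms.inf is inserted directly under the `# TPM support` block of [Components], right after the OvmfTpmComponentsDxe.dsc.inc include, where a reader will take it for part of TPM support; give it its own `#`-delimited block (for example `# GDB symbol helper, built for debug info only, not listed in any FDF`) and drop the two trailing empty `+` lines, which only add stray whitespace. The two hunk headers (`@@ -1063,6 +1063,9 @@` in the git-format version and `@@ -1123,3 +1123,5 @@` in the quilt version) show the insertion offset moves with every edk2 stable tag, so refresh the patch after each tarball bump rather than relying on fuzz.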

ovmf.spec

@@ -1,7 +1,7 @@
#
# spec file for package ovmf
#
# Copyright (c) 2026 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%undefine _build_create_debug
%global openssl_version 3.5.1
%global openssl_version 3.4.1
%global softfloat_version b64af41c3276f
%if 0%{?suse_version} < 1599
%bcond_with build_riscv64
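Review bot: openssl_version moves from 3.5.1 to 3.4.1 and nothing in the %changelog hunk at the end of this diff explains why (the sync to the SLFO-1.2 branch). CryptoPkg is built from this tarball, so the value decides which OpenSSL fixes the firmware's Secure Boot signature verification and TLS code carry; record the reason in %changelog and confirm the openssl Source tarball and its signature referenced through this macro are changed in the same commit, so the spec never points at a tarball that is not in the repository.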
@@ -27,7 +27,7 @@
%endif
Name: ovmf
Version: 202511
Version: 202502
Release: 0
Summary: Open Virtual Machine Firmware
License: BSD-2-Clause-Patent
@@ -50,7 +50,7 @@ Source9: public-mipi-sys-t-1.1-edk2.tar.gz
# mbedtls: https://github.com/Mbed-TLS/mbedtls
Source10: mbedtls-3.3.0.tar.gz
# brotli: https://github.com/google/brotli
Source11: brotli-e230f474b87134e8c6c85b630084c612057f253e.tar.gz
Source11: brotli-f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz
# libspdm: https://github.com/DMTF/libspdm.git
Source12: libspdm-50924a4c8145fc721e17208f55814d2b38766fe6.tar.gz
# pylibfdt: https://github.com/devicetree-org/pylibfdt
@@ -60,10 +60,9 @@ Source101: gdb_uefi.py.in
Patch1: %{name}-gdb-symbols.patch
Patch2: %{name}-pie.patch
Patch3: %{name}-disable-ia32-firmware-piepic.patch
Patch4: %{name}-OvmfPkg-Adjust-Memory-Layout-for-2MB-OVMF.patch
# Bug 1245454 - iSCSI boot support is disabled in OVMF images
Patch4: %{name}-OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag.patch
Patch6: %{name}-ignore-spurious-GCC-12-warning.patch
# Bug 1255113 - Build Failure for RISC-V 64 When Secure Boot is Enabled Due to SecureBootDefaultKeysInit module
Patch7: %{name}-Revert-OvmfPkg-RiscVVirt-Add-SecureBootDefaultKeysIn.patch
# Bug 1207095 - ASSERT [ArmCpuDxe] /home/abuild/rpmbuild/BUILD/edk2-edk2-stable202211/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(333): ((BOOLEAN)(0==1))
Patch8: %{name}-Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
# Bug 1205613 - L3: win 2k22 UEFI xen VMs cannot boot in xen after upgrade
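Review bot: the Patch4 slot is occupied by two unrelated patches across the two sides of this hunk (OvmfPkg-Adjust-Memory-Layout-for-2MB-OVMF versus OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag) and Patch5 stays unassigned; reusing a number for a different patch makes `git log -p` on the spec and cross-branch backports harder to read, so prefer a fresh number. Enabling iSCSI boot by default (Bug 1245454) adds the iSCSI initiator to the pre-OS network stack of the x64 OVMF images, so the comment should state which flavors the flag reaches and %changelog should call out the changed default, so deployments that deliberately restrict firmware network boot know to review it.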
@@ -75,10 +74,27 @@ Patch10: %{name}-Revert-Add-Stack-Cookie-Support-to-MSVC-and-GCC.patch
Patch11: %{name}-BaseTools-Using-gcc12-for-building-image.patch
%endif
%endif
Patch12: %{name}-Increase-FVMAIN-Size-for-Compatibility-with-2MB-Size.patch
# Bug 1240420 - UEFI boot breaks: X64 Exception Type - 0E(#PF - Page-Fault) CPU Apic ID - 00000000
Patch13: %{name}-UefiCpuPkg-Disable-EFI-memory-attributes-protocol.patch
# Add vTPM support for SVSM in OVMF (jsc#PED-12743, jsc#PED-12767)
Patch14: %{name}-Maintainers.txt-Add-reviewer-for-SVSM-vTPM-related-m.patch
Patch15: %{name}-UefiCpuPkg-AmdSvsmLib-Stub-the-SVSM-vTPM-protocol-fo.patch
Patch16: %{name}-OvmfPkg-AmdSvsmLib-Add-the-SVSM-vTPM-protocol.patch
Patch17: %{name}-OvmfPkg-Use-Tpm2Device-lib-with-SVSM-vTPM-support.patch
Patch18: %{name}-OvmfPkg-AmdSvmLib-Use-named-protocol-and-call-consta.patch
Patch19: %{name}-MdePkg-AmdSev-Add-SVSM-protocol-call-numbers.patch
Patch20: %{name}-MdePkg-AmdSev-Add-SVSM-protocol-vTPM-call-numbers.patch
Patch21: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Add-header-file-for-Tp.patch
Patch22: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Add-TPM2-lib-supportin.patch
Patch23: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Improve-spelling-gramm.patch
Patch24: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Check-SNP-enabled-prio.patch
# Bug 1243199 - SVSM: [OVMF] Fix MSR register filtering for CAA MSR
Patch25: %{name}-OvmfPkg-CcExitLib-Use-the-proper-register-when-filte.patch
# Bug 1244218 - ovmf: non-deterministic .bin files (about unreproducible)
Patch14: %{name}-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch
Patch26: %{name}-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch
# Impl: SEV-SNP: [OVMF] AP Creation using APIC ID list results in VMRUN exit with #VMEXIT_INVALID (jsc#PED-13202)
Patch27: %{name}-UefiCpuPkg-MpInitLib-Fix-SNP-AP-creation.patch
BuildRequires: bc
BuildRequires: cross-arm-binutils
BuildRequires: cross-arm-gcc%{gcc_version}
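Review bot: this side of the hunk carries the SVSM vTPM series (Patch14 to Patch25, jsc#PED-12743, jsc#PED-12767) and the SEV-SNP AP-creation fix (Patch27), drops Patch12 (Increase-FVMAIN-Size) and Patch13 (UefiCpuPkg-Disable-EFI-memory-attributes-protocol, Bug 1240420), and renumbers Keep-JSON-stack-cookie-files from Patch14 to Patch26, yet the %changelog hunk at the bottom of this diff shows no entry for any of it. Patch24 (Tpm2DeviceLibDTpm-Check-SNP-enabled-prio) and Patch25 (CcExitLib-Use-the-proper-register-when-filte, Bug 1243199) decide whether the guest talks to the SVSM vTPM at all and which MSR accesses are filtered under SEV-SNP; a mistake there surfaces in the measured-boot and attestation path, so those two deserve their own changelog lines with the bug references rather than being folded into the umbrella jsc#PED entries.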
@@ -138,6 +154,19 @@ firmware for Virtual Machines using the edk2 code base.
This package contains the tools from edk2.
%package -n qemu-ovmf-ia32
Summary: Open Virtual Machine Firmware - QEMU rom images (IA32)
Group: System/Emulators/PC
Requires: qemu
BuildArch: noarch
%description -n qemu-ovmf-ia32
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains UEFI rom images for exercising UEFI secure
boot in a qemu environment (IA32)
%package -n qemu-ovmf-x86_64
Summary: Open Virtual Machine Firmware - QEMU rom images (x86_64)
Group: System/Emulators/PC
@@ -173,6 +202,15 @@ BuildArch: noarch
This package contains the UEFI rom image (AArch64) for QEMU cortex-a57
virt board.
%package -n qemu-uefi-aarch32
Summary: UEFI QEMU rom image (AArch32)
Group: System/Emulators/PC
BuildArch: noarch
%description -n qemu-uefi-aarch32
This package contains the UEFI rom image (AArch32) for QEMU cortex-a15
virt board.
%if %{with build_riscv64}
%package -n qemu-uefi-riscv64
Summary: UEFI QEMU rom image (RISC-V 64)
@@ -256,6 +294,19 @@ echo `gcc -dumpversion`
TOOL_CHAIN=GCC$(gcc -dumpversion|sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/')
%endif
# Flavors for x86
FLAVORS_X86=("ovmf-ia32")
BUILD_OPTIONS_X86=" \
$OVMF_FLAGS \
-D FD_SIZE_2MB \
-D SECURE_BOOT_ENABLE \
-D BUILD_SHELL=FALSE \
-a IA32 \
-p OvmfPkg/OvmfPkgIa32.dsc \
-b DEBUG \
-t $TOOL_CHAIN \
"
# Flavors for x86_64: 2MB, 4MB, 4MB+SMM and AMD SEV
FLAVORS_X64=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm" "ovmf-x86_64-sev" "ovmf-x86_64-tdx")
# Flavors will NOT enroll default kek/db keys
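Review bot: the ia32 flavor passes `-D SECURE_BOOT_ENABLE` without `-D SMM_REQUIRE`, and unlike the x86_64 list (which has a 4MB+SMM flavor) there is no ovmf-ia32-smm variant, so Secure Boot on this image relies on a variable store that is not SMM-protected: code running in the guest with access to the pflash-backed store can rewrite PK/KEK/db. That is fine for the "exercising UEFI secure boot" purpose the qemu-ovmf-ia32 description gives, but the description or a comment here should say the image is a test image and not a hardened one, so it does not get picked for production guests.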
@@ -283,6 +334,14 @@ BUILD_OPTIONS_AA64=" \
-t $TOOL_CHAIN \
"
# Flavors for arm
FLAVORS_AA32=("aavmf-aarch32")
BUILD_OPTIONS_AA32=" \
-a ARM \
-p ArmVirtPkg/ArmVirtQemu.dsc \
-b DEBUG \
-t $TOOL_CHAIN \
"
%if %{with build_riscv64}
# Flavors for riscv
FLAVORS_RV64=("riscv")
@@ -315,6 +374,20 @@ export CXX=g++-12
# Import the build functions
source ./edksetup.sh
### Build x86 UEFI Images ###
%ifnarch %{ix86} x86_64
# Assign the cross-compiler prefix
export ${TOOL_CHAIN}_BIN="x86_64-suse-linux-"
%endif
build $BUILD_OPTIONS_X86
cp Build/OvmfIa32/DEBUG_*/FV/OVMF.fd ovmf-ia32.bin
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_CODE.fd ovmf-ia32-code.bin
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_VARS.fd ovmf-ia32-vars.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/OvmfIa32/
### Build x86_64 UEFI Images ###
%ifarch x86_64
collect_x86_64_debug_files()
@@ -353,7 +426,7 @@ OUTDIR_X64=(
[ovmf-x86_64-4m]="OvmfX64"
[ovmf-x86_64-smm]="Ovmf3264"
[ovmf-x86_64-sev]="OvmfX64"
[ovmf-x86_64-tdx]="IntelTdx"
[ovmf-x86_64-tdx]="OvmfX64"
)
%ifnarch x86_64
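Review bot: with the tdx flavor remapped from IntelTdx to OvmfX64, three flavors (ovmf-x86_64-4m, ovmf-x86_64-sev, ovmf-x86_64-tdx) now share one Build/OvmfX64 output directory. If the x86_64 loop copies `Build/<dir>/DEBUG_*/FV/*.fd` by glob the way the ia32 and aarch64 sections do, a flavor whose build fails part-way can silently ship the previous flavor's OVMF.fd under the TDX name; remove or rename Build/OvmfX64 between flavors (the ia32 section already does `rm -rf Build/OvmfIa32/` after its single build) and fail hard if the expected .fd files are missing.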
@@ -413,17 +486,34 @@ export ${TOOL_CHAIN}_AARCH64_PREFIX="aarch64-suse-linux-"
# Build the UEFI image without keys
build $BUILD_OPTIONS_AA64
cp Build/ArmVirtQemu-AArch64/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin
cp Build/ArmVirtQemu-AArch64/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch64-code.bin
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch64-code.bin
truncate -s 64M aavmf-aarch64-code.bin
cp Build/ArmVirtQemu-AArch64/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch64-vars.bin
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch64-vars.bin
truncate -s 64M aavmf-aarch64-vars.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/ArmVirtQemu-AArch64/
rm -rf Build/ArmVirtQemu-AARCH64/
# Build with keys done later (shared between archs)
### Build AARCH32 UEFI Images ###
%ifnarch armv7hl
# Assign the cross-compiler prefix
export ${TOOL_CHAIN}_ARM_PREFIX="arm-suse-linux-gnueabi-"
%endif
# Build the UEFI image
build $BUILD_OPTIONS_AA32
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch32.bin
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch32-code.bin
truncate -s 64M aavmf-aarch32-code.bin
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch32-vars.bin
truncate -s 64M aavmf-aarch32-vars.bin
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
rm -rf Build/ArmVirtQemu-ARM/
### Build RISCV64 UEFI Images ###
%if %{with build_riscv64}
%ifnarch riscv64
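Review bot: the aarch64 output directory is spelled both `ArmVirtQemu-AArch64` and `ArmVirtQemu-AARCH64` across the cp and `rm -rf` lines of this hunk; the spelling has to match the OUTPUT_DIRECTORY of the ArmVirtQemu.dsc in the edk2 tarball this branch ships, otherwise on a case-sensitive build root the cp fails and the cleanup removes nothing. Set the directory name once in a variable next to the OUTDIR_X64 map so a future rename is a one-line change. The new AARCH32 block otherwise mirrors the aarch64 one correctly: cross prefix guarded by `%ifnarch armv7hl`, code and vars images padded to 64M with truncate for pflash, and the build tree removed afterwards.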
@@ -512,6 +602,7 @@ generate_sb_var_templates()
done
done
fi
}
# Generate the variable stores with default Secure Boot keys
@@ -571,6 +662,13 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
%doc BaseTools/UserManuals/EfiRom_Utility_Man_Page.rtf
%{_bindir}/EfiRom
%files -n qemu-ovmf-ia32
%license License.txt License-ovmf.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/ovmf-ia32*.bin
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-ia32*.json
%files -n qemu-ovmf-x86_64
%license License.txt License-ovmf.txt
%dir %{_datadir}/qemu/
@@ -596,6 +694,15 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-aarch64*.json
%files -n qemu-uefi-aarch32
%license License.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/qemu-uefi-aarch32.bin
%{_datadir}/qemu/aavmf-aarch32-code.bin
%{_datadir}/qemu/aavmf-aarch32-vars.bin
%dir %{_datadir}/qemu/firmware
%{_datadir}/qemu/firmware/*-aarch32*.json
%if %{with build_riscv64}
%files -n qemu-uefi-riscv64
%license License.txt
@@ -606,4 +713,4 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
%{_datadir}/qemu/firmware/*-riscv64*.json
%endif
%changelog
%changelog