Compare commits
12 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 44e015517f | |||
| c043fa0fa2 | |||
| a889a0c096 | |||
| 90bba03aa7 | |||
| 296111820d | |||
| d9ff8fd6f6 | |||
| 2ecb60e0b5 | |||
| 1d1d8d37a7 | |||
| 4ebd8421da | |||
| c3fda1f3e7 | |||
| 0c44ce0ddc | |||
| ef8b3e1c2a |
3
brotli-e230f474b87134e8c6c85b630084c612057f253e.tar.gz
Normal file
3
brotli-e230f474b87134e8c6c85b630084c612057f253e.tar.gz
Normal file
@@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a9ba3940267de5dd73581a47c2e81b3eb1e1df6a704138c599020d66f3677a92
|
||||
size 646535
|
||||
Binary file not shown.
BIN
descriptors.tar.xz
LFS
BIN
descriptors.tar.xz
LFS
Binary file not shown.
BIN
edk2-edk2-stable202502.tar.gz
LFS
BIN
edk2-edk2-stable202502.tar.gz
LFS
Binary file not shown.
3
edk2-edk2-stable202511.tar.gz
Normal file
3
edk2-edk2-stable202511.tar.gz
Normal file
@@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d919b0344afbd9ea16d757f99919860e26acc1e9246fff743e684128c2f04dd3
|
||||
size 18471528
|
||||
BIN
openssl-3.4.1.tar.gz
LFS
BIN
openssl-3.4.1.tar.gz
LFS
Binary file not shown.
@@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmerYOAACgkQIWCU39DL
|
||||
ge82Hw//TYSXl9ER8uSIRtlPTQ935P8n+1C9IIZOf6cWZgKR0AhLYRhGrrykv8zi
|
||||
aKNOclYfkCpMGpEAsRJIX/5FUVaXoOL7tCRTzqYOo/pjy1HOtpM+U7Rc2wBErg27
|
||||
3NN/YhuZ5d2oJ5fY7BEQmwAY5yNLh4Doi5ED+jsD5rCl8XqImfxJ7GnSioHKV8K9
|
||||
03TapTeJTR4aroLdKjWClgXY1cmRQhIMhhz+L8qPaVODbYKtx255zQVdLSdS8VPb
|
||||
XGf0aWktl9a/7btdixDUcbAd4UACzQXVESN8/fF5h+cpS2KMC9nXdV44ToK1xEhw
|
||||
skm/F6YSAdTrmG4t+Ywemnftq/WJlnEenoK858U8Bnu19cG/JTtV3ZBGZLTwsmHj
|
||||
RJ3DD2GAFjCHK1ImLdLOqVk4PNA9zIrr35sRL9h5Dav2BMUX/3kBuWE1vlGBo24X
|
||||
8O3pG5ShLXKYKmSKvBJejOS+HGt2IlyzW6WQBfULZQYyfalpM0+1cOeu2xSu61kz
|
||||
AC4ZzqKS7IWR19UeHhcmAfCdTDlO0hc6VvGM8xjPM5VL9m1oMUy/6JMiBbhm+nys
|
||||
zyOgQ+HCMwUox7lDuzzq5J0/OJtolTPr9KmmoCAAHsKXIiF/Ukcsg7UzEYmsgRoK
|
||||
dyumT1SEaVqRCLZIqSQ2TPe+iy/Dkz63JZBlbk4bvhR4ZpnrDSc=
|
||||
=FrNQ
|
||||
-----END PGP SIGNATURE-----
|
||||
BIN
openssl-3.5.1.tar.gz
LFS
Normal file
BIN
openssl-3.5.1.tar.gz
LFS
Normal file
Binary file not shown.
16
openssl-3.5.1.tar.gz.asc
Normal file
16
openssl-3.5.1.tar.gz.asc
Normal file
@@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmhjzLwACgkQIWCU39DL
|
||||
ge9rsA/5AXAEDd+2yayepyZHDamxMh9cMI8DcFnXG1NoxBgCh1P7DmdzGVRTbf8L
|
||||
V7dF063z86ebR/eIbT6QzYD+zfBd1pVMVlMe6S2/ZI+dDtJizaDdmExHsJeAJ/p/
|
||||
OeJ+ksM44eQcr0N2IUmUScr95/fZR3ED2HpAs224wMcbufe6PJUrbmyBbnPqw/Nf
|
||||
SHekc5xWAgoNT3tKKZxkjABmP8uSNtWsdn8QQuZyc7sB9Z/j5UuA/Oay7eVpQ5D8
|
||||
EiTQ1P+3u78wV/0Nqb3iDhgqShr7h7b9APgMUxQsNbvKVtoZI/7miskDz/dyNoqv
|
||||
FF9+oAhoRyC8XSQF1Td7HLLvsqqF31+iQdou5gmnrsoB6QLWEOBvfI+zOI7BckLj
|
||||
dZsa/oW6Rz1m12l5jqzorYrVYtbNfUJ7tunYMZOBnffK/VomE8XqmZuUVP+bQdZh
|
||||
zE+tLMBrIHb+h8MP3JnYsRzaYr1sN7lbLx5/7Gh1o1jpvzy57D628vbSWnbLoJuu
|
||||
l2ZjDNMAcKvcKba283lrV+Vm5aL4m/x4flsjeNiufTX50Ckzyd6U1L5Xq2wyHLuh
|
||||
kHIeO2UW9WeNud8UY5mYOBBbwHyh/9yWXphgEtxS2aSvKEIUkQ1V89e5U0Fu3pjU
|
||||
anJLQLYDc66CXfj82PK0Wq765bxIDnsRMggwgGh84U5eCvZWmMk=
|
||||
=nHMj
|
||||
-----END PGP SIGNATURE-----
|
||||
@@ -1,39 +0,0 @@
|
||||
From 95dec3e148d6ac27fc19e5a5c2396a3c3cf01633 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Mon, 17 Mar 2025 12:07:48 +0800
|
||||
Subject: [PATCH] Increase FVMAIN Size for Compatibility with 2MB Size Limit
|
||||
|
||||
In edk2-stable202502, the increase in code space caused an increase in
|
||||
size, leading to build failures for OVMF under the 2MB size limit due
|
||||
to insufficient space, because FVMAIN_COMPACT had insufficient space.
|
||||
|
||||
This patch adjusts the memory layout by reducing SEVFV size by 0x10000,
|
||||
as its usage is below 50%, and reallocates the freed 0x10000 space to
|
||||
FVMAIN_COMPACT. This ensures sufficient space to accommodate all code
|
||||
within the FD_SIZE_2MB.
|
||||
|
||||
Signed-off-by: Richard Lyu <richard.lyu@suse.com>
|
||||
---
|
||||
OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
|
||||
index 6170c5993c..e2543a1535 100644
|
||||
--- a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
|
||||
+++ b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
|
||||
@@ -45,9 +45,9 @@ DEFINE FW_BLOCKS = 0x200
|
||||
DEFINE CODE_BASE_ADDRESS = 0xFFE20000
|
||||
DEFINE CODE_SIZE = 0x001E0000
|
||||
DEFINE CODE_BLOCKS = 0x1E0
|
||||
-DEFINE FVMAIN_SIZE = 0x001AC000
|
||||
-DEFINE SECFV_OFFSET = 0x001CC000
|
||||
-DEFINE SECFV_SIZE = 0x34000
|
||||
+DEFINE FVMAIN_SIZE = 0x001BC000
|
||||
+DEFINE SECFV_OFFSET = 0x001DC000
|
||||
+DEFINE SECFV_SIZE = 0x24000
|
||||
!endif
|
||||
|
||||
!if $(FD_SIZE_IN_KB) == 4096
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,32 +0,0 @@
|
||||
From 9bceb16000056f31119c79014788bc99d5cfdc3d Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Tue, 17 Dec 2024 09:07:00 +0100
|
||||
Subject: [PATCH] Maintainers.txt: Add reviewer for SVSM vTPM related modules
|
||||
|
||||
Add reviewers for the TPM2 code under SecurityPkg/
|
||||
related to SVSM vTPM.
|
||||
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
Maintainers.txt | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/Maintainers.txt b/Maintainers.txt
|
||||
index df7cfdeeaf..48c3afeae5 100644
|
||||
--- a/Maintainers.txt
|
||||
+++ b/Maintainers.txt
|
||||
@@ -599,6 +599,11 @@ SecurityPkg: Tcg related modules
|
||||
F: SecurityPkg/Tcg/
|
||||
R: Rahul Kumar <rahul1.kumar@intel.com> [rahul1-kumar]
|
||||
|
||||
+SecurityPkg: SVSM related modules
|
||||
+F: SecurityPkg/Library/Tpm2DeviceLibDTpm/*Svsm*
|
||||
+R: Oliver Steffen <osteffen@redhat.com> [osteffenrh]
|
||||
+R: Tom Lendacky <thomas.lendacky@amd.com> [tlendacky]
|
||||
+
|
||||
ShellPkg
|
||||
F: ShellPkg/
|
||||
W: https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,46 +0,0 @@
|
||||
From fa74200c92693add490b18615c2821ba72a2d58d Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Wed, 11 Dec 2024 11:07:48 +0100
|
||||
Subject: [PATCH] MdePkg/AmdSev: Add SVSM protocol call numbers
|
||||
|
||||
Add protocol and call numbers as defined in the "Secure VM Service
|
||||
Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00
|
||||
|
||||
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
|
||||
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
MdePkg/Include/Register/Amd/Svsm.h | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/MdePkg/Include/Register/Amd/Svsm.h b/MdePkg/Include/Register/Amd/Svsm.h
|
||||
index 9a989f8031..704a3c70d9 100644
|
||||
--- a/MdePkg/Include/Register/Amd/Svsm.h
|
||||
+++ b/MdePkg/Include/Register/Amd/Svsm.h
|
||||
@@ -98,4 +98,23 @@ typedef union {
|
||||
UINT64 Uint64;
|
||||
} SVSM_FUNCTION;
|
||||
|
||||
+/// SVSM Guest Protocols
|
||||
+/// @{
|
||||
+#define SVSM_PROTOCOL_CORE 0
|
||||
+#define SVSM_PROTOCOL_ATTESTATION 1
|
||||
+#define SVSM_PROTOCOL_VTPM 2
|
||||
+/// @}
|
||||
+
|
||||
+/// SVSM Core Protocol calls
|
||||
+/// @{
|
||||
+#define SVSM_CORE_REMAP_CA 0
|
||||
+#define SVSM_CORE_PVALIDATE 1
|
||||
+#define SVSM_CORE_CREATE_VCPU 2
|
||||
+#define SVSM_CORE_DELETE_VCPU 3
|
||||
+#define SVSM_CORE_DEPOSIT_MEM 4
|
||||
+#define SVSM_CORE_WITHDRAW_MEM 5
|
||||
+#define SVSM_CORE_QUERY_PROTOCOL 6
|
||||
+#define SVSM_CORE_CONFIGURE_VTOM 7
|
||||
+/// @}
|
||||
+
|
||||
#endif
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,31 +0,0 @@
|
||||
From 70f806ec23fb1c376afe33f2f054819a03e21641 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Wed, 11 Dec 2024 11:17:07 +0100
|
||||
Subject: [PATCH] MdePkg/AmdSev: Add SVSM protocol vTPM call numbers
|
||||
|
||||
Add call numbers for the SVSM vTPM protocol, as defined in the "Secure
|
||||
VM Service Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00
|
||||
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
MdePkg/Include/Register/Amd/Svsm.h | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/MdePkg/Include/Register/Amd/Svsm.h b/MdePkg/Include/Register/Amd/Svsm.h
|
||||
index 704a3c70d9..08716a40b5 100644
|
||||
--- a/MdePkg/Include/Register/Amd/Svsm.h
|
||||
+++ b/MdePkg/Include/Register/Amd/Svsm.h
|
||||
@@ -117,4 +117,10 @@ typedef union {
|
||||
#define SVSM_CORE_CONFIGURE_VTOM 7
|
||||
/// @}
|
||||
|
||||
+/// SVSM vTPM Protocol calls
|
||||
+/// @{
|
||||
+#define SVSM_VTPM_QUERY 0
|
||||
+#define SVSM_VTPM_CMD 1
|
||||
+/// @}
|
||||
+
|
||||
#endif
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,57 +0,0 @@
|
||||
From c526b923ff146045e55208fa13b05de3720eddc2 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Wed, 10 Sep 2025 21:56:11 +0800
|
||||
Subject: [PATCH] OvmfPkg: Add NETWORK_ISCSI_DEFAULT_ENABLE build flag
|
||||
|
||||
REF: https://github.com/tianocore/edk2/issues/11483
|
||||
|
||||
Introduce a new build flag NETWORK_ISCSI_DEFAULT_ENABLE to control
|
||||
whether iSCSI support is enabled by default without setting fwcfg. This
|
||||
allows developers to decide at build time if the IScsiDxe driver should be
|
||||
included and enabled by default.
|
||||
|
||||
If NETWORK_ISCSI_DEFAULT_ENABLE is set to FALSE, IScsiDxe will still be
|
||||
built when NETWORK_ISCSI_ENABLE is TRUE, but the default PCD value
|
||||
(gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue) will be
|
||||
set to "no". This ensures iSCSI remains disabled at runtime unless enabled
|
||||
explicitly by fwcfg.
|
||||
|
||||
This change provides more flexibility for both build-time and runtime
|
||||
configuration of iSCSI support.
|
||||
|
||||
Signed-off-by: Richard Lyu <richard.lyu@suse.com>
|
||||
---
|
||||
OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc | 4 +++-
|
||||
OvmfPkg/OvmfPkgX64.dsc | 1 +
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc b/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
|
||||
index 051fe950ce..288216373a 100644
|
||||
--- a/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
|
||||
+++ b/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
|
||||
@@ -48,7 +48,9 @@
|
||||
UefiDriverEntryPoint|OvmfPkg/Library/UefiDriverEntryPointFwCfgOverrideLib/UefiDriverEntryPointFwCfgOverrideLib.inf
|
||||
<PcdsFixedAtBuild>
|
||||
gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideFwCfgVarName|"opt/org.tianocore/ISCSISupport"
|
||||
- gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue|"no"
|
||||
+ !if $(NETWORK_ISCSI_DEFAULT_ENABLE) == FALSE
|
||||
+ gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue|"no"
|
||||
+ !endif
|
||||
}
|
||||
!endif
|
||||
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index f859db6acd..7d7bb5dbb0 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -51,6 +51,7 @@
|
||||
DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
|
||||
DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
|
||||
DEFINE NETWORK_ISCSI_ENABLE = TRUE
|
||||
+ DEFINE NETWORK_ISCSI_DEFAULT_ENABLE = FALSE
|
||||
DEFINE NETWORK_PXE_BOOT_ENABLE = TRUE
|
||||
|
||||
!include NetworkPkg/NetworkDefines.dsc.inc
|
||||
--
|
||||
2.46.1
|
||||
|
||||
36
ovmf-OvmfPkg-Adjust-Memory-Layout-for-2MB-OVMF.patch
Normal file
36
ovmf-OvmfPkg-Adjust-Memory-Layout-for-2MB-OVMF.patch
Normal file
@@ -0,0 +1,36 @@
|
||||
From e1b035647e201acb02195a9ffab210f8d3e96f89 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Wed, 3 Sep 2025 14:42:08 +0800
|
||||
Subject: [PATCH] OvmfPkg: Adjust Memory Layout for 2MB OVMF
|
||||
|
||||
This commit increases the space for FVMAIN_COMPACT to resolve
|
||||
build failures on 2MB OVMF firmware due to insufficient space. By
|
||||
reducing the size of SEVFV and reallocating the freed space to
|
||||
FVMAIN_COMPACT, this change ensures all necessary code can fit
|
||||
within the 2MB firmware size limit.
|
||||
|
||||
Signed-off-by: Richard Lyu richard.lyu@suse.com
|
||||
---
|
||||
OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
|
||||
index e2543a1535..94ba51421f 100644
|
||||
--- a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
|
||||
+++ b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
|
||||
@@ -45,9 +45,9 @@ DEFINE FW_BLOCKS = 0x200
|
||||
DEFINE CODE_BASE_ADDRESS = 0xFFE20000
|
||||
DEFINE CODE_SIZE = 0x001E0000
|
||||
DEFINE CODE_BLOCKS = 0x1E0
|
||||
-DEFINE FVMAIN_SIZE = 0x001BC000
|
||||
-DEFINE SECFV_OFFSET = 0x001DC000
|
||||
-DEFINE SECFV_SIZE = 0x24000
|
||||
+DEFINE FVMAIN_SIZE = 0x001CC000
|
||||
+DEFINE SECFV_OFFSET = 0x001EC000
|
||||
+DEFINE SECFV_SIZE = 0x14000
|
||||
!endif
|
||||
|
||||
!if $(FD_SIZE_IN_KB) == 4096
|
||||
--
|
||||
2.46.1
|
||||
|
||||
@@ -1,52 +0,0 @@
|
||||
From 458198aa49c39fa61ab735c0fb3cd22d1f6fdee7 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Wed, 11 Dec 2024 12:09:32 +0100
|
||||
Subject: [PATCH] OvmfPkg/AmdSvmLib: Use named protocol and call constants
|
||||
|
||||
Make use of the named protocol and call constants for SVSM
|
||||
communication.
|
||||
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
|
||||
index 6c79ee7d91..dfaccdc9e9 100644
|
||||
--- a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
|
||||
+++ b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
|
||||
@@ -213,8 +213,8 @@ SvsmPvalidate (
|
||||
Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
|
||||
ZeroMem (Caa->SvsmBuffer, sizeof (Caa->SvsmBuffer));
|
||||
|
||||
- Function.Id.Protocol = 0;
|
||||
- Function.Id.CallId = 1;
|
||||
+ Function.Id.Protocol = SVSM_PROTOCOL_CORE;
|
||||
+ Function.Id.CallId = SVSM_CORE_PVALIDATE;
|
||||
|
||||
Request = (SVSM_PVALIDATE_REQUEST *)Caa->SvsmBuffer;
|
||||
EntryLimit = ((sizeof (Caa->SvsmBuffer) - sizeof (*Request)) /
|
||||
@@ -407,17 +407,17 @@ SvsmVmsaRmpAdjust (
|
||||
|
||||
SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
|
||||
|
||||
- Function.Id.Protocol = 0;
|
||||
+ Function.Id.Protocol = SVSM_PROTOCOL_CORE;
|
||||
|
||||
if (SetVmsa) {
|
||||
- Function.Id.CallId = 2;
|
||||
+ Function.Id.CallId = SVSM_CORE_CREATE_VCPU;
|
||||
|
||||
SvsmCallData.RaxIn = Function.Uint64;
|
||||
SvsmCallData.RcxIn = (UINT64)(UINTN)Vmsa;
|
||||
SvsmCallData.RdxIn = (UINT64)(UINTN)Vmsa + SIZE_4KB;
|
||||
SvsmCallData.R8In = ApicId;
|
||||
} else {
|
||||
- Function.Id.CallId = 3;
|
||||
+ Function.Id.CallId = SVSM_CORE_DELETE_VCPU;
|
||||
|
||||
SvsmCallData.RaxIn = Function.Uint64;
|
||||
SvsmCallData.RcxIn = (UINT64)(UINTN)Vmsa;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,135 +0,0 @@
|
||||
From 40b4e190d37dca895f46d816eca154d07c761ae7 Mon Sep 17 00:00:00 2001
|
||||
From: Claudio Carvalho <cclaudio@linux.ibm.com>
|
||||
Date: Mon, 10 Jun 2024 22:29:57 +0300
|
||||
Subject: [PATCH] OvmfPkg/AmdSvsmLib: Add the SVSM vTPM protocol
|
||||
|
||||
As described in the SVSM specification, guest components can call to the
|
||||
SVSM vTPM through the vTPM protocol (protocol-id 2).
|
||||
|
||||
The SVSM vTPM protocol follows the Microsoft TPM Simulator interface
|
||||
(MSSIM) and supports two services:
|
||||
|
||||
- SVSM_VTPM_QUERY (call-id 0): query MSSIM commands and vTPM features
|
||||
supported.
|
||||
- SVSM_VTPM_CMD (call-id 1): send a MSSIM command to be run by the vTPM
|
||||
and get the result.
|
||||
|
||||
This patch adds support for SVSM_VTPM_QUERY and SVSM_VTPM_CMD to invoke
|
||||
a SVSM when the guest is running at VMPL0.
|
||||
|
||||
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c | 95 +++++++++++++++++++++++++
|
||||
1 file changed, 95 insertions(+)
|
||||
|
||||
diff --git a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
|
||||
index dfaccdc9e9..e286ac0bc0 100644
|
||||
--- a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
|
||||
+++ b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
|
||||
@@ -498,3 +498,98 @@ AmdSvsmSnpVmsaRmpAdjust (
|
||||
return AmdSvsmIsSvsmPresent () ? SvsmVmsaRmpAdjust (Vmsa, ApicId, SetVmsa)
|
||||
: BaseVmsaRmpAdjust (Vmsa, SetVmsa);
|
||||
}
|
||||
+
|
||||
+/**
|
||||
+ Perform a SVSM_VTPM_QUERY operation
|
||||
+
|
||||
+ Query the support provided by the SVSM vTPM.
|
||||
+
|
||||
+ @param[out] PlatformCommands It will contain a bitmap indicating the
|
||||
+ supported vTPM platform commands.
|
||||
+ @param[out] Features It will contain a bitmap indicating the
|
||||
+ supported vTPM features.
|
||||
+
|
||||
+ @retval TRUE The query was processed.
|
||||
+ @retval FALSE The query was not processed.
|
||||
+
|
||||
+**/
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+AmdSvsmVtpmQuery (
|
||||
+ OUT UINT64 *PlatformCommands,
|
||||
+ OUT UINT64 *Features
|
||||
+ )
|
||||
+{
|
||||
+ SVSM_CALL_DATA SvsmCallData;
|
||||
+ SVSM_FUNCTION Function;
|
||||
+ UINTN Ret;
|
||||
+
|
||||
+ if (!PlatformCommands && !Features) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ if (!AmdSvsmIsSvsmPresent ()) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ Function.Id.Protocol = SVSM_PROTOCOL_VTPM;
|
||||
+ Function.Id.CallId = SVSM_VTPM_QUERY;
|
||||
+
|
||||
+ SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
|
||||
+ SvsmCallData.RaxIn = Function.Uint64;
|
||||
+
|
||||
+ Ret = SvsmMsrProtocol (&SvsmCallData);
|
||||
+ if (Ret != 0) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ if (PlatformCommands) {
|
||||
+ *PlatformCommands = SvsmCallData.RcxOut;
|
||||
+ }
|
||||
+
|
||||
+ if (Features) {
|
||||
+ *Features = SvsmCallData.RdxOut;
|
||||
+ }
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ Perform a SVSM_VTPM_CMD operation
|
||||
+
|
||||
+ Send the specified vTPM platform command to the SVSM vTPM.
|
||||
+
|
||||
+ @param[in, out] Buffer It should contain the vTPM platform command
|
||||
+ request. The respective response will be returned
|
||||
+ in the same Buffer, but not all commands specify a
|
||||
+ response.
|
||||
+
|
||||
+ @retval TRUE The command was processed.
|
||||
+ @retval FALSE The command was not processed.
|
||||
+
|
||||
+**/
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+AmdSvsmVtpmCmd (
|
||||
+ IN OUT UINT8 *Buffer
|
||||
+ )
|
||||
+{
|
||||
+ SVSM_CALL_DATA SvsmCallData;
|
||||
+ SVSM_FUNCTION Function;
|
||||
+ UINTN Ret;
|
||||
+
|
||||
+ if (!AmdSvsmIsSvsmPresent ()) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ Function.Id.Protocol = SVSM_PROTOCOL_VTPM;
|
||||
+ Function.Id.CallId = SVSM_VTPM_CMD;
|
||||
+
|
||||
+ SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
|
||||
+ SvsmCallData.RaxIn = Function.Uint64;
|
||||
+ SvsmCallData.RcxIn = (UINT64)(UINTN)Buffer;
|
||||
+
|
||||
+ Ret = SvsmMsrProtocol (&SvsmCallData);
|
||||
+
|
||||
+ return (Ret == 0) ? TRUE : FALSE;
|
||||
+}
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
From 27a1b19ba5d3bc13562e443cebbd283c60615b89 Mon Sep 17 00:00:00 2001
|
||||
From cbc73cbf6bec0387fe7a049b659485feaeed00ea Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Thu, 26 Jun 2025 09:50:53 +0800
|
||||
Subject: [PATCH] OvmfPkg/ArmVirtPkg: Keep JSON stack cookie files for
|
||||
@@ -14,29 +14,25 @@ cookie values are retained in the build directory.
|
||||
This patch includes the necessary StackCookieValues*.json files under the Build/
|
||||
directory to ensure reproducible builds for Ovmf and ArmVirt platforms.
|
||||
---
|
||||
Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/Ovmf3264/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/Ovmf3264/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/OvmfX64/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/OvmfXen/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/OvmfXen/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues32.json | 1 +
|
||||
Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues64.json | 1 +
|
||||
14 files changed, 14 insertions(+)
|
||||
create mode 100644 Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json
|
||||
create mode 100644 Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json
|
||||
12 files changed, 12 insertions(+)
|
||||
create mode 100644 Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json
|
||||
create mode 100644 Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json
|
||||
create mode 100644 Build/Ovmf3264/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/Ovmf3264/DEBUG_GCC5/StackCookieValues64.json
|
||||
create mode 100644 Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json
|
||||
create mode 100644 Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/OvmfX64/DEBUG_GCC5/StackCookieValues64.json
|
||||
create mode 100644 Build/OvmfXen/DEBUG_GCC5/StackCookieValues32.json
|
||||
@@ -44,35 +40,35 @@ directory to ensure reproducible builds for Ovmf and ArmVirt platforms.
|
||||
create mode 100644 Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues32.json
|
||||
create mode 100644 Build/RiscVVirtQemu/DEBUG_GCC5/StackCookieValues64.json
|
||||
|
||||
diff --git a/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json
|
||||
diff --git a/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json
|
||||
new file mode 100644
|
||||
index 0000000000..279006e935
|
||||
--- /dev/null
|
||||
+++ b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues32.json
|
||||
+++ b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues32.json
|
||||
@@ -0,0 +1 @@
|
||||
+[3120319409, 3986684851, 2532066904, 2838841122, 1510610980, 3527598979, 2145389557, 915756566, 4288287152, 1592508515, 1649905414, 3214646158, 4125604801, 2636301533, 3186946058, 1297075897, 1536483215, 2684947706, 378837761, 2034357240, 1254156149, 3274923813, 1869941960, 2430363232, 2619983763, 789706441, 474468987, 4170744684, 2067453149, 80774667, 1188610392, 3484306439, 2129190303, 3706887221, 1441685697, 2832623778, 2272607630, 3766098863, 1387705257, 3531882784, 78420450, 2425693472, 2515037057, 2842949431, 2167471722, 2373850526, 2185844797, 1771878221, 3826200111, 233544227, 3019808295, 3255256900, 3737050793, 1272285847, 4114161312, 704148315, 2912601610, 3781534488, 56787233, 816583130, 2471213939, 2813874809, 2630289327, 1173288302, 1862737445, 2551923525, 1820462035, 1796829267, 1714358393, 2634249466, 176661566, 428907315, 2772923224, 1648291025, 2674956839, 2691960542, 1859704968, 709746926, 492109362, 3781180214, 4222775360, 2893670436, 2425292886, 1064615051, 3854554544, 1690467402, 356470947, 4203480635, 3958554922, 3830455836, 4051513359, 2084475517, 728710918, 2413960477, 1005365008, 117621347, 1988965873, 542004264, 1543091876, 856808939]
|
||||
\ No newline at end of file
|
||||
diff --git a/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json
|
||||
diff --git a/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json
|
||||
new file mode 100644
|
||||
index 0000000000..189f1bb32c
|
||||
--- /dev/null
|
||||
+++ b/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/StackCookieValues64.json
|
||||
+++ b/Build/ArmVirtQemu-AArch64/DEBUG_GCC5/StackCookieValues64.json
|
||||
@@ -0,0 +1 @@
|
||||
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
|
||||
\ No newline at end of file
|
||||
diff --git a/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json
|
||||
diff --git a/Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json
|
||||
new file mode 100644
|
||||
index 0000000000..279006e935
|
||||
--- /dev/null
|
||||
+++ b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues32.json
|
||||
+++ b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues32.json
|
||||
@@ -0,0 +1 @@
|
||||
+[3120319409, 3986684851, 2532066904, 2838841122, 1510610980, 3527598979, 2145389557, 915756566, 4288287152, 1592508515, 1649905414, 3214646158, 4125604801, 2636301533, 3186946058, 1297075897, 1536483215, 2684947706, 378837761, 2034357240, 1254156149, 3274923813, 1869941960, 2430363232, 2619983763, 789706441, 474468987, 4170744684, 2067453149, 80774667, 1188610392, 3484306439, 2129190303, 3706887221, 1441685697, 2832623778, 2272607630, 3766098863, 1387705257, 3531882784, 78420450, 2425693472, 2515037057, 2842949431, 2167471722, 2373850526, 2185844797, 1771878221, 3826200111, 233544227, 3019808295, 3255256900, 3737050793, 1272285847, 4114161312, 704148315, 2912601610, 3781534488, 56787233, 816583130, 2471213939, 2813874809, 2630289327, 1173288302, 1862737445, 2551923525, 1820462035, 1796829267, 1714358393, 2634249466, 176661566, 428907315, 2772923224, 1648291025, 2674956839, 2691960542, 1859704968, 709746926, 492109362, 3781180214, 4222775360, 2893670436, 2425292886, 1064615051, 3854554544, 1690467402, 356470947, 4203480635, 3958554922, 3830455836, 4051513359, 2084475517, 728710918, 2413960477, 1005365008, 117621347, 1988965873, 542004264, 1543091876, 856808939]
|
||||
\ No newline at end of file
|
||||
diff --git a/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json
|
||||
diff --git a/Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json
|
||||
new file mode 100644
|
||||
index 0000000000..189f1bb32c
|
||||
--- /dev/null
|
||||
+++ b/Build/ArmVirtQemu-ARM/DEBUG_GCC5/StackCookieValues64.json
|
||||
+++ b/Build/IntelTdx/DEBUG_GCC5/StackCookieValues64.json
|
||||
@@ -0,0 +1 @@
|
||||
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
|
||||
\ No newline at end of file
|
||||
@@ -92,22 +88,6 @@ index 0000000000..189f1bb32c
|
||||
@@ -0,0 +1 @@
|
||||
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
|
||||
\ No newline at end of file
|
||||
diff --git a/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json
|
||||
new file mode 100644
|
||||
index 0000000000..279006e935
|
||||
--- /dev/null
|
||||
+++ b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues32.json
|
||||
@@ -0,0 +1 @@
|
||||
+[3120319409, 3986684851, 2532066904, 2838841122, 1510610980, 3527598979, 2145389557, 915756566, 4288287152, 1592508515, 1649905414, 3214646158, 4125604801, 2636301533, 3186946058, 1297075897, 1536483215, 2684947706, 378837761, 2034357240, 1254156149, 3274923813, 1869941960, 2430363232, 2619983763, 789706441, 474468987, 4170744684, 2067453149, 80774667, 1188610392, 3484306439, 2129190303, 3706887221, 1441685697, 2832623778, 2272607630, 3766098863, 1387705257, 3531882784, 78420450, 2425693472, 2515037057, 2842949431, 2167471722, 2373850526, 2185844797, 1771878221, 3826200111, 233544227, 3019808295, 3255256900, 3737050793, 1272285847, 4114161312, 704148315, 2912601610, 3781534488, 56787233, 816583130, 2471213939, 2813874809, 2630289327, 1173288302, 1862737445, 2551923525, 1820462035, 1796829267, 1714358393, 2634249466, 176661566, 428907315, 2772923224, 1648291025, 2674956839, 2691960542, 1859704968, 709746926, 492109362, 3781180214, 4222775360, 2893670436, 2425292886, 1064615051, 3854554544, 1690467402, 356470947, 4203480635, 3958554922, 3830455836, 4051513359, 2084475517, 728710918, 2413960477, 1005365008, 117621347, 1988965873, 542004264, 1543091876, 856808939]
|
||||
\ No newline at end of file
|
||||
diff --git a/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json
|
||||
new file mode 100644
|
||||
index 0000000000..189f1bb32c
|
||||
--- /dev/null
|
||||
+++ b/Build/OvmfIa32/DEBUG_GCC5/StackCookieValues64.json
|
||||
@@ -0,0 +1 @@
|
||||
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
|
||||
\ No newline at end of file
|
||||
diff --git a/Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json b/Build/OvmfX64/DEBUG_GCC5/StackCookieValues32.json
|
||||
new file mode 100644
|
||||
index 0000000000..279006e935
|
||||
@@ -157,5 +137,5 @@ index 0000000000..189f1bb32c
|
||||
+[7518985701012212569, 2601960957474891530, 17831311744988480182, 16652208568711364861, 11779046321730877689, 4265457871546500992, 7292254499229112648, 223890800426602719, 2838072854045228586, 17406395504460044440, 15908843496796806072, 14702662319704085758, 9867044736590216777, 1826029253899249568, 13211023111777598167, 15781671485427291330, 10363743021216146144, 5806329751690313006, 15745089491775103262, 17509746045803567900, 1447711951392380165, 6118366145278105860, 4383356545218844403, 16245693987825670584, 2780554830603218012, 12970299634944553151, 3222388605624008866, 15814383424087557059, 15988086447905475558, 16116025969641329513, 6426405161833441255, 3254481667731922028, 6488541859345202975, 10574901139024748597, 3024566360722566355, 16062071326447635275, 12345606174395125886, 6794103055184511112, 11215411239298654461, 16898959837531392298, 11392129473298461016, 8804779203101922496, 18248956894608479019, 3405499931018446142, 17086893422507178606, 15658544032726530242, 8364333522488247864, 3279785515391664592, 13243140800673203277, 5966586998550012975, 16565158092620888628, 12638930544692949903, 1246241189792785842, 15194422135212677813, 12698266719810819587, 1534974055018719502, 12670636876876282922, 15558200550263511669, 3503220298365529701, 7528003967410398907, 17951113451990505790, 11966189487560109058, 9487073780776752004, 16989174121673443471, 11983187886593000791, 14034832459830322267, 7699754122092779654, 11045278550085659092, 15517258337126557177, 11994491770159532604, 12391224518810430854, 16412011954261833814, 6823393608276975560, 8049664586953865101, 105554461905525278, 1108289617734621870, 3107169899130739186, 16009603271400150224, 2287840628984514055, 16506851535775780356, 3856407398241994124, 15057357339963415331, 7421988999323764657, 16263909762531412778, 5520741619830646734, 12658567612226487844, 4150397776403010384, 4506124991939010117, 8337570680160461228, 1773277438796706851, 4411225815945427420, 14662834929794280164, 2744390976482384579, 5016066739309353833, 2446711385473505783, 7207045095118849468, 5059656042334578233, 5000969109599430964, 2861557136012695307, 4840563942385966137]
|
||||
\ No newline at end of file
|
||||
--
|
||||
2.43.0
|
||||
2.51.0
|
||||
|
||||
|
||||
@@ -1,45 +0,0 @@
|
||||
From 856bdc8eec0fd450ffb582808ad9649a5d02b480 Mon Sep 17 00:00:00 2001
|
||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Date: Fri, 25 Apr 2025 12:49:52 -0500
|
||||
Subject: [PATCH] OvmfPkg/CcExitLib: Use the proper register when filtering
|
||||
MSRs
|
||||
|
||||
The MsrExit() routine uses an incorrect register to check for the CAA MSR.
|
||||
Instead of checking RCX, the input register for RDMSR/WRMSR that holds the
|
||||
MSR value, it is checking RAX, which results in failure to detect the CAA
|
||||
MSR request. The check should only be checking the lower 32-bits of the
|
||||
register (ECX), too.
|
||||
|
||||
Change the check in MsrExit() to check the MSR value contained in ECX.
|
||||
|
||||
Fixes: 47001ab98914 ("Ovmfpkg/CcExitLib: Provide SVSM discovery support")
|
||||
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
---
|
||||
OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
|
||||
index 2031fa9e22..2c12f78f8d 100644
|
||||
--- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
|
||||
+++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
|
||||
@@ -701,6 +701,7 @@ MsrExit (
|
||||
MSR_SVSM_CAA_REGISTER Msr;
|
||||
UINT64 ExitInfo1;
|
||||
UINT64 Status;
|
||||
+ UINT32 EcxIn;
|
||||
|
||||
ExitInfo1 = 0;
|
||||
|
||||
@@ -708,7 +709,8 @@ MsrExit (
|
||||
// The SVSM CAA MSR is a software implemented MSR and not supported
|
||||
// by the hardware, handle it directly.
|
||||
//
|
||||
- if (Regs->Rax == MSR_SVSM_CAA) {
|
||||
+ EcxIn = (UINT32)(UINTN)Regs->Rcx;
|
||||
+ if (EcxIn == MSR_SVSM_CAA) {
|
||||
// Writes to the SVSM CAA MSR are ignored
|
||||
if (*(InstructionData->OpCodes + 1) == 0x30) {
|
||||
return 0;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,43 +0,0 @@
|
||||
From 06b2f9dc4385ccf5ca4b86deb14832daa373629f Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Wed, 11 Dec 2024 11:10:24 +0100
|
||||
Subject: [PATCH] OvmfPkg: Use Tpm2Device lib with SVSM vTPM support
|
||||
|
||||
Switch over to Tpm2InstanceLibDTpmSvsm as the Tpm2 implementation to
|
||||
support vTPMs provided by an SVSM.
|
||||
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc | 2 +-
|
||||
OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
|
||||
index 75ae09571e..2ea17084bd 100644
|
||||
--- a/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
|
||||
+++ b/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
|
||||
@@ -6,7 +6,7 @@
|
||||
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
|
||||
<LibraryClasses>
|
||||
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
|
||||
- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
|
||||
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
|
||||
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
|
||||
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
|
||||
NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
|
||||
diff --git a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
|
||||
index 351ca5bb28..ff5346aae7 100644
|
||||
--- a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
|
||||
+++ b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
|
||||
@@ -30,7 +30,7 @@
|
||||
!if $(TPM1_ENABLE) == TRUE
|
||||
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
|
||||
!endif
|
||||
- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
|
||||
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
|
||||
!endif
|
||||
|
||||
!if $(TPM2_ENABLE) == TRUE || $(CC_MEASUREMENT_ENABLE) == TRUE
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,29 +1,19 @@
|
||||
From 7b9e33357945b23e6bcdb21fb9d0ba5859ad9b0b Mon Sep 17 00:00:00 2001
|
||||
From 772bda5290449d46546b7b19cda083ed50536e7b Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Tue, 14 Jan 2025 19:31:48 +0800
|
||||
Subject: [PATCH] ovmf Revert add stack cookie support to MSVC and GCC
|
||||
Date: Thu, 29 May 2025 14:25:56 +0800
|
||||
Subject: [PATCH] Revert "BaseTools: Add Stack Cookie Support to MSVC and GCC
|
||||
IA32/X64/ARM/AARCH64"
|
||||
|
||||
This reverts commit f53f029122d4493e9db95e2424dd8f067f247661.
|
||||
---
|
||||
BaseTools/Conf/tools_def.template | 65 +++++++++++++++----------------
|
||||
1 file changed, 31 insertions(+), 34 deletions(-)
|
||||
BaseTools/Conf/tools_def.template | 41 ++++++++++++++-----------------
|
||||
1 file changed, 19 insertions(+), 22 deletions(-)
|
||||
|
||||
Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
|
||||
Index: edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
|
||||
===================================================================
|
||||
--- edk2-edk2-stable202502.orig/BaseTools/Conf/tools_def.template
|
||||
+++ edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
|
||||
@@ -21,9 +21,8 @@
|
||||
# - Add GCC and GCCNOLTO
|
||||
# - Deprecate GCC48, GCC49 and GCC5.
|
||||
# 3.01 - Add toolchain for VS2022
|
||||
-# 3.02 - Enable stack cookies for IA32, X64, ARM, and AARCH64 builds for GCC and MSVC
|
||||
#
|
||||
-#!VERSION=3.02
|
||||
+#!VERSION=3.01
|
||||
|
||||
IDENTIFIER = Default TOOL_CHAIN_CONF
|
||||
|
||||
@@ -636,9 +635,9 @@ NOOPT_VS2017_AARCH64_DLINK_FLAGS = /NO
|
||||
--- edk2-edk2-stable202511.orig/BaseTools/Conf/tools_def.template
|
||||
+++ edk2-edk2-stable202511/BaseTools/Conf/tools_def.template
|
||||
@@ -608,9 +608,9 @@ NOOPT_VS2017_AARCH64_DLINK_FLAGS = /NO
|
||||
*_VS2019_IA32_PP_PATH = DEF(VS2019_BIN_IA32)\cl.exe
|
||||
*_VS2019_IA32_ASM_PATH = DEF(VS2019_BIN_IA32)\ml.exe
|
||||
|
||||
@@ -36,7 +26,7 @@ Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
|
||||
|
||||
DEBUG_VS2019_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd /Zi
|
||||
RELEASE_VS2019_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd
|
||||
@@ -666,9 +665,9 @@ NOOPT_VS2019_IA32_DLINK_FLAGS = /NOLOG
|
||||
@@ -638,9 +638,9 @@ NOOPT_VS2019_IA32_DLINK_FLAGS = /NOLOG
|
||||
*_VS2019_X64_DLINK_PATH = DEF(VS2019_BIN_X64)\link.exe
|
||||
*_VS2019_X64_ASLDLINK_PATH = DEF(VS2019_BIN_X64)\link.exe
|
||||
|
||||
@@ -49,33 +39,7 @@ Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
|
||||
|
||||
DEBUG_VS2019_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd /Zi
|
||||
RELEASE_VS2019_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd
|
||||
@@ -696,9 +695,9 @@ NOOPT_VS2019_X64_DLINK_FLAGS = /NOLOG
|
||||
*_VS2019_ARM_ASLPP_PATH = DEF(VS2019_BIN_ARM)\cl.exe
|
||||
*_VS2019_ARM_ASLDLINK_PATH = DEF(VS2019_BIN_ARM)\link.exe
|
||||
|
||||
- DEBUG_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
-RELEASE_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
-NOOPT_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
+ DEBUG_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
+RELEASE_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
+NOOPT_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
|
||||
DEBUG_VS2019_ARM_ASM_FLAGS = /nologo /g
|
||||
RELEASE_VS2019_ARM_ASM_FLAGS = /nologo
|
||||
@@ -722,9 +721,9 @@ NOOPT_VS2019_ARM_DLINK_FLAGS = /NOL
|
||||
*_VS2019_AARCH64_ASLPP_PATH = DEF(VS2019_BIN_AARCH64)\cl.exe
|
||||
*_VS2019_AARCH64_ASLDLINK_PATH = DEF(VS2019_BIN_AARCH64)\link.exe
|
||||
|
||||
- DEBUG_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
-RELEASE_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
-NOOPT_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
+ DEBUG_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
+RELEASE_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
+NOOPT_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
|
||||
DEBUG_VS2019_AARCH64_ASM_FLAGS = /nologo /g
|
||||
RELEASE_VS2019_AARCH64_ASM_FLAGS = /nologo
|
||||
@@ -779,9 +778,9 @@ NOOPT_VS2019_AARCH64_DLINK_FLAGS = /NO
|
||||
@@ -725,9 +725,9 @@ NOOPT_VS2019_AARCH64_DLINK_FLAGS = /NO
|
||||
*_VS2022_IA32_ASM_PATH = DEF(VS2022_BIN_IA32)\ml.exe
|
||||
|
||||
*_VS2022_IA32_MAKE_FLAGS = /nologo
|
||||
@@ -88,7 +52,7 @@ Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
|
||||
|
||||
DEBUG_VS2022_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd /Zi
|
||||
RELEASE_VS2022_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd
|
||||
@@ -815,9 +814,9 @@ NOOPT_VS2022_IA32_DLINK_FLAGS = /NOLOG
|
||||
@@ -761,9 +761,9 @@ NOOPT_VS2022_IA32_DLINK_FLAGS = /NOLOG
|
||||
*_VS2022_X64_DLINK_PATH = DEF(VS2022_BIN_X64)\link.exe
|
||||
*_VS2022_X64_ASLDLINK_PATH = DEF(VS2022_BIN_X64)\link.exe
|
||||
|
||||
@@ -101,50 +65,21 @@ Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
|
||||
|
||||
DEBUG_VS2022_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd /Zi
|
||||
RELEASE_VS2022_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd
|
||||
@@ -852,9 +851,9 @@ NOOPT_VS2022_X64_DLINK_FLAGS = /NOLOG
|
||||
*_VS2022_ARM_ASLDLINK_PATH = DEF(VS2022_BIN_ARM)\link.exe
|
||||
|
||||
*_VS2022_ARM_MAKE_FLAGS = /nologo
|
||||
- DEBUG_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
-RELEASE_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
-NOOPT_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
+ DEBUG_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
+RELEASE_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
+NOOPT_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
|
||||
DEBUG_VS2022_ARM_ASM_FLAGS = /nologo /g
|
||||
RELEASE_VS2022_ARM_ASM_FLAGS = /nologo
|
||||
@@ -885,9 +884,9 @@ NOOPT_VS2022_ARM_DLINK_FLAGS = /NOL
|
||||
*_VS2022_AARCH64_ASLDLINK_PATH = DEF(VS2022_BIN_AARCH64)\link.exe
|
||||
|
||||
*_VS2022_AARCH64_MAKE_FLAGS = /nologo
|
||||
- DEBUG_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
-RELEASE_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
-NOOPT_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
+ DEBUG_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
|
||||
+RELEASE_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
|
||||
+NOOPT_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
|
||||
|
||||
DEBUG_VS2022_AARCH64_ASM_FLAGS = /nologo /g
|
||||
RELEASE_VS2022_AARCH64_ASM_FLAGS = /nologo
|
||||
@@ -919,13 +918,11 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a
|
||||
*_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
|
||||
@@ -833,10 +833,10 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a
|
||||
*_*_*_DTC_PATH = DEF(DTC_BIN)
|
||||
|
||||
-# All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, so set that on everything except LOONGARCH64
|
||||
# All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, so set that on everything except LOONGARCH64
|
||||
-DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common -fstack-protector
|
||||
-DEFINE GCC_IA32_X64_CC_FLAGS = -mstack-protector-guard=global
|
||||
-DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie -mstack-protector-guard=global
|
||||
+DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
|
||||
+DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie
|
||||
+DEFINE GCC_IA32_X64_CC_FLAGS =
|
||||
DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections
|
||||
DEFINE GCC_ARM_CC_XIPFLAGS = -mno-unaligned-access
|
||||
-DEFINE GCC_AARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -fno-short-enums -fverbose-asm -funsigned-char -ffunction-sections -fdata-sections -Wno-address -fno-asynchronous-unwind-tables -fno-unwind-tables -fno-pic -fno-pie -ffixed-x18 -mstack-protector-guard=global
|
||||
+DEFINE GCC_AARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -fno-short-enums -fverbose-asm -funsigned-char -ffunction-sections -fdata-sections -Wno-address -fno-asynchronous-unwind-tables -fno-unwind-tables -fno-pic -fno-pie -ffixed-x18
|
||||
DEFINE GCC_AARCH64_CC_XIPFLAGS = -mstrict-align -mgeneral-regs-only
|
||||
DEFINE GCC_RISCV64_CC_XIPFLAGS = -mstrict-align -mgeneral-regs-only
|
||||
DEFINE GCC_DLINK2_FLAGS_COMMON = -Wl,--script=$(EDK_TOOLS_PATH)/Scripts/GccBase.lds
|
||||
@@ -961,8 +958,8 @@ DEFINE GCC_DEPS_FLAGS = -MM
|
||||
@@ -864,8 +864,8 @@ DEFINE GCC_DEPS_FLAGS = -MM
|
||||
|
||||
DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
|
||||
DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
|
||||
@@ -155,12 +90,3 @@ Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
|
||||
DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
|
||||
DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
|
||||
DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
|
||||
@@ -971,7 +968,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -
|
||||
DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
|
||||
DEFINE GCC48_ARM_ASM_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
|
||||
DEFINE GCC48_AARCH64_ASM_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
|
||||
-DEFINE GCC48_ARM_CC_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -mword-relocations
|
||||
+DEFINE GCC48_ARM_CC_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ARM_CC_FLAGS) -fstack-protector -mword-relocations
|
||||
DEFINE GCC48_ARM_CC_XIPFLAGS = DEF(GCC_ARM_CC_XIPFLAGS)
|
||||
DEFINE GCC48_AARCH64_CC_FLAGS = $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
|
||||
DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
From b8324bc3d5d44e5b1644a66f1b6e07b6e4ad9350 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <jlee@suse.com>
|
||||
Date: Wed, 15 Feb 2023 14:39:37 +0800
|
||||
From f059118317b6d3a1dfdeec45494d279842c855e4 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Thu, 29 May 2025 13:22:47 +0800
|
||||
Subject: [PATCH] Revert "OvmfPkg/OvmfXen: Set PcdFSBClock"
|
||||
|
||||
This reverts commit 71cdb91f313380152d7bf38cfeebe76f5b2d39ac.
|
||||
@@ -10,13 +10,13 @@ This reverts commit 71cdb91f313380152d7bf38cfeebe76f5b2d39ac.
|
||||
OvmfPkg/XenPlatformPei/XenPlatformPei.inf | 1 -
|
||||
3 files changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
Index: edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
|
||||
===================================================================
|
||||
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfXen.dsc
|
||||
+++ edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
|
||||
@@ -456,6 +456,9 @@
|
||||
# Point to the MdeModulePkg/Application/UiApp/UiApp.inf
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
|
||||
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
|
||||
index 088c63f5c2..6f636a79a2 100644
|
||||
--- a/OvmfPkg/OvmfXen.dsc
|
||||
+++ b/OvmfPkg/OvmfXen.dsc
|
||||
@@ -451,6 +451,9 @@
|
||||
# Point to the MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0xdc, 0x5b, 0xc2, 0xee, 0xf2, 0x67, 0x95, 0x4d, 0xb1, 0xd5, 0xf8, 0x1b, 0x20, 0x39, 0xd1, 0x1d }
|
||||
|
||||
+ ## Xen vlapic's frequence is 100 MHz
|
||||
+ gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000
|
||||
@@ -24,7 +24,7 @@ Index: edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
|
||||
# We populate DXE IPL tables with 1G pages preferably on Xen
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable|TRUE
|
||||
|
||||
@@ -486,7 +489,6 @@
|
||||
@@ -484,7 +487,6 @@
|
||||
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Base|0x0
|
||||
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Size|0x800000000
|
||||
|
||||
@@ -32,11 +32,11 @@ Index: edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
|
||||
gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|0
|
||||
|
||||
# Set video resolution for text setup.
|
||||
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
|
||||
===================================================================
|
||||
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/Xen.c
|
||||
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
|
||||
@@ -634,9 +634,5 @@ CalibrateLapicTimer (
|
||||
diff --git a/OvmfPkg/XenPlatformPei/Xen.c b/OvmfPkg/XenPlatformPei/Xen.c
|
||||
index a54fd55c70..68ae4801ae 100644
|
||||
--- a/OvmfPkg/XenPlatformPei/Xen.c
|
||||
+++ b/OvmfPkg/XenPlatformPei/Xen.c
|
||||
@@ -613,9 +613,5 @@ CalibrateLapicTimer (
|
||||
Freq = DivU64x64Remainder (Dividend, TscTick2 - TscTick, NULL);
|
||||
DEBUG ((DEBUG_INFO, "APIC Freq % 8lu Hz\n", Freq));
|
||||
|
||||
@@ -46,10 +46,10 @@ Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
|
||||
-
|
||||
UnmapXenPage (SharedInfo);
|
||||
}
|
||||
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
|
||||
===================================================================
|
||||
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
|
||||
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
|
||||
diff --git a/OvmfPkg/XenPlatformPei/XenPlatformPei.inf b/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
|
||||
index 20c27ff34b..790f4af551 100644
|
||||
--- a/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
|
||||
+++ b/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
|
||||
@@ -86,7 +86,6 @@
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
|
||||
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
|
||||
@@ -58,3 +58,6 @@ Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
|
||||
gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
||||
765
ovmf-Revert-OvmfPkg-RiscVVirt-Add-SecureBootDefaultKeysIn.patch
Normal file
765
ovmf-Revert-OvmfPkg-RiscVVirt-Add-SecureBootDefaultKeysIn.patch
Normal file
@@ -0,0 +1,765 @@
|
||||
From 96eb23c5556ed28d2242669bed9eb818285251b6 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Wed, 17 Dec 2025 11:35:31 +0800
|
||||
Subject: [PATCH] Revert "OvmfPkg/RiscVVirt: Add SecureBootDefaultKeysInit
|
||||
module."
|
||||
|
||||
This reverts commit 35a3ceb882b57da0964c8b4a038e8808b3dc2b13.
|
||||
---
|
||||
.../SecureBootDefaultKeysInit.c | 643 ------------------
|
||||
.../SecureBootDefaultKeysInit.inf | 49 --
|
||||
OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc | 2 +-
|
||||
OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf | 18 -
|
||||
4 files changed, 1 insertion(+), 711 deletions(-)
|
||||
delete mode 100644 OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
|
||||
delete mode 100644 OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
|
||||
|
||||
diff --git a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c b/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
|
||||
deleted file mode 100644
|
||||
index 037174dc6a..0000000000
|
||||
--- a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c
|
||||
+++ /dev/null
|
||||
@@ -1,643 +0,0 @@
|
||||
-/** @file
|
||||
- This driver init default Secure Boot variables
|
||||
-
|
||||
- Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
- (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
|
||||
- Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
|
||||
- Copyright (c) 2021, Semihalf All rights reserved.<BR>
|
||||
- Copyright (c) 2021, Ampere Computing LLC. All rights reserved.<BR>
|
||||
- Copyright (C) 2023-2025 Advanced Micro Devices, Inc. All rights reserved.
|
||||
-
|
||||
- SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
-
|
||||
-**/
|
||||
-
|
||||
-#include <Uefi.h>
|
||||
-#include <UefiSecureBoot.h>
|
||||
-#include <Library/BaseLib.h>
|
||||
-#include <Library/BaseMemoryLib.h>
|
||||
-#include <Library/DebugLib.h>
|
||||
-#include <Library/DxeServicesLib.h>
|
||||
-#include <Library/MemoryAllocationLib.h>
|
||||
-#include <Library/UefiBootServicesTableLib.h>
|
||||
-#include <Library/UefiRuntimeServicesTableLib.h>
|
||||
-#include <Library/UefiLib.h>
|
||||
-#include <Guid/AuthenticatedVariableFormat.h>
|
||||
-#include <Guid/ImageAuthentication.h>
|
||||
-#include <Library/SecureBootVariableLib.h>
|
||||
-#include <Library/SecureBootVariableProvisionLib.h>
|
||||
-
|
||||
-/**
|
||||
- Set PKDefault Variable.
|
||||
-
|
||||
- @param[in] X509Data X509 Certificate data.
|
||||
- @param[in] X509DataSize X509 Certificate data size.
|
||||
-
|
||||
- @retval EFI_SUCCESS PKDefault is set successfully.
|
||||
-
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-SetPkDefault (
|
||||
- IN UINT8 *X509Data,
|
||||
- IN UINTN X509DataSize
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- UINT32 Attr;
|
||||
- UINTN DataSize;
|
||||
- EFI_SIGNATURE_LIST *PkCert;
|
||||
- EFI_SIGNATURE_DATA *PkCertData;
|
||||
-
|
||||
- PkCert = NULL;
|
||||
-
|
||||
- //
|
||||
- // Allocate space for PK certificate list and initialize it.
|
||||
- // Create PK database entry with SignatureHeaderSize equals 0.
|
||||
- //
|
||||
- PkCert = (EFI_SIGNATURE_LIST *)AllocateZeroPool (
|
||||
- sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1
|
||||
- + X509DataSize
|
||||
- );
|
||||
- if (PkCert == NULL) {
|
||||
- Status = EFI_OUT_OF_RESOURCES;
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
- PkCert->SignatureListSize = (UINT32)(sizeof (EFI_SIGNATURE_LIST)
|
||||
- + sizeof (EFI_SIGNATURE_DATA) - 1
|
||||
- + X509DataSize);
|
||||
- PkCert->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
|
||||
- PkCert->SignatureHeaderSize = 0;
|
||||
- CopyGuid (&PkCert->SignatureType, &gEfiCertX509Guid);
|
||||
- PkCertData = (EFI_SIGNATURE_DATA *)((UINTN)PkCert
|
||||
- + sizeof (EFI_SIGNATURE_LIST)
|
||||
- + PkCert->SignatureHeaderSize);
|
||||
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
|
||||
- //
|
||||
- // Fill the PK database with PKpub data from X509 certificate file.
|
||||
- //
|
||||
- CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
|
||||
-
|
||||
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
|
||||
- DataSize = PkCert->SignatureListSize;
|
||||
-
|
||||
- Status = gRT->SetVariable (
|
||||
- EFI_PK_DEFAULT_VARIABLE_NAME,
|
||||
- &gEfiGlobalVariableGuid,
|
||||
- Attr,
|
||||
- DataSize,
|
||||
- PkCert
|
||||
- );
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
-ON_EXIT:
|
||||
-
|
||||
- if (PkCert != NULL) {
|
||||
- FreePool (PkCert);
|
||||
- }
|
||||
-
|
||||
- return Status;
|
||||
-}
|
||||
-
|
||||
-/**
|
||||
- Set KDKDefault Variable.
|
||||
-
|
||||
- @param[in] X509Data X509 Certificate data.
|
||||
- @param[in] X509DataSize X509 Certificate data size.
|
||||
-
|
||||
- @retval EFI_SUCCESS KEKDefault is set successfully.
|
||||
-
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-SetKekDefault (
|
||||
- IN UINT8 *X509Data,
|
||||
- IN UINTN X509DataSize
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- EFI_SIGNATURE_DATA *KEKSigData;
|
||||
- EFI_SIGNATURE_LIST *KekSigList;
|
||||
- UINTN DataSize;
|
||||
- UINTN KekSigListSize;
|
||||
- UINT32 Attr;
|
||||
-
|
||||
- KekSigList = NULL;
|
||||
- KekSigListSize = 0;
|
||||
- DataSize = 0;
|
||||
- KEKSigData = NULL;
|
||||
-
|
||||
- KekSigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
|
||||
- KekSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSize);
|
||||
- if (KekSigList == NULL) {
|
||||
- Status = EFI_OUT_OF_RESOURCES;
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
- //
|
||||
- // Fill Certificate Database parameters.
|
||||
- //
|
||||
- KekSigList->SignatureListSize = (UINT32)KekSigListSize;
|
||||
- KekSigList->SignatureHeaderSize = 0;
|
||||
- KekSigList->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
|
||||
- CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
|
||||
-
|
||||
- KEKSigData = (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_SIGNATURE_LIST));
|
||||
- CopyGuid (&KEKSigData->SignatureOwner, &gEfiGlobalVariableGuid);
|
||||
- CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
|
||||
-
|
||||
- //
|
||||
- // Check if KEK been already existed.
|
||||
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
|
||||
- // new kek to original variable
|
||||
- //
|
||||
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
|
||||
-
|
||||
- Status = gRT->GetVariable (
|
||||
- EFI_KEK_DEFAULT_VARIABLE_NAME,
|
||||
- &gEfiGlobalVariableGuid,
|
||||
- NULL,
|
||||
- &DataSize,
|
||||
- NULL
|
||||
- );
|
||||
- if (Status == EFI_BUFFER_TOO_SMALL) {
|
||||
- Attr |= EFI_VARIABLE_APPEND_WRITE;
|
||||
- } else if (Status != EFI_NOT_FOUND) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of KEK: %r\n", __func__, Status));
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
- Status = gRT->SetVariable (
|
||||
- EFI_KEK_DEFAULT_VARIABLE_NAME,
|
||||
- &gEfiGlobalVariableGuid,
|
||||
- Attr,
|
||||
- KekSigListSize,
|
||||
- KekSigList
|
||||
- );
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
-ON_EXIT:
|
||||
-
|
||||
- if (KekSigList != NULL) {
|
||||
- FreePool (KekSigList);
|
||||
- }
|
||||
-
|
||||
- return Status;
|
||||
-}
|
||||
-
|
||||
-/**
|
||||
- Checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format
|
||||
-
|
||||
- @param[in] Data Data.
|
||||
- @param[in] DataSize Data size.
|
||||
-
|
||||
- @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 format.
|
||||
- @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format.
|
||||
-
|
||||
-**/
|
||||
-BOOLEAN
|
||||
-IsAuthentication2Format (
|
||||
- IN UINT8 *Data,
|
||||
- IN UINTN DataSize
|
||||
- )
|
||||
-{
|
||||
- EFI_VARIABLE_AUTHENTICATION_2 *Auth2;
|
||||
- BOOLEAN IsAuth2Format;
|
||||
-
|
||||
- IsAuth2Format = FALSE;
|
||||
-
|
||||
- Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Data;
|
||||
- if (Auth2->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
- if (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) {
|
||||
- IsAuth2Format = TRUE;
|
||||
- }
|
||||
-
|
||||
-ON_EXIT:
|
||||
-
|
||||
- return IsAuth2Format;
|
||||
-}
|
||||
-
|
||||
-/**
|
||||
- Set signature database with the data of EFI_VARIABLE_AUTHENTICATION_2 format.
|
||||
-
|
||||
- @param[in] AuthData AUTHENTICATION_2 data.
|
||||
- @param[in] AuthDataSize AUTHENTICATION_2 data size.
|
||||
- @param[in] VariableName Variable name of signature database, must be
|
||||
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
|
||||
-
|
||||
- @retval EFI_SUCCESS New signature is set successfully.
|
||||
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
|
||||
- @retval EFI_UNSUPPORTED Unsupported command.
|
||||
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
|
||||
-
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-SetAuthentication2ToSigDb (
|
||||
- IN UINT8 *AuthData,
|
||||
- IN UINTN AuthDataSize,
|
||||
- IN CHAR16 *VariableName
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- UINTN DataSize;
|
||||
- UINT32 Attr;
|
||||
- UINT8 *Data;
|
||||
-
|
||||
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
|
||||
-
|
||||
- //
|
||||
- // Check if SigDB variable has been already existed.
|
||||
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
|
||||
- // new signature data to original variable
|
||||
- //
|
||||
- DataSize = 0;
|
||||
- Status = gRT->GetVariable (
|
||||
- VariableName,
|
||||
- &gEfiGlobalVariableGuid,
|
||||
- NULL,
|
||||
- &DataSize,
|
||||
- NULL
|
||||
- );
|
||||
- if (Status == EFI_BUFFER_TOO_SMALL) {
|
||||
- Attr |= EFI_VARIABLE_APPEND_WRITE;
|
||||
- } else if (Status != EFI_NOT_FOUND) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of signature database: %r\n", __func__, Status));
|
||||
- return Status;
|
||||
- }
|
||||
-
|
||||
- //
|
||||
- // Ignore AUTHENTICATION_2 region. Only the actual certificate is needed.
|
||||
- //
|
||||
- DataSize = AuthDataSize - ((EFI_VARIABLE_AUTHENTICATION_2 *)AuthData)->AuthInfo.Hdr.dwLength - sizeof (EFI_TIME);
|
||||
- Data = AuthData + (AuthDataSize - DataSize);
|
||||
-
|
||||
- Status = gRT->SetVariable (
|
||||
- VariableName,
|
||||
- &gEfiGlobalVariableGuid,
|
||||
- Attr,
|
||||
- DataSize,
|
||||
- Data
|
||||
- );
|
||||
-
|
||||
- return Status;
|
||||
-}
|
||||
-
|
||||
-/**
|
||||
-
|
||||
- Set signature database with the data of X509 format.
|
||||
-
|
||||
- @param[in] X509Data X509 Certificate data.
|
||||
- @param[in] X509DataSize X509 Certificate data size.
|
||||
- @param[in] VariableName Variable name of signature database, must be
|
||||
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
|
||||
- @param[in] SignatureOwnerGuid Guid of the signature owner.
|
||||
-
|
||||
- @retval EFI_SUCCESS New X509 is enrolled successfully.
|
||||
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
|
||||
-
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-SetX509ToSigDb (
|
||||
- IN UINT8 *X509Data,
|
||||
- IN UINTN X509DataSize,
|
||||
- IN CHAR16 *VariableName,
|
||||
- IN EFI_GUID *SignatureOwnerGuid
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- EFI_SIGNATURE_LIST *SigDBCert;
|
||||
- EFI_SIGNATURE_DATA *SigDBCertData;
|
||||
- VOID *Data;
|
||||
- UINTN DataSize;
|
||||
- UINTN SigDBSize;
|
||||
- UINT32 Attr;
|
||||
-
|
||||
- SigDBSize = 0;
|
||||
- DataSize = 0;
|
||||
- SigDBCert = NULL;
|
||||
- SigDBCertData = NULL;
|
||||
- Data = NULL;
|
||||
-
|
||||
- SigDBSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize;
|
||||
- Data = AllocateZeroPool (SigDBSize);
|
||||
- if (Data == NULL) {
|
||||
- Status = EFI_OUT_OF_RESOURCES;
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot allocate memory: %r\n", __func__, Status));
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
- //
|
||||
- // Fill Certificate Database parameters.
|
||||
- //
|
||||
- SigDBCert = (EFI_SIGNATURE_LIST *)Data;
|
||||
- SigDBCert->SignatureListSize = (UINT32)SigDBSize;
|
||||
- SigDBCert->SignatureHeaderSize = 0;
|
||||
- SigDBCert->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + X509DataSize);
|
||||
- CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
|
||||
-
|
||||
- SigDBCertData = (EFI_SIGNATURE_DATA *)((UINT8 *)SigDBCert + sizeof (EFI_SIGNATURE_LIST));
|
||||
- CopyGuid (&SigDBCertData->SignatureOwner, SignatureOwnerGuid);
|
||||
- CopyMem ((UINT8 *)(SigDBCertData->SignatureData), X509Data, X509DataSize);
|
||||
-
|
||||
- //
|
||||
- // Check if signature database entry has been already existed.
|
||||
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
|
||||
- // new signature data to original variable
|
||||
- //
|
||||
- Attr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;
|
||||
-
|
||||
- Status = gRT->GetVariable (
|
||||
- VariableName,
|
||||
- &gEfiGlobalVariableGuid,
|
||||
- NULL,
|
||||
- &DataSize,
|
||||
- NULL
|
||||
- );
|
||||
- if (Status == EFI_BUFFER_TOO_SMALL) {
|
||||
- Attr |= EFI_VARIABLE_APPEND_WRITE;
|
||||
- } else if (Status != EFI_NOT_FOUND) {
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
- Status = gRT->SetVariable (
|
||||
- VariableName,
|
||||
- &gEfiGlobalVariableGuid,
|
||||
- Attr,
|
||||
- SigDBSize,
|
||||
- Data
|
||||
- );
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot set signature database: %r\n", __func__, Status));
|
||||
- goto ON_EXIT;
|
||||
- }
|
||||
-
|
||||
-ON_EXIT:
|
||||
-
|
||||
- if (Data != NULL) {
|
||||
- FreePool (Data);
|
||||
- }
|
||||
-
|
||||
- return Status;
|
||||
-}
|
||||
-
|
||||
-/**
|
||||
-
|
||||
- Set signature database.
|
||||
-
|
||||
- @param[in] Data Data.
|
||||
- @param[in] DataSize Data size.
|
||||
- @param[in] VariableName Variable name of signature database, must be
|
||||
- EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX_DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME.
|
||||
- @param[in] SignatureOwnerGuid Guid of the signature owner.
|
||||
-
|
||||
- @retval EFI_SUCCESS Signature is set successfully.
|
||||
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
|
||||
-
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-SetSignatureDatabase (
|
||||
- IN UINT8 *Data,
|
||||
- IN UINTN DataSize,
|
||||
- IN CHAR16 *VariableName,
|
||||
- IN EFI_GUID *SignatureOwnerGuid
|
||||
- )
|
||||
-{
|
||||
- if (IsAuthentication2Format (Data, DataSize)) {
|
||||
- return SetAuthentication2ToSigDb (Data, DataSize, VariableName);
|
||||
- } else {
|
||||
- return SetX509ToSigDb (Data, DataSize, VariableName, SignatureOwnerGuid);
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-/** Initializes PKDefault variable with data from FFS section.
|
||||
-
|
||||
- @retval EFI_SUCCESS Variable was initialized successfully.
|
||||
- @retval EFI_UNSUPPORTED Variable already exists.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-InitPkDefault (
|
||||
- IN VOID
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- UINT8 *Data;
|
||||
- UINTN DataSize;
|
||||
-
|
||||
- //
|
||||
- // Check if variable exists, if so do not change it
|
||||
- //
|
||||
- Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
|
||||
- if (Status == EFI_SUCCESS) {
|
||||
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
|
||||
- FreePool (Data);
|
||||
- return EFI_UNSUPPORTED;
|
||||
- }
|
||||
-
|
||||
- //
|
||||
- // Variable does not exist, can be initialized
|
||||
- //
|
||||
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
|
||||
-
|
||||
- //
|
||||
- // Enroll default PK.
|
||||
- //
|
||||
- Status = GetSectionFromFv (
|
||||
- &gDefaultPKFileGuid,
|
||||
- EFI_SECTION_RAW,
|
||||
- 0,
|
||||
- (VOID **)&Data,
|
||||
- &DataSize
|
||||
- );
|
||||
- if (!EFI_ERROR (Status)) {
|
||||
- SetPkDefault (Data, DataSize);
|
||||
- }
|
||||
-
|
||||
- return EFI_SUCCESS;
|
||||
-}
|
||||
-
|
||||
-/** Initializes KEKDefault variable with data from FFS section.
|
||||
-
|
||||
- @retval EFI_SUCCESS Variable was initialized successfully.
|
||||
- @retval EFI_UNSUPPORTED Variable already exists.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-InitKekDefault (
|
||||
- IN VOID
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- UINTN Index;
|
||||
- UINT8 *Data;
|
||||
- UINTN DataSize;
|
||||
-
|
||||
- //
|
||||
- // Check if variable exists, if so do not change it
|
||||
- //
|
||||
- Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
|
||||
- if (Status == EFI_SUCCESS) {
|
||||
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
|
||||
- FreePool (Data);
|
||||
- return EFI_UNSUPPORTED;
|
||||
- }
|
||||
-
|
||||
- Index = 0;
|
||||
- do {
|
||||
- Status = GetSectionFromFv (
|
||||
- &gDefaultKEKFileGuid,
|
||||
- EFI_SECTION_RAW,
|
||||
- Index,
|
||||
- (VOID **)&Data,
|
||||
- &DataSize
|
||||
- );
|
||||
- if (!EFI_ERROR (Status)) {
|
||||
- SetKekDefault (Data, DataSize);
|
||||
- Index++;
|
||||
- }
|
||||
- } while (Status == EFI_SUCCESS);
|
||||
-
|
||||
- return EFI_SUCCESS;
|
||||
-}
|
||||
-
|
||||
-/** Initializes dbDefault variable with data from FFS section.
|
||||
-
|
||||
- @retval EFI_SUCCESS Variable was initialized successfully.
|
||||
- @retval EFI_UNSUPPORTED Variable already exists.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-InitDbDefault (
|
||||
- IN VOID
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- UINTN Index;
|
||||
- UINT8 *Data;
|
||||
- UINTN DataSize;
|
||||
-
|
||||
- Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
|
||||
- if (Status == EFI_SUCCESS) {
|
||||
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
|
||||
- FreePool (Data);
|
||||
- return EFI_UNSUPPORTED;
|
||||
- }
|
||||
-
|
||||
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
|
||||
-
|
||||
- Index = 0;
|
||||
- do {
|
||||
- Status = GetSectionFromFv (
|
||||
- &gDefaultdbFileGuid,
|
||||
- EFI_SECTION_RAW,
|
||||
- Index,
|
||||
- (VOID **)&Data,
|
||||
- &DataSize
|
||||
- );
|
||||
- if (!EFI_ERROR (Status)) {
|
||||
- SetSignatureDatabase (Data, DataSize, EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid);
|
||||
- Index++;
|
||||
- }
|
||||
- } while (Status == EFI_SUCCESS);
|
||||
-
|
||||
- return EFI_SUCCESS;
|
||||
-}
|
||||
-
|
||||
-/** Initializes dbxDefault variable with data from FFS section.
|
||||
-
|
||||
- @retval EFI_SUCCESS Variable was initialized successfully.
|
||||
- @retval EFI_UNSUPPORTED Variable already exists.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-InitDbxDefault (
|
||||
- IN VOID
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
- UINTN Index;
|
||||
- UINT8 *Data;
|
||||
- UINTN DataSize;
|
||||
-
|
||||
- //
|
||||
- // Check if variable exists, if so do not change it
|
||||
- //
|
||||
- Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
|
||||
- if (Status == EFI_SUCCESS) {
|
||||
- DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
|
||||
- FreePool (Data);
|
||||
- return EFI_UNSUPPORTED;
|
||||
- }
|
||||
-
|
||||
- //
|
||||
- // Variable does not exist, can be initialized
|
||||
- //
|
||||
- DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
|
||||
-
|
||||
- Index = 0;
|
||||
- do {
|
||||
- Status = GetSectionFromFv (
|
||||
- &gDefaultdbxFileGuid,
|
||||
- EFI_SECTION_RAW,
|
||||
- Index,
|
||||
- (VOID **)&Data,
|
||||
- &DataSize
|
||||
- );
|
||||
- if (!EFI_ERROR (Status)) {
|
||||
- SetSignatureDatabase (Data, DataSize, EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid);
|
||||
- Index++;
|
||||
- }
|
||||
- } while (Status == EFI_SUCCESS);
|
||||
-
|
||||
- return EFI_SUCCESS;
|
||||
-}
|
||||
-
|
||||
-/**
|
||||
- Initializes default SecureBoot certificates with data from FFS section.
|
||||
-
|
||||
- @param[in] ImageHandle The firmware allocated handle for the EFI image.
|
||||
- @param[in] SystemTable A pointer to the EFI System Table.
|
||||
-
|
||||
- @retval EFI_SUCCESS Variable was initialized successfully.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-EFIAPI
|
||||
-SecureBootDefaultKeysInitEntry (
|
||||
- IN EFI_HANDLE ImageHandle,
|
||||
- IN EFI_SYSTEM_TABLE *SystemTable
|
||||
- )
|
||||
-{
|
||||
- EFI_STATUS Status;
|
||||
-
|
||||
- Status = InitPkDefault ();
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__, Status));
|
||||
- return Status;
|
||||
- }
|
||||
-
|
||||
- Status = InitKekDefault ();
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func__, Status));
|
||||
- return Status;
|
||||
- }
|
||||
-
|
||||
- Status = InitDbDefault ();
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __func__, Status));
|
||||
- return Status;
|
||||
- }
|
||||
-
|
||||
- Status = InitDbxDefault ();
|
||||
- if (EFI_ERROR (Status)) {
|
||||
- DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbxDefault: %r\n", __func__, Status));
|
||||
- return Status;
|
||||
- }
|
||||
-
|
||||
- return EFI_SUCCESS;
|
||||
-}
|
||||
diff --git a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf b/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
|
||||
deleted file mode 100644
|
||||
index 0127841733..0000000000
|
||||
--- a/OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
|
||||
+++ /dev/null
|
||||
@@ -1,49 +0,0 @@
|
||||
-## @file
|
||||
-# Initializes Secure Boot default keys
|
||||
-#
|
||||
-# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
|
||||
-# Copyright (c) 2021, Semihalf All rights reserved.<BR>
|
||||
-# Copyright (C) 2023-2025 Advanced Micro Devices, Inc. All rights reserved.
|
||||
-#
|
||||
-# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
-#
|
||||
-##
|
||||
-
|
||||
-[Defines]
|
||||
- INF_VERSION = 1.29
|
||||
- BASE_NAME = SecureBootDefaultKeysInit
|
||||
- FILE_GUID = 384D1860-7306-11F0-B8B4-F53A5CB787AC
|
||||
- MODULE_TYPE = DXE_DRIVER
|
||||
- VERSION_STRING = 1.0
|
||||
- ENTRY_POINT = SecureBootDefaultKeysInitEntry
|
||||
-
|
||||
-[Sources]
|
||||
- SecureBootDefaultKeysInit.c
|
||||
-
|
||||
-[Packages]
|
||||
- MdeModulePkg/MdeModulePkg.dec
|
||||
- MdePkg/MdePkg.dec
|
||||
- SecurityPkg/SecurityPkg.dec
|
||||
-
|
||||
-[LibraryClasses]
|
||||
- DebugLib
|
||||
- DxeServicesLib
|
||||
- SecureBootVariableLib
|
||||
- SecureBootVariableProvisionLib
|
||||
- UefiBootServicesTableLib
|
||||
- UefiDriverEntryPoint
|
||||
-
|
||||
-[Guids]
|
||||
- gDefaultdbFileGuid
|
||||
- gDefaultdbxFileGuid
|
||||
- gDefaultKEKFileGuid
|
||||
- gDefaultPKFileGuid
|
||||
- gEfiCertPkcs7Guid
|
||||
- gEfiCertX509Guid
|
||||
- gEfiCustomModeEnableGuid
|
||||
- gEfiImageSecurityDatabaseGuid
|
||||
- gEfiSecureBootEnableDisableGuid
|
||||
-
|
||||
-[Depex]
|
||||
- gEfiVariableArchProtocolGuid AND
|
||||
- gEfiVariableWriteArchProtocolGuid
|
||||
diff --git a/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc b/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
|
||||
index a7c4f842bb..0c1162b845 100644
|
||||
--- a/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
|
||||
+++ b/OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc
|
||||
@@ -392,7 +392,7 @@
|
||||
!endif
|
||||
}
|
||||
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
- OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
|
||||
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
|
||||
!else
|
||||
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
|
||||
!endif
|
||||
diff --git a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
|
||||
index 1f37eb6894..a71ce1ae0b 100644
|
||||
--- a/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
|
||||
+++ b/OvmfPkg/RiscVVirt/RiscVVirtQemu.fdf
|
||||
@@ -89,24 +89,6 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
|
||||
!endif
|
||||
!if $(SECURE_BOOT_ENABLE) == TRUE
|
||||
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
|
||||
- INF OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf
|
||||
-
|
||||
- FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
|
||||
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/PK/PK.cer
|
||||
- }
|
||||
-
|
||||
- FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
|
||||
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/KEK/MicCorKEKCA2011_2011-06-24.crt
|
||||
- }
|
||||
-
|
||||
- FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
|
||||
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/db/MicWinProPCA2011_2011-10-19.crt
|
||||
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/db/MicCorUEFCA2011_2011-06-27.crt
|
||||
- }
|
||||
-
|
||||
- FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
|
||||
- SECTION RAW = OvmfPkg/RiscVVirt/Feature/SecureBoot/SecureBootKeys/dbx/dbxupdate_x64.bin
|
||||
- }
|
||||
!endif
|
||||
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
|
||||
INF MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
|
||||
--
|
||||
2.51.0
|
||||
|
||||
@@ -1,781 +0,0 @@
|
||||
From e868ece3c7d12be79f46da64b7c841d0486ac621 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Wed, 11 Dec 2024 11:48:07 +0100
|
||||
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Add TPM2 lib supporting SVSM
|
||||
vTPM
|
||||
|
||||
SEV-SNP provides a feature known as VM Privilege Level (VMPL), which
|
||||
allows for services to be run in the guest at different privilege
|
||||
levels. By running at VMPL0 (most privileged VM level), the SVSM can be
|
||||
used to provide privileged services, e.g. a virtual TPM, for the guest
|
||||
rather than trust such services from the hypervisor.
|
||||
|
||||
This patch adds a DTpm driver to communicate with a virtual TPM running
|
||||
in the SVSM. The driver follows the vTPM protocol documented in the SVSM
|
||||
specification.
|
||||
|
||||
SVSM vTPM functionality is available as new device and instance
|
||||
libraries, which can be consumed optionally, keeping changes to the
|
||||
regular TPM implementation minimal.
|
||||
|
||||
Cc: Jiewen Yao <jiewen.yao@intel.com>
|
||||
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
.../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c | 96 +++++++++++
|
||||
.../Tpm2DeviceLibDTpmSvsm.inf | 66 ++++++++
|
||||
.../Tpm2InstanceLibDTpmSvsm.c | 64 ++++++++
|
||||
.../Tpm2InstanceLibDTpmSvsm.inf | 60 +++++++
|
||||
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 2 +-
|
||||
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c | 123 ++++++++++++++
|
||||
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h | 30 ++++
|
||||
.../Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c | 152 ++++++++++++++++++
|
||||
.../Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h | 25 +++
|
||||
SecurityPkg/SecurityPkg.ci.yaml | 1 +
|
||||
SecurityPkg/SecurityPkg.dec | 10 ++
|
||||
SecurityPkg/SecurityPkg.dsc | 12 ++
|
||||
12 files changed, 640 insertions(+), 1 deletion(-)
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
|
||||
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
|
||||
new file mode 100644
|
||||
index 0000000000..922b859168
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
|
||||
@@ -0,0 +1,96 @@
|
||||
+/** @file
|
||||
+ This library is a TPM2 DTPM instance, supporting SVSM based vTPMs and regular
|
||||
+ TPM2s at the same time.
|
||||
+ Choosing this library means platform uses and only uses DTPM device as TPM2 engine.
|
||||
+
|
||||
+Copyright (c) 2024 Red Hat
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <Library/BaseLib.h>
|
||||
+#include <Library/Tpm2DeviceLib.h>
|
||||
+
|
||||
+#include "Tpm2DeviceLibDTpm.h"
|
||||
+#include "Tpm2PtpSvsmShim.h"
|
||||
+
|
||||
+/**
|
||||
+ This service enables the sending of commands to the TPM2.
|
||||
+
|
||||
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
|
||||
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
|
||||
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
|
||||
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
|
||||
+
|
||||
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
|
||||
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
|
||||
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+Tpm2SubmitCommand (
|
||||
+ IN UINT32 InputParameterBlockSize,
|
||||
+ IN UINT8 *InputParameterBlock,
|
||||
+ IN OUT UINT32 *OutputParameterBlockSize,
|
||||
+ IN UINT8 *OutputParameterBlock
|
||||
+ )
|
||||
+{
|
||||
+ return SvsmDTpm2SubmitCommand (
|
||||
+ InputParameterBlockSize,
|
||||
+ InputParameterBlock,
|
||||
+ OutputParameterBlockSize,
|
||||
+ OutputParameterBlock
|
||||
+ );
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This service requests to use TPM2.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
|
||||
+ @retval EFI_NOT_FOUND TPM2 not found.
|
||||
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+Tpm2RequestUseTpm (
|
||||
+ VOID
|
||||
+ )
|
||||
+{
|
||||
+ return SvsmDTpm2RequestUseTpm ();
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This service registers a TPM2 device.
|
||||
+
|
||||
+ @param Tpm2Device TPM2 device
|
||||
+
|
||||
+ @retval EFI_SUCCESS TPM2 device was registered successfully.
|
||||
+ @retval EFI_UNSUPPORTED System does not support registering this TPM2 device.
|
||||
+ @retval EFI_ALREADY_STARTED This TPM2 device is already registered.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+Tpm2RegisterTpm2DeviceLib (
|
||||
+ IN TPM2_DEVICE_INTERFACE *Tpm2Device
|
||||
+ )
|
||||
+{
|
||||
+ return EFI_UNSUPPORTED;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ Initialize the library and cache SVSM vTPM presence state and TPM interface type, if applicable.
|
||||
+
|
||||
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+Tpm2DeviceLibConstructorSvsm (
|
||||
+ VOID
|
||||
+ )
|
||||
+{
|
||||
+ if (TryUseSvsmVTpm ()) {
|
||||
+ return EFI_SUCCESS;
|
||||
+ } else {
|
||||
+ return InternalTpm2DeviceLibDTpmCommonConstructor ();
|
||||
+ }
|
||||
+}
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
|
||||
new file mode 100644
|
||||
index 0000000000..da48bd3c60
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
|
||||
@@ -0,0 +1,66 @@
|
||||
+## @file
|
||||
+# Provides SVSM based vTPM and regular TPM 2.0 TIS/PTP functions for DTPM
|
||||
+#
|
||||
+# Spec Compliance Info:
|
||||
+# "TCG PC Client Platform TPM Profile(PTP) Specification Family 2.0 Level 00 Revision 00.43"
|
||||
+# "TCG PC Client Specific TPM Interface Specification(TIS) Version 1.3"
|
||||
+#
|
||||
+# This library implements TIS (TPM Interface Specification) and
|
||||
+# PTP (Platform TPM Profile) functions which is
|
||||
+# used for every TPM 2.0 command. Choosing this library means platform uses and
|
||||
+# only uses TPM 2.0 DTPM device.
|
||||
+#
|
||||
+# This version of the library additionally supports SVSM based vTPMs for confidential
|
||||
+# virtual machines under AMD-SEV SNP.
|
||||
+#
|
||||
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
+# Copyright (c) Microsoft Corporation.
|
||||
+# Copyright (c) 2024 Red Hat
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+#
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
+ INF_VERSION = 1.30
|
||||
+ BASE_NAME = Tpm2DeviceLibDTpmSvsm
|
||||
+ MODULE_UNI_FILE = Tpm2DeviceLibDTpm.uni
|
||||
+ FILE_GUID = EE79D4E4-8538-4FE6-A7EF-4095CB6B38E7
|
||||
+ MODULE_TYPE = BASE
|
||||
+ VERSION_STRING = 1.0
|
||||
+ LIBRARY_CLASS = Tpm2DeviceLib|PEIM DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
|
||||
+ CONSTRUCTOR = Tpm2DeviceLibConstructorSvsm
|
||||
+#
|
||||
+# The following information is for reference only and not required by the build tools.
|
||||
+#
|
||||
+# VALID_ARCHITECTURES = X64
|
||||
+#
|
||||
+
|
||||
+[Sources]
|
||||
+ Tpm2Tis.c
|
||||
+ Tpm2Svsm.c
|
||||
+ Tpm2PtpSvsmShim.c
|
||||
+ Tpm2Ptp.c
|
||||
+ Tpm2DeviceLibDTpmSvsm.c
|
||||
+ Tpm2DeviceLibDTpmBase.c
|
||||
+ Tpm2DeviceLibDTpm.h
|
||||
+
|
||||
+[Packages]
|
||||
+ MdePkg/MdePkg.dec
|
||||
+ SecurityPkg/SecurityPkg.dec
|
||||
+ UefiCpuPkg/UefiCpuPkg.dec
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+ BaseLib
|
||||
+ BaseMemoryLib
|
||||
+ IoLib
|
||||
+ TimerLib
|
||||
+ DebugLib
|
||||
+ PcdLib
|
||||
+ AmdSvsmLib
|
||||
+
|
||||
+[Pcd]
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## CONSUMES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType ## PRODUCES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
|
||||
new file mode 100644
|
||||
index 0000000000..fda0b86347
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
|
||||
@@ -0,0 +1,64 @@
|
||||
+/** @file
|
||||
+ This library is a TPM2 DTPM instance, supporting SVSM based vTPMs and regular
|
||||
+ TPM2s at the same time.
|
||||
+
|
||||
+ It can be registered to Tpm2 Device router, to be active TPM2 engine,
|
||||
+ based on platform setting.
|
||||
+
|
||||
+Copyright (c) 2024 Red Hat
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <Library/BaseLib.h>
|
||||
+#include <Library/Tpm2DeviceLib.h>
|
||||
+
|
||||
+#include <Guid/TpmInstance.h>
|
||||
+
|
||||
+#include "Tpm2Ptp.h"
|
||||
+#include "Tpm2DeviceLibDTpm.h"
|
||||
+#include "Tpm2PtpSvsmShim.h"
|
||||
+
|
||||
+TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
|
||||
+ TPM_DEVICE_INTERFACE_TPM20_DTPM,
|
||||
+ SvsmDTpm2SubmitCommand,
|
||||
+ SvsmDTpm2RequestUseTpm,
|
||||
+};
|
||||
+
|
||||
+/**
|
||||
+ Registers DTPM2.0 instance and caches current active TPM interface type.
|
||||
+
|
||||
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+Tpm2InstanceLibDTpmConstructorSvsm (
|
||||
+ VOID
|
||||
+ )
|
||||
+{
|
||||
+ EFI_STATUS Status;
|
||||
+
|
||||
+ Status = Tpm2RegisterTpm2DeviceLib (&mDTpm2InternalTpm2Device);
|
||||
+
|
||||
+ if (Status == EFI_UNSUPPORTED) {
|
||||
+ //
|
||||
+ // Unsupported means platform policy does not need this instance enabled.
|
||||
+ //
|
||||
+ return EFI_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ if (Status != EFI_SUCCESS) {
|
||||
+ return Status;
|
||||
+ }
|
||||
+
|
||||
+ if (TryUseSvsmVTpm ()) {
|
||||
+ // SVSM vTPM found.
|
||||
+ return EFI_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ // No SVSM vTPM found; set up regular DTPM Ptp implementation
|
||||
+ Status = InternalTpm2DeviceLibDTpmCommonConstructor ();
|
||||
+ DumpPtpInfo ((VOID *)(UINTN)PcdGet64 (PcdTpmBaseAddress));
|
||||
+
|
||||
+ return Status;
|
||||
+}
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
|
||||
new file mode 100644
|
||||
index 0000000000..4baf363c11
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
|
||||
@@ -0,0 +1,60 @@
|
||||
+## @file
|
||||
+# Provides a DTPM instance for SVSM based vTPMs and TPM 2.0 TIS/PTP.
|
||||
+#
|
||||
+# This library can be registered to Tpm 2.0 device router, to be active TPM 2.0
|
||||
+# engine, based on platform setting. It supports both TIS (TPM Interface Specification)
|
||||
+# and PTP (Platform TPM Profile) functions.
|
||||
+#
|
||||
+# This version of the library additionally supports SVSM based vTPMs for confidential
|
||||
+# virtual machines under AMD SEV-SNP.
|
||||
+#
|
||||
+# Copyright (c) 2024 Red Hat
|
||||
+# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+#
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
+ INF_VERSION = 1.30
|
||||
+ BASE_NAME = Tpm2InstanceLibDTpmSvsm
|
||||
+ MODULE_UNI_FILE = Tpm2InstanceLibDTpm.uni
|
||||
+ FILE_GUID = C7777207-A8DF-47E4-AA3C-E8BF74E7F233
|
||||
+ MODULE_TYPE = BASE
|
||||
+ VERSION_STRING = 1.0
|
||||
+ LIBRARY_CLASS = NULL
|
||||
+ CONSTRUCTOR = Tpm2InstanceLibDTpmConstructorSvsm
|
||||
+
|
||||
+#
|
||||
+# The following information is for reference only and not required by the build tools.
|
||||
+#
|
||||
+# VALID_ARCHITECTURES = X64
|
||||
+#
|
||||
+
|
||||
+[Sources]
|
||||
+ Tpm2Tis.c
|
||||
+ Tpm2Svsm.c
|
||||
+ Tpm2Ptp.c
|
||||
+ Tpm2PtpSvsmShim.c
|
||||
+ Tpm2InstanceLibDTpmSvsm.c
|
||||
+ Tpm2DeviceLibDTpmBase.c
|
||||
+ Tpm2DeviceLibDTpm.h
|
||||
+
|
||||
+[Packages]
|
||||
+ MdePkg/MdePkg.dec
|
||||
+ SecurityPkg/SecurityPkg.dec
|
||||
+ UefiCpuPkg/UefiCpuPkg.dec
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+ BaseLib
|
||||
+ BaseMemoryLib
|
||||
+ IoLib
|
||||
+ TimerLib
|
||||
+ DebugLib
|
||||
+ PcdLib
|
||||
+ AmdSvsmLib
|
||||
+
|
||||
+[Pcd]
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## CONSUMES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType ## PRODUCES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
|
||||
index 238d6e8dba..95e7ce246a 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/** @file
|
||||
- PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
|
||||
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by DTPM2.0 library.
|
||||
|
||||
Copyright (c) 2024 Red Hat
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
|
||||
new file mode 100644
|
||||
index 0000000000..8a49fe936f
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
|
||||
@@ -0,0 +1,123 @@
|
||||
+/** @file
|
||||
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface shim that switches between
|
||||
+ SVSM vTPM Ptp and regular Ptp implementations.
|
||||
+
|
||||
+ Use TryUseSvsmVTpm () do check for SVSM vTPM presnece and initialzie the shim.
|
||||
+
|
||||
+ The SVSM vTPM presence state is cached across library instances.
|
||||
+
|
||||
+Copyright (c) 2024 Red Hat
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <Uefi.h>
|
||||
+#include <Library/Tpm2DeviceLib.h>
|
||||
+#include <Library/PcdLib.h>
|
||||
+#include <Library/DebugLib.h>
|
||||
+#include "Tpm2Ptp.h"
|
||||
+#include "Tpm2Svsm.h"
|
||||
+
|
||||
+/// SVSM vTPM presence state as stored in PcdSvsmVTpmPresence
|
||||
+/// @{
|
||||
+#define SVSM_VTPM_PRESENCE_UNKNOWN 0xFF
|
||||
+#define SVSM_VTPM_PRESENT 0x01
|
||||
+#define SVSM_VTPM_ABSENT 0x00
|
||||
+/// @}
|
||||
+
|
||||
+static BOOLEAN mUseSvsmVTpm = FALSE;
|
||||
+
|
||||
+/**
|
||||
+ Initializes SVSM vTPM if present, or otherwise uses TCG PTP method.
|
||||
+
|
||||
+ If an SVSM based vTPM is found, use it from now on.
|
||||
+ If none is found, call the regular Ptp TPM implementation instead.
|
||||
+
|
||||
+ This function is meant to be called from the DTpm library constructor.
|
||||
+ If it has not been called, the regular Ptp implementation is used.
|
||||
+
|
||||
+ @retval TRUE SVSM vTPM is present.
|
||||
+ @retval FALSE SVSM vTPM was not discovered.
|
||||
+ */
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+TryUseSvsmVTpm (
|
||||
+ )
|
||||
+{
|
||||
+ UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);
|
||||
+
|
||||
+ if (SvsmVTpmPresence == SVSM_VTPM_PRESENCE_UNKNOWN) {
|
||||
+ SvsmVTpmPresence = Tpm2SvsmQueryTpmSendCmd () ? SVSM_VTPM_PRESENT : SVSM_VTPM_ABSENT;
|
||||
+ PcdSet8S (PcdSvsmVTpmPresence, SvsmVTpmPresence);
|
||||
+ if (SvsmVTpmPresence == SVSM_VTPM_PRESENT) {
|
||||
+ DEBUG ((DEBUG_INFO, " Found SVSM vTPM\n"));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ mUseSvsmVTpm = SvsmVTpmPresence == SVSM_VTPM_PRESENT;
|
||||
+ return mUseSvsmVTpm;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This service enables the sending of commands to the selected TPM2.
|
||||
+
|
||||
+ Commands are send to either the SVSM vTPM or the regular Ptp based TPM, depending
|
||||
+ on what was discovered by TryUseSvsmVTpm ().
|
||||
+
|
||||
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
|
||||
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
|
||||
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
|
||||
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
|
||||
+
|
||||
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
|
||||
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
|
||||
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SvsmDTpm2SubmitCommand (
|
||||
+ IN UINT32 InputParameterBlockSize,
|
||||
+ IN UINT8 *InputParameterBlock,
|
||||
+ IN OUT UINT32 *OutputParameterBlockSize,
|
||||
+ IN UINT8 *OutputParameterBlock
|
||||
+ )
|
||||
+{
|
||||
+ if (mUseSvsmVTpm) {
|
||||
+ return Tpm2SvsmTpmSendCommand (
|
||||
+ InputParameterBlock,
|
||||
+ InputParameterBlockSize,
|
||||
+ OutputParameterBlock,
|
||||
+ OutputParameterBlockSize
|
||||
+ );
|
||||
+ } else {
|
||||
+ return DTpm2SubmitCommand (
|
||||
+ InputParameterBlockSize,
|
||||
+ InputParameterBlock,
|
||||
+ OutputParameterBlockSize,
|
||||
+ OutputParameterBlock
|
||||
+ );
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ This service requests to use TPM2.
|
||||
+
|
||||
+ Depending on what was discovered by TryUseSvsmVTpm (), this function either
|
||||
+ returns EFI_SUCCESS, for SVSM vTPM, or calls the regular Ptp implementation.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
|
||||
+ @retval EFI_NOT_FOUND TPM2 not found.
|
||||
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SvsmDTpm2RequestUseTpm (
|
||||
+ VOID
|
||||
+ )
|
||||
+{
|
||||
+ if (mUseSvsmVTpm) {
|
||||
+ return EFI_SUCCESS;
|
||||
+ } else {
|
||||
+ return DTpm2RequestUseTpm ();
|
||||
+ }
|
||||
+}
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
|
||||
new file mode 100644
|
||||
index 0000000000..6a604f8020
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
|
||||
@@ -0,0 +1,30 @@
|
||||
+/** @file
|
||||
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface shim that switches between
|
||||
+ SVSM vTPM Ptp and regular Ptp implementations.
|
||||
+
|
||||
+ Use TryUseSvsmVTpm () do check for SVSM vTPM presnece and initialzie the shim.
|
||||
+
|
||||
+Copyright (c) 2024 Red Hat
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+TryUseSvsmVTpm (
|
||||
+ );
|
||||
+
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SvsmDTpm2SubmitCommand (
|
||||
+ IN UINT32 InputParameterBlockSize,
|
||||
+ IN UINT8 *InputParameterBlock,
|
||||
+ IN OUT UINT32 *OutputParameterBlockSize,
|
||||
+ IN UINT8 *OutputParameterBlock
|
||||
+ );
|
||||
+
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+SvsmDTpm2RequestUseTpm (
|
||||
+ VOID
|
||||
+ );
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
|
||||
new file mode 100644
|
||||
index 0000000000..d9b5907c75
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
|
||||
@@ -0,0 +1,152 @@
|
||||
+/** @file
|
||||
+ SVSM TPM communication
|
||||
+
|
||||
+Copyright (C) 2024 James.Bottomley@HansenPartnership.com
|
||||
+Copyright (C) 2024 IBM Corporation
|
||||
+Copyright (C) 2024 Red Hat
|
||||
+
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <Uefi.h>
|
||||
+#include <Library/BaseLib.h>
|
||||
+#include <Library/BaseMemoryLib.h>
|
||||
+#include <Library/MemoryAllocationLib.h>
|
||||
+#include <Library/AmdSvsmLib.h>
|
||||
+#include <Library/PcdLib.h>
|
||||
+
|
||||
+#include "Tpm2Svsm.h"
|
||||
+
|
||||
+/**
|
||||
+ Platform commands (MSSIM commands) can be sent through the
|
||||
+ SVSM_VTPM_CMD operation. Each command can have its own
|
||||
+ request and response structures.
|
||||
+**/
|
||||
+#define TPM_SEND_COMMAND 8
|
||||
+
|
||||
+#pragma pack(1)
|
||||
+typedef struct _TPM2_SEND_CMD_REQ {
|
||||
+ UINT32 Cmd;
|
||||
+ UINT8 Locality;
|
||||
+ UINT32 BufSize;
|
||||
+ UINT8 Buf[];
|
||||
+} TPM2_SEND_CMD_REQ;
|
||||
+
|
||||
+typedef struct _TPM2_SEND_CMD_RESP {
|
||||
+ UINT32 Size;
|
||||
+ UINT8 Buf[];
|
||||
+} TPM2_SEND_CMD_RESP;
|
||||
+#pragma pack()
|
||||
+
|
||||
+/* Max req/resp buffer size */
|
||||
+#define TPM_PLATFORM_MAX_BUFFER 4096
|
||||
+
|
||||
+typedef union {
|
||||
+ TPM2_SEND_CMD_REQ req;
|
||||
+ TPM2_SEND_CMD_RESP resp;
|
||||
+} SVSM_TPM_CMD_BUFFER;
|
||||
+
|
||||
+STATIC_ASSERT (sizeof (SVSM_TPM_CMD_BUFFER) <= TPM_PLATFORM_MAX_BUFFER, "SVSM_TPM_CMD_BUFFER too large");
|
||||
+
|
||||
+/**
|
||||
+ Probe the SVSM vTPM for TPM_SEND_COMMAND support. The
|
||||
+ TPM_SEND_COMMAND platform command can be used to execute a
|
||||
+ TPM command and get the result.
|
||||
+
|
||||
+ @retval TRUE TPM_SEND_COMMAND is supported.
|
||||
+ @retval FALSE TPM_SEND_COMMAND is not supported.
|
||||
+
|
||||
+**/
|
||||
+BOOLEAN
|
||||
+Tpm2SvsmQueryTpmSendCmd (
|
||||
+ VOID
|
||||
+ )
|
||||
+{
|
||||
+ UINT64 PlatformCmdBitmap;
|
||||
+ UINT64 TpmSendMask;
|
||||
+
|
||||
+ PlatformCmdBitmap = 0;
|
||||
+ TpmSendMask = 1 << TPM_SEND_COMMAND;
|
||||
+
|
||||
+ if (!AmdSvsmVtpmQuery (&PlatformCmdBitmap, NULL)) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ return ((PlatformCmdBitmap & TpmSendMask) == TpmSendMask) ? TRUE : FALSE;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ Send a TPM command to the SVSM vTPM and return the TPM response.
|
||||
+
|
||||
+ @param[in] BufferIn It should contain the marshaled
|
||||
+ TPM command.
|
||||
+ @param[in] SizeIn Size of the TPM command.
|
||||
+ @param[out] BufferOut It will contain the marshaled
|
||||
+ TPM response.
|
||||
+ @param[in, out] SizeOut Size of the BufferOut; it will also
|
||||
+ be used to return the size of the
|
||||
+ TPM response
|
||||
+
|
||||
+ @retval EFI_SUCCESS Operation completed successfully.
|
||||
+ @retval EFI_INVALID_PARAMETER Buffer not provided.
|
||||
+ @retval EFI_BUFFER_TOO_SMALL Response data buffer is too small.
|
||||
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
|
||||
+ @retval EFI_OUT_OF_RESOURCES Out of memory when allocating internal buffer.
|
||||
+ @retval EFI_UNSUPPORTED Unsupported TPM version
|
||||
+
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+Tpm2SvsmTpmSendCommand (
|
||||
+ IN UINT8 *BufferIn,
|
||||
+ IN UINT32 SizeIn,
|
||||
+ OUT UINT8 *BufferOut,
|
||||
+ IN OUT UINT32 *SizeOut
|
||||
+ )
|
||||
+{
|
||||
+ STATIC SVSM_TPM_CMD_BUFFER *Buffer = NULL;
|
||||
+
|
||||
+ if ((SizeIn == 0) || !BufferIn || !SizeOut || !BufferOut) {
|
||||
+ return EFI_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ if (SizeIn > TPM_PLATFORM_MAX_BUFFER - sizeof (TPM2_SEND_CMD_REQ)) {
|
||||
+ return EFI_BUFFER_TOO_SMALL;
|
||||
+ }
|
||||
+
|
||||
+ if (Buffer == NULL) {
|
||||
+ STATIC_ASSERT (sizeof (UINT64) >= sizeof (UINTN), "Pointer size larger than 64bit");
|
||||
+ Buffer = (SVSM_TPM_CMD_BUFFER *)(UINTN)PcdGet64 (PcdSvsmVTpmBufferPtr);
|
||||
+
|
||||
+ if (Buffer == NULL) {
|
||||
+ Buffer = (SVSM_TPM_CMD_BUFFER *)AllocatePages (EFI_SIZE_TO_PAGES (TPM_PLATFORM_MAX_BUFFER));
|
||||
+ if (Buffer == NULL) {
|
||||
+ DEBUG ((DEBUG_ERROR, "Unable to allocate SVSM vTPM buffer: %r", EFI_OUT_OF_RESOURCES));
|
||||
+ return EFI_OUT_OF_RESOURCES;
|
||||
+ }
|
||||
+
|
||||
+ PcdSet64S (PcdSvsmVTpmBufferPtr, (UINTN)(VOID *)Buffer);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ Buffer->req.Cmd = TPM_SEND_COMMAND;
|
||||
+ Buffer->req.Locality = 0;
|
||||
+ Buffer->req.BufSize = SizeIn;
|
||||
+ CopyMem (Buffer->req.Buf, BufferIn, SizeIn);
|
||||
+
|
||||
+ if (!AmdSvsmVtpmCmd ((UINT8 *)Buffer)) {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if (Buffer->resp.Size > TPM_PLATFORM_MAX_BUFFER - sizeof (TPM2_SEND_CMD_RESP)) {
|
||||
+ return EFI_DEVICE_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if (Buffer->resp.Size > *SizeOut) {
|
||||
+ return EFI_BUFFER_TOO_SMALL;
|
||||
+ }
|
||||
+
|
||||
+ CopyMem (BufferOut, Buffer->resp.Buf, Buffer->resp.Size);
|
||||
+ *SizeOut = Buffer->resp.Size;
|
||||
+ return EFI_SUCCESS;
|
||||
+}
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
|
||||
new file mode 100644
|
||||
index 0000000000..f94901601f
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
|
||||
@@ -0,0 +1,25 @@
|
||||
+/** @file
|
||||
+ SVSM TPM communication
|
||||
+
|
||||
+Copyright (C) 2024 James.Bottomley@HansenPartnership.com
|
||||
+Copyright (C) 2024 IBM Corporation
|
||||
+Copyright (C) 2024 Red Hat
|
||||
+
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <Library/BaseLib.h>
|
||||
+
|
||||
+BOOLEAN
|
||||
+Tpm2SvsmQueryTpmSendCmd (
|
||||
+ VOID
|
||||
+ );
|
||||
+
|
||||
+EFI_STATUS
|
||||
+Tpm2SvsmTpmSendCommand (
|
||||
+ IN UINT8 *BufferIn,
|
||||
+ IN UINT32 SizeIn,
|
||||
+ OUT UINT8 *BufferOut,
|
||||
+ IN OUT UINT32 *SizeOut
|
||||
+ );
|
||||
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
|
||||
index 26fedd179c..a0fa965381 100644
|
||||
--- a/SecurityPkg/SecurityPkg.ci.yaml
|
||||
+++ b/SecurityPkg/SecurityPkg.ci.yaml
|
||||
@@ -48,6 +48,7 @@
|
||||
"AcceptableDependencies": [
|
||||
"MdePkg/MdePkg.dec",
|
||||
"MdeModulePkg/MdeModulePkg.dec",
|
||||
+ "UefiCpuPkg/UefiCpuPkg.dec",
|
||||
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec",
|
||||
"SecurityPkg/SecurityPkg.dec",
|
||||
"StandaloneMmPkg/StandaloneMmPkg.dec",
|
||||
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
|
||||
index 0589cfaf68..17fd0aeb81 100644
|
||||
--- a/SecurityPkg/SecurityPkg.dec
|
||||
+++ b/SecurityPkg/SecurityPkg.dec
|
||||
@@ -604,6 +604,16 @@
|
||||
## This PCD records LASA field in CC EVENTLOG ACPI table.
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026
|
||||
|
||||
+ ## This PCD caches the presence state of a AMD SEV-SNP SVSM-provided vTPM.
|
||||
+ # 0xFF - Unknown - Probing needed
|
||||
+ # 0x00 - No - Use regular TPM
|
||||
+ # 0x01 - Yes - SVSM vTPM present
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence|0xFF|UINT8|0x00020030
|
||||
+
|
||||
+ ## This PCD stores the pointer to the communication buffer for a
|
||||
+ # AMD SEV-SNP SVSM-provided vTPM.
|
||||
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr|0|UINT64|0x00020031
|
||||
+
|
||||
[PcdsFeatureFlag]
|
||||
## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode.
|
||||
# TRUE - Require PK to be self-signed.
|
||||
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
|
||||
index ea6a14c328..945a2dd393 100644
|
||||
--- a/SecurityPkg/SecurityPkg.dsc
|
||||
+++ b/SecurityPkg/SecurityPkg.dsc
|
||||
@@ -369,6 +369,18 @@
|
||||
TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
|
||||
}
|
||||
|
||||
+ #
|
||||
+ # AMD SEV-SNP SVSM vTPM
|
||||
+ #
|
||||
+ SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf {
|
||||
+ <LibraryClasses>
|
||||
+ AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
|
||||
+ }
|
||||
+ SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf {
|
||||
+ <LibraryClasses>
|
||||
+ AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
|
||||
+ }
|
||||
+
|
||||
#
|
||||
# Hash2
|
||||
#
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,199 +0,0 @@
|
||||
From edf5e365c104fb86623b6359ac53d79777d521bf Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Mon, 16 Dec 2024 17:25:36 +0100
|
||||
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Add header file for Tpm2Ptp.c
|
||||
|
||||
A some of functions implemented in Tpm2Ptp.c are forward declared in a
|
||||
couple of places. To clean this up, introduce a header that contains
|
||||
these declarations in a central place and use it instead.
|
||||
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
.../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c | 35 +-----------
|
||||
.../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c | 45 +---------------
|
||||
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 2 +
|
||||
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 53 +++++++++++++++++++
|
||||
4 files changed, 57 insertions(+), 78 deletions(-)
|
||||
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
|
||||
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
|
||||
index e0897417ba..828fb856ad 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
|
||||
@@ -13,42 +13,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#include <Library/Tpm2DeviceLib.h>
|
||||
#include <Library/PcdLib.h>
|
||||
|
||||
+#include "Tpm2Ptp.h"
|
||||
#include "Tpm2DeviceLibDTpm.h"
|
||||
|
||||
-/**
|
||||
- This service enables the sending of commands to the TPM2.
|
||||
-
|
||||
- @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
|
||||
- @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
|
||||
- @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
|
||||
- @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
|
||||
-
|
||||
- @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
|
||||
- @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
|
||||
- @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-EFIAPI
|
||||
-DTpm2SubmitCommand (
|
||||
- IN UINT32 InputParameterBlockSize,
|
||||
- IN UINT8 *InputParameterBlock,
|
||||
- IN OUT UINT32 *OutputParameterBlockSize,
|
||||
- IN UINT8 *OutputParameterBlock
|
||||
- );
|
||||
-
|
||||
-/**
|
||||
- This service requests use TPM2.
|
||||
-
|
||||
- @retval EFI_SUCCESS Get the control of TPM2 chip.
|
||||
- @retval EFI_NOT_FOUND TPM2 not found.
|
||||
- @retval EFI_DEVICE_ERROR Unexpected device behavior.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-EFIAPI
|
||||
-DTpm2RequestUseTpm (
|
||||
- VOID
|
||||
- );
|
||||
-
|
||||
/**
|
||||
This service enables the sending of commands to the TPM2.
|
||||
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
|
||||
index 11796d5b97..2762626575 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
|
||||
@@ -16,52 +16,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
#include <Guid/TpmInstance.h>
|
||||
|
||||
+#include "Tpm2Ptp.h"
|
||||
#include "Tpm2DeviceLibDTpm.h"
|
||||
|
||||
-/**
|
||||
- Dump PTP register information.
|
||||
-
|
||||
- @param[in] Register Pointer to PTP register.
|
||||
-**/
|
||||
-VOID
|
||||
-DumpPtpInfo (
|
||||
- IN VOID *Register
|
||||
- );
|
||||
-
|
||||
-/**
|
||||
- This service enables the sending of commands to the TPM2.
|
||||
-
|
||||
- @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
|
||||
- @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
|
||||
- @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
|
||||
- @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
|
||||
-
|
||||
- @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
|
||||
- @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
|
||||
- @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-EFIAPI
|
||||
-DTpm2SubmitCommand (
|
||||
- IN UINT32 InputParameterBlockSize,
|
||||
- IN UINT8 *InputParameterBlock,
|
||||
- IN OUT UINT32 *OutputParameterBlockSize,
|
||||
- IN UINT8 *OutputParameterBlock
|
||||
- );
|
||||
-
|
||||
-/**
|
||||
- This service requests use TPM2.
|
||||
-
|
||||
- @retval EFI_SUCCESS Get the control of TPM2 chip.
|
||||
- @retval EFI_NOT_FOUND TPM2 not found.
|
||||
- @retval EFI_DEVICE_ERROR Unexpected device behavior.
|
||||
-**/
|
||||
-EFI_STATUS
|
||||
-EFIAPI
|
||||
-DTpm2RequestUseTpm (
|
||||
- VOID
|
||||
- );
|
||||
-
|
||||
TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
|
||||
TPM_DEVICE_INTERFACE_TPM20_DTPM,
|
||||
DTpm2SubmitCommand,
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
|
||||
index dee01d9707..d1565c72d7 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
|
||||
@@ -22,6 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
#include "Tpm2DeviceLibDTpm.h"
|
||||
|
||||
+#include "Tpm2Ptp.h"
|
||||
+
|
||||
//
|
||||
// Execution of the command may take from several seconds to minutes for certain
|
||||
// commands, such as key generation.
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
|
||||
new file mode 100644
|
||||
index 0000000000..238d6e8dba
|
||||
--- /dev/null
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
|
||||
@@ -0,0 +1,53 @@
|
||||
+/** @file
|
||||
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
|
||||
+
|
||||
+Copyright (c) 2024 Red Hat
|
||||
+SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include <Uefi.h>
|
||||
+
|
||||
+/**
|
||||
+ Dump PTP register information.
|
||||
+
|
||||
+ @param[in] Register Pointer to PTP register.
|
||||
+**/
|
||||
+VOID
|
||||
+DumpPtpInfo (
|
||||
+ IN VOID *Register
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ This service enables the sending of commands to the TPM2.
|
||||
+
|
||||
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
|
||||
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
|
||||
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
|
||||
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
|
||||
+
|
||||
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
|
||||
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
|
||||
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+DTpm2SubmitCommand (
|
||||
+ IN UINT32 InputParameterBlockSize,
|
||||
+ IN UINT8 *InputParameterBlock,
|
||||
+ IN OUT UINT32 *OutputParameterBlockSize,
|
||||
+ IN UINT8 *OutputParameterBlock
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ This service requests use TPM2.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Get the control of TPM2 chip.
|
||||
+ @retval EFI_NOT_FOUND TPM2 not found.
|
||||
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+DTpm2RequestUseTpm (
|
||||
+ VOID
|
||||
+ );
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,153 +0,0 @@
|
||||
From c2d8e9236787270384bab6af9d9db0071468e9e5 Mon Sep 17 00:00:00 2001
|
||||
From: Jacob Xu <jacobhxu@google.com>
|
||||
Date: Fri, 28 Mar 2025 18:49:58 +0000
|
||||
Subject: [PATCH] SecurityPkg-Tpm2DeviceLibDTpm: Check SNP enabled prior to
|
||||
using AmdSvsmLib
|
||||
|
||||
AmdSvsmLib currently doesn't check if SNP enabled, thus using AmdSvsmLib
|
||||
may errantly cause the caller code to believe SVSM is present. This
|
||||
leads to boot failure on non-SNP enabled VMs.
|
||||
|
||||
We use the PcdConfidentialComputingGuestAttr since it remains valid
|
||||
after MpInitLib runs which invalidates PcdSevEsWorkArea's cached
|
||||
sev-status msr which we use to check for SNP enabled in other places.
|
||||
|
||||
The added functions ConfidentialComputingGuestHas() and
|
||||
AmdMemEncryptionAttrCheck() are copied from MpLib.c, which is intended
|
||||
to be replaced later on with a more minimal library perhaps in MdePkg to
|
||||
cleanup some of the circular dependencies currently surrounding SvsmLib.
|
||||
|
||||
Signed-off-by: Jacob Xu <jacobhxu@google.com>
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
---
|
||||
.../Tpm2DeviceLibDTpmSvsm.inf | 1 +
|
||||
.../Tpm2InstanceLibDTpmSvsm.inf | 1 +
|
||||
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c | 79 +++++++++++++++++++
|
||||
3 files changed, 81 insertions(+)
|
||||
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
|
||||
index da48bd3c60..0efcd4fca7 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
|
||||
@@ -64,3 +64,4 @@
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
|
||||
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
|
||||
index 4baf363c11..357dfeb21f 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
|
||||
@@ -58,3 +58,4 @@
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
|
||||
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
|
||||
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
|
||||
index 8a49fe936f..b8c592043a 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
|
||||
@@ -15,6 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
#include <Library/Tpm2DeviceLib.h>
|
||||
#include <Library/PcdLib.h>
|
||||
#include <Library/DebugLib.h>
|
||||
+#include <ConfidentialComputingGuestAttr.h>
|
||||
#include "Tpm2Ptp.h"
|
||||
#include "Tpm2Svsm.h"
|
||||
|
||||
@@ -27,6 +28,80 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
static BOOLEAN mUseSvsmVTpm = FALSE;
|
||||
|
||||
+/**
|
||||
+ The function check if the specified Attr is set.
|
||||
+
|
||||
+ @param[in] CurrentAttr The current attribute.
|
||||
+ @param[in] Attr The attribute to check.
|
||||
+
|
||||
+ @retval TRUE The specified Attr is set.
|
||||
+ @retval FALSE The specified Attr is not set.
|
||||
+
|
||||
+**/
|
||||
+STATIC
|
||||
+BOOLEAN
|
||||
+AmdMemEncryptionAttrCheck (
|
||||
+ IN UINT64 CurrentAttr,
|
||||
+ IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
|
||||
+ )
|
||||
+{
|
||||
+ UINT64 CurrentLevel;
|
||||
+
|
||||
+ CurrentLevel = CurrentAttr & CCAttrTypeMask;
|
||||
+
|
||||
+ switch (Attr) {
|
||||
+ case CCAttrAmdSev:
|
||||
+ //
|
||||
+ // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
|
||||
+ //
|
||||
+ return CurrentLevel >= CCAttrAmdSev;
|
||||
+ case CCAttrAmdSevEs:
|
||||
+ //
|
||||
+ // SEV-ES is automatically enabled if SEV-SNP is active.
|
||||
+ //
|
||||
+ return CurrentLevel >= CCAttrAmdSevEs;
|
||||
+ case CCAttrAmdSevSnp:
|
||||
+ return CurrentLevel == CCAttrAmdSevSnp;
|
||||
+ case CCAttrFeatureAmdSevEsDebugVirtualization:
|
||||
+ return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
|
||||
+ default:
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ Check if the specified confidential computing attribute is active.
|
||||
+
|
||||
+ @param[in] Attr The attribute to check.
|
||||
+
|
||||
+ @retval TRUE The specified Attr is active.
|
||||
+ @retval FALSE The specified Attr is not active.
|
||||
+
|
||||
+**/
|
||||
+STATIC
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+ConfidentialComputingGuestHas (
|
||||
+ IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
|
||||
+ )
|
||||
+{
|
||||
+ UINT64 CurrentAttr;
|
||||
+
|
||||
+ //
|
||||
+ // Get the current CC attribute.
|
||||
+ //
|
||||
+ CurrentAttr = PcdGet64 (PcdConfidentialComputingGuestAttr);
|
||||
+
|
||||
+ //
|
||||
+ // If attr is for the AMD group then call AMD specific checks.
|
||||
+ //
|
||||
+ if (((RShiftU64 (CurrentAttr, 8)) & 0xff) == 1) {
|
||||
+ return AmdMemEncryptionAttrCheck (CurrentAttr, Attr);
|
||||
+ }
|
||||
+
|
||||
+ return (CurrentAttr == Attr);
|
||||
+}
|
||||
+
|
||||
/**
|
||||
Initializes SVSM vTPM if present, or otherwise uses TCG PTP method.
|
||||
|
||||
@@ -44,6 +119,10 @@ EFIAPI
|
||||
TryUseSvsmVTpm (
|
||||
)
|
||||
{
|
||||
+ if (!ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);
|
||||
|
||||
if (SvsmVTpmPresence == SVSM_VTPM_PRESENCE_UNKNOWN) {
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,89 +0,0 @@
|
||||
From 87f454532a612066c3caacd240782fc40f31c152 Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Steffen <osteffen@redhat.com>
|
||||
Date: Tue, 7 Jan 2025 12:58:21 +0100
|
||||
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Improve spelling/grammar of
|
||||
comments
|
||||
|
||||
Fix some spelling/grammar mistakes in the documentation comments.
|
||||
|
||||
Suggested-by: Dionna Glaze <dionnaglaze@google.com>
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
.../Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c | 14 +++++++-------
|
||||
.../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c | 4 ++--
|
||||
SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 2 +-
|
||||
3 files changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
|
||||
index 7cc55df436..e0897417ba 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
|
||||
@@ -79,9 +79,9 @@ Tpm2SubmitCommand (
|
||||
}
|
||||
|
||||
/**
|
||||
- This service requests use TPM2.
|
||||
+ This service requests to use TPM2.
|
||||
|
||||
- @retval EFI_SUCCESS Get the control of TPM2 chip.
|
||||
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
|
||||
@retval EFI_NOT_FOUND TPM2 not found.
|
||||
@retval EFI_DEVICE_ERROR Unexpected device behavior.
|
||||
**/
|
||||
@@ -95,13 +95,13 @@ Tpm2RequestUseTpm (
|
||||
}
|
||||
|
||||
/**
|
||||
- This service register TPM2 device.
|
||||
+ This service registers a TPM2 device.
|
||||
|
||||
@param Tpm2Device TPM2 device
|
||||
|
||||
- @retval EFI_SUCCESS This TPM2 device is registered successfully.
|
||||
- @retval EFI_UNSUPPORTED System does not support register this TPM2 device.
|
||||
- @retval EFI_ALREADY_STARTED System already register this TPM2 device.
|
||||
+ @retval EFI_SUCCESS TPM2 device was registered successfully.
|
||||
+ @retval EFI_UNSUPPORTED System does not support registering this TPM2 device.
|
||||
+ @retval EFI_ALREADY_STARTED This TPM2 device is already registered.
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
@@ -115,7 +115,7 @@ Tpm2RegisterTpm2DeviceLib (
|
||||
/**
|
||||
The function caches current active TPM interface type.
|
||||
|
||||
- @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support register DTPM2.0 instance
|
||||
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
|
||||
index 7d3e4bef86..11796d5b97 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
|
||||
@@ -69,9 +69,9 @@ TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
|
||||
};
|
||||
|
||||
/**
|
||||
- The function register DTPM2.0 instance and caches current active TPM interface type.
|
||||
+ Registers DTPM2.0 instance and caches current active TPM interface type.
|
||||
|
||||
- @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support register DTPM2.0 instance
|
||||
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
|
||||
index eac9f0e299..dee01d9707 100644
|
||||
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
|
||||
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/** @file
|
||||
- PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
|
||||
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by DTPM2.0 library.
|
||||
|
||||
Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
|
||||
Copyright (c), Microsoft Corporation.
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,129 +0,0 @@
|
||||
From 87d4cdd09e4d9432c150a3a029dcad7da38bcffa Mon Sep 17 00:00:00 2001
|
||||
From: Claudio Carvalho <cclaudio@linux.ibm.com>
|
||||
Date: Mon, 10 Jun 2024 22:29:25 +0300
|
||||
Subject: [PATCH] UefiCpuPkg/AmdSvsmLib: Stub the SVSM vTPM protocol for
|
||||
non-VMPL0 guests
|
||||
|
||||
We need to stub the SVSM vTPM protocol in the UefiCpuPkg in order to
|
||||
support a SEV-SNP guest running under a SVSM at VMPL1 or lower.
|
||||
|
||||
Cc: Ray Ni <ray.ni@intel.com>
|
||||
Cc: Rahul Kumar <rahul1.kumar@intel.com>
|
||||
Cc: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
|
||||
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
|
||||
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
|
||||
---
|
||||
UefiCpuPkg/Include/Library/AmdSvsmLib.h | 41 ++++++++++++++++
|
||||
.../Library/AmdSvsmLibNull/AmdSvsmLibNull.c | 47 +++++++++++++++++++
|
||||
2 files changed, 88 insertions(+)
|
||||
|
||||
diff --git a/UefiCpuPkg/Include/Library/AmdSvsmLib.h b/UefiCpuPkg/Include/Library/AmdSvsmLib.h
|
||||
index 40e0e5bd42..693b79bda5 100644
|
||||
--- a/UefiCpuPkg/Include/Library/AmdSvsmLib.h
|
||||
+++ b/UefiCpuPkg/Include/Library/AmdSvsmLib.h
|
||||
@@ -98,4 +98,45 @@ AmdSvsmSnpVmsaRmpAdjust (
|
||||
IN BOOLEAN SetVmsa
|
||||
);
|
||||
|
||||
+/**
|
||||
+ Perform a SVSM_VTPM_QUERY operation
|
||||
+
|
||||
+ Query the support provided by the SVSM vTPM.
|
||||
+
|
||||
+ @param[out] PlatformCommands It will contain a bitmap indicating the
|
||||
+ supported vTPM platform commands.
|
||||
+ @param[out] Features It will contain a bitmap indicating the
|
||||
+ supported vTPM features.
|
||||
+
|
||||
+ @retval TRUE The query was processed.
|
||||
+ @retval FALSE The query was not processed.
|
||||
+
|
||||
+**/
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+AmdSvsmVtpmQuery (
|
||||
+ OUT UINT64 *PlatformCommands,
|
||||
+ OUT UINT64 *Features
|
||||
+ );
|
||||
+
|
||||
+/**
|
||||
+ Perform a SVSM_VTPM_CMD operation
|
||||
+
|
||||
+ Send the specified vTPM platform command to the SVSM vTPM.
|
||||
+
|
||||
+ @param[in, out] Buffer It should contain the vTPM platform command
|
||||
+ request. The respective response will be returned
|
||||
+ in the same Buffer, but not all commands specify a
|
||||
+ response.
|
||||
+
|
||||
+ @retval TRUE The command was processed.
|
||||
+ @retval FALSE The command was not processed.
|
||||
+
|
||||
+**/
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+AmdSvsmVtpmCmd (
|
||||
+ IN OUT UINT8 *Buffer
|
||||
+ );
|
||||
+
|
||||
#endif
|
||||
diff --git a/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c b/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
|
||||
index a83fcbd6ce..fc6871c7b2 100644
|
||||
--- a/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
|
||||
+++ b/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
|
||||
@@ -106,3 +106,50 @@ AmdSvsmSnpVmsaRmpAdjust (
|
||||
{
|
||||
return EFI_UNSUPPORTED;
|
||||
}
|
||||
+
|
||||
+/**
|
||||
+ Perform a SVSM_VTPM_QUERY operation
|
||||
+
|
||||
+ Query the support provided by the SVSM vTPM.
|
||||
+
|
||||
+ @param[out] PlatformCommands It will contain a bitmap indicating the
|
||||
+ supported vTPM platform commands.
|
||||
+ @param[out] Features It will contain a bitmap indicating the
|
||||
+ supported vTPM features.
|
||||
+
|
||||
+ @retval TRUE The query was processed.
|
||||
+ @retval FALSE The query was not processed.
|
||||
+
|
||||
+**/
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+AmdSvsmVtpmQuery (
|
||||
+ OUT UINT64 *PlatformCommands,
|
||||
+ OUT UINT64 *Features
|
||||
+ )
|
||||
+{
|
||||
+ return FALSE;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ Perform a SVSM_VTPM_CMD operation
|
||||
+
|
||||
+ Send the specified vTPM platform command to the SVSM vTPM.
|
||||
+
|
||||
+ @param[in, out] Buffer It should contain the vTPM platform command
|
||||
+ request. The respective response will be returned
|
||||
+ in the same Buffer, but not all commands specify a
|
||||
+ response.
|
||||
+
|
||||
+ @retval TRUE The command was processed.
|
||||
+ @retval FALSE The command was not processed.
|
||||
+
|
||||
+**/
|
||||
+BOOLEAN
|
||||
+EFIAPI
|
||||
+AmdSvsmVtpmCmd (
|
||||
+ IN OUT UINT8 *Buffer
|
||||
+ )
|
||||
+{
|
||||
+ return FALSE;
|
||||
+}
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,242 +0,0 @@
|
||||
From dca5d26bc57ef4a554448e41d302e732bca03d8a Mon Sep 17 00:00:00 2001
|
||||
From: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
Date: Thu, 27 Mar 2025 14:30:58 -0500
|
||||
Subject: [PATCH] UefiCpuPkg/MpInitLib: Fix SNP AP creation when using known
|
||||
APIC IDs
|
||||
|
||||
A typical initial AP boot up will choose a CpuNumber based on the ApIndex
|
||||
value that it gets back after a locked increment of the ApIndex value.
|
||||
The ApIndex to APIC ID relationship is random, which is not an issue when
|
||||
a broadcast INIT-SIPI is performed.
|
||||
|
||||
With SNP and a hypervisor that supports retrieval of the known APIC IDs,
|
||||
the broadcast INIT-SIPI method is replaced by waking each individual vCPU.
|
||||
In this situation, a specific VMSA is associated with a specific APIC ID.
|
||||
However, random assignment of an ApIndex can break this association. This
|
||||
isn't typically an issue, because the AP bring-up finishes with the AP
|
||||
issuing a HLT instruction, which is intercepted by the hypervisor and the
|
||||
AP won't run again until the next INIT-SIPI. However, when HLT isn't
|
||||
intercepted by the hypervisor (Qemu '-overcommit cpu-pm=on' parameter),
|
||||
then the HLT does not exit to the hypervisor. On the next INIT-SIPI, it
|
||||
can happen that a VMRUN is executed with a different VMSA address than
|
||||
was originally used, and if that VMSA is still in a VMRUN on another AP,
|
||||
then the executing VMRUN will fail, crashing the guest.
|
||||
|
||||
To fix this issue, add a CPU exchange info field, SevSnpKnownInitApicId,
|
||||
that indicates the APs are starting with an already known initial APIC ID
|
||||
and set the initial APIC ID and APIC ID in the CPU_INFO_IN_HOB HOB.
|
||||
During AP boot, the SevSnpKnownInitApicId field will result in the
|
||||
CpuNumber being set to the index with a matching APIC ID (similar to AP
|
||||
booting when the InitFlag != ApInitConfig).
|
||||
|
||||
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
|
||||
---
|
||||
UefiCpuPkg/Library/MpInitLib/AmdSev.c | 2 +
|
||||
UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 +
|
||||
UefiCpuPkg/Library/MpInitLib/MpLib.h | 1 +
|
||||
UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 38 +++++++++---
|
||||
UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 60 ++++++++++++++++++-
|
||||
UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 4 ++
|
||||
6 files changed, 98 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c
|
||||
index 75429e3dae..5108873c3b 100644
|
||||
--- a/UefiCpuPkg/Library/MpInitLib/AmdSev.c
|
||||
+++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c
|
||||
@@ -293,6 +293,8 @@ FillExchangeInfoDataSevEs (
|
||||
);
|
||||
ExchangeInfo->ExtTopoAvail = !!ExtTopoEbx.Bits.LogicalProcessors;
|
||||
}
|
||||
+
|
||||
+ ExchangeInfo->SevSnpKnownInitApicId = FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
|
||||
index 317e627b58..d8ba9ea124 100644
|
||||
--- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
|
||||
+++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
|
||||
@@ -97,6 +97,7 @@ struc MP_CPU_EXCHANGE_INFO
|
||||
.SevSnpIsEnabled CTYPE_BOOLEAN 1
|
||||
.GhcbBase: CTYPE_UINTN 1
|
||||
.ExtTopoAvail: CTYPE_BOOLEAN 1
|
||||
+ .SevSnpKnownInitApicId: CTYPE_BOOLEAN 1
|
||||
endstruc
|
||||
|
||||
MP_CPU_EXCHANGE_INFO_OFFSET equ (Flat32Start - RendezvousFunnelProcStart)
|
||||
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h
|
||||
index 145538b6ee..a63bb81bef 100644
|
||||
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
|
||||
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
|
||||
@@ -239,6 +239,7 @@ typedef struct {
|
||||
BOOLEAN SevSnpIsEnabled;
|
||||
UINTN GhcbBase;
|
||||
BOOLEAN ExtTopoAvail;
|
||||
+ BOOLEAN SevSnpKnownInitApicId;
|
||||
} MP_CPU_EXCHANGE_INFO;
|
||||
|
||||
#pragma pack()
|
||||
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
|
||||
index a75e1e2018..56cd7a1138 100644
|
||||
--- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
|
||||
+++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
|
||||
@@ -271,18 +271,27 @@ SevSnpCreateAP (
|
||||
IN INTN ProcessorNumber
|
||||
)
|
||||
{
|
||||
- CPU_INFO_IN_HOB *CpuInfoInHob;
|
||||
- CPU_AP_DATA *CpuData;
|
||||
- UINTN Index;
|
||||
- UINTN MaxIndex;
|
||||
- UINT32 ApicId;
|
||||
- EFI_HOB_GUID_TYPE *GuidHob;
|
||||
- GHCB_APIC_IDS *GhcbApicIds;
|
||||
+ CPU_INFO_IN_HOB *CpuInfoInHob;
|
||||
+ CPU_AP_DATA *CpuData;
|
||||
+ UINTN Index;
|
||||
+ UINTN MaxIndex;
|
||||
+ UINT32 ApicId;
|
||||
+ EFI_HOB_GUID_TYPE *GuidHob;
|
||||
+ GHCB_APIC_IDS *GhcbApicIds;
|
||||
+ volatile MP_CPU_EXCHANGE_INFO *ExchangeInfo;
|
||||
|
||||
ASSERT (CpuMpData->MpCpuExchangeInfo->BufferStart < 0x100000);
|
||||
|
||||
+ ExchangeInfo = CpuMpData->MpCpuExchangeInfo;
|
||||
CpuInfoInHob = (CPU_INFO_IN_HOB *)(UINTN)CpuMpData->CpuInfoInHob;
|
||||
|
||||
+ //
|
||||
+ // Set to FALSE by default. This is only set to TRUE when the InitFlag
|
||||
+ // is equal to ApInitConfig and the GHCB APIC ID List NAE event has
|
||||
+ // been called.
|
||||
+ //
|
||||
+ ExchangeInfo->SevSnpKnownInitApicId = FALSE;
|
||||
+
|
||||
if (ProcessorNumber < 0) {
|
||||
if (CpuMpData->InitFlag == ApInitConfig) {
|
||||
//
|
||||
@@ -294,6 +303,14 @@ SevSnpCreateAP (
|
||||
GuidHob = GetFirstGuidHob (&gGhcbApicIdsGuid);
|
||||
GhcbApicIds = (GHCB_APIC_IDS *)(*(UINTN *)GET_GUID_HOB_DATA (GuidHob));
|
||||
MaxIndex = MIN (GhcbApicIds->NumEntries, PcdGet32 (PcdCpuMaxLogicalProcessorNumber));
|
||||
+
|
||||
+ //
|
||||
+ // Set to TRUE so that ApicId and SEV-SNP SaveArea stay in sync. When
|
||||
+ // the InitFlag is ApInitConfig, the random order of AP initialization
|
||||
+ // can end up with an Index / ApicId mismatch (see X64/AmdSev.nasm).
|
||||
+ //
|
||||
+ ExchangeInfo->SevSnpKnownInitApicId = TRUE;
|
||||
+ DEBUG ((DEBUG_INFO, "SEV-SNP: Using known initial APIC IDs\n"));
|
||||
} else {
|
||||
//
|
||||
// APs have been previously started.
|
||||
@@ -308,6 +325,13 @@ SevSnpCreateAP (
|
||||
if (CpuMpData->InitFlag == ApInitConfig) {
|
||||
ApicId = GhcbApicIds->ApicIds[Index];
|
||||
|
||||
+ //
|
||||
+ // Set the ApicId values so that the proper AP data structure
|
||||
+ // can be found during boot.
|
||||
+ //
|
||||
+ CpuInfoInHob[Index].InitialApicId = ApicId;
|
||||
+ CpuInfoInHob[Index].ApicId = ApicId;
|
||||
+
|
||||
//
|
||||
// For the first boot, use the BSP register information.
|
||||
//
|
||||
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
|
||||
index 2efa3cb104..66d63a2b90 100644
|
||||
--- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
|
||||
+++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
|
||||
@@ -15,6 +15,57 @@
|
||||
|
||||
%define SIZE_4KB 0x1000
|
||||
|
||||
+;
|
||||
+; This function will ensure that CpuNumber and ApicId are in sync when using
|
||||
+; the ApicIds retrieved via the GHCB APIC ID List NAE event to start the APs
|
||||
+; when the InitFlag is ApInitConfig. If this is not done, the CpuNumber to
|
||||
+; ApicId relationship may not hold, which would result in the ApicId to VSMA
|
||||
+; relationship getting out of sync after the first AP boot.
|
||||
+;
|
||||
+SevSnpGetInitCpuNumber:
|
||||
+ ;
|
||||
+ ; If not an SNP guest, leave EBX (CpuNumber) as is
|
||||
+ ;
|
||||
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)]
|
||||
+ cmp byte [edi], 1 ; SevSnpIsEnabled
|
||||
+ jne SevSnpGetCpuNumberDone
|
||||
+
|
||||
+ ;
|
||||
+ ; If not starting the AP with a specific ApicId, leave EBX (CpuNumber) as is
|
||||
+ ;
|
||||
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpKnownInitApicId)]
|
||||
+ cmp byte [edi], 1 ; SevSnpKnownInitApicId
|
||||
+ jne SevSnpGetCpuNumberDone
|
||||
+
|
||||
+ ;
|
||||
+ ; Use existing code to retrieve the ApicId. SevEsGetApicId will return to
|
||||
+ ; the SevSnpGetInitApicId label if SevSnpKnownInitApicId is set.
|
||||
+ ;
|
||||
+ jmp SevEsGetApicId
|
||||
+
|
||||
+SevSnpGetInitApicId:
|
||||
+ ;
|
||||
+ ; EDX holds the ApicId, get processor number for this AP
|
||||
+ ;
|
||||
+ xor ebx, ebx
|
||||
+ lea eax, [esi + MP_CPU_EXCHANGE_INFO_FIELD (CpuInfo)]
|
||||
+ mov rdi, [eax]
|
||||
+
|
||||
+SevSnpGetNextProcNumber:
|
||||
+ cmp dword [rdi + CPU_INFO_IN_HOB.InitialApicId], edx ; APIC ID match?
|
||||
+ jz SevSnpGetCpuNumberDone
|
||||
+ add rdi, CPU_INFO_IN_HOB_size
|
||||
+ inc ebx
|
||||
+ jmp SevSnpGetNextProcNumber
|
||||
+
|
||||
+SevSnpGetCpuNumberDone:
|
||||
+ ;
|
||||
+ ; If SevSnpKnownInitApicId is set, EBX now holds the CpuNumber for this
|
||||
+ ; ApicId, which matches how it was started in SevSnpCreateAP(). Otherwise,
|
||||
+ ; EBX is unchanged and holds the CpuNumber based on the startup order.
|
||||
+ ;
|
||||
+ OneTimeCallRet SevSnpGetInitCpuNumber
|
||||
+
|
||||
RegisterGhcbGpa:
|
||||
;
|
||||
; Register GHCB GPA when SEV-SNP is enabled
|
||||
@@ -193,7 +244,14 @@ RestoreGhcb:
|
||||
|
||||
mov rdx, rbx
|
||||
|
||||
- ; x2APIC ID or APIC ID is in EDX
|
||||
+ ;
|
||||
+ ; x2APIC ID or APIC ID is in EDX. If SevSnpKnownInitApicId is set, then
|
||||
+ ; return to SevSnpGetInitApicId, otherwise return to GetProcessorNumber.
|
||||
+ ;
|
||||
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpKnownInitApicId)]
|
||||
+ cmp byte [edi], 1 ; SevSnpKnownInitApicId
|
||||
+ je SevSnpGetInitApicId
|
||||
+
|
||||
jmp GetProcessorNumber
|
||||
|
||||
SevEsGetApicIdExit:
|
||||
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
|
||||
index 40e80ffab4..95ee65e288 100644
|
||||
--- a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
|
||||
+++ b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
|
||||
@@ -173,6 +173,10 @@ LongModeStart:
|
||||
lock xadd dword [edi], ebx ; EBX = ApIndex++
|
||||
inc ebx ; EBX is CpuNumber
|
||||
|
||||
+ ; If running under AMD SEV-SNP and starting with a known ApicId,
|
||||
+ ; adjust EBX to be the actual CpuNumber
|
||||
+ OneTimeCall SevSnpGetInitCpuNumber
|
||||
+
|
||||
; program stack
|
||||
mov edi, esi
|
||||
add edi, MP_CPU_EXCHANGE_INFO_FIELD (StackSize)
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -1,207 +1,212 @@
|
||||
From 263791566fbe25755aebde54c98d5aea061414f3 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Tue, 24 Jun 2014 11:57:32 +0800
|
||||
Subject: [PATCH 1/3] Add DebugPkg
|
||||
From d4fc3987941016cba0a2cd1d4037b87bc5937f5e Mon Sep 17 00:00:00 2001
|
||||
From: Richard Lyu <richard.lyu@suse.com>
|
||||
Date: Thu, 29 May 2025 12:12:23 +0800
|
||||
Subject: [PATCH] Add DebugPkg
|
||||
|
||||
---
|
||||
DebugPkg/DebugPkg.dec | 34 ++++
|
||||
DebugPkg/GdbSyms/GdbSyms.c | 70 +++++++
|
||||
DebugPkg/GdbSyms/GdbSyms.c | 78 ++++++++
|
||||
DebugPkg/GdbSyms/GdbSyms.inf | 57 ++++++
|
||||
DebugPkg/Scripts/gdb_uefi.py | 348 +++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 509 insertions(+)
|
||||
DebugPkg/Scripts/gdb_uefi.py | 350 +++++++++++++++++++++++++++++++++++
|
||||
OvmfPkg/OvmfPkgX64.dsc | 3 +
|
||||
5 files changed, 522 insertions(+)
|
||||
create mode 100644 DebugPkg/DebugPkg.dec
|
||||
create mode 100644 DebugPkg/GdbSyms/GdbSyms.c
|
||||
create mode 100644 DebugPkg/GdbSyms/GdbSyms.inf
|
||||
create mode 100644 DebugPkg/Scripts/gdb_uefi.py
|
||||
|
||||
Index: edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
|
||||
===================================================================
|
||||
diff --git a/DebugPkg/DebugPkg.dec b/DebugPkg/DebugPkg.dec
|
||||
new file mode 100644
|
||||
index 0000000000..b39a660e45
|
||||
--- /dev/null
|
||||
+++ edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
|
||||
+++ b/DebugPkg/DebugPkg.dec
|
||||
@@ -0,0 +1,34 @@
|
||||
+## @file
|
||||
+# Debug package - various useful stuff for debugging.
|
||||
+#
|
||||
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com>
|
||||
+#
|
||||
+# This program and the accompanying materials
|
||||
+# are licensed and made available under the terms and conditions of the BSD License
|
||||
+# which accompanies this distribution. The full text of the license may be found at
|
||||
+# http://opensource.org/licenses/bsd-license.php
|
||||
+#
|
||||
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+#
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
+ DEC_VERSION = 0x00010005
|
||||
+ PACKAGE_NAME = DebugPkg
|
||||
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
|
||||
+ PACKAGE_VERSION = 0.1
|
||||
+
|
||||
+[Includes]
|
||||
+ Include
|
||||
+
|
||||
+[Guids]
|
||||
+
|
||||
+[Protocols]
|
||||
+
|
||||
+[PcdsFixedAtBuild]
|
||||
+
|
||||
+[PcdsDynamic]
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+
|
||||
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
|
||||
===================================================================
|
||||
+## @file
|
||||
+# Debug package - various useful stuff for debugging.
|
||||
+#
|
||||
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com>
|
||||
+#
|
||||
+# This program and the accompanying materials
|
||||
+# are licensed and made available under the terms and conditions of the BSD License
|
||||
+# which accompanies this distribution. The full text of the license may be found at
|
||||
+# http://opensource.org/licenses/bsd-license.php
|
||||
+#
|
||||
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+#
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
+ DEC_VERSION = 0x00010005
|
||||
+ PACKAGE_NAME = DebugPkg
|
||||
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
|
||||
+ PACKAGE_VERSION = 0.1
|
||||
+
|
||||
+[Includes]
|
||||
+ Include
|
||||
+
|
||||
+[Guids]
|
||||
+
|
||||
+[Protocols]
|
||||
+
|
||||
+[PcdsFixedAtBuild]
|
||||
+
|
||||
+[PcdsDynamic]
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+
|
||||
diff --git a/DebugPkg/GdbSyms/GdbSyms.c b/DebugPkg/GdbSyms/GdbSyms.c
|
||||
new file mode 100644
|
||||
index 0000000000..9780cff802
|
||||
--- /dev/null
|
||||
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
|
||||
+++ b/DebugPkg/GdbSyms/GdbSyms.c
|
||||
@@ -0,0 +1,78 @@
|
||||
+/** @file
|
||||
+
|
||||
+ Bare-minimum GDB symbols needed for reloading symbols.
|
||||
+
|
||||
+ This is not a "driver" and should not be placed in a FD.
|
||||
+
|
||||
+ Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
|
||||
+
|
||||
+ This program and the accompanying materials
|
||||
+ are licensed and made available under the terms and conditions of the BSD License
|
||||
+ which accompanies this distribution. The full text of the license may be found at
|
||||
+ http://opensource.org/licenses/bsd-license.php
|
||||
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include "PiDxe.h"
|
||||
+
|
||||
+#include <Library/UefiLib.h>
|
||||
+#include <Library/UefiDriverEntryPoint.h>
|
||||
+#include <Library/BaseLib.h>
|
||||
+#include <Library/UefiRuntimeLib.h>
|
||||
+#include <Library/DebugLib.h>
|
||||
+#include <Library/BaseMemoryLib.h>
|
||||
+#include <Library/MemoryAllocationLib.h>
|
||||
+#include <Library/UefiBootServicesTableLib.h>
|
||||
+#include <Library/DevicePathLib.h>
|
||||
+#include <Library/PcdLib.h>
|
||||
+#include <Guid/DebugImageInfoTable.h>
|
||||
+
|
||||
+/**
|
||||
+ Main entry point.
|
||||
+
|
||||
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
|
||||
+ @param[in] SystemTable A pointer to the EFI System Table.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Successfully initialized.
|
||||
+
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+Initialize (
|
||||
+ IN EFI_HANDLE ImageHandle,
|
||||
+ IN EFI_SYSTEM_TABLE *SystemTable
|
||||
+ )
|
||||
+{
|
||||
+ EFI_SYSTEM_TABLE_POINTER ESTP;
|
||||
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
|
||||
+ EFI_IMAGE_DOS_HEADER EIDH;
|
||||
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
|
||||
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
|
||||
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
|
||||
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
|
||||
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
|
||||
+ UINTN Dummy =
|
||||
+ (UINTN) &ESTP |
|
||||
+ (UINTN) &EDIITH |
|
||||
+ (UINTN) &EIDH |
|
||||
+ (UINTN) &EIOHU |
|
||||
+ (UINTN) &EIDDE |
|
||||
+ (UINTN) &EIDCNE |
|
||||
+ (UINTN) &EIDCRE |
|
||||
+ (UINTN) &EIDCME |
|
||||
+ 1
|
||||
+ ;
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &ESTP));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EDIITH));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDH));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIOHU));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDDE));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCNE));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCRE));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCME));
|
||||
+ return !!Dummy & EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+
|
||||
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
|
||||
===================================================================
|
||||
+/** @file
|
||||
+
|
||||
+ Bare-minimum GDB symbols needed for reloading symbols.
|
||||
+
|
||||
+ This is not a "driver" and should not be placed in a FD.
|
||||
+
|
||||
+ Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
|
||||
+
|
||||
+ This program and the accompanying materials
|
||||
+ are licensed and made available under the terms and conditions of the BSD License
|
||||
+ which accompanies this distribution. The full text of the license may be found at
|
||||
+ http://opensource.org/licenses/bsd-license.php
|
||||
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+
|
||||
+**/
|
||||
+
|
||||
+#include "PiDxe.h"
|
||||
+
|
||||
+#include <Library/UefiLib.h>
|
||||
+#include <Library/UefiDriverEntryPoint.h>
|
||||
+#include <Library/BaseLib.h>
|
||||
+#include <Library/UefiRuntimeLib.h>
|
||||
+#include <Library/DebugLib.h>
|
||||
+#include <Library/BaseMemoryLib.h>
|
||||
+#include <Library/MemoryAllocationLib.h>
|
||||
+#include <Library/UefiBootServicesTableLib.h>
|
||||
+#include <Library/DevicePathLib.h>
|
||||
+#include <Library/PcdLib.h>
|
||||
+#include <Guid/DebugImageInfoTable.h>
|
||||
+
|
||||
+/**
|
||||
+ Main entry point.
|
||||
+
|
||||
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
|
||||
+ @param[in] SystemTable A pointer to the EFI System Table.
|
||||
+
|
||||
+ @retval EFI_SUCCESS Successfully initialized.
|
||||
+
|
||||
+**/
|
||||
+EFI_STATUS
|
||||
+EFIAPI
|
||||
+Initialize (
|
||||
+ IN EFI_HANDLE ImageHandle,
|
||||
+ IN EFI_SYSTEM_TABLE *SystemTable
|
||||
+ )
|
||||
+{
|
||||
+ EFI_SYSTEM_TABLE_POINTER ESTP;
|
||||
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
|
||||
+ EFI_IMAGE_DOS_HEADER EIDH;
|
||||
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
|
||||
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
|
||||
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
|
||||
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
|
||||
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
|
||||
+ UINTN Dummy =
|
||||
+ (UINTN) &ESTP |
|
||||
+ (UINTN) &EDIITH |
|
||||
+ (UINTN) &EIDH |
|
||||
+ (UINTN) &EIOHU |
|
||||
+ (UINTN) &EIDDE |
|
||||
+ (UINTN) &EIDCNE |
|
||||
+ (UINTN) &EIDCRE |
|
||||
+ (UINTN) &EIDCME |
|
||||
+ 1
|
||||
+ ;
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &ESTP));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EDIITH));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDH));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIOHU));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDDE));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCNE));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCRE));
|
||||
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCME));
|
||||
+ return !!Dummy & EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+
|
||||
diff --git a/DebugPkg/GdbSyms/GdbSyms.inf b/DebugPkg/GdbSyms/GdbSyms.inf
|
||||
new file mode 100644
|
||||
index 0000000000..0a18a33c73
|
||||
--- /dev/null
|
||||
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
|
||||
+++ b/DebugPkg/GdbSyms/GdbSyms.inf
|
||||
@@ -0,0 +1,57 @@
|
||||
+## @file
|
||||
+#
|
||||
+# Bare-minimum GDB symbols needed for reloading symbols.
|
||||
+#
|
||||
+# This is not a "driver" and should not be placed in a FD.
|
||||
+#
|
||||
+# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
|
||||
+#
|
||||
+# This program and the accompanying materials
|
||||
+# are licensed and made available under the terms and conditions of the BSD License
|
||||
+# which accompanies this distribution. The full text of the license may be found at
|
||||
+# http://opensource.org/licenses/bsd-license.php
|
||||
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+#
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
+ INF_VERSION = 0x00010005
|
||||
+ BASE_NAME = GdbSyms
|
||||
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
|
||||
+ MODULE_TYPE = DXE_DRIVER
|
||||
+ VERSION_STRING = 1.0
|
||||
+ ENTRY_POINT = Initialize
|
||||
+
|
||||
+#
|
||||
+# The following information is for reference only and not required by the build tools.
|
||||
+#
|
||||
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
|
||||
+#
|
||||
+
|
||||
+[Sources]
|
||||
+ GdbSyms.c
|
||||
+
|
||||
+[Packages]
|
||||
+ MdePkg/MdePkg.dec
|
||||
+ MdeModulePkg/MdeModulePkg.dec
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+ BaseLib
|
||||
+ BaseMemoryLib
|
||||
+ DebugLib
|
||||
+ DxeServicesTableLib
|
||||
+ HobLib
|
||||
+ MemoryAllocationLib
|
||||
+ PcdLib
|
||||
+ UefiBootServicesTableLib
|
||||
+ UefiDriverEntryPoint
|
||||
+ UefiLib
|
||||
+
|
||||
+[Guids]
|
||||
+
|
||||
+[Protocols]
|
||||
+
|
||||
+[Depex]
|
||||
+ TRUE
|
||||
+
|
||||
Index: edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
|
||||
===================================================================
|
||||
+## @file
|
||||
+#
|
||||
+# Bare-minimum GDB symbols needed for reloading symbols.
|
||||
+#
|
||||
+# This is not a "driver" and should not be placed in a FD.
|
||||
+#
|
||||
+# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
|
||||
+#
|
||||
+# This program and the accompanying materials
|
||||
+# are licensed and made available under the terms and conditions of the BSD License
|
||||
+# which accompanies this distribution. The full text of the license may be found at
|
||||
+# http://opensource.org/licenses/bsd-license.php
|
||||
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
+#
|
||||
+##
|
||||
+
|
||||
+[Defines]
|
||||
+ INF_VERSION = 0x00010005
|
||||
+ BASE_NAME = GdbSyms
|
||||
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
|
||||
+ MODULE_TYPE = DXE_DRIVER
|
||||
+ VERSION_STRING = 1.0
|
||||
+ ENTRY_POINT = Initialize
|
||||
+
|
||||
+#
|
||||
+# The following information is for reference only and not required by the build tools.
|
||||
+#
|
||||
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
|
||||
+#
|
||||
+
|
||||
+[Sources]
|
||||
+ GdbSyms.c
|
||||
+
|
||||
+[Packages]
|
||||
+ MdePkg/MdePkg.dec
|
||||
+ MdeModulePkg/MdeModulePkg.dec
|
||||
+
|
||||
+[LibraryClasses]
|
||||
+ BaseLib
|
||||
+ BaseMemoryLib
|
||||
+ DebugLib
|
||||
+ DxeServicesTableLib
|
||||
+ HobLib
|
||||
+ MemoryAllocationLib
|
||||
+ PcdLib
|
||||
+ UefiBootServicesTableLib
|
||||
+ UefiDriverEntryPoint
|
||||
+ UefiLib
|
||||
+
|
||||
+[Guids]
|
||||
+
|
||||
+[Protocols]
|
||||
+
|
||||
+[Depex]
|
||||
+ TRUE
|
||||
+
|
||||
diff --git a/DebugPkg/Scripts/gdb_uefi.py b/DebugPkg/Scripts/gdb_uefi.py
|
||||
new file mode 100644
|
||||
index 0000000000..3db87a4de4
|
||||
--- /dev/null
|
||||
+++ edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
|
||||
+++ b/DebugPkg/Scripts/gdb_uefi.py
|
||||
@@ -0,0 +1,350 @@
|
||||
+"""
|
||||
+Allows loading TianoCore symbols into a GDB session attached to EFI
|
||||
@@ -553,13 +558,20 @@ Index: edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
|
||||
+ReloadUefi ()
|
||||
+
|
||||
+
|
||||
Index: edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
|
||||
===================================================================
|
||||
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -1123,3 +1123,5 @@
|
||||
# TPM support
|
||||
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
|
||||
index 60fccc19d2..a2784bbd40 100644
|
||||
--- a/OvmfPkg/OvmfPkgX64.dsc
|
||||
+++ b/OvmfPkg/OvmfPkgX64.dsc
|
||||
@@ -1063,6 +1063,9 @@
|
||||
#
|
||||
!include OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
|
||||
|
||||
+ DebugPkg/GdbSyms/GdbSyms.inf
|
||||
+
|
||||
+ DebugPkg/GdbSyms/GdbSyms.inf
|
||||
+
|
||||
#
|
||||
# Smbios Measurement support
|
||||
#
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
||||
1282
ovmf.changes
1282
ovmf.changes
File diff suppressed because it is too large
Load Diff
135
ovmf.spec
135
ovmf.spec
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package ovmf
|
||||
#
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
# Copyright (c) 2026 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -18,7 +18,7 @@
|
||||
|
||||
|
||||
%undefine _build_create_debug
|
||||
%global openssl_version 3.4.1
|
||||
%global openssl_version 3.5.1
|
||||
%global softfloat_version b64af41c3276f
|
||||
%if 0%{?suse_version} < 1599
|
||||
%bcond_with build_riscv64
|
||||
@@ -27,7 +27,7 @@
|
||||
%endif
|
||||
|
||||
Name: ovmf
|
||||
Version: 202502
|
||||
Version: 202511
|
||||
Release: 0
|
||||
Summary: Open Virtual Machine Firmware
|
||||
License: BSD-2-Clause-Patent
|
||||
@@ -50,7 +50,7 @@ Source9: public-mipi-sys-t-1.1-edk2.tar.gz
|
||||
# mbedtls: https://github.com/Mbed-TLS/mbedtls
|
||||
Source10: mbedtls-3.3.0.tar.gz
|
||||
# brotli: https://github.com/google/brotli
|
||||
Source11: brotli-f4153a09f87cbb9c826d8fc12c74642bb2d879ea.tar.gz
|
||||
Source11: brotli-e230f474b87134e8c6c85b630084c612057f253e.tar.gz
|
||||
# libspdm: https://github.com/DMTF/libspdm.git
|
||||
Source12: libspdm-50924a4c8145fc721e17208f55814d2b38766fe6.tar.gz
|
||||
# pylibfdt: https://github.com/devicetree-org/pylibfdt
|
||||
@@ -60,9 +60,10 @@ Source101: gdb_uefi.py.in
|
||||
Patch1: %{name}-gdb-symbols.patch
|
||||
Patch2: %{name}-pie.patch
|
||||
Patch3: %{name}-disable-ia32-firmware-piepic.patch
|
||||
# Bug 1245454 - iSCSI boot support is disabled in OVMF images
|
||||
Patch4: %{name}-OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag.patch
|
||||
Patch4: %{name}-OvmfPkg-Adjust-Memory-Layout-for-2MB-OVMF.patch
|
||||
Patch6: %{name}-ignore-spurious-GCC-12-warning.patch
|
||||
# Bug 1255113 - Build Failure for RISC-V 64 When Secure Boot is Enabled Due to SecureBootDefaultKeysInit module
|
||||
Patch7: %{name}-Revert-OvmfPkg-RiscVVirt-Add-SecureBootDefaultKeysIn.patch
|
||||
# Bug 1207095 - ASSERT [ArmCpuDxe] /home/abuild/rpmbuild/BUILD/edk2-edk2-stable202211/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(333): ((BOOLEAN)(0==1))
|
||||
Patch8: %{name}-Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
|
||||
# Bug 1205613 - L3: win 2k22 UEFI xen VMs cannot boot in xen after upgrade
|
||||
@@ -74,27 +75,10 @@ Patch10: %{name}-Revert-Add-Stack-Cookie-Support-to-MSVC-and-GCC.patch
|
||||
Patch11: %{name}-BaseTools-Using-gcc12-for-building-image.patch
|
||||
%endif
|
||||
%endif
|
||||
Patch12: %{name}-Increase-FVMAIN-Size-for-Compatibility-with-2MB-Size.patch
|
||||
# Bug 1240420 - UEFI boot breaks: X64 Exception Type - 0E(#PF - Page-Fault) CPU Apic ID - 00000000
|
||||
Patch13: %{name}-UefiCpuPkg-Disable-EFI-memory-attributes-protocol.patch
|
||||
# Add vTPM support for SVSM in OVMF (jsc#PED-12743, jsc#PED-12767)
|
||||
Patch14: %{name}-Maintainers.txt-Add-reviewer-for-SVSM-vTPM-related-m.patch
|
||||
Patch15: %{name}-UefiCpuPkg-AmdSvsmLib-Stub-the-SVSM-vTPM-protocol-fo.patch
|
||||
Patch16: %{name}-OvmfPkg-AmdSvsmLib-Add-the-SVSM-vTPM-protocol.patch
|
||||
Patch17: %{name}-OvmfPkg-Use-Tpm2Device-lib-with-SVSM-vTPM-support.patch
|
||||
Patch18: %{name}-OvmfPkg-AmdSvmLib-Use-named-protocol-and-call-consta.patch
|
||||
Patch19: %{name}-MdePkg-AmdSev-Add-SVSM-protocol-call-numbers.patch
|
||||
Patch20: %{name}-MdePkg-AmdSev-Add-SVSM-protocol-vTPM-call-numbers.patch
|
||||
Patch21: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Add-header-file-for-Tp.patch
|
||||
Patch22: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Add-TPM2-lib-supportin.patch
|
||||
Patch23: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Improve-spelling-gramm.patch
|
||||
Patch24: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Check-SNP-enabled-prio.patch
|
||||
# Bug 1243199 - SVSM: [OVMF] Fix MSR register filtering for CAA MSR
|
||||
Patch25: %{name}-OvmfPkg-CcExitLib-Use-the-proper-register-when-filte.patch
|
||||
# Bug 1244218 - ovmf: non-deterministic .bin files (about unreproducible)
|
||||
Patch26: %{name}-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch
|
||||
# Impl: SEV-SNP: [OVMF] AP Creation using APIC ID list results in VMRUN exit with #VMEXIT_INVALID (jsc#PED-13202)
|
||||
Patch27: %{name}-UefiCpuPkg-MpInitLib-Fix-SNP-AP-creation.patch
|
||||
Patch14: %{name}-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch
|
||||
BuildRequires: bc
|
||||
BuildRequires: cross-arm-binutils
|
||||
BuildRequires: cross-arm-gcc%{gcc_version}
|
||||
@@ -154,19 +138,6 @@ firmware for Virtual Machines using the edk2 code base.
|
||||
|
||||
This package contains the tools from edk2.
|
||||
|
||||
%package -n qemu-ovmf-ia32
|
||||
Summary: Open Virtual Machine Firmware - QEMU rom images (IA32)
|
||||
Group: System/Emulators/PC
|
||||
Requires: qemu
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n qemu-ovmf-ia32
|
||||
The Open Virtual Machine Firmware (OVMF) project aims to support
|
||||
firmware for Virtual Machines using the edk2 code base.
|
||||
|
||||
This package contains UEFI rom images for exercising UEFI secure
|
||||
boot in a qemu environment (IA32)
|
||||
|
||||
%package -n qemu-ovmf-x86_64
|
||||
Summary: Open Virtual Machine Firmware - QEMU rom images (x86_64)
|
||||
Group: System/Emulators/PC
|
||||
@@ -202,15 +173,6 @@ BuildArch: noarch
|
||||
This package contains the UEFI rom image (AArch64) for QEMU cortex-a57
|
||||
virt board.
|
||||
|
||||
%package -n qemu-uefi-aarch32
|
||||
Summary: UEFI QEMU rom image (AArch32)
|
||||
Group: System/Emulators/PC
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n qemu-uefi-aarch32
|
||||
This package contains the UEFI rom image (AArch32) for QEMU cortex-a15
|
||||
virt board.
|
||||
|
||||
%if %{with build_riscv64}
|
||||
%package -n qemu-uefi-riscv64
|
||||
Summary: UEFI QEMU rom image (RISC-V 64)
|
||||
@@ -294,19 +256,6 @@ echo `gcc -dumpversion`
|
||||
TOOL_CHAIN=GCC$(gcc -dumpversion|sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/')
|
||||
%endif
|
||||
|
||||
# Flavors for x86
|
||||
FLAVORS_X86=("ovmf-ia32")
|
||||
BUILD_OPTIONS_X86=" \
|
||||
$OVMF_FLAGS \
|
||||
-D FD_SIZE_2MB \
|
||||
-D SECURE_BOOT_ENABLE \
|
||||
-D BUILD_SHELL=FALSE \
|
||||
-a IA32 \
|
||||
-p OvmfPkg/OvmfPkgIa32.dsc \
|
||||
-b DEBUG \
|
||||
-t $TOOL_CHAIN \
|
||||
"
|
||||
|
||||
# Flavors for x86_64: 2MB, 4MB, 4MB+SMM and AMD SEV
|
||||
FLAVORS_X64=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm" "ovmf-x86_64-sev" "ovmf-x86_64-tdx")
|
||||
# Flavors will NOT enroll default kek/db keys
|
||||
@@ -334,14 +283,6 @@ BUILD_OPTIONS_AA64=" \
|
||||
-t $TOOL_CHAIN \
|
||||
"
|
||||
|
||||
# Flavors for arm
|
||||
FLAVORS_AA32=("aavmf-aarch32")
|
||||
BUILD_OPTIONS_AA32=" \
|
||||
-a ARM \
|
||||
-p ArmVirtPkg/ArmVirtQemu.dsc \
|
||||
-b DEBUG \
|
||||
-t $TOOL_CHAIN \
|
||||
"
|
||||
%if %{with build_riscv64}
|
||||
# Flavors for riscv
|
||||
FLAVORS_RV64=("riscv")
|
||||
@@ -374,20 +315,6 @@ export CXX=g++-12
|
||||
# Import the build functions
|
||||
source ./edksetup.sh
|
||||
|
||||
### Build x86 UEFI Images ###
|
||||
%ifnarch %{ix86} x86_64
|
||||
# Assign the cross-compiler prefix
|
||||
export ${TOOL_CHAIN}_BIN="x86_64-suse-linux-"
|
||||
%endif
|
||||
build $BUILD_OPTIONS_X86
|
||||
|
||||
cp Build/OvmfIa32/DEBUG_*/FV/OVMF.fd ovmf-ia32.bin
|
||||
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_CODE.fd ovmf-ia32-code.bin
|
||||
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_VARS.fd ovmf-ia32-vars.bin
|
||||
|
||||
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
|
||||
rm -rf Build/OvmfIa32/
|
||||
|
||||
### Build x86_64 UEFI Images ###
|
||||
%ifarch x86_64
|
||||
collect_x86_64_debug_files()
|
||||
@@ -426,7 +353,7 @@ OUTDIR_X64=(
|
||||
[ovmf-x86_64-4m]="OvmfX64"
|
||||
[ovmf-x86_64-smm]="Ovmf3264"
|
||||
[ovmf-x86_64-sev]="OvmfX64"
|
||||
[ovmf-x86_64-tdx]="OvmfX64"
|
||||
[ovmf-x86_64-tdx]="IntelTdx"
|
||||
)
|
||||
|
||||
%ifnarch x86_64
|
||||
@@ -486,34 +413,17 @@ export ${TOOL_CHAIN}_AARCH64_PREFIX="aarch64-suse-linux-"
|
||||
# Build the UEFI image without keys
|
||||
build $BUILD_OPTIONS_AA64
|
||||
|
||||
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin
|
||||
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch64-code.bin
|
||||
cp Build/ArmVirtQemu-AArch64/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin
|
||||
cp Build/ArmVirtQemu-AArch64/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch64-code.bin
|
||||
truncate -s 64M aavmf-aarch64-code.bin
|
||||
cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch64-vars.bin
|
||||
cp Build/ArmVirtQemu-AArch64/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch64-vars.bin
|
||||
truncate -s 64M aavmf-aarch64-vars.bin
|
||||
|
||||
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
|
||||
rm -rf Build/ArmVirtQemu-AARCH64/
|
||||
rm -rf Build/ArmVirtQemu-AArch64/
|
||||
|
||||
# Build with keys done later (shared between archs)
|
||||
|
||||
### Build AARCH32 UEFI Images ###
|
||||
%ifnarch armv7hl
|
||||
# Assign the cross-compiler prefix
|
||||
export ${TOOL_CHAIN}_ARM_PREFIX="arm-suse-linux-gnueabi-"
|
||||
%endif
|
||||
# Build the UEFI image
|
||||
build $BUILD_OPTIONS_AA32
|
||||
|
||||
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch32.bin
|
||||
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch32-code.bin
|
||||
truncate -s 64M aavmf-aarch32-code.bin
|
||||
cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch32-vars.bin
|
||||
truncate -s 64M aavmf-aarch32-vars.bin
|
||||
|
||||
# Remove the temporary build files to reduce the disk usage (bsc#1178244)
|
||||
rm -rf Build/ArmVirtQemu-ARM/
|
||||
|
||||
### Build RISCV64 UEFI Images ###
|
||||
%if %{with build_riscv64}
|
||||
%ifnarch riscv64
|
||||
@@ -602,7 +512,6 @@ generate_sb_var_templates()
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# Generate the variable stores with default Secure Boot keys
|
||||
@@ -662,13 +571,6 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
|
||||
%doc BaseTools/UserManuals/EfiRom_Utility_Man_Page.rtf
|
||||
%{_bindir}/EfiRom
|
||||
|
||||
%files -n qemu-ovmf-ia32
|
||||
%license License.txt License-ovmf.txt
|
||||
%dir %{_datadir}/qemu/
|
||||
%{_datadir}/qemu/ovmf-ia32*.bin
|
||||
%dir %{_datadir}/qemu/firmware
|
||||
%{_datadir}/qemu/firmware/*-ia32*.json
|
||||
|
||||
%files -n qemu-ovmf-x86_64
|
||||
%license License.txt License-ovmf.txt
|
||||
%dir %{_datadir}/qemu/
|
||||
@@ -694,15 +596,6 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
|
||||
%dir %{_datadir}/qemu/firmware
|
||||
%{_datadir}/qemu/firmware/*-aarch64*.json
|
||||
|
||||
%files -n qemu-uefi-aarch32
|
||||
%license License.txt
|
||||
%dir %{_datadir}/qemu/
|
||||
%{_datadir}/qemu/qemu-uefi-aarch32.bin
|
||||
%{_datadir}/qemu/aavmf-aarch32-code.bin
|
||||
%{_datadir}/qemu/aavmf-aarch32-vars.bin
|
||||
%dir %{_datadir}/qemu/firmware
|
||||
%{_datadir}/qemu/firmware/*-aarch32*.json
|
||||
|
||||
%if %{with build_riscv64}
|
||||
%files -n qemu-uefi-riscv64
|
||||
%license License.txt
|
||||
@@ -713,4 +606,4 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
|
||||
%{_datadir}/qemu/firmware/*-riscv64*.json
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
%changelog
|
||||
|
||||
Reference in New Issue
Block a user