[+Tobin]

On 14/10/2021 21:17, Brijesh Singh wrote:
> The commit 80e67af9afca added support for the generic work area concept
> used mainly by the encrypted VMs but missed updating the AmdSev package.
> 
> Fixes: 80e67af9afca ("OvmfPkg: introduce a common work area")

Thanks Brijesh.

The fix does allow me to launch SEV-ES guests, which is good news.
However, the guest's measurement has changed, so I wonder what this
change causes.

The details:

I tested 3 commits (always building the AmdSevX64 target):

1. commit 7b4a99be8a39 - edk2-stable202108

I successfully launch SEV and SEV-ES guests and my measurement check
script verifies the digest correctly (including the "measured linux
boot" hashes table added by QEMU).

2. commit f10a112f08f3 - master (Oct 14)

I successfully launch SEV guests, but SEV-ES guests crash with "error:
kvm run failed Invalid argument". The measurement check verifies digest
correctly.

3. master + this AmdSevX64.fdf patch

I successfully launch SEV guests and measurement calculation is OK. As
far as SEV-ES guests go, the measurement check doesn't match what I
expect. If I ignore the mismatched measurement and continue the launch,
the guest runs OK with SEV-ES.


So this patch fixes the problem (SEV-ES guest crashes on launch) but
shows another problem (bad guest measurement).


Note that for this test, my measurement calculation script automatically
takes the OVMF image I'm using to boot the VM.  From my reading of the
QEMU code, the only pieces that should affect the measurement are the
OVMF image, the hashes table, and the VMSAs for each vcpu.  The OVMF
image is updated on every check, and the rest shouldn't have changed
between those 3 revisions that I tested.


It might be an issue with my measurement checking script which was
assuming something that has changed with the introduction of the new
work area, but I can't think of something like that. Note again that
plain SEV measurement is still working OK.


Do you encounter similar issues with VM measurement?


-Dov



> Cc: James Bottomley <j...@linux.ibm.com>
> Cc: Min Xu <min.m...@intel.com>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Tom Lendacky <thomas.lenda...@amd.com>
> Cc: Jordan Justen <jordan.l.jus...@intel.com>
> Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
> Cc: Erdem Aktas <erdemak...@google.com>
> Cc: Gerd Hoffmann <kra...@redhat.com>
> Reported-by: Dov Murik <dovmu...@linux.ibm.com>
> Signed-off-by: Brijesh Singh <brijesh.si...@amd.com>
> ---
>  OvmfPkg/AmdSev/AmdSevX64.fdf | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
> index 542722ac6b37..56626098862c 100644
> --- a/OvmfPkg/AmdSev/AmdSevX64.fdf
> +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
> @@ -57,7 +57,7 @@ [FD.MEMFD]
>  
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize
>  
>  0x00B000|0x001000
> -gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
> +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize
>  
>  0x00C000|0x000C00
>  
> gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize
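Review bot: the 0x00B000|0x001000 region now assigns PcdOvmfWorkAreaBase/Size instead of the SEV-ES PCDs, so every consumer of PcdSevEsWorkAreaBase in the AmdSevX64 build depends entirely on the SET statements added in the second hunk of this patch; a one-line comment above the region saying it is the shared work area, with the SEV-ES part carved out of it further down, would make that dependency visible the next time this layout is edited.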
> @@ -79,6 +79,13 @@ [FD.MEMFD]
>  
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize
>  FV = DXEFV
>  
> +##########################################################################################
> +# Set the SEV-ES specific work area PCDs
> +#
> +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) + 
>  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + 
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
> +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = 
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - 
> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
> +##########################################################################################
> +
>  
> ################################################################################
>  
>  [FV.SECFV]
> 
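Review bot: the SET statements put PcdSevEsWorkAreaBase at PcdOvmfWorkAreaBase + PcdOvmfConfidentialComputingWorkAreaHeader and shrink PcdSevEsWorkAreaSize by the same amount, so the SEV-ES work area moves within the page compared with the region it previously occupied directly; the commit message only says the package was "missed", and stating this shift explicitly would help when triaging behaviour differences such as the changed SEV-ES measurement reported above. The SET lines also appear wrapped over several lines in this mail; confirm each SET is a single line in the applied file.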

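A measurement check of the kind described above, as an added Python example that is not part of this thread nor of the edk2 or QEMU code: it recomputes GCTX.LD over the OVMF image, the hashes table and one VMSA per vcpu, then checks QEMU's base64 MEASURE||MNONCE reply with the HMAC formula from the SEV firmware API. The TIK, firmware, VMSA contents and API/build/policy values are constructed placeholders, and the LAUNCH_UPDATE order is assumed from the mail.

```python
import base64
import hashlib
import hmac
import struct

PAGE_SIZE = 4096

# Constructed sample inputs: not a real OVMF image, TIK, VMSA or QEMU reply.
SAMPLE_TIK = bytes(range(16))
SAMPLE_FIRMWARE = b"\x90" * (2 * PAGE_SIZE)
SAMPLE_HASHES_TABLE = b"\x00" * PAGE_SIZE
SAMPLE_VMSAS = [bytes([i + 1]) * PAGE_SIZE for i in range(2)]   # two vcpus

def launch_digest(firmware: bytes, hashes_table: bytes, vmsas: list) -> bytes:
    """GCTX.LD: SHA-256 over every page passed to LAUNCH_UPDATE_DATA and
    LAUNCH_UPDATE_VMSA, in the order QEMU issued them.  The order used here
    (firmware, hashes table, one VMSA per vcpu) is assumed from the mail above."""
    h = hashlib.sha256()
    h.update(firmware)        # OVMF image as loaded by QEMU
    h.update(hashes_table)    # "measured linux boot" hashes table (b"" if absent)
    for vmsa in vmsas:        # SEV-ES only: initial register state of each vcpu
        if len(vmsa) != PAGE_SIZE:
            raise ValueError("a VMSA is exactly one 4 KiB page")
        h.update(vmsa)
    return h.digest()

def expected_measurement(tik, api_major, api_minor, build, policy, ld, nonce) -> bytes:
    """MEASURE = HMAC-SHA256(TIK, 0x04 || API_MAJOR || API_MINOR || BUILD ||
    POLICY (4 bytes LE) || GCTX.LD || MNONCE), as in the SEV firmware API."""
    msg = bytes([0x04, api_major, api_minor, build]) + struct.pack("<I", policy) + ld + nonce
    return hmac.new(tik, msg, hashlib.sha256).digest()

def verify_launch_measurement(reply_b64, tik, api_major, api_minor, build, policy,
                              firmware, hashes_table, vmsas) -> bool:
    """QEMU's query-sev-launch-measure returns base64(MEASURE || MNONCE), 32 + 16 bytes."""
    blob = base64.b64decode(reply_b64)
    if len(blob) != 48:
        raise ValueError("expected a 48-byte MEASURE||MNONCE blob")
    measure, nonce = blob[:32], blob[32:]
    ld = launch_digest(firmware, hashes_table, vmsas)
    expected = expected_measurement(tik, api_major, api_minor, build, policy, ld, nonce)
    return hmac.compare_digest(measure, expected)

def demo(firmware_at_verify: bytes = SAMPLE_FIRMWARE) -> bool:
    """Reproduce the reply the PSP would return for the sample inputs, then verify it
    against the firmware image the checker believes was launched."""
    nonce = b"\xab" * 16
    ld = launch_digest(SAMPLE_FIRMWARE, SAMPLE_HASHES_TABLE, SAMPLE_VMSAS)
    reply = base64.b64encode(expected_measurement(SAMPLE_TIK, 0, 24, 15, 1, ld, nonce) + nonce).decode()
    return verify_launch_measurement(reply, SAMPLE_TIK, 0, 24, 15, 1,
                                     firmware_at_verify, SAMPLE_HASHES_TABLE, SAMPLE_VMSAS)
```

Any change to the bytes QEMU launches (a different OVMF build, a different hashes table, or a vcpu state that differs in the VMSA) changes GCTX.LD and makes the check fail, which is why a mismatch with an unchanged image points at the hashes table or the VMSAs.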