[edk2-devel] [PATCH V1 1/1] OvmfPkg/PlatformPei: Skip PlatformInitEmuVariableNvStore in SEV guest

Tue, 28 Mar 2023 22:23:41 -0700 

From: Min M Xu <min.m...@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4379

PlatformInitEmuVariableNvStore is called to initialize the
EmuVariableNvStore with the content pointed by
PcdOvmfFlashNvStorageVariableBase. This is because when OVMF is launched
with -bios parameter, UEFI variables will be partially emulated, and
non-volatile variables may lose their contents after a reboot. This makes
the secure boot feature not working.

But in SEV guest, this design doesn't work. Because at this point the
variable store mapping is still private/encrypted, OVMF will see
ciphertext. So we skip the call of PlatformInitEmuVariableNvStore in
SEV guest.

Cc: Erdem Aktas <erdemak...@google.com>
Cc: James Bottomley <j...@linux.ibm.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Tom Lendacky <thomas.lenda...@amd.com>
Cc: Michael Roth <michael.r...@amd.com>
Cc: Gerd Hoffmann <kra...@redhat.com>
Reported-by: Joey Lee <j...@suse.com>
Tested-by: Joey Lee <j...@suse.com>
Signed-off-by: Min Xu <min.m...@intel.com>
---
 OvmfPkg/PlatformPei/Platform.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
index 148240342b4b..be9ba3e00124 100644
--- a/OvmfPkg/PlatformPei/Platform.c
+++ b/OvmfPkg/PlatformPei/Platform.c
@@ -223,7 +223,20 @@ ReserveEmuVariableNvStore (
   PcdStatus     = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore);
 
  #ifdef SECURE_BOOT_FEATURE_ENABLED
-  PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore);
+  //
+  // PlatformInitEmuVariableNvStore is called to initialize the 
EmuVariableNvStore
+  // with the content pointed by PcdOvmfFlashNvStorageVariableBase. This is 
because
+  // when OVMF is launched with -bios parameter, UEFI variables will be 
partially emulated,
+  // and non-volatile variables may lose their contents after a reboot. This 
makes the secure
+  // boot feature not working.
+  // But in SEV guest, this design doesn't work. Because at this point the 
variable store
+  // mapping is still private/encrypted, OVMF will see ciphertext. So we skip 
the call
+  // of PlatformInitEmuVariableNvStore in SEV guest.
+  //
+  if (!MemEncryptSevIsEnabled ()) {
+    PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore);
+  }
+
  #endif
 
   ASSERT_RETURN_ERROR (PcdStatus);
-- 
2.39.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#102098): https://edk2.groups.io/g/devel/message/102098
Mute This Topic: https://groups.io/mt/97922617/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to