On 4/14/23 05:20, Gerd Hoffmann wrote:
Hi,
-drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF_CODE.fd,readonly=on
-drive if=pflash,format=raw,unit=1,file=./fedora.fd
In this case, only OVMF_CODE.fd will be encrypted.
The fedora.fd (OVMF_VARS.fd) will be unencrypted.
-drive if=pflash,format=raw,unit=0,file=/root/kernels/qemu-install/OVMF.fd,readonly=on
In this case, OVMF.fd will be encrypted, which includes the now memory
backed variable store.
Can AmdSevInitialize() set up the mappings?
Is there a way to tell when OVMF.fd vs OVMF_VARS.fd/OVMF_CODE.fd is used?
Hmm, good question. Can the guest figure out what memory ranges are part
of the launch measurement?
I have a patch here (attached below) which refines flash detection and
can detect whether varstore flash is writable or not. I suspect that
doesn't help much though as flash probing requires mappings already
being correct.
Sorry for the delay, but, yeah, doesn't help. SEV and SEV-ES assert and
SEV-SNP terminates because of accessing a shared page (in the RMP) as a
private page (we don't support the generated 0x404 error code in the #VC
handler).
Thanks,
Tom
take care,
Gerd
commit fdab276a9f8a25f505b083b5e15180d093f515e3
Author: Gerd Hoffmann <kra...@redhat.com>
Date: Tue Apr 4 11:25:37 2023 +0200
OvmfPkg/QemuFlashFvbServicesRuntimeDxe: refine flash detection
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
index 82b2b70441bf..c088d560f829 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
@@ -118,8 +118,17 @@ QemuFlashDetected (
*Ptr = OriginalUint8;
} else if (ProbeUint8 == CLEARED_ARRAY_STATUS) {
DEBUG ((DEBUG_INFO, "QemuFlashDetected => FD behaves as FLASH\n"));
- FlashDetected = TRUE;
- *Ptr = READ_ARRAY_CMD;
+ *Ptr = WRITE_BYTE_CMD;
+ *Ptr = OriginalUint8;
+ *Ptr = READ_STATUS_CMD;
+ ProbeUint8 = *Ptr;
+ if (ProbeUint8 & 0x10 /* programming error */) {
+ DEBUG ((DEBUG_INFO, "QemuFlashDetected => FLASH is readonly\n"));
+ } else {
+ DEBUG ((DEBUG_INFO, "QemuFlashDetected => FLASH is writable\n"));
+ FlashDetected = TRUE;
+ }
+ *Ptr = READ_ARRAY_CMD;
}
}
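Review bot: in the new read-only branch FlashDetected stays FALSE, so a pflash varstore that is present but read-only is reported to callers exactly like a region that is not flash at all; the only place the two cases differ is the DEBUG_INFO message. If that is intended, state it in the commit message (it currently has only a subject line) and in a comment above the check; if callers need to tell the cases apart, return the distinction rather than folding it into one boolean. The status test `if (ProbeUint8 & 0x10 /* programming error */)` would read better with a named constant beside the other command and status macros instead of a literal plus comment. The probe also now issues WRITE_BYTE_CMD against the live varstore; writing OriginalUint8 back is what keeps the byte unchanged on writable flash, and that deserves a one-line comment because it is the step that makes the probe non-destructive.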