diff --git a/0048-OvmfPkg-AmdSev-SecretDxe-Allocate-secret-location-as.patch b/0048-OvmfPkg-AmdSev-SecretDxe-Allocate-secret-location-as.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e80d3698f56a355f5df138d8a82b2b1e0efc5b01
--- /dev/null
+++ b/0048-OvmfPkg-AmdSev-SecretDxe-Allocate-secret-location-as.patch
@@ -0,0 +1,73 @@
+From 02916fa2f7b92b060bbdc70b2083d0fcf6139624 Mon Sep 17 00:00:00 2001
+From: Dov Murik
+Date: Thu, 15 Dec 2022 13:11:51 +0000
+Subject: [PATCH] OvmfPkg/AmdSev/SecretDxe: Allocate secret location as
+ EfiACPIReclaimMemory
+
+BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4186
+
+Commit 079a58276b98 ("OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret
+area as reserved") marked the launch secret area itself (1 page) as
+reserved so the guest OS can use it during the lifetime of the OS.
+However, the address and size of the secret area held in the
+CONFIDENTIAL_COMPUTING_SECRET_LOCATION struct are declared as STATIC in
+OVMF (in AmdSev/SecretDxe); therefore there's no guarantee that it will
+not be written over by OS data.
+
+Fix this by allocating the memory for the
+CONFIDENTIAL_COMPUTING_SECRET_LOCATION struct with the
+EfiACPIReclaimMemory memory type to ensure the guest OS will not reuse
+this memory.
+
+Fixes: 079a58276b98 ("OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret ...")
+Signed-off-by: Dov Murik
+Reviewed-by: Tom Lendacky
+Reviewed-by: Ard Biesheuvel
+---
+ OvmfPkg/AmdSev/SecretDxe/SecretDxe.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
+index 934ad20..c851176 100644
+--- a/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
++++ b/OvmfPkg/AmdSev/SecretDxe/SecretDxe.c
+@@ -8,11 +8,6 @@
+ #include
+ #include
+
+-STATIC CONFIDENTIAL_COMPUTING_SECRET_LOCATION mSecretDxeTable = {
+- FixedPcdGet32 (PcdSevLaunchSecretBase),
+- FixedPcdGet32 (PcdSevLaunchSecretSize),
+-};
+-
+ EFI_STATUS
+ EFIAPI
+ InitializeSecretDxe(
+@@ -20,8 +15,23 @@ InitializeSecretDxe(
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+ {
++ EFI_STATUS Status;
++ CONFIDENTIAL_COMPUTING_SECRET_LOCATION *SecretDxeTable;
++
++ Status = gBS->AllocatePool (
++ EfiACPIReclaimMemory,
++ sizeof (CONFIDENTIAL_COMPUTING_SECRET_LOCATION),
++ (VOID **)&SecretDxeTable
++ );
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++
++ SecretDxeTable->Base = FixedPcdGet32 (PcdSevLaunchSecretBase);
++ SecretDxeTable->Size = FixedPcdGet32 (PcdSevLaunchSecretSize);
++
+ return gBS->InstallConfigurationTable (
+ &gConfidentialComputingSecretGuid,
+- &mSecretDxeTable
++ SecretDxeTable
+ );
+ }
+-- 
+2.41.0
+
diff --git a/edk2.spec b/edk2.spec
index 65d7309f714e9eac5073bf25f55de2e34c1571b5..edcb979f62d0a71e0fe5168fca0220710684cc47 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -85,6 +85,8 @@ Patch1017: 0046-anolis-OvmfPkg-BaseMemEncryptLib-Return-SUCCESS-if-n.patch
 # Fix the isue that interrupt is enabled in MMIO VC handler
 Patch1018: 0047-anolis-OvmfPkg-BaseMemEncryptLib-Save-memory-encrypt.patch
+Patch1019: 0048-OvmfPkg-AmdSev-SecretDxe-Allocate-secret-location-as.patch
+
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
 # verification with "ovmf-vars-generator".
@@ -527,6 +529,10 @@ true
 %endif
 %changelog
+* Wed Jan 24 2024 Baoshun Fang - 20220126gitbb1bba3d77-6.0.3
+- 0048-OvmfPkg-AmdSev-SecretDxe-Allocate-secret-location-as.patch
+- Resolves: bz#8033
+
 * Thu Jan 11 2024 Xin Jiang - 20220126gitbb1bba3d77-6.0.2
 - 0047-anolis-OvmfPkg-BaseMemEncryptLib-Save-memory-encrypt.patch
 - Fix the isue that interrupt is enabled in MMIO VC handler
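Review bot: The new InitializeSecretDxe body leaks the EfiACPIReclaimMemory pool allocation when `gBS->InstallConfigurationTable` fails — `SecretDxeTable` is passed in and the call's status is returned directly, with no `FreePool` on the error path, so a failed install leaves an orphaned ACPI-reclaim chunk in the memory map that the OS will later preserve for nothing. Capturing the status and freeing on error is a small change; the rewritten tail of the function is below. A second, hedged point: EfiACPIReclaimMemory is by definition reclaimable once the OS has finished consuming ACPI tables, so the commit message's "the guest OS will not reuse this memory" holds only as long as the OS reads the configuration table before reclaiming; a one-line comment above the `AllocatePool` call such as `// ACPI-reclaim: survives ExitBootServices; the OS must read this table before reclaiming ACPI memory` would record that intent for the next maintainer. The `ImageHandle` parameter line of InitializeSecretDxe sits between the two inner hunks and is not shown.
```c
  // … unchanged: AllocatePool and Base/Size initialisation …
  Status = gBS->InstallConfigurationTable (
             &gConfidentialComputingSecretGuid,
             SecretDxeTable
             );
  if (EFI_ERROR (Status)) {
    // Do not leave an orphaned ACPI-reclaim allocation behind on failure.
    gBS->FreePool (SecretDxeTable);
  }

  return Status;
```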