diff --git a/0083-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch b/0083-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch new file mode 100644 index 0000000000000000000000000000000000000000..702732993c06811f0d9f1f01463ffb630493ab0d --- /dev/null +++ b/0083-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch @@ -0,0 +1,85 @@ +From 65516ad2e063622e06e2f0857f0847d5ad0824b3 Mon Sep 17 00:00:00 2001 +From: YuanhaoXie +Date: Tue, 22 Aug 2023 09:52:14 +0800 +Subject: [PATCH 1/3] OvmfPkg: Disable PcdFirstTimeWakeUpAPsBySipi + +commit 020cc9e2e7053bb62247b0babbbe80cb855592e5 upstream. + +Disable PcdFirstTimeWakeUpAPsBySipi for IntelTdx, Microvm, and Xen to +preserve the original execution of INIT-SIPI-SIPI. + +Cc: Eric Dong +Cc: Ray Ni +Cc: Rahul Kumar +Cc: Gerd Hoffmann +Cc: Ard Biesheuvel +Cc: Jiewen Yao +Cc: Jordan Justen +Signed-off-by: Yuanhao Xie +Acked-by: Gerd Hoffmann +--- + OvmfPkg/IntelTdx/IntelTdxX64.dsc | 8 ++++++++ + OvmfPkg/Microvm/MicrovmX64.dsc | 8 ++++++++ + OvmfPkg/OvmfXen.dsc | 8 ++++++++ + 3 files changed, 24 insertions(+) + +diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc +index e9cdd70f..020d12e2 100644 +--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc ++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc +@@ -464,6 +464,14 @@ + # Point to the MdeModulePkg/Application/UiApp/UiApp.inf + gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 } + ++ # ++ # PcdFirstTimeWakeUpAPsBySipi determines whether to employ ++ # SIPI instead of the INIT-SIPI-SIPI sequence during APs ++ # initialization. Deactivate this parameter to preserve ++ # the original execution of INIT-SIPI-SIPI. ++ # ++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE ++ + ################################################################################ + # + # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform +diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc +index 2f758563..d2ef1e00 100644 +--- a/OvmfPkg/Microvm/MicrovmX64.dsc ++++ b/OvmfPkg/Microvm/MicrovmX64.dsc +@@ -566,6 +566,14 @@ + gEfiMdeModulePkgTokenSpaceGuid.PcdSerialPciDeviceInfo|{0xFF} + gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x3f8 + ++ # ++ # PcdFirstTimeWakeUpAPsBySipi determines whether to employ ++ # SIPI instead of the INIT-SIPI-SIPI sequence during APs ++ # initialization. Deactivate this parameter to preserve ++ # the original execution of INIT-SIPI-SIPI. ++ # ++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE ++ + ################################################################################ + # + # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform +diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc +index 210578c1..dcb99d1f 100644 +--- a/OvmfPkg/OvmfXen.dsc ++++ b/OvmfPkg/OvmfXen.dsc +@@ -458,6 +458,14 @@ + # We populate DXE IPL tables with 1G pages preferably on Xen + gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable|TRUE + ++ # ++ # PcdFirstTimeWakeUpAPsBySipi determines whether to employ ++ # SIPI instead of the INIT-SIPI-SIPI sequence during APs ++ # initialization. Deactivate this parameter to preserve ++ # the original execution of INIT-SIPI-SIPI. ++ # ++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE ++ + ################################################################################ + # + # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform +-- +2.25.1 + diff --git a/0084-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch b/0084-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch new file mode 100644 index 0000000000000000000000000000000000000000..b4aba64ed1d31c0ee0400807fe173364a186154d --- /dev/null +++ b/0084-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch @@ -0,0 +1,47 @@ +From 84f0fb21e90100753b897b34162748216e44ec8d Mon Sep 17 00:00:00 2001 +From: Michael Roth +Date: Wed, 16 Aug 2023 15:11:46 -0500 +Subject: [PATCH 2/3] OvmfPkg/AmdSev: Disable PcdFirstTimeWakeUpAPsBySipi + +commit 8b66f9df1bb0fd5ebb743944d41cb33178cf2fdd upstream. + +PcdFirstTimeWakeUpAPsBySipi was recently introduced to indicate when the +full INIT-SIPI-SIPI sequence can be skipped for AP bringup. It is true +by default, but needs to be disabled for QEMU/OVMF where early INIT is +not simulated. Commit 1d76560146 ("OvmfPkg: Disable +PcdFirstTimeWakeUpAPsBySipi.") added changes to disable it by default +for OvmfPkg, but a similar change was not made for the AmdSev package. +This breaks booting of SEV and SNP guests. + +Fix this defaulting PcdFirstTimeWakeUpAPsBySipi to false for AmdSev +package, as was previously done for OvmfPkg variants. + +Fixes: eaffa1d7ff ("UefiCpuPkg:Wake up APs after power-up or RESET through SIPI.") +Signed-off-by: Michael Roth +Acked-by: Gerd Hoffmann +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 31bff348..44acbb7f 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -469,6 +469,14 @@ + gEfiMdeModulePkgTokenSpaceGuid.PcdConInConnectOnDemand|TRUE + gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware|TRUE + ++ # ++ # INIT is now triggered before BIOS by ucode/hardware. In the OVMF ++ # environment, QEMU lacks a simulation for the INIT process. ++ # To address this, PcdFirstTimeWakeUpAPsBySipi set to FALSE to ++ # broadcast INIT-SIPI-SIPI for the first time. ++ # ++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE ++ + ################################################################################ + # + # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform +-- +2.25.1 + diff --git a/0085-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch b/0085-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch new file mode 100644 index 0000000000000000000000000000000000000000..b203853afa66b975ae7a1737eb015ae24c72fbcc --- /dev/null +++ b/0085-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch @@ -0,0 +1,73 @@ +From 04ae456fde2e20bce01155a4d9a581a7f1205160 Mon Sep 17 00:00:00 2001 +From: "Roth, Michael via groups.io" +Date: Wed, 16 Aug 2023 15:11:45 -0500 +Subject: [PATCH 3/3] OvmfPkg/AmdSev: fix BdsPlatform.c assertion failure + during boot + +commit f008890ae55929f7f17e7d2f8aff929255007d33 upstream. + +Booting an SEV guest with AmdSev OVMF package currently triggers the +following assertion with QEMU: + + InstallQemuFwCfgTables: installed 7 tables + PcRtc: Write 0x20 to CMOS location 0x32 + [Variable]END_OF_DXE is signaled + Initialize variable error flag (FF) + + ASSERT_EFI_ERROR (Status = Not Found) + ASSERT [BdsDxe] /home/VT_BUILD/ovmf/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c(1711): !(((INTN)(RETURN_STATUS)(Status)) < 0) + +This seems to be due to commit 81dc0d8b4c, which switched to using +PlatformBootManagerLib instead of PlatformBootManagerLibGrub. That pulls +in a dependency on gEfiS3SaveStateProtocolGuid provider being available +(which is asserted for in +BdsPlatform.c:PlatformBootManagerBeforeConsole()/SaveS3BootScript()), +but the libraries that provide it aren't currently included in the +build. Add them similarly to what's done for OvmfPkg. + +Fixes: 81dc0d8b4c ("OvmfPkg/AmdSev: stop using PlatformBootManagerLibGrub") +Signed-off-by: Michael Roth +Acked-by: Gerd Hoffmann +Acked-by: Jiewen Yao +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++ + OvmfPkg/AmdSev/AmdSevX64.fdf | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 44acbb7f..29705131 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -201,6 +201,7 @@ + + SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf + OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf ++ S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf + + !include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc + +@@ -718,6 +719,8 @@ + # + MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf + OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf ++ MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf ++ MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + # +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index b0d9033f..0bf87be2 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -279,6 +279,8 @@ INF OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.inf + + INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf + INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf ++INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf ++INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf + + INF FatPkg/EnhancedFatDxe/Fat.inf +-- +2.25.1 + diff --git a/edk2.spec b/edk2.spec index 30d001465a750947fbaaa8529ae0f58396e5330c..e3fbe264d8c5ad6d3e6e92240936c86e2edd1058 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date} -Release: 19 +Release: 20 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 @@ -132,6 +132,11 @@ patch80: 0080-Fix-timing-side-channel-CVE-2024-13176.patch patch81: 0081-Free-the-read-buffers-CVE-2024-4741.patch patch82: 0082-Process-key-length-CVE-2023-5363.patch +# Fix some boot failures on OvmfPkg/AmdSev +patch83: 0083-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch +patch84: 0084-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch +patch85: 0085-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl %description @@ -422,6 +427,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Thu Mar 13 2025 hanliyang - 202308-20 +- Fix boot failure on OvmfPkg/AmdSev + * Sun Mar 9 2025 shenyage - 202308-19 - fix bugs for CVE-2023-45236、CVE-2023-45237