From 16d2b2315aff2a3170f139e53791d8f1e374c5f9 Mon Sep 17 00:00:00 2001
From: hanliyang
Date: Tue, 8 Apr 2025 12:20:40 +0000
Subject: [PATCH] Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption

The pull request at https://gitee.com/src-openeuler/grub2/pulls/468 added efisecret.mod to the grub2-efi-x64-modules package. Based on this package, we can build OVMF.fd using AmdSevX64.dsc to support booting a VM with full disk encryption.
Signed-off-by: hanliyang
---
 ...ntegrate-grub2-x86_64-efi-modules-fr.patch | 89 +++++++++++++++++++
 edk2.spec | 22 +++--
 2 files changed, 105 insertions(+), 6 deletions(-)
 create mode 100644 0089-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch

diff --git a/0089-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch b/0089-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch
new file mode 100644
index 0000000..ddc5c80
--- /dev/null
+++ b/0089-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch
@@ -0,0 +1,89 @@ +From ac649358f044a4fa25327cf2ed6db6d35b8bd8be Mon Sep 17 00:00:00 2001 +From: hanliyang +Date: Fri, 2 Aug 2024 02:06:58 +0800 +Subject: [PATCH] OvmfPkg/AmdSev: Integrate grub2 x86_64-efi modules from the + system path to grub.efi which is used to support Full Disk Encryption + +The pull request at https://gitee.com/src-openeuler/grub2/pulls/468 +added efisecret.mod to the grub2-efi-x64-modules package. Based on this +package, we can build OVMF.fd using AmdSevX64.dsc to support booting a +VM with full disk encryption. + +* How to build the OVMF.fd manually: + + When we build the OVMF.fd which support full-disk encryption, we + should delete stale grub.efi in the source tree: + + $ rm OvmfPkg/AmdSev/Grub/grub.efi + + And specify the dsc file: + + $ OvmfPkg/build.sh ... -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc ... + +Signed-off-by: hanliyang +--- + OvmfPkg/AmdSev/Grub/grub.cfg | 22 +++++++++++++++------- + OvmfPkg/AmdSev/Grub/grub.sh | 3 +-- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/OvmfPkg/AmdSev/Grub/grub.cfg b/OvmfPkg/AmdSev/Grub/grub.cfg +index 17be9427..93eea0b4 100644 +--- a/OvmfPkg/AmdSev/Grub/grub.cfg ++++ b/OvmfPkg/AmdSev/Grub/grub.cfg +@@ -10,16 +10,12 @@ + ## + + echo "Entering grub config" +-sevsecret ++cryptomount -s efisecret + if [ $? -ne 0 ]; then + echo "Failed to locate anything in the SEV secret area, prompting for password" ++ echo "OR" ++ echo "Failed to mount root securely, retrying with password prompt" + cryptomount -a +-else +- cryptomount -s +- if [ $? 
-ne 0 ]; then +- echo "Failed to mount root securely, retrying with password prompt" +- cryptomount -a +- fi + fi + set root= + for f in (crypto*); do +@@ -27,6 +23,18 @@ for f in (crypto*); do + set root=$f + set prefix=($root)/boot/grub + break; ++ elif [ -e $f/boot/grub2/grub.cfg ]; then ++ set root=$f ++ set prefix=($root)/boot/grub ++ break; ++ elif [ -e $f/grub/grub.cfg ]; then ++ set root=$f ++ set prefix=($root)/grub ++ break; ++ elif [ -e $f/grub2/grub.cfg ]; then ++ set root=$f ++ set prefix=($root)/grub2 ++ break; + fi + done + if [ x$root = x ]; then +diff --git a/OvmfPkg/AmdSev/Grub/grub.sh b/OvmfPkg/AmdSev/Grub/grub.sh +index 99807d72..760a03b8 100644 +--- a/OvmfPkg/AmdSev/Grub/grub.sh ++++ b/OvmfPkg/AmdSev/Grub/grub.sh +@@ -42,9 +42,8 @@ GRUB_MODULES=" + test + regexp + linux +- linuxefi + reboot +- sevsecret ++ efisecret + " + basedir=$(dirname -- "$0") + +-- +2.43.0 + diff --git a/edk2.spec b/edk2.spec index e18120d..589ff82 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date} -Release: 24 +Release: 25 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 
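Review bot: In the new 0089 patch's second grub.cfg hunk, the `elif [ -e $f/boot/grub2/grub.cfg ]` branch sets `set prefix=($root)/boot/grub`, a directory other than the one the config was just found in; the sibling branches for `/grub` and `/grub2` each point prefix at the matching directory, so this looks like a copy-paste slip and should read `set prefix=($root)/boot/grub2` unless /boot/grub is guaranteed to alias /boot/grub2 on the target images. Also worth a comment in the first grub.cfg hunk: when `cryptomount -s efisecret` fails the config still falls back to an interactive `cryptomount -a`, so a guest whose SEV secret injection failed boots to a password prompt rather than halting; if that is not the intended policy for unattended confidential VMs, that fallback branch is where to change it. The `for f in (crypto*)` loop that contains the prefix branches starts outside the hunk.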
@@ -146,8 +146,20 @@ patch87: 0087-Harden-BN_GF2m_poly2arr-against-misuse.patch # Fix CVE-2024-38797 patch88: 0088-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch +# Get grub2 x64 module from CI system path when building OVMF.fd using +# AmdSevX64.dsc, this will enable the OVMF.amdsev.fd to support Full Disk +# Encryption right out of the box. +patch89: 0089-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl +%ifarch x86_64 +# For build OVMF.fd using AmdSevX64.dsc, we need +# mtools mkfs.msdos grub2-mkimage grub2-efi-x64-modules packages +# if we don't touch dummy grub.efi. +BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules +%endif + %description EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. @@ -275,11 +287,6 @@ build $BUILD_OPTION mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.secure_boot//') done - # Build OVMF using OvmfPkg/AmdSev/AmdSevX64.dsc. The build depends on - # OvmfPkg/AmdSev/Grub/grub.efi, and grub.efi further depends on Grub - # with efisecret support. When the build system's native Grub - # supports efisecret, remove this fake OvmfPkg/AmdSev/Grub/grub.efi. - touch OvmfPkg/AmdSev/Grub/grub.efi BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -p OvmfPkg\/OvmfPkgX64.dsc/ -p OvmfPkg\/AmdSev\/AmdSevX64.dsc/g') build $BUILD_OPTION %endif @@ -447,6 +454,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Mon Apr 28 2025 hanliyang - 202308-25 +- Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption + * Sun Apr 27 2025 huyu - 202308-24 - fix CVE-2024-38797 -- Gitee
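Review bot: The new `BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules` inside the `%ifarch x86_64` block is unversioned, yet the grub.efi that AmdSevX64.dsc now generates from those system modules is embedded in OVMF.amdsev.fd, so the produced firmware — and, if it is published for SEV attestation, its launch measurement — varies with whichever grub2 build the build host happens to have. Consider pinning the minimum that ships efisecret.mod, e.g. `BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules >= <grub2 version with efisecret.mod>`, and naming that version in the %changelog entry so the image can be reproduced. The comment above the requirement still conditions on the dummy grub.efi that this same commit stops touching in the later hunk; `# AmdSevX64.dsc builds grub.efi from the system grub2 x64 modules, which needs mtools, mkfs.msdos (dosfstools) and grub2-mkimage (grub2-tools).` would state the dependency without the stale condition.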