diff --git a/0111-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch b/0111-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..702732993c06811f0d9f1f01463ffb630493ab0d
--- /dev/null
+++ b/0111-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch
@@ -0,0 +1,85 @@
+From 65516ad2e063622e06e2f0857f0847d5ad0824b3 Mon Sep 17 00:00:00 2001
+From: YuanhaoXie
+Date: Tue, 22 Aug 2023 09:52:14 +0800
+Subject: [PATCH 1/3] OvmfPkg: Disable PcdFirstTimeWakeUpAPsBySipi
+
+commit 020cc9e2e7053bb62247b0babbbe80cb855592e5 upstream.
+
+Disable PcdFirstTimeWakeUpAPsBySipi for IntelTdx, Microvm, and Xen to
+preserve the original execution of INIT-SIPI-SIPI.
+
+Cc: Eric Dong
+Cc: Ray Ni
+Cc: Rahul Kumar
+Cc: Gerd Hoffmann
+Cc: Ard Biesheuvel
+Cc: Jiewen Yao
+Cc: Jordan Justen
+Signed-off-by: Yuanhao Xie
+Acked-by: Gerd Hoffmann
+---
+ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 8 ++++++++
+ OvmfPkg/Microvm/MicrovmX64.dsc | 8 ++++++++
+ OvmfPkg/OvmfXen.dsc | 8 ++++++++
+ 3 files changed, 24 insertions(+)
+
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+index e9cdd70f..020d12e2 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+@@ -464,6 +464,14 @@
+ # Point to the MdeModulePkg/Application/UiApp/UiApp.inf
+ gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
+
++ #
++ # PcdFirstTimeWakeUpAPsBySipi determines whether to employ
++ # SIPI instead of the INIT-SIPI-SIPI sequence during APs
++ # initialization. Deactivate this parameter to preserve
++ # the original execution of INIT-SIPI-SIPI.
++ #
++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE
++
+ ################################################################################
+ #
+ # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index 2f758563..d2ef1e00 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
++++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -566,6 +566,14 @@
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSerialPciDeviceInfo|{0xFF}
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase|0x3f8
+
++ #
++ # PcdFirstTimeWakeUpAPsBySipi determines whether to employ
++ # SIPI instead of the INIT-SIPI-SIPI sequence during APs
++ # initialization. Deactivate this parameter to preserve
++ # the original execution of INIT-SIPI-SIPI.
++ #
++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE
++
+ ################################################################################
+ #
+ # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform
+diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
+index 210578c1..dcb99d1f 100644
+--- a/OvmfPkg/OvmfXen.dsc
++++ b/OvmfPkg/OvmfXen.dsc
+@@ -458,6 +458,14 @@
+ # We populate DXE IPL tables with 1G pages preferably on Xen
+ gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable|TRUE
+
++ #
++ # PcdFirstTimeWakeUpAPsBySipi determines whether to employ
++ # SIPI instead of the INIT-SIPI-SIPI sequence during APs
++ # initialization. Deactivate this parameter to preserve
++ # the original execution of INIT-SIPI-SIPI.
++ #
++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE
++
+ ################################################################################
+ #
+ # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform
+--
+2.25.1
+
diff --git a/0112-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch b/0112-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b4aba64ed1d31c0ee0400807fe173364a186154d
--- /dev/null
+++ b/0112-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch
@@ -0,0 +1,47 @@
+From 84f0fb21e90100753b897b34162748216e44ec8d Mon Sep 17 00:00:00 2001
+From: Michael Roth
+Date: Wed, 16 Aug 2023 15:11:46 -0500
+Subject: [PATCH 2/3] OvmfPkg/AmdSev: Disable PcdFirstTimeWakeUpAPsBySipi
+
+commit 8b66f9df1bb0fd5ebb743944d41cb33178cf2fdd upstream.
+
+PcdFirstTimeWakeUpAPsBySipi was recently introduced to indicate when the
+full INIT-SIPI-SIPI sequence can be skipped for AP bringup. It is true
+by default, but needs to be disabled for QEMU/OVMF where early INIT is
+not simulated. Commit 1d76560146 ("OvmfPkg: Disable
+PcdFirstTimeWakeUpAPsBySipi.") added changes to disable it by default
+for OvmfPkg, but a similar change was not made for the AmdSev package.
+This breaks booting of SEV and SNP guests.
+
+Fix this defaulting PcdFirstTimeWakeUpAPsBySipi to false for AmdSev
+package, as was previously done for OvmfPkg variants.
+
+Fixes: eaffa1d7ff ("UefiCpuPkg:Wake up APs after power-up or RESET through SIPI.")
+Signed-off-by: Michael Roth
+Acked-by: Gerd Hoffmann
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 31bff348..44acbb7f 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -469,6 +469,14 @@
+ gEfiMdeModulePkgTokenSpaceGuid.PcdConInConnectOnDemand|TRUE
+ gUefiOvmfPkgTokenSpaceGuid.PcdBootRestrictToFirmware|TRUE
+
++ #
++ # INIT is now triggered before BIOS by ucode/hardware. In the OVMF
++ # environment, QEMU lacks a simulation for the INIT process.
++ # To address this, PcdFirstTimeWakeUpAPsBySipi set to FALSE to
++ # broadcast INIT-SIPI-SIPI for the first time.
++ #
++ gUefiCpuPkgTokenSpaceGuid.PcdFirstTimeWakeUpAPsBySipi|FALSE
++
+ ################################################################################
+ #
+ # Pcd Dynamic Section - list of all EDK II PCD Entries defined by this Platform
+--
+2.25.1
+
diff --git a/0113-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch b/0113-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b203853afa66b975ae7a1737eb015ae24c72fbcc
--- /dev/null
+++ b/0113-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch
@@ -0,0 +1,73 @@
+From 04ae456fde2e20bce01155a4d9a581a7f1205160 Mon Sep 17 00:00:00 2001
+From: "Roth, Michael via groups.io"
+Date: Wed, 16 Aug 2023 15:11:45 -0500
+Subject: [PATCH 3/3] OvmfPkg/AmdSev: fix BdsPlatform.c assertion failure
+ during boot
+
+commit f008890ae55929f7f17e7d2f8aff929255007d33 upstream.
+
+Booting an SEV guest with AmdSev OVMF package currently triggers the
+following assertion with QEMU:
+
+ InstallQemuFwCfgTables: installed 7 tables
+ PcRtc: Write 0x20 to CMOS location 0x32
+ [Variable]END_OF_DXE is signaled
+ Initialize variable error flag (FF)
+
+ ASSERT_EFI_ERROR (Status = Not Found)
+ ASSERT [BdsDxe] /home/VT_BUILD/ovmf/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c(1711): !(((INTN)(RETURN_STATUS)(Status)) < 0)
+
+This seems to be due to commit 81dc0d8b4c, which switched to using
+PlatformBootManagerLib instead of PlatformBootManagerLibGrub. That pulls
+in a dependency on gEfiS3SaveStateProtocolGuid provider being available
+(which is asserted for in
+BdsPlatform.c:PlatformBootManagerBeforeConsole()/SaveS3BootScript()),
+but the libraries that provide it aren't currently included in the
+build. Add them similarly to what's done for OvmfPkg.
+
+Fixes: 81dc0d8b4c ("OvmfPkg/AmdSev: stop using PlatformBootManagerLibGrub")
+Signed-off-by: Michael Roth
+Acked-by: Gerd Hoffmann
+Acked-by: Jiewen Yao
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +++
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 44acbb7f..29705131 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -201,6 +201,7 @@
+
+ SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
+ OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
++ S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
+
+ !include OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
+
+@@ -718,6 +719,8 @@
+ #
+ MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
+ OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
++ MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
++ MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+
+ #
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index b0d9033f..0bf87be2 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -279,6 +279,8 @@ INF OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.inf
+
+ INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf
+ INF OvmfPkg/AcpiPlatformDxe/AcpiPlatformDxe.inf
++INF MdeModulePkg/Universal/Acpi/S3SaveStateDxe/S3SaveStateDxe.inf
++INF MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+
+ INF FatPkg/EnhancedFatDxe/Fat.inf
+--
+2.25.1
+
diff --git a/0114-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch b/0114-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch new file mode 100644 index 0000000000000000000000000000000000000000..ddc5c805639dd86e1bf5016d968e77b4a3178d1c --- /dev/null +++ b/0114-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch 
@@ -0,0 +1,89 @@ +From ac649358f044a4fa25327cf2ed6db6d35b8bd8be Mon Sep 17 00:00:00 2001 +From: hanliyang +Date: Fri, 2 Aug 2024 02:06:58 +0800 +Subject: [PATCH] OvmfPkg/AmdSev: Integrate grub2 x86_64-efi modules from the + system path to grub.efi which is used to support Full Disk Encryption + +The pull request at https://gitee.com/src-openeuler/grub2/pulls/468 +added efisecret.mod to the grub2-efi-x64-modules package. Based on this +package, we can build OVMF.fd using AmdSevX64.dsc to support booting a +VM with full disk encryption. + +* How to build the OVMF.fd manually: + + When we build the OVMF.fd which support full-disk encryption, we + should delete stale grub.efi in the source tree: + + $ rm OvmfPkg/AmdSev/Grub/grub.efi + + And specify the dsc file: + + $ OvmfPkg/build.sh ... -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc ... + +Signed-off-by: hanliyang +--- + OvmfPkg/AmdSev/Grub/grub.cfg | 22 +++++++++++++++------- + OvmfPkg/AmdSev/Grub/grub.sh | 3 +-- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/OvmfPkg/AmdSev/Grub/grub.cfg b/OvmfPkg/AmdSev/Grub/grub.cfg +index 17be9427..93eea0b4 100644 +--- a/OvmfPkg/AmdSev/Grub/grub.cfg ++++ b/OvmfPkg/AmdSev/Grub/grub.cfg +@@ -10,16 +10,12 @@ + ## + + echo "Entering grub config" +-sevsecret ++cryptomount -s efisecret + if [ $? -ne 0 ]; then + echo "Failed to locate anything in the SEV secret area, prompting for password" ++ echo "OR" ++ echo "Failed to mount root securely, retrying with password prompt" + cryptomount -a +-else +- cryptomount -s +- if [ $? 
-ne 0 ]; then +- echo "Failed to mount root securely, retrying with password prompt" +- cryptomount -a +- fi + fi + set root= + for f in (crypto*); do +@@ -27,6 +23,18 @@ for f in (crypto*); do + set root=$f + set prefix=($root)/boot/grub + break; ++ elif [ -e $f/boot/grub2/grub.cfg ]; then ++ set root=$f ++ set prefix=($root)/boot/grub ++ break; ++ elif [ -e $f/grub/grub.cfg ]; then ++ set root=$f ++ set prefix=($root)/grub ++ break; ++ elif [ -e $f/grub2/grub.cfg ]; then ++ set root=$f ++ set prefix=($root)/grub2 ++ break; + fi + done + if [ x$root = x ]; then +diff --git a/OvmfPkg/AmdSev/Grub/grub.sh b/OvmfPkg/AmdSev/Grub/grub.sh +index 99807d72..760a03b8 100644 +--- a/OvmfPkg/AmdSev/Grub/grub.sh ++++ b/OvmfPkg/AmdSev/Grub/grub.sh +@@ -42,9 +42,8 @@ GRUB_MODULES=" + test + regexp + linux +- linuxefi + reboot +- sevsecret ++ efisecret + " + basedir=$(dirname -- "$0") + +-- +2.43.0 + diff --git a/edk2.spec b/edk2.spec index b44ba9a87118a4a2f05ea9e4b478fe3559a8b21e..b230246c5b9d8631db5cc6c2edca75dfe38240ac 100644 --- a/edk2.spec +++ b/edk2.spec @@ -7,7 +7,7 @@ Name: edk2 Version: %{stable_date} -Release: 23 +Release: 24 Summary: EFI Development Kit II License: BSD-2-Clause-Patent and OpenSSL and MIT URL: https://github.com/tianocore/edk2 
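Review bot: In the grub.cfg change carried by patch 0114, the added `elif [ -e $f/boot/grub2/grub.cfg ]` branch sets `set prefix=($root)/boot/grub`, although the config it just found is under `/boot/grub2`; the other two added branches set a prefix that matches the tested path, so this one should read `set prefix=($root)/boot/grub2`. The `for f in (crypto*)` loop and its first `if` start outside the hunk. Separately, folding `sevsecret` and `cryptomount -s` into the single `cryptomount -s efisecret` leaves one failure path that prints both old messages joined by `echo "OR"`, so the console no longer says whether no secret was injected or an injected secret failed to unlock the disk before the fallback to `cryptomount -a`. If the command's exit status cannot separate the two cases, a single accurate message would be easier to diagnose on a guest that unexpectedly asks for a passphrase.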
@@ -171,8 +171,25 @@ patch108: 0108-Platform-Loongson-Remove-minimium-memory-size-limita.patch patch109: 0109-Platform-Loongson-Modify-loongarch-uefi-firmware-siz.patch patch110: 0110-fixup-fdt-parse-error.patch +# Fix some boot failures on OvmfPkg/AmdSev +patch111: 0111-OvmfPkg-Disable-PcdFirstTimeWakeUpAPsBySipi.patch +patch112: 0112-OvmfPkg-AmdSev-Disable-PcdFirstTimeWakeUpAPsBySipi.patch +patch113: 0113-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch + +# Get grub2 x64 module from CI system path when building OVMF.fd using +# AmdSevX64.dsc, this will enable the OVMF.amdsev.fd to support Full Disk +# Encryption right out of the box. +patch114: 0114-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl +%ifarch x86_64 +# For build OVMF.fd using AmdSevX64.dsc, we need +# mtools mkfs.msdos grub2-mkimage grub2-efi-x64-modules packages +# if we don't touch dummy grub.efi. +BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules +%endif + %description EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. 
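Review bot: The added `BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules` carries no minimum version, yet patch114's grub.sh lists `efisecret` in GRUB_MODULES and its description says that module only entered grub2-efi-x64-modules through a separate grub2 change. A build root with an older grub2 package would presumably fail only when the AmdSev grub image is assembled, so a versioned requirement such as `BuildRequires: grub2-efi-x64-modules >= <first release shipping efisecret.mod>` would state the dependency up front. Since the grub.efi built for AmdSevX64.dsc now takes its modules from the build root, the comment above patch114 could also say that the firmware contents depend on the installed grub2 version.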
@@ -291,6 +308,27 @@ BUILD_OPTION="$BUILD_OPTION -D TPM_CONFIG_ENABLE=TRUE" build $BUILD_OPTION +%ifarch x86_64 + for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd); do + mv ${ovmf_bin} ${ovmf_bin}.secure_boot + done + + BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -D SECURE_BOOT_ENABLE=TRUE//g') + + build $BUILD_OPTION + + for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd); do + mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.fd/\.nosb\.fd/') + done + + for ovmf_bin in $(ls Build/OvmfX64/*/FV/OVMF*.fd.secure_boot); do + mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.secure_boot//') + done + + BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -p OvmfPkg\/OvmfPkgX64.dsc/ -p OvmfPkg\/AmdSev\/AmdSevX64.dsc/g') + build $BUILD_OPTION +%endif + %install cp CryptoPkg/Library/OpensslLib/openssl/LICENSE.txt LICENSE.openssl mkdir -p %{buildroot}%{_bindir} \ @@ -337,6 +375,10 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %ifarch x86_64 + mkdir -p %{buildroot}/usr/share/%{name}/ovmf.amdsev + mv Build/AmdSev/*/FV/OVMF*.fd %{buildroot}/usr/share/%{name}/ovmf.amdsev + mkdir -p %{buildroot}/usr/share/%{name}/ovmf.nosb + mv Build/OvmfX64/*/FV/OVMF*.nosb.fd %{buildroot}/usr/share/%{name}/ovmf.nosb mkdir -p %{buildroot}/usr/share/%{name}/ovmf cp Build/OvmfX64/*/FV/OVMF*.fd %{buildroot}/usr/share/%{name}/ovmf install -m 0644 edk2-ovmf-x64-nosb.json %{buildroot}%{_datadir}/qemu/firmware/10-edk2-ovmf-x64-nosb.json @@ -420,6 +462,8 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %license LICENSE.openssl %dir %{_datadir}/%{name} %{_datadir}/%{name}/ovmf +%{_datadir}/%{name}/ovmf.nosb +%{_datadir}/%{name}/ovmf.amdsev %{_datadir}/qemu/firmware/10-edk2-ovmf-x64-nosb.json %endif 
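Review bot: Both `sed` rewrites of `BUILD_OPTION` in the added %build block succeed silently when nothing matches. If the flag is spelled or spaced differently from ` -D SECURE_BOOT_ENABLE=TRUE`, the second `build` still produces Secure Boot firmware, which is then renamed to `*.nosb.fd`; if ` -p OvmfPkg/OvmfPkgX64.dsc` is not matched, the third `build` rebuilds OvmfX64 instead of AmdSev. BUILD_OPTION is assembled outside this hunk, so the match cannot be confirmed here; a guard before each substitution, for example `case "$BUILD_OPTION" in *" -D SECURE_BOOT_ENABLE=TRUE"*) ;; *) exit 1 ;; esac`, turns a mismatch into a build failure rather than a mislabelled image. The loops also iterate over `$(ls …)`; a plain glob, `for ovmf_bin in Build/OvmfX64/*/FV/OVMF*.fd; do`, avoids word-splitting the listing.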
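Review bot: In the %install hunk the unchanged `install -m 0644 edk2-ovmf-x64-nosb.json …/10-edk2-ovmf-x64-nosb.json` line still ships a descriptor named "nosb" while the images built without Secure Boot now go to the new `ovmf.nosb` directory, and no descriptor for `ovmf.amdsev` is added. The JSON is not part of this diff, so which directory it references cannot be checked here; please confirm it does not advertise the Secure Boot build in `ovmf/` as a non-Secure-Boot firmware. The `mv … OVMF*.nosb.fd` must stay ahead of `cp Build/OvmfX64/*/FV/OVMF*.fd`, because that glob would otherwise also copy the nosb images into `ovmf/`; a comment such as `# move *.nosb.fd out first: the OVMF*.fd glob below would match them too` would record that.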
@@ -448,6 +492,12 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Wed Jun 25 2025 hanliyang - 202308-24 +- Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption +- Add build process that uses OvmfPkg/AmdSev/AmdSevX64.dsc +- Fix boot failure on OvmfPkg/AmdSev +- Build OVMF without '-D SECURE_BOOT_ENABLE=TRUE' for X64 + * Mon Apr 28 2025 Wenlong Zhang - 202308-23 - fix Instance of library class RngLib is not found on loongarch64 - sync from 24.03-lts-sp1