File ovmf-bsc1192126-OvmfPkg-PlatformPei-Always-reserve-the-SEV-ES-work-a.patch of Package ovmf.37683

From ca8fc17359bc5c6916045e511fb0e9839868e8bf Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Mon, 20 Dec 2021 12:47:30 +0800
Subject: [PATCH] OvmfPkg/PlatformPei: Always reserve the SEV-ES work area

This is a workaround patch to always reserve the SEV-ES work area,
otherwise InternalMemEncryptSevStatus() may trigger unlimited resets
because the OS writes to the area. (bsc#1192126, bsc#1187245)

The better solution is to check that the SEV-ES work area is reserved
in InternalMemEncryptSevStatus() before accessing the area. But
currently I didn't see an appropriate API to confirm that.

The issue cannot be reproduced on edk2-stable202111 because of the
following patchset:
    80e67af9afcac3b OvmfPkg: introduce a common work area
    ab77b6031b03733 OvmfPkg/ResetVector: update SEV support to use new work
                    area format
    b9af5037b270c47 OvmfPkg/ResetVector: move the GHCB page setup in
                    AmdSev.asm

But there have been too many changes for SEV since edk2-stable202008;
backporting the above patches would also require backporting many SEV
patches. So I chose to apply the workaround patch. The PcdSevEsWorkArea
will always be reserved as an ACPI_NVS region like this. The size is 4K:

[    0.000000] efi: mem06: [ACPI Mem NVS|   |  |  |  |  |  |  |  |  |
|WB|WT|WC|UC] range=[0x000000000080b000-0x000000000080bfff] (0MB)

This patch will not be sent to upstream.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 OvmfPkg/PlatformPei/MemDetect.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c
index 2deec128f4..7350511d48 100644
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -939,7 +939,7 @@ InitializeRamRegions (
     }
 
 #ifdef MDE_CPU_X64
-    if (MemEncryptSevEsIsEnabled ()) {
+    if (((SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase)) != NULL) {
       //
       // If SEV-ES is enabled, reserve the SEV-ES work area.
       //
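Review bot: The comment kept under the new condition ("If SEV-ES is enabled, reserve the SEV-ES work area.") no longer matches the code, because the test on the + line no longer asks whether SEV-ES is enabled. It compares a build-time fixed PCD against NULL, so it is true for every boot of a build whose PcdSevEsWorkAreaBase is non-zero, including guests that run without SEV-ES. Please update the comment to say the area is reserved unconditionally and why (the commit message cites the reset loop in InternalMemEncryptSevStatus()). The pointer cast to SEC_SEV_ES_WORK_AREA * adds nothing to the comparison; `FixedPcdGet32 (PcdSevEsWorkAreaBase) != 0` states the intent more directly.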
@@ -953,7 +953,7 @@ InitializeRamRegions (
       BuildMemoryAllocationHob (
         (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),
         (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),
-        mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData
+        EfiACPIMemoryNVS
         );
     }
 #endif
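Review bot: Hard-coding EfiACPIMemoryNVS in the BuildMemoryAllocationHob call drops the mS3Supported distinction without a comment explaining why. Previously a guest without S3 support got EfiBootServicesData, which the OS may reclaim after ExitBootServices; with this change the page at PcdSevEsWorkAreaBase stays out of the OS's usable memory on every configuration. That is the stated goal of the workaround, but the call site should carry a short comment saying the type is fixed to keep the OS from writing to the work area, with the bug references, so a later rebase does not restore the ternary by mistake.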
-- 
2.26.2
