Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2021-02-01 13:25:58

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ovmf (Old)
 and      /work/SRC/openSUSE:Factory/.ovmf.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ovmf"

Mon Feb 1 13:25:58 2021 rev:57 rq:867412 version:202011

Changes:
--------
--- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2021-01-18 11:26:14.380401789 +0100 +++ /work/SRC/openSUSE:Factory/.ovmf.new.28504/ovmf.changes 2021-02-01 13:26:07.917909709 +0100 @@ -1,0 +2,13 @@ +Thu Jan 28 07:56:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com> + +- Add ovmf-jscSLE-16075-SEV-ES-use-physical-address.patch as the + follow-up patch for SEV-ES to fix the flash writing + (jsc#SLE-16075) +- Update 50-xen-hvm-x86_64.json to add "nvram-template" and change + the firmware file to ovmf-x86_64-ms-4m.bin + (bsc#1180050, bsc#1181264) +- Refresh ovmf-bsc1180079-amd-sev-es-mitigation.patch + + Use "git format-patch --no-renames" to generate the patch to + avoid confusing quilt with the renamed files + +-------------------------------------------------------------------

New:
----
  ovmf-jscSLE-16075-SEV-ES-use-physical-address.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ovmf.spec ++++++
--- /var/tmp/diff_new_pack.HXFsOl/_old 2021-02-01 13:26:09.185911682 +0100 +++ /var/tmp/diff_new_pack.HXFsOl/_new 2021-02-01 13:26:09.189911688 +0100 @@ -53,6 +53,7 @@ Patch4: %{name}-disable-ia32-firmware-piepic.patch Patch5: %{name}-set-fixed-enroll-time.patch Patch6: %{name}-bsc1180079-amd-sev-es-mitigation.patch +Patch7: %{name}-jscSLE-16075-SEV-ES-use-physical-address.patch BuildRequires: bc BuildRequires: cross-arm-binutils BuildRequires: cross-arm-gcc%{gcc_version}
@@ -170,6 +171,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 # add openssl pushd CryptoPkg/Library/OpensslLib/openssl ++++++ descriptors.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-xen-hvm-x86_64.json new/descriptors/50-xen-hvm-x86_64.json --- old/descriptors/50-xen-hvm-x86_64.json 2021-01-11 09:49:32.705887365 +0100 +++ new/descriptors/50-xen-hvm-x86_64.json 2021-01-28 08:48:20.032736806 +0100 @@ -6,7 +6,11 @@ "mapping": { "device": "flash", "executable": { - "filename": "@DATADIR@/ovmf-x86_64-4m.bin", + "filename": "@DATADIR@/ovmf-x86_64-ms-4m.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-ms-4m-vars.bin", "format": "raw" } }, ++++++ ovmf-bsc1180079-amd-sev-es-mitigation.patch ++++++ ++++ 2520 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/ovmf/ovmf-bsc1180079-amd-sev-es-mitigation.patch ++++ and /work/SRC/openSUSE:Factory/.ovmf.new.28504/ovmf-bsc1180079-amd-sev-es-mitigation.patch ++++++ ovmf-jscSLE-16075-SEV-ES-use-physical-address.patch ++++++ From 3d750c55d1f11ed9cef88698c7caff7495d1450f Mon Sep 17 00:00:00 2001 
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Sat, 23 Jan 2021 07:57:44 -0600
Subject: [PATCH 1/1] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Use physical address with SEV-ES

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3183

Under SEV-ES, a write to the flash device is done using a direct VMGEXIT to perform an MMIO write. The address provided to the MMIO write must be the physical address of the MMIO write destination. During boot, OVMF runs with an identity mapped pagetable structure so that VA == PA and the VMGEXIT MMIO write destination is just the virtual address of the flash area address being written.

However, when the UEFI SetVirtualAddressMap() API is invoked, an identity mapped pagetable structure may not be in place and using the virtual address for the flash area address is no longer valid. This results in writes to the flash not being performed successfully. This can be seen by attempting to change the boot order under Linux. The update will appear to be performed, based on the output of the command. But rebooting the guest will show that the new boot order has not been set.

To remedy this, save the value of the flash base physical address before converting the address as part of SetVirtualAddressMap(). The physical address can then be calculated by obtaining the offset of the MMIO target virtual address relative to the flash base virtual address and adding that to the original flash base physical address. The resulting value produces a successful MMIO write during runtime services.

Fixes: 437eb3f7a8db7681afe0e6064d3a8edb12abb766
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Message-Id: <84a5f9161541db5aa3b57c96b737afbcb4b6189d.1611410263.git.thomas.lendacky@amd.com> [lersek@redhat.com: SetVitualAddressMap() -> SetVirtualAddressMap() typo fix, in both the commit message and the code comment] Reviewed-by: Laszlo Ersek <lersek@redhat.com> (cherry picked from commit 3a3501862f73095059bb05cc28147c8e899488f2) --- .../QemuFlashDxe.c | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c index 1b0742967f71..63daa0b55b49 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlashDxe.c @@ -16,11 +16,17 @@ #include "QemuFlash.h" +STATIC EFI_PHYSICAL_ADDRESS mSevEsFlashPhysBase; + VOID QemuFlashConvertPointers ( VOID ) { + if (MemEncryptSevEsIsEnabled ()) { + mSevEsFlashPhysBase = (UINTN) mFlashBase; + } + EfiConvertPointer (0x0, (VOID **) &mFlashBase); } @@ -52,11 +58,23 @@ QemuFlashPtrWrite ( if (MemEncryptSevEsIsEnabled ()) { MSR_SEV_ES_GHCB_REGISTER Msr; GHCB *Ghcb; + EFI_PHYSICAL_ADDRESS PhysAddr; BOOLEAN InterruptState; Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); Ghcb = Msr.Ghcb; + // + // The MMIO write needs to be to the physical address of the flash pointer. + // Since this service is available as part of the EFI runtime services, + // account for a non-identity mapped VA after SetVirtualAddressMap(). + // + if (mSevEsFlashPhysBase == 0) { + PhysAddr = (UINTN) Ptr; + } else { + PhysAddr = mSevEsFlashPhysBase + (Ptr - mFlashBase); + } + // // Writing to flash is emulated by the hypervisor through the use of write // protection. This won't work for an SEV-ES guest because the write won't 
@@ -68,7 +86,7 @@ QemuFlashPtrWrite ( Ghcb->SharedBuffer[0] = Value; Ghcb->SaveArea.SwScratch = (UINT64) (UINTN) Ghcb->SharedBuffer; VmgSetOffsetValid (Ghcb, GhcbSwScratch); - VmgExit (Ghcb, SVM_EXIT_MMIO_WRITE, (UINT64) (UINTN) Ptr, 1); + VmgExit (Ghcb, SVM_EXIT_MMIO_WRITE, PhysAddr, 1); VmgDone (Ghcb, InterruptState); } else { *Ptr = Value; -- 2.29.2
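Review bot: on the 50-xen-hvm-x86_64.json hunk, switching "filename" from ovmf-x86_64-4m.bin to ovmf-x86_64-ms-4m.bin moves the Xen HVM default to the build with the Microsoft certificates pre-enrolled, which turns Secure Boot enforcement on for every guest that picks this descriptor; the descriptor's "features" list (outside this hunk) should advertise "secure-boot" and "enrolled-keys" so firmware-selection tooling does not hand it to guests that need an unsigned kernel or modules, and the new "nvram-template" must be the vars image produced by that same -ms-4m build, otherwise the enrolled certificates in the vars store will not match the code image.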
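Review bot: in the QemuFlashConvertPointers() hunk, `mSevEsFlashPhysBase = (UINTN) mFlashBase;` is only a physical address because it executes before `EfiConvertPointer (0x0, (VOID **) &mFlashBase);` on the next line, while the window is still identity-mapped; a one-line comment here stating that ordering dependency, and that the zero the STATIC global starts with is the "SetVirtualAddressMap() has not run" sentinel consumed in QemuFlashPtrWrite(), would keep a later reordering of these two statements from silently breaking runtime writes.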
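Review bot: in the `@@ -52,11 +58,23 @@` hunk, `if (mSevEsFlashPhysBase == 0)` overloads the value 0 as the "not yet converted" marker and `PhysAddr = mSevEsFlashPhysBase + (Ptr - mFlashBase);` performs no range check on Ptr. The sentinel is safe only because the pflash window never sits at physical address 0; a dedicated BOOLEAN would make the intent explicit, and an ASSERT that Ptr lies inside the flash window before the subtraction would catch a stray pointer before it is rebased into an MMIO write against an unrelated physical page.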
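Review bot: in the `@@ -68,7 +86,7 @@` hunk, `VmgExit (Ghcb, SVM_EXIT_MMIO_WRITE, PhysAddr, 1);` fixes the write target, but the context line `Ghcb->SaveArea.SwScratch = (UINT64) (UINTN) Ghcb->SharedBuffer;` still programs a virtual address, and `Ghcb` itself comes from `Ghcb = Msr.Ghcb;` after reading the physical address out of MSR_SEV_ES_GHCB in the previous hunk. Both are correct at runtime only if the GHCB page is identity-mapped when the OS calls the variable services; that is the same VA != PA class of problem this patch fixes for the flash pointer, so the commit message should state the assumption (or the OS-side requirement) explicitly.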
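The address bookkeeping the commit message describes, as an added example that is not OVMF code: the flash window is modelled as plain integers so it runs in user space, `flash_convert_pointers()` plays the role of QemuFlashConvertPointers() plus the remap EfiConvertPointer() performs, `flash_ptr_to_phys()` is the PhysAddr computation from QemuFlashPtrWrite() with a range check the patch lacks, and `flash_ptr_to_phys_unpatched()` is what the pre-fix VmgExit() call handed to the hypervisor. FLASH_SIZE, FLASH_PHYS and RUNTIME_VIRT are this example's assumptions, not values from OVMF or the patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants below are this example's assumptions, not OVMF values. */
#define FLASH_SIZE    (4ull * 1024 * 1024)      /* a 4 MiB pflash image, like the -4m builds */
#define FLASH_PHYS    0xFFC00000ull             /* where the window sits physically */
#define RUNTIME_VIRT  0xFFFFFFFF00000000ull     /* where the OS maps it after SetVirtualAddressMap() */
#define PHYS_INVALID  UINT64_MAX                /* returned for a pointer outside the window */

/* Models mFlashBase: the pointer the driver dereferences to reach flash.
 * Addresses are integers here so the model runs without any MMIO. */
static uint64_t flash_base = FLASH_PHYS;
/* Models mSevEsFlashPhysBase: 0 means SetVirtualAddressMap() has not run. */
static uint64_t sev_es_flash_phys_base = 0;

/* Back to boot-time state: identity mapping, nothing saved yet. */
void flash_reset(void)
{
    flash_base = FLASH_PHYS;
    sev_es_flash_phys_base = 0;
}

/* Models QemuFlashConvertPointers(): it runs from the SetVirtualAddressMap
 * event while flash_base is still identity-mapped, which is the only reason
 * the value captured here is a physical address. The remap that
 * EfiConvertPointer() performs is simulated by assigning the new VA. */
void flash_convert_pointers(uint64_t new_virt_base)
{
    sev_es_flash_phys_base = flash_base;   /* VA == PA at this point */
    flash_base = new_virt_base;            /* what EfiConvertPointer() does */
}

/* Models the PhysAddr computation in QemuFlashPtrWrite(), plus a range
 * check the patch does not have: a pointer outside the flash window must
 * never be rebased into an MMIO write against some other physical page. */
uint64_t flash_ptr_to_phys(uint64_t ptr)
{
    if (ptr < flash_base || ptr - flash_base >= FLASH_SIZE)
        return PHYS_INVALID;
    if (sev_es_flash_phys_base == 0)
        return ptr;                                         /* still identity-mapped */
    return sev_es_flash_phys_base + (ptr - flash_base);     /* rebase by offset */
}

/* What the unpatched VmgExit() call did: hand the VA straight to the
 * hypervisor. Correct during boot, wrong once the window is remapped. */
uint64_t flash_ptr_to_phys_unpatched(uint64_t ptr)
{
    return ptr;
}

int main(void)
{
    uint64_t ptr = FLASH_PHYS + 0x1000;
    flash_reset();
    printf("boot:    ptr=%#llx phys=%#llx\n",
           (unsigned long long)ptr, (unsigned long long)flash_ptr_to_phys(ptr));

    flash_convert_pointers(RUNTIME_VIRT);
    ptr = RUNTIME_VIRT + 0x1000;
    printf("runtime: ptr=%#llx phys=%#llx (unpatched would target %#llx)\n",
           (unsigned long long)ptr,
           (unsigned long long)flash_ptr_to_phys(ptr),
           (unsigned long long)flash_ptr_to_phys_unpatched(ptr));
    return 0;
}
```

Run it and the second line shows the runtime pointer being rebased back onto FLASH_PHYS while the unpatched path would have asked the hypervisor to write at the high virtual address, which is exactly the silently lost boot-order update the commit message describes.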