!338 [openEuler-24.03-LTS] Confidential Computing Full Disk Encryption: Support building OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption

From: @hanliyang 
Reviewed-by: @caojinhuahw 
Signed-off-by: @caojinhuahw
openeuler-ci-bot 2025-05-07 10:32:35 +00:00 committed by Gitee
commit c1f344c4d9
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 105 additions and 6 deletions


@ -0,0 +1,89 @@
From ac649358f044a4fa25327cf2ed6db6d35b8bd8be Mon Sep 17 00:00:00 2001
From: hanliyang <hanliyang@hygon.cn>
Date: Fri, 2 Aug 2024 02:06:58 +0800
Subject: [PATCH] OvmfPkg/AmdSev: Integrate grub2 x86_64-efi modules from the
system path to grub.efi which is used to support Full Disk Encryption
The pull request at https://gitee.com/src-openeuler/grub2/pulls/468
added efisecret.mod to the grub2-efi-x64-modules package. Based on this
package, we can build OVMF.fd using AmdSevX64.dsc to support booting a
VM with full disk encryption.
* How to build the OVMF.fd manually:
When we build the OVMF.fd which supports full-disk encryption, we
should delete the stale grub.efi in the source tree:
$ rm OvmfPkg/AmdSev/Grub/grub.efi
And specify the dsc file:
$ OvmfPkg/build.sh ... -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc ...
Signed-off-by: hanliyang <hanliyang@hygon.cn>
---
OvmfPkg/AmdSev/Grub/grub.cfg | 22 +++++++++++++++-------
OvmfPkg/AmdSev/Grub/grub.sh | 3 +--
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/OvmfPkg/AmdSev/Grub/grub.cfg b/OvmfPkg/AmdSev/Grub/grub.cfg
index 17be9427..93eea0b4 100644
--- a/OvmfPkg/AmdSev/Grub/grub.cfg
+++ b/OvmfPkg/AmdSev/Grub/grub.cfg
@@ -10,16 +10,12 @@
##
echo "Entering grub config"
-sevsecret
+cryptomount -s efisecret
if [ $? -ne 0 ]; then
echo "Failed to locate anything in the SEV secret area, prompting for password"
+ echo "OR"
+ echo "Failed to mount root securely, retrying with password prompt"
cryptomount -a
-else
- cryptomount -s
- if [ $? -ne 0 ]; then
- echo "Failed to mount root securely, retrying with password prompt"
- cryptomount -a
- fi
fi
set root=
for f in (crypto*); do
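Review bot: the `echo "OR"` wedged between the two unchanged messages leaves the operator unable to tell which step failed, since the single `cryptomount -s efisecret` status now covers both "no secret found" and "the secret did not unlock the volume"; replace the three echo lines with one message that names the command that failed, for example `echo "cryptomount -s efisecret failed (no usable secret, or it did not unlock root); prompting for password"`. The fallback to `cryptomount -a` also means a guest whose injected secret is wrong stalls at an interactive prompt instead of failing; that is the same fail-closed behaviour the old sevsecret path had, but the commit message should state it explicitly for headless SEV guests.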
@@ -27,6 +23,18 @@ for f in (crypto*); do
set root=$f
set prefix=($root)/boot/grub
break;
+ elif [ -e $f/boot/grub2/grub.cfg ]; then
+ set root=$f
+ set prefix=($root)/boot/grub
+ break;
+ elif [ -e $f/grub/grub.cfg ]; then
+ set root=$f
+ set prefix=($root)/grub
+ break;
+ elif [ -e $f/grub2/grub.cfg ]; then
+ set root=$f
+ set prefix=($root)/grub2
+ break;
fi
done
if [ x$root = x ]; then
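Review bot: the `$f/boot/grub2/grub.cfg` branch sets `prefix=($root)/boot/grub`, but the config it just found lives under `/boot/grub2`; the parallel `$f/grub2/grub.cfg` branch correctly sets `prefix=($root)/grub2`, so this one should read `set prefix=($root)/boot/grub2`. Anything resolved later through `$prefix` (the chained grub.cfg, modules loaded on demand) would otherwise be looked up in a directory that does not exist on a grub2-layout root, and because the loop `break`s on the first match no later branch corrects it.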
diff --git a/OvmfPkg/AmdSev/Grub/grub.sh b/OvmfPkg/AmdSev/Grub/grub.sh
index 99807d72..760a03b8 100644
--- a/OvmfPkg/AmdSev/Grub/grub.sh
+++ b/OvmfPkg/AmdSev/Grub/grub.sh
@@ -42,9 +42,8 @@ GRUB_MODULES="
test
regexp
linux
- linuxefi
reboot
- sevsecret
+ efisecret
"
basedir=$(dirname -- "$0")
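Review bot: the removal of `linuxefi` from the module list is not explained in the commit message; on a root whose generated grub.cfg uses the `linuxefi`/`initrdefi` commands (the usual form on grub2-based distributions), kernel load will fail unless the distro's `linux` module provides those commands. Please state in the message either that the openEuler grub2 ships no separate linuxefi.mod (which would be why it has to go now that the modules come from grub2-efi-x64-modules) or which module supplies `linuxefi`. It would also help to record the minimum grub2 release that ships efisecret.mod, since grub2-mkimage only reports a missing module at package build time.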
--
2.43.0
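The manual build steps in the commit message (remove the stale grub.efi, then build with `-p OvmfPkg/AmdSev/AmdSevX64.dsc`) assume that the installed grub2-efi-x64-modules package actually contains every module grub.sh hands to grub2-mkimage, efisecret.mod in particular. The pre-flight check below is an added example, not code from edk2, grub2 or the openEuler package: it reads the `GRUB_MODULES` list straight out of grub.sh and reports what the module directory lacks before the OVMF build is started. The default module directory `/usr/lib/grub/x86_64-efi` and the tool binary names (`mformat`, `mcopy`, `mkfs.msdos`, `grub2-mkimage`) are assumptions, and the demo grub.sh at the bottom is a constructed stand-in carrying only the module names visible in the hunk above, not the full upstream list.

```shell
#!/bin/sh
# Added pre-flight check for building OVMF.fd from AmdSevX64.dsc.
# Not part of edk2, grub2 or the openEuler edk2 package.

# Print every module name listed in GRUB_MODULES="..." of a grub.sh, one per
# line. The list in grub.sh opens with the quote on the GRUB_MODULES line and
# closes with a quote in column 0, which is what the sed range keys on.
amdsev_list_modules() {
    sed -n '/^GRUB_MODULES="/,/^"/p' "$1" \
        | sed -e 's/^GRUB_MODULES="//' -e '/^"/d' \
        | tr '\t' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# Return 0 when every listed module exists as <name>.mod in the module
# directory, otherwise print the missing files on stderr and return 1.
amdsev_check_modules() {
    grub_sh=$1
    moddir=${2:-/usr/lib/grub/x86_64-efi}   # assumed distro default path
    missing=0
    for m in $(amdsev_list_modules "$grub_sh"); do
        if [ ! -f "$moddir/$m.mod" ]; then
            echo "missing module: $moddir/$m.mod" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# The spec comment names mtools, mkfs.msdos and grub2-mkimage as build
# prerequisites; the exact binary names checked here are assumptions.
amdsev_check_tools() {
    rc=0
    for t in mformat mcopy mkfs.msdos grub2-mkimage; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; rc=1; }
    done
    return $rc
}

# grub.sh only regenerates grub.efi when it is absent, so a leftover copy
# (for example the zero-length placeholder the spec used to `touch`) must go.
amdsev_remove_stale_grub_efi() {
    [ -e "$1" ] && rm -f "$1" && echo "removed stale $1"
    return 0
}

# Demo on a constructed grub.sh and a module directory that lacks efisecret.
demo=$(mktemp -d)
cat > "$demo/grub.sh" <<'EOF'
GRUB_MODULES="
    test
    regexp
    linux
    reboot
    efisecret
"
EOF
mkdir "$demo/mods"
for m in test regexp linux reboot; do : > "$demo/mods/$m.mod"; done
if amdsev_check_modules "$demo/grub.sh" "$demo/mods"; then
    echo "all modules present, safe to run OvmfPkg/build.sh -p OvmfPkg/AmdSev/AmdSevX64.dsc"
else
    echo "refusing to build: install a grub2-efi-x64-modules that ships efisecret.mod"
fi
rm -rf "$demo"
```

Run it as `amdsev_check_modules OvmfPkg/AmdSev/Grub/grub.sh /usr/lib/grub/x86_64-efi && amdsev_remove_stale_grub_efi OvmfPkg/AmdSev/Grub/grub.efi` before invoking build.sh; a non-zero status from the module check is the same condition that would otherwise surface as a grub2-mkimage error deep inside the OVMF build.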


@ -7,7 +7,7 @@
Name: edk2 Name: edk2
Version: %{stable_date} Version: %{stable_date}
Release: 24 Release: 25
Summary: EFI Development Kit II Summary: EFI Development Kit II
License: BSD-2-Clause-Patent and OpenSSL and MIT License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: https://github.com/tianocore/edk2 URL: https://github.com/tianocore/edk2
@ -146,8 +146,20 @@ patch87: 0087-Harden-BN_GF2m_poly2arr-against-misuse.patch
# Fix CVE-2024-38797 # Fix CVE-2024-38797
patch88: 0088-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch patch88: 0088-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch
# Get grub2 x64 module from CI system path when building OVMF.fd using
# AmdSevX64.dsc, this will enable the OVMF.amdsev.fd to support Full Disk
# Encryption right out of the box.
patch89: 0089-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch
BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
%ifarch x86_64
# For build OVMF.fd using AmdSevX64.dsc, we need
# mtools mkfs.msdos grub2-mkimage grub2-efi-x64-modules packages
# if we don't touch dummy grub.efi.
BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules
%endif
%description %description
EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.
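Review bot: the new `BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules` carries no version, yet the patch only works with a grub2-efi-x64-modules build that contains efisecret.mod (added by the grub2 pull request cited in patch89); on an older build root the failure appears only as a grub2-mkimage module-not-found error. Add a `>=` on the grub2 release that ships efisecret.mod so the build fails at dependency resolution instead, and tidy the comment wording to "To build OVMF.fd using AmdSevX64.dsc we need the mtools, mkfs.msdos, grub2-mkimage and grub2-efi-x64-modules packages, since grub.efi is no longer a dummy file".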
@ -275,11 +287,6 @@ build $BUILD_OPTION
mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.secure_boot//') mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.secure_boot//')
done done
# Build OVMF using OvmfPkg/AmdSev/AmdSevX64.dsc. The build depends on
# OvmfPkg/AmdSev/Grub/grub.efi, and grub.efi further depends on Grub
# with efisecret support. When the build system's native Grub
# supports efisecret, remove this fake OvmfPkg/AmdSev/Grub/grub.efi.
touch OvmfPkg/AmdSev/Grub/grub.efi
BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -p OvmfPkg\/OvmfPkgX64.dsc/ -p OvmfPkg\/AmdSev\/AmdSevX64.dsc/g') BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -p OvmfPkg\/OvmfPkgX64.dsc/ -p OvmfPkg\/AmdSev\/AmdSevX64.dsc/g')
build $BUILD_OPTION build $BUILD_OPTION
%endif %endif
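Review bot: dropping the `touch OvmfPkg/AmdSev/Grub/grub.efi` placeholder means the grub.efi embedded in the AmdSevX64 firmware image is now generated at package build time from whatever grub2-efi-x64-modules version is in the build root, and that image is part of the firmware volume covered by the SEV launch measurement. The spec, or at least the changelog, should say that the measurement of the AmdSev OVMF build now changes whenever grub2 is rebuilt, because attestation policies that pin the expected launch measurement will have to be refreshed on every such rebuild; pinning the exact grub2 release in BuildRequires would at least make the result reproducible for a given package version.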
@ -447,6 +454,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
%endif %endif
%changelog %changelog
* Mon Apr 28 2025 hanliyang<hanliyang@hygon.cn> - 202308-25
- Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption
* Sun Apr 27 2025 huyu<huyu70@h-partners.com> - 202308-24 * Sun Apr 27 2025 huyu<huyu70@h-partners.com> - 202308-24
- fix CVE-2024-38797 - fix CVE-2024-38797
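Review bot: the changelog line "Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption" understates the change: the build section already built from AmdSevX64.dsc, with a zero-length placeholder grub.efi; what is new is that grub.efi is a real image with efisecret linked in from grub2-efi-x64-modules. Say that, and mention the new x86_64-only build dependencies, so the next packager knows why the build now needs grub2-tools and grub2-efi-x64-modules.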