!338 [openEuler-24.03-LTS]Confidential Computing Full Disk Encryption: Support build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption
From: @hanliyang Reviewed-by: @caojinhuahw Signed-off-by: @caojinhuahw
commit c1f344c4d9
@ -0,0 +1,89 @@
From ac649358f044a4fa25327cf2ed6db6d35b8bd8be Mon Sep 17 00:00:00 2001
From: hanliyang <hanliyang@hygon.cn>
Date: Fri, 2 Aug 2024 02:06:58 +0800
Subject: [PATCH] OvmfPkg/AmdSev: Integrate grub2 x86_64-efi modules from the
system path to grub.efi which is used to support Full Disk Encryption
The pull request at https://gitee.com/src-openeuler/grub2/pulls/468
added efisecret.mod to the grub2-efi-x64-modules package. Based on this
package, we can build OVMF.fd using AmdSevX64.dsc to support booting a
VM with full disk encryption.
* How to build the OVMF.fd manually:
When we build the OVMF.fd which support full-disk encryption, we
should delete stale grub.efi in the source tree:
$ rm OvmfPkg/AmdSev/Grub/grub.efi
And specify the dsc file:
$ OvmfPkg/build.sh ... -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc ...
Signed-off-by: hanliyang <hanliyang@hygon.cn>
---
OvmfPkg/AmdSev/Grub/grub.cfg | 22 +++++++++++++++-------
OvmfPkg/AmdSev/Grub/grub.sh | 3 +--
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/OvmfPkg/AmdSev/Grub/grub.cfg b/OvmfPkg/AmdSev/Grub/grub.cfg
index 17be9427..93eea0b4 100644
--- a/OvmfPkg/AmdSev/Grub/grub.cfg
+++ b/OvmfPkg/AmdSev/Grub/grub.cfg
@@ -10,16 +10,12 @@
##
echo "Entering grub config"
-sevsecret
+cryptomount -s efisecret
if [ $? -ne 0 ]; then
echo "Failed to locate anything in the SEV secret area, prompting for password"
+ echo "OR"
+ echo "Failed to mount root securely, retrying with password prompt"
cryptomount -a
-else
- cryptomount -s
- if [ $? -ne 0 ]; then
- echo "Failed to mount root securely, retrying with password prompt"
- cryptomount -a
- fi
fi
set root=
for f in (crypto*); do
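Review bot: the failure branch now prints both old diagnostics joined by `echo "OR"` (`echo "Failed to locate anything in the SEV secret area, prompting for password"` / `echo "OR"` / `echo "Failed to mount root securely, retrying with password prompt"`), so a log reader cannot tell whether `cryptomount -s efisecret` found no secret or found one that did not unlock the volume; since the script no longer distinguishes the two cases, replace the three echoes with one message stating that secure unlock via efisecret failed. Note also that the unchanged `cryptomount -a` fallback means a missing or rejected injected secret degrades to an interactive passphrase prompt on the console rather than failing closed; that is pre-existing behaviour, but worth stating in the commit message for a full-disk-encryption feature.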
@@ -27,6 +23,18 @@ for f in (crypto*); do
set root=$f
set prefix=($root)/boot/grub
break;
+ elif [ -e $f/boot/grub2/grub.cfg ]; then
+ set root=$f
+ set prefix=($root)/boot/grub
+ break;
+ elif [ -e $f/grub/grub.cfg ]; then
+ set root=$f
+ set prefix=($root)/grub
+ break;
+ elif [ -e $f/grub2/grub.cfg ]; then
+ set root=$f
+ set prefix=($root)/grub2
+ break;
fi
done
if [ x$root = x ]; then
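Review bot: the new `elif [ -e $f/boot/grub2/grub.cfg ]` branch sets `set prefix=($root)/boot/grub`, which does not match the directory it just tested for, while the sibling `/grub/grub.cfg` and `/grub2/grub.cfg` branches set prefix to `($root)/grub` and `($root)/grub2` respectively; this looks like a copy-paste slip and should read `set prefix=($root)/boot/grub2`, otherwise the later config lookup under `$prefix` points at a path this branch has no evidence exists.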
diff --git a/OvmfPkg/AmdSev/Grub/grub.sh b/OvmfPkg/AmdSev/Grub/grub.sh
index 99807d72..760a03b8 100644
--- a/OvmfPkg/AmdSev/Grub/grub.sh
+++ b/OvmfPkg/AmdSev/Grub/grub.sh
@@ -42,9 +42,8 @@ GRUB_MODULES="
test
regexp
linux
- linuxefi
reboot
- sevsecret
+ efisecret
"
basedir=$(dirname -- "$0")
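Review bot: the removal of `linuxefi` from `GRUB_MODULES` is not mentioned in the commit message, which only describes the `sevsecret` to `efisecret` switch; either document why the module is dropped (for example, if the grub2 package in the system path no longer ships a `linuxefi` module) or keep it, so a reviewer can tell an intentional change from an accidental one.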
--
2.43.0
edk2.spec
@ -7,7 +7,7 @@
Name: edk2
Version: %{stable_date}
Release: 24
Release: 25
Summary: EFI Development Kit II
License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: https://github.com/tianocore/edk2
@ -146,8 +146,20 @@ patch87: 0087-Harden-BN_GF2m_poly2arr-against-misuse.patch
# Fix CVE-2024-38797
patch88: 0088-SecurityPkg-Out-of-bound-read-in-HashPeImageByType.patch
# Get grub2 x64 module from CI system path when building OVMF.fd using
# AmdSevX64.dsc, this will enable the OVMF.amdsev.fd to support Full Disk
# Encryption right out of the box.
patch89: 0089-OvmfPkg-AmdSev-Integrate-grub2-x86_64-efi-modules-fr.patch
BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
%ifarch x86_64
# For build OVMF.fd using AmdSevX64.dsc, we need
# mtools mkfs.msdos grub2-mkimage grub2-efi-x64-modules packages
# if we don't touch dummy grub.efi.
BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules
%endif
%description
EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.
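Review bot: `BuildRequires: mtools dosfstools grub2-tools grub2-efi-x64-modules` carries no version constraint, yet the comment for patch89 and the embedded commit message state that `efisecret.mod` only exists in grub2-efi-x64-modules from the gitee.com/src-openeuler/grub2 pull 468 onwards; add a versioned requirement (`grub2-efi-x64-modules >= <first release shipping efisecret.mod>`, value to be filled in) so a build on an older package fails at dependency resolution instead of producing an OVMF.amdsev.fd whose grub.efi lacks the module. The comment `# if we don't touch dummy grub.efi` also reads awkwardly; `# now that the dummy grub.efi is no longer created` states the intent.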
@ -275,11 +287,6 @@ build $BUILD_OPTION
mv ${ovmf_bin} $(echo ${ovmf_bin} | sed 's/\.secure_boot//')
done
# Build OVMF using OvmfPkg/AmdSev/AmdSevX64.dsc. The build depends on
# OvmfPkg/AmdSev/Grub/grub.efi, and grub.efi further depends on Grub
# with efisecret support. When the build system's native Grub
# supports efisecret, remove this fake OvmfPkg/AmdSev/Grub/grub.efi.
touch OvmfPkg/AmdSev/Grub/grub.efi
BUILD_OPTION=$(echo $BUILD_OPTION | sed 's/ -p OvmfPkg\/OvmfPkgX64.dsc/ -p OvmfPkg\/AmdSev\/AmdSevX64.dsc/g')
build $BUILD_OPTION
%endif
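Review bot: dropping the `touch OvmfPkg/AmdSev/Grub/grub.efi` placeholder means the grub.efi linked into OVMF.amdsev.fd is now generated from whatever grub2-efi-x64-modules version the build host has installed, so the firmware image, and with it the SEV launch measurement that guests attest against, changes whenever that package is updated; consider recording the grub2 package version used (in the build log or the changelog entry) so a given OVMF.amdsev.fd measurement can be reproduced and audited.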
@ -447,6 +454,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
%endif
%changelog
* Mon Apr 28 2025 hanliyang<hanliyang@hygon.cn> - 202308-25
- Build OVMF.fd using AmdSevX64.dsc to support Full Disk Encryption
* Sun Apr 27 2025 huyu<huyu70@h-partners.com> - 202308-24
- fix CVE-2024-38797