The pull request at https://gitee.com/src-openeuler/grub2/pulls/468
added efisecret.mod to the grub2-efi-x64-modules package. Based on this
package, we can build OVMF.fd using AmdSevX64.dsc to support booting a
VM with full disk encryption.
Signed-off-by: hanliyang <hanliyang@hygon.cn>
The build depends on OvmfPkg/AmdSev/Grub/grub.efi, and grub.efi further
depends on Grub with efisecret support. When the build system's native
Grub supports efisecret, remove this fake OvmfPkg/AmdSev/Grub/grub.efi.
Signed-off-by: hanliyang <hanliyang@hygon.cn>
This PR backports 3 commits:
020cc9e2e705 OvmfPkg: Disable PcdFirstTimeWakeUpAPsBySipi
8b66f9df1bb0 OvmfPkg/AmdSev: Disable PcdFirstTimeWakeUpAPsBySipi
f008890ae559 OvmfPkg/AmdSev: fix BdsPlatform.c assertion failure during boot
from upstream to fix the regression of boot failure on OvmfPkg/AmdSev
Signed-off-by: hanliyang <hanliyang@hygon.cn>
When building OVMF{_CODE}.fd using OvmfPkgX64.dsc and define
SECURE_BOOT_ENABLE=TRUE, the OVMF{_CODE}.fd will failure to boot the
AMD SEV/SEV-ES/SEV-SNP and Hygon CSV/CSV2/CSV3 VMs. The root cause
is that the upstream commit 4f173db8b45b ("OvmfPkg/PlatformInitLib:
Add functions for EmuVariableNvStore") rename the function from
TdxValidateCfv to PlatformValidateNvVarStore, and place the function
PlatformValidateNvVarStore to the common lib PlatformInitLib.
I have submitted a bugzilla to the community:
https://bugzilla.tianocore.org/show_bug.cgi?id=4807
and sent partial fix patches to the mailing lists:
https://edk2.groups.io/g/devel/message/119921?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Acreated%2C%2COvmfPkg%2FPlatformInitLib%3A+Detect+FlashNvVarStore+before+validate+it%2C20%2C2%2C0%2C107212891
I don't have a machine that supports SEV-SNP, so I ultimately can't
fully fix the issue, and the patches I sent couldn't be accepted.
In order to support boot AMD SEV... and Hygon CSV... VMs using the OVMF
from the RPM package, I modified the edk2.spec to build OVMF.fd,
OVMF_CODE.fd and OVMF_VARS.fd without the build option
' -D SECURE_BOOT_ENABLE=TRUE'.
Signed-off-by: hanliyang <hanliyang@hygon.cn>
The live migration of Hygon CSV1/2/3 guest depends on the KVM
hypercall KVM_HC_MAP_GPA_RANGE, add code to sync page enc/dec
status to KVM.
The MMIO routine of VC handler will get memory encrypt status to
validate MMIO address. MemEncryptSevGetEncryptionMask() will enable
interrupt while interrupt must be disabled during VC. During DXE
stage, VC routine as below:
CcExitHandleVc
-> MemEncryptSevGetAddressRangeState
-> MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask)
Signed-off-by: hanliyang <hanliyang@hygon.cn>
As commit(2997ae387397) make EFI_LOADER_DATA non-executable, old
operation system using old GRUB cannot boot. As we need to support
these operation systems, make EFI_LOADER_DATA executable again.
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
