Add support to enable search for confidential computing blob in the EFI system configuration table for KVM-Unit-Tests. The SEV-SNP Confidential Computing (CC) blob (GHCB spec, Table-5) contains metadata that needs to remain accessible during the guest's lifetime. The metadata contains information on SNP reserved pages such as pointers to SNP secrets page and SNP CPUID table. Having access to SNP CPUID table aids in providing CPUID #VC handler support. Also, Determining the presence of SNP CC blob in KUT guest verfies whether OVMF has properly provided the CC blob to the guest via the system configuration table. Put out a warning message in case the CC blob is not found. Import the definitions of CC_BLOB_SEV_HDR_MAGIC and cc_blob_sev_info structure from upstream linux (arch/x86/include/asm/sev.h).
Signed-off-by: Pavan Kumar Paluri <papaluri@xxxxxxx>
---
lib/linux/efi.h | 1 +
lib/x86/amd_sev.h | 18 ++++++++++++++++++
x86/amd_sev.c | 30 ++++++++++++++++++++++++++++++
3 files changed, 49 insertions(+)
diff --git a/lib/linux/efi.h b/lib/linux/efi.h
index 8fa23ad078ce..64323ff498f5 100644
--- a/lib/linux/efi.h
+++ b/lib/linux/efi.h
@@ -69,6 +69,7 @@ typedef guid_t efi_guid_t;
 #define DEVICE_TREE_GUID EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5, 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0)
 #define LOADED_IMAGE_PROTOCOL_GUID EFI_GUID(0x5b1b31a1, 0x9562, 0x11d2, 0x8e, 0x3f, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b)
+#define EFI_CC_BLOB_GUID EFI_GUID(0x067b1f5f, 0xcf26, 0x44c5, 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42)
 #define EFI_LOAD_FILE2_PROTOCOL_GUID EFI_GUID(0x4006c0c1, 0xfcb3, 0x403e, 0x99, 0x6d, 0x4a, 0x6c, 0x87, 0x24, 0xe0, 0x6d)
 #define LINUX_EFI_INITRD_MEDIA_GUID EFI_GUID(0x5568e427, 0x68fc, 0x4f3d, 0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68)
diff --git a/lib/x86/amd_sev.h b/lib/x86/amd_sev.h
index 4c58e761c4af..70f3763fe231 100644
--- a/lib/x86/amd_sev.h
+++ b/lib/x86/amd_sev.h
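Review bot: EFI_CC_BLOB_GUID is added without a comment saying where the value comes from, while the struct it pairs with in lib/x86/amd_sev.h cites the OVMF header it was taken from. A wrong GUID never fails the build; it only shows up at runtime as the blob being "not found", so the value has to be checked by eye against the firmware side. A one-line comment such as `/* SEV-SNP Confidential Computing blob, as published by OVMF (ConfidentialComputingSevSnpBlob.h) */` above the define gives reviewers the reference to cross-check against.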
@@ -106,6 +106,24 @@ struct es_em_ctxt {
 	struct es_fault_info fi;
 };
+/*
+ * AMD SEV Confidential computing blob structure. The structure is
+ * defined in OVMF UEFI firmware header:
+ * https://github.com/tianocore/edk2/blob/master/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
+ */
+#define CC_BLOB_SEV_HDR_MAGIC 0x45444d41
+struct cc_blob_sev_info {
+	u32 magic;
+	u16 version;
+	u16 reserved;
+	u64 secrets_phys;
+	u32 secrets_len;
+	u32 rsvd1;
+	u64 cpuid_phys;
+	u32 cpuid_len;
+	u32 rsvd2;
+} __packed;
+
 /*
  * AMD Programmer's Manual Volume 3
  * - Section "Function 8000_0000h - Maximum Extended Function Number and Vendor String"
diff --git a/x86/amd_sev.c b/x86/amd_sev.c
index 3e6e9129cfaa..4c34a5965a1b 100644
--- a/x86/amd_sev.c
+++ b/x86/amd_sev.c
@@ -69,8 +69,35 @@ static void test_sev_es_activation(void)
 	}
 }
+/* Check to find if SEV-SNP's Confidential Computing Blob is present */
+static efi_status_t find_cc_blob_efi(void)
+{
+	struct cc_blob_sev_info *snp_cc_blob;
+	efi_status_t status;
+
+	status = efi_get_system_config_table(EFI_CC_BLOB_GUID,
+					     (void **)&snp_cc_blob);
+
+	if (status != EFI_SUCCESS)
+		return status;
+
+	if (!snp_cc_blob) {
+		printf("SEV-SNP CC blob not found\n");
+		return EFI_NOT_FOUND;
+	}
+
+	if (snp_cc_blob->magic != CC_BLOB_SEV_HDR_MAGIC) {
+		printf("SEV-SNP CC blob header/signature mismatch");
+		return EFI_UNSUPPORTED;
+	}
+
+	return EFI_SUCCESS;
+}
+
 static void test_sev_snp_activation(void)
 {
+	efi_status_t status;
+
 	report_info("TEST: SEV-SNP Activation test");
 	if (!(rdmsr(MSR_SEV_STATUS) & SEV_SNP_ENABLED_MASK)) {
@@ -79,6 +106,9 @@ static void test_sev_snp_activation(void)
 	}
 	report_info("SEV-SNP is enabled");
+
+	status = find_cc_blob_efi();
+	report(status == EFI_SUCCESS, "SEV-SNP CC-blob presence");
 }
 static void test_stringio(void)
-- 
2.34.1
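Review bot: The struct mirrors a firmware-defined layout, but nothing in the hunk pins its size, so a later field edit would silently shift `secrets_phys`/`cpuid_phys` relative to what OVMF writes; if the tree builds as C11, `_Static_assert(sizeof(struct cc_blob_sev_info) == 40, "cc_blob_sev_info layout");` after the definition guards it (40 is the sum of the declared fields, which are also naturally aligned, so `__packed` documents intent rather than changing the layout here). The header comment points at the OVMF header while the commit message says the definition was imported from Linux's arch/x86/include/asm/sev.h; naming both sources in the comment keeps a reader from chasing the wrong one. Per-field comments saying that `*_phys` are guest-physical addresses and `*_len` are byte lengths would also help, though that reading is inferred from the names and should be confirmed against the cited header.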
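Review bot: The mismatch message `printf("SEV-SNP CC blob header/signature mismatch");` lacks the trailing `\n` that the "not found" message in the branch above has, so the next line of test output is glued onto it; use `printf("SEV-SNP CC blob header/signature mismatch\n");`. The rest of this file emits diagnostics through `report_info()`, so the two messages in find_cc_blob_efi would be more consistent as `report_info()` calls. The helper validates only `magic`; since the commit message says `cpuid_phys`/`cpuid_len` are to be consumed by the #VC handler later, also checking `version` and that `cpuid_phys` and `cpuid_len` are non-zero here would reject a malformed blob before anything dereferences it, though the expected version value is not on the page and would need to be taken from the cited OVMF header. When `efi_get_system_config_table()` returns a non-success status the function returns without printing anything, so whether the warning promised by the commit message appears in that case depends on that helper's contract, which is outside this hunk.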
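Review bot: The report string `"SEV-SNP CC-blob presence"` also fails when `find_cc_blob_efi()` returns EFI_UNSUPPORTED on a magic mismatch, so a present-but-malformed blob is reported as if it were absent; `report(status == EFI_SUCCESS, "SEV-SNP CC-blob present and valid");` describes what is actually checked. Carrying the returned status into the report text would additionally let a failing run tell the three return paths apart. test_sev_snp_activation() begins in the previous hunk; only its tail is in this one.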