diff --git a/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch b/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
new file mode 100644
index 0000000..2a92c02
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
@@ -0,0 +1,51 @@
+From c4096f74a41bde4fc62576222e0c9622152d7701 Mon Sep 17 00:00:00 2001
+From: Pawel Polawski <ppolawsk@redhat.com>
+Date: Tue, 4 Jan 2022 15:16:40 +0800
+Subject: [PATCH 2/2] OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as
+ reserved
+
+RH-Author: Pawel Polawski <ppolawsk@redhat.com>
+RH-MergeRequest: 10: OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as reserved
+RH-Commit: [1/1] a8f099d508e2e7b39697945acaa767c43577b1e6 (elkoniu/edk2)
+RH-Bugzilla: 2041754
+RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Mark the SEV launch secret MEMFD area as reserved, which will allow the
+guest OS to use it during the lifetime of the OS, without creating
+copies of the sensitive content.
+
+Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Cc: Erdem Aktas <erdemaktas@google.com>
+Cc: James Bottomley <jejb@linux.ibm.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
+Signed-off-by: Dov Murik <dovmurik@linux.ibm.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Acked-by: Jiewen Yao <Jiewen.Yao@intel.com>
+Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
+---
+ OvmfPkg/AmdSev/SecretPei/SecretPei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
+index db94c26b54..6bf1a55dea 100644
+--- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c
++++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c
+@@ -19,7 +19,7 @@ InitializeSecretPei (
+ BuildMemoryAllocationHob (
+ PcdGet32 (PcdSevLaunchSecretBase),
+ ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE),
+- EfiBootServicesData
++ EfiReservedMemoryType
+ );
+
+ return EFI_SUCCESS;
+--
+2.27.0
+
diff --git a/SOURCES/edk2-ovmf-amdsev.json b/SOURCES/edk2-ovmf-amdsev.json
new file mode 100644
index 0000000..a5fbf85
--- /dev/null
+++ b/SOURCES/edk2-ovmf-amdsev.json
@@ -0,0 +1,30 @@
+{
+ "description": "OVMF with SEV-ES support",
+ "interface-types": [
+ "uefi"
+ ],
+ "mapping": {
+ "device": "flash",
+ "mode": "stateless",
+ "executable": {
+ "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
+ "format": "raw"
+ }
+ },
+ "targets": [
+ {
+ "architecture": "x86_64",
+ "machines": [
+ "pc-q35-rhel8.5.0"
+ ]
+ }
+ ],
+ "features": [
+ "amd-sev",
+ "amd-sev-es",
+ "verbose-dynamic"
+ ],
+ "tags": [
+
+ ]
+}
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
index 5836d90..28b8bcf 100644
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@@ -24,7 +24,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: http://www.tianocore.org
@@ -45,6 +45,7 @@ Source11: edk2-aarch64.json
Source12: edk2-ovmf-sb.json
Source13: edk2-ovmf.json
Source14: edk2-ovmf-cc.json
+Source15: edk2-ovmf-amdsev.json
Patch0008: 0008-BaseTools-do-not-build-BrotliCompress-RH-only.patch
Patch0009: 0009-MdeModulePkg-remove-package-private-Brotli-include-p.patch
@@ -93,6 +94,8 @@ Patch49: edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch
Patch50: edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch
# For bz#1935497 - edk2 implements and/or uses the deprecated MD5 and SHA-1 algorithms by default
Patch51: edk2-OvmfPkg-rework-TPM-configuration.patch
+# For bz#2041755 - Mark SEV launch secret area as reserved
+Patch52: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
# python3-devel and libuuid-devel are required for building tools.
@@ -201,7 +204,7 @@ git config am.keepcr true
%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am
cp -a -- %{SOURCE1} %{SOURCE3} .
-cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} .
+cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} .
tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
# Format the Red Hat-issued certificate that is to be enrolled as both Platform
@@ -293,6 +296,11 @@ build ${OVMF_FLAGS} -a X64 \
build ${OVMF_SB_FLAGS} -a IA32 -a X64 \
-p OvmfPkg/OvmfPkgIa32X64.dsc
+# Build AmdSev
+touch OvmfPkg/AmdSev/Grub/grub.efi # dummy
+build ${OVMF_FLAGS} -a X64 \
+ -p OvmfPkg/AmdSev/AmdSevX64.dsc
+
# Sanity check: the varstore templates must be identical.
cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd
@@ -368,6 +376,9 @@ install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.secboot.fd \
install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/UefiShell.iso \
%{buildroot}%{_datadir}/%{name}/ovmf/UefiShell.iso
+install -m 0644 Build/AmdSev/DEBUG_%{TOOLCHAIN}/FV/OVMF.fd \
+ %{buildroot}%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
+
ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/
ln -s ../%{name}/ovmf/OVMF_VARS.fd %{buildroot}%{_datadir}/OVMF/
ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/
@@ -384,6 +395,8 @@ install -m 0644 edk2-ovmf.json \
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf.json
install -m 0644 edk2-ovmf-cc.json \
%{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
+install -m 0644 edk2-ovmf-amdsev.json \
+ %{buildroot}%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json
# endif build_ovmf
%endif
@@ -474,6 +487,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
+%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
%{_datadir}/%{name}/ovmf/UefiShell.iso
%{_datadir}/OVMF/OVMF_CODE.secboot.fd
%{_datadir}/OVMF/OVMF_VARS.fd
@@ -483,6 +497,7 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
%{_datadir}/qemu/firmware/40-edk2-ovmf-sb.json
%{_datadir}/qemu/firmware/50-edk2-ovmf-cc.json
+%{_datadir}/qemu/firmware/50-edk2-ovmf-amdsev.json
%{_datadir}/qemu/firmware/50-edk2-ovmf.json
# endif build_ovmf
%endif
@@ -531,6 +546,14 @@ KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
%changelog
+* Wed Feb 23 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-3
+- edk2-spec-build-amdsev-variant.patch [bz#2054661]
+- edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755]
+- Resolves: bz#2054661
+ (RFE: Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF)
+- Resolves: bz#2041755
+ (Mark SEV launch secret area as reserved)
+
* Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2
- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497]
- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497]