
Support not only kernel hashes but also full-disk-encryption for OVMF.fd build by AmdSevX64.dsc #6

Merged
merged 4 commits into from
Nov 28, 2024

Conversation

@wojiaohanliyang commented Nov 21, 2024

Update OvmfPkg/AmdSev/Grub/grub.{sh,cfg} to support full-disk-encryption. This functionality depends on deepin-community/grub2#18.

$ cd /usr
$ sudo tar --transform='s/^/grub\//' -zcf grub.tar.gz lib/grub/x86_64-efi
$ mv grub.tar.gz /opt/
$ cd /opt/
$ tar -xzf grub.tar.gz
$ cd /path/to/edk2-repo
$ dpkg-buildpackage -us -uc -b
$ dpkg-buildpackage -us -uc -b -T build-ovmf-csv # debian/ovmf-install/OVMF.CSV.fd is the OVMF file which supports kernel hashes and full-disk encryption

hanliyang and others added 4 commits October 14, 2024 15:46
…ption

The live migration for Hygon CSV1/2/3 guest depends on the KVM
hypercall KVM_HC_MAP_GPA_RANGE, add code to sync page enc/dec
status to KVM.

The MMIO routine of the VC handler gets the memory encryption status to
validate the MMIO address. MemEncryptSevGetEncryptionMask() enables
interrupts, while interrupts must be disabled during VC. During the DXE
stage, the VC routine is as below:
  CcExitHandleVc
    -> MemEncryptSevGetAddressRangeState
      -> MemEncryptSevGetEncryptionMask->PcdGet64(PcdPteMemoryEncryptionAddressOrMask)

[ hly: Fix the changelog of edk2 (2024.08-2deepin1). ]

Signed-off-by: hanliyang <[email protected]>
When we place the grub FV package into OVMF.fd to support full-disk
encryption, we need to provide the grub components as the build env.

===
Prerequisite:

1. If the grub in your system already supports the efisecret module, then
you should run the following commands to support building OVMF.fd.
  $ cd /usr
  $ sudo tar --transform='s/^/grub\//' -zcf grub.tar.gz lib/grub/
  $ sudo mv grub.tar.gz /opt
  $ cd /opt/
  $ sudo tar -xzf grub.tar.gz

2. If the grub in your system does not support the efisecret module, then we
can clone the grub repository, check out commit 578c95298 ("
kern: Add lockdown support"), and backport the following patch series:
  https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00257.html
  https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00258.html
  https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00259.html
  https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00260.html
After we have prepared the grub sources, we should build them and
install the grub components to /opt/grub. The steps are shown below:
  $ ./bootstrap
  $ ./autogen.sh
  $ ./configure --target=x86_64 --with-platform=efi -prefix=/grub
  $ make -j$(getconf _NPROCESSORS_ONLN)
  $ sudo make install DESTDIR=/opt/
  $ cd /opt/
  $ sudo tar -zcf grub.tar.gz grub

Note: the grub.tar.gz mentioned above will be used when enabling
full-disk encryption in the guest.

===
Build OVMF.fd:

When we build the OVMF.fd which supports full-disk encryption, we should
delete the stale grub.efi in the source tree:
  $ rm OvmfPkg/AmdSev/Grub/grub.efi
And specify the dsc file:
  $ OvmfPkg/build.sh ... -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc ...

Signed-off-by: hanliyang <[email protected]>
===
Prerequisite:

See the `Prerequisite 1.` in the previous commit's message.

===
Build OVMF.CSV.fd:

Actually, the OVMF.CSV.fd mentioned here is the OVMF.fd mentioned in the
previous commit's message. In order to build the OVMF.fd and save it, we
rename it to OVMF.CSV.fd.

When we build the OVMF.CSV.fd which supports full-disk encryption, we
should delete the stale grub.efi in the source tree:
  $ rm OvmfPkg/AmdSev/Grub/grub.efi
And specify build target:
  $ dpkg-buildpackage -us -uc -b -T build-ovmf-csv

After completion of the build process, the OVMF.CSV.fd will be saved to
debian/ovmf-install/OVMF.CSV.fd.

Signed-off-by: hanliyang <[email protected]>
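The grub packaging steps above (the PR description and the "Prerequisite 1." of the third commit), as an added shell example that is not part of the PR or of the edk2 and grub projects. It assumes GNU tar, and the module list beyond efisecret.mod is an assumption; the check confirms that the modules an encrypted-root boot needs actually landed under <dest>/grub before that tree is baked into OVMF.fd.

```shell
#!/bin/sh
# Added example (not from the PR or edk2/grub): package grub under <dest>/grub
# as the commit message's tar --transform step does, then verify the result.
set -eu

# Modules the encrypted-root boot path needs. efisecret comes from the grub-devel
# series linked in the PR; cryptodisk and luks are assumed by this example.
REQUIRED_MODS="efisecret.mod cryptodisk.mod luks.mod"

# package_grub <usr_dir> <dest_dir>: equivalent of
#   cd /usr; tar --transform='s/^/grub\//' -zcf grub.tar.gz lib/grub/x86_64-efi
# followed by extracting the archive under <dest_dir> (the PR uses /opt).
package_grub() {
  usr_dir=$1; dest_dir=$2
  if [ ! -d "$usr_dir/lib/grub/x86_64-efi" ]; then
    echo "no lib/grub/x86_64-efi tree under $usr_dir" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  # The transform prefixes every member path with "grub/"; the slash in the
  # replacement must be escaped or sed rejects the expression.
  (cd "$usr_dir" && tar --transform='s/^/grub\//' -zcf "$dest_dir/grub.tar.gz" lib/grub/x86_64-efi)
  (cd "$dest_dir" && tar -xzf grub.tar.gz)
}

# check_grub_modules <dest_dir>: succeeds only if every required module landed in
# <dest_dir>/grub/lib/grub/x86_64-efi, catching a grub built without efisecret
# before it is baked into OVMF.fd.
check_grub_modules() {
  mod_dir=$1/grub/lib/grub/x86_64-efi
  missing=""
  for m in $REQUIRED_MODS; do
    [ -f "$mod_dir/$m" ] || missing="$missing $m"
  done
  if [ -n "$missing" ]; then
    echo "grub tree at $mod_dir is missing:$missing" >&2
    return 1
  fi
}

# Stand-alone demo on a constructed tree: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  mkdir -p "$work/usr/lib/grub/x86_64-efi"
  for m in $REQUIRED_MODS; do : > "$work/usr/lib/grub/x86_64-efi/$m"; done
  package_grub "$work/usr" "$work/opt"
  check_grub_modules "$work/opt" && echo "packaged grub ready at $work/opt/grub"
fi
```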
@deepin-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign goldendeng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deepin-ci-robot
Contributor

Hi @wojiaohanliyang. Thanks for your PR.

I'm waiting for a deepin-community member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


TAG Bot

TAG: 2024.08-2deepin3
EXISTED: no
DISTRIBUTION: unstable

@Zeno-sole
Contributor

/topic hygon-20241128

@deepin-ci-robot
Contributor

Add topic: hygon-20241128 succeeded.

@Zeno-sole Zeno-sole merged commit 4f8c878 into deepin-community:master Nov 28, 2024
1 of 2 checks passed
3 participants