edk2/SOURCES/0026-OvmfPkg-AmdSevDxe-Shim...

From 5870362631ee204936f495b8e60eb2611bb05c3b Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 16 Aug 2023 12:09:40 +0200
Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)

RH-Author: Oliver Steffen <osteffen@redhat.com>
RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)
RH-Bugzilla: 2218196
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2)

Add a callback at the end of the Dxe phase that sets the
"FB_NO_REBOOT" variable under the Shim GUID.
This is a workaround for a boot loop in case a confidential
guest that uses shim is booted with a vtpm device present.

BZ 2218196

Signed-off-by: Oliver Steffen <osteffen@redhat.com>

patch_name: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
present_in_specfile: true
location_in_specfile: 44
---
 OvmfPkg/AmdSevDxe/AmdSevDxe.c   | 42 +++++++++++++++++++++++++++++++++
 OvmfPkg/AmdSevDxe/AmdSevDxe.inf |  2 ++
 2 files changed, 44 insertions(+)

diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
index db3675ae86..f639c093a2 100644
--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
@@ -19,6 +19,7 @@
 #include <Library/MemoryAllocationLib.h>
 #include <Library/UefiBootServicesTableLib.h>
 #include <Guid/ConfidentialComputingSevSnpBlob.h>
+#include <Guid/GlobalVariable.h>
 #include <Library/PcdLib.h>
 #include <Pi/PrePiDxeCis.h>
 #include <Protocol/SevMemoryAcceptance.h>
@@ -28,6 +29,10 @@
 // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h
 #define EFI_MEMORY_INTERNAL_MASK  0x0700000000000000ULL
 
+static EFI_GUID  ShimLockGuid = {
+  0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }
+};
+
 STATIC
 EFI_STATUS
 AllocateConfidentialComputingBlob (
@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL  mMemoryAcceptProtocol = {
   AmdSevMemoryAccept
 };
 
+VOID
+EFIAPI
+PopulateVarstore (
+  EFI_EVENT  Event,
+  VOID       *Context
+  )
+{
+  EFI_SYSTEM_TABLE  *SystemTable = (EFI_SYSTEM_TABLE *)Context;
+  EFI_STATUS        Status;
+
+  DEBUG ((DEBUG_INFO, "Populating Varstore\n"));
+  UINT32  data = 1;
+
+  Status = SystemTable->RuntimeServices->SetVariable (
+                                           L"FB_NO_REBOOT",
+                                           &ShimLockGuid,
+                                           EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                                           sizeof (data),
+                                           &data
+                                           );
+  ASSERT_EFI_ERROR (Status);
+
+  Status = SystemTable->BootServices->CloseEvent (Event);
+  ASSERT_EFI_ERROR (Status);
+}
+
 EFI_STATUS
 EFIAPI
 AmdSevDxeEntryPoint (
@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint (
   UINTN                                     NumEntries;
   UINTN                                     Index;
   CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION  *SnpBootDxeTable;
+  EFI_EVENT                                 PopulateVarstoreEvent;
 
   //
   // Do nothing when SEV is not enabled
@@ -361,5 +393,15 @@ AmdSevDxeEntryPoint (
                   );
   }
 
+  Status = gBS->CreateEventEx (
+                  EVT_NOTIFY_SIGNAL,
+                  TPL_CALLBACK,
+                  PopulateVarstore,
+                  SystemTable,
+                  &gEfiEndOfDxeEventGroupGuid,
+                  &PopulateVarstoreEvent
+                  );
+  ASSERT_EFI_ERROR (Status);
+
   return EFI_SUCCESS;
 }
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
index e7c7d526c9..09cbd2b0ca 100644
--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
@@ -54,6 +54,8 @@
 [Guids]
   gConfidentialComputingSevSnpBlobGuid
   gEfiEventBeforeExitBootServicesGuid
+  gEfiEndOfDxeEventGroupGuid              ## CONSUMES ## Event
+
 
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
import edk2-20231122-6.el9_4.2 2 months ago			`From 5870362631ee204936f495b8e60eb2611bb05c3b Mon Sep 17 00:00:00 2001`
import edk2-20230524-3.el9 11 months ago			`From: Oliver Steffen <osteffen@redhat.com>`
			`Date: Wed, 16 Aug 2023 12:09:40 +0200`
import edk2-20231122-6.el9_4.2 2 months ago			`Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)`
import edk2-20230524-3.el9 11 months ago
			`RH-Author: Oliver Steffen <osteffen@redhat.com>`
			`RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)`
			`RH-Bugzilla: 2218196`
			`RH-Acked-by: Gerd Hoffmann <None>`
			`RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2)`

			`Add a callback at the end of the Dxe phase that sets the`
			`"FB_NO_REBOOT" variable under the Shim GUID.`
			`This is a workaround for a boot loop in case a confidential`
			`guest that uses shim is booted with a vtpm device present.`

			`BZ 2218196`

			`Signed-off-by: Oliver Steffen <osteffen@redhat.com>`
import edk2-20231122-6.el9_4.2 2 months ago
			`patch_name: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch`
			`present_in_specfile: true`
			`location_in_specfile: 44`
import edk2-20230524-3.el9 11 months ago			`---`
			`OvmfPkg/AmdSevDxe/AmdSevDxe.c \| 42 +++++++++++++++++++++++++++++++++`
			`OvmfPkg/AmdSevDxe/AmdSevDxe.inf \| 2 ++`
			`2 files changed, 44 insertions(+)`

			`diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c`
			`index db3675ae86..f639c093a2 100644`
			`--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c`
			`+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c`
			`@@ -19,6 +19,7 @@`
			`#include <Library/MemoryAllocationLib.h>`
			`#include <Library/UefiBootServicesTableLib.h>`
			`#include <Guid/ConfidentialComputingSevSnpBlob.h>`
			`+#include <Guid/GlobalVariable.h>`
			`#include <Library/PcdLib.h>`
			`#include <Pi/PrePiDxeCis.h>`
			`#include <Protocol/SevMemoryAcceptance.h>`
			`@@ -28,6 +29,10 @@`
			`// Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h`
			`#define EFI_MEMORY_INTERNAL_MASK 0x0700000000000000ULL`

			`+static EFI_GUID ShimLockGuid = {`
			`+ 0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }`
			`+};`
			`+`
			`STATIC`
			`EFI_STATUS`
			`AllocateConfidentialComputingBlob (`
			`@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL mMemoryAcceptProtocol = {`
			`AmdSevMemoryAccept`
			`};`

			`+VOID`
			`+EFIAPI`
			`+PopulateVarstore (`
			`+ EFI_EVENT Event,`
			`+ VOID *Context`
			`+ )`
			`+{`
			`+ EFI_SYSTEM_TABLE SystemTable = (EFI_SYSTEM_TABLE )Context;`
			`+ EFI_STATUS Status;`
			`+`
			`+ DEBUG ((DEBUG_INFO, "Populating Varstore\n"));`
			`+ UINT32 data = 1;`
			`+`
			`+ Status = SystemTable->RuntimeServices->SetVariable (`
			`+ L"FB_NO_REBOOT",`
			`+ &ShimLockGuid,`
			`+ EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,`
			`+ sizeof (data),`
			`+ &data`
			`+ );`
			`+ ASSERT_EFI_ERROR (Status);`
			`+`
			`+ Status = SystemTable->BootServices->CloseEvent (Event);`
			`+ ASSERT_EFI_ERROR (Status);`
			`+}`
			`+`
			`EFI_STATUS`
			`EFIAPI`
			`AmdSevDxeEntryPoint (`
			`@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint (`
			`UINTN NumEntries;`
			`UINTN Index;`
			`CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *SnpBootDxeTable;`
			`+ EFI_EVENT PopulateVarstoreEvent;`

			`//`
			`// Do nothing when SEV is not enabled`
			`@@ -361,5 +393,15 @@ AmdSevDxeEntryPoint (`
			`);`
			`}`

			`+ Status = gBS->CreateEventEx (`
			`+ EVT_NOTIFY_SIGNAL,`
			`+ TPL_CALLBACK,`
			`+ PopulateVarstore,`
			`+ SystemTable,`
			`+ &gEfiEndOfDxeEventGroupGuid,`
			`+ &PopulateVarstoreEvent`
			`+ );`
			`+ ASSERT_EFI_ERROR (Status);`
			`+`
			`return EFI_SUCCESS;`
			`}`
			`diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf`
			`index e7c7d526c9..09cbd2b0ca 100644`
			`--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf`
			`+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf`
			`@@ -54,6 +54,8 @@`
			`[Guids]`
			`gConfidentialComputingSevSnpBlobGuid`
			`gEfiEventBeforeExitBootServicesGuid`
			`+ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event`
			`+`

			`[Pcd]`
			`gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId`