mirror of https://github.com/acidanthera/audk.git
6995a1b79b
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198 A GHCB page is needed during the Sec phase, so this new page must be created. Since the #VC exception handler routines assume that a per-CPU variable area is immediately after the GHCB, this per-CPU variable area must also be created. Since the GHCB must be marked as an un-encrypted, or shared, page, an additional pagetable page is required to break down the 2MB region where the GHCB page lives into 4K pagetable entries. Create a new entry in the OVMF memory layout for the new page table page and for the SEC GHCB and per-CPU variable pages. After breaking down the 2MB page, update the GHCB page table entry to remove the encryption mask. The GHCB page will be used by the SEC #VC exception handler. The #VC exception handler will fill in the necessary fields of the GHCB and exit to the hypervisor using the VMGEXIT instruction. The hypervisor then accesses the GHCB in order to perform the requested function. Four new fixed PCDs are needed to support the SEC GHCB page: - PcdOvmfSecGhcbBase UINT32 value that is the base address of the GHCB used during the SEC phase. - PcdOvmfSecGhcbSize UINT32 value that is the size, in bytes, of the GHCB area used during the SEC phase. - PcdOvmfSecGhcbPageTableBase UINT32 value that is address of a page table page used to break down the 2MB page into 512 4K pages. - PcdOvmfSecGhcbPageTableSize UINT32 value that is the size, in bytes, of the page table page. Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Regression-tested-by: Laszlo Ersek <lersek@redhat.com> |
||
---|---|---|
.. | ||
8254TimerDxe | ||
8259InterruptControllerDxe | ||
AcpiPlatformDxe | ||
AcpiTables | ||
AmdSevDxe | ||
Bhyve | ||
CompatImageLoaderDxe | ||
CpuHotplugSmm | ||
CpuS3DataDxe | ||
Csm | ||
EmuVariableFvbRuntimeDxe | ||
EnrollDefaultKeys | ||
Include | ||
IncompatiblePciDeviceSupportDxe | ||
IoMmuDxe | ||
Library | ||
LinuxInitrdDynamicShellCommand | ||
LsiScsiDxe | ||
MptScsiDxe | ||
PciHotPlugInitDxe | ||
PlatformCI | ||
PlatformDxe | ||
PlatformPei | ||
PvScsiDxe | ||
QemuFlashFvbServicesRuntimeDxe | ||
QemuKernelLoaderFsDxe | ||
QemuRamfbDxe | ||
QemuVideoDxe | ||
ResetVector | ||
SataControllerDxe | ||
Sec | ||
SioBusDxe | ||
SmbiosPlatformDxe | ||
SmmAccess | ||
SmmControl2Dxe | ||
Tcg/Tcg2Config | ||
Virtio10Dxe | ||
VirtioBlkDxe | ||
VirtioGpuDxe | ||
VirtioNetDxe | ||
VirtioPciDeviceDxe | ||
VirtioRngDxe | ||
VirtioScsiDxe | ||
XenBusDxe | ||
XenIoPciDxe | ||
XenIoPvhDxe | ||
XenPlatformPei | ||
XenPvBlkDxe | ||
XenResetVector | ||
XenTimerDxe | ||
FvmainCompactScratchEnd.fdf.inc | ||
License.txt | ||
OvmfPkg.ci.yaml | ||
OvmfPkg.dec | ||
OvmfPkgDefines.fdf.inc | ||
OvmfPkgIa32.dsc | ||
OvmfPkgIa32.fdf | ||
OvmfPkgIa32X64.dsc | ||
OvmfPkgIa32X64.fdf | ||
OvmfPkgX64.dsc | ||
OvmfPkgX64.fdf | ||
OvmfXen.dsc | ||
OvmfXen.fdf | ||
OvmfXenElfHeaderGenerator.c | ||
README | ||
VarStore.fdf.inc | ||
build.sh |
README
=== OVMF OVERVIEW === The Open Virtual Machine Firmware (OVMF) project aims to support firmware for Virtual Machines using the edk2 code base. More information can be found at: http://www.tianocore.org/ovmf/ === STATUS === Current capabilities: * IA32 and X64 architectures * QEMU (0.10.0 or later) - Video, keyboard, IDE, CD-ROM, serial - Runs UEFI shell - Optional NIC support. Requires QEMU (0.12.2 or later) * UEFI Linux boots * UEFI Windows 8 boots * UEFI Windows 7 & Windows 2008 Server boot (see important notes below!) === FUTURE PLANS === * Test/Stabilize UEFI Self-Certification Tests (SCT) results === BUILDING OVMF === Pre-requisites: * Build environment capable of build the edk2 MdeModulePkg. * A properly configured ASL compiler: - Intel ASL compiler: Available from http://www.acpica.org - Microsoft ASL compiler: Available from http://www.acpi.info * NASM: http://www.nasm.us/ Update Conf/target.txt ACTIVE_PLATFORM for OVMF: PEI arch DXE arch UEFI interfaces * OvmfPkg/OvmfPkgIa32.dsc IA32 IA32 IA32 * OvmfPkg/OvmfPkgIa32X64.dsc IA32 X64 X64 * OvmfPkg/OvmfPkgX64.dsc X64 X64 X64 Update Conf/target.txt TARGET_ARCH based on the .dsc file: TARGET_ARCH * OvmfPkg/OvmfPkgIa32.dsc IA32 * OvmfPkg/OvmfPkgIa32X64.dsc IA32 X64 * OvmfPkg/OvmfPkgX64.dsc X64 Following the edk2 build process, you will find the OVMF binaries under the $WORKSPACE/Build/*/*/FV directory. The actual path will depend on how your build is configured. You can expect to find these binary outputs: * OVMF.FD - Please note! This filename has changed. Older releases used OVMF.Fv. * OvmfVideo.rom - This file is not built separately any longer, starting with svn r13520. More information on building OVMF can be found at: https://github.com/tianocore/tianocore.github.io/wiki/How%20to%20build%20OVMF === RUNNING OVMF on QEMU === * QEMU 0.12.2 or later is required. * Be sure to use qemu-system-x86_64, if you are using and X64 firmware. (qemu-system-x86_64 works for the IA32 firmware as well, of course.) * Use OVMF for QEMU firmware (3 options available) - Option 1: QEMU 1.6 or newer; Use QEMU -pflash parameter * QEMU/OVMF will use emulated flash, and fully support UEFI variables * Run qemu with: -pflash path/to/OVMF.fd * Note that this option is required for running SecureBoot-enabled builds (-D SECURE_BOOT_ENABLE). - Option 2: Use QEMU -bios parameter * Note that UEFI variables will be partially emulated, and non-volatile variables may lose their contents after a reboot * Run qemu with: -bios path/to/OVMF.fd - Option 3: Use QEMU -L parameter * Note that UEFI variables will be partially emulated, and non-volatile variables may lose their contents after a reboot * Either copy, rename or symlink OVMF.fd => bios.bin * Use the QEMU -L parameter to specify the directory where the bios.bin file is located. * The EFI shell is built into OVMF builds at this time, so it should run automatically if a UEFI boot application is not found on the removable media. * On Linux, newer version of QEMU may enable KVM feature, and this might cause OVMF to fail to boot. The QEMU '-no-kvm' may allow OVMF to boot. * Capturing OVMF debug messages on qemu: - The default OVMF build writes debug messages to IO port 0x402. The following qemu command line options save them in the file called debug.log: '-debugcon file:debug.log -global isa-debugcon.iobase=0x402'. - It is possible to revert to the original behavior, when debug messages were written to the emulated serial port (potentially intermixing OVMF debug output with UEFI serial console output). For this the '-D DEBUG_ON_SERIAL_PORT' option has to be passed to the build command (see the next section), and in order to capture the serial output qemu needs to be started with eg. '-serial file:serial.log'. - Debug messages fall into several categories. Logged vs. suppressed categories are controlled at OVMF build time by the 'gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel' bitmask (an UINT32 value) in the selected .dsc file. Individual bits of this bitmask are defined in <MdePkg/Include/Library/DebugLib.h>. One non-default bit (with some performance impact) that is frequently set for debugging is 0x00400000 (DEBUG_VERBOSE). - The RELEASE build target ('-b RELEASE' build option, see below) disables all debug messages. The default build target is DEBUG. === Build Scripts === On systems with the bash shell you can use OvmfPkg/build.sh to simplify building and running OVMF. So, for example, to build + run OVMF X64: $ OvmfPkg/build.sh -a X64 $ OvmfPkg/build.sh -a X64 qemu And to run a 64-bit UEFI bootable ISO image: $ OvmfPkg/build.sh -a X64 qemu -cdrom /path/to/disk-image.iso To build a 32-bit OVMF without debug messages using GCC 4.8: $ OvmfPkg/build.sh -a IA32 -b RELEASE -t GCC48 === SMM support === Requirements: * SMM support requires QEMU 2.5. * The minimum required QEMU machine type is "pc-q35-2.5". * SMM with KVM requires Linux 4.4 (host). OVMF is capable of utilizing SMM if the underlying QEMU or KVM hypervisor emulates SMM. SMM is put to use in the S3 suspend and resume infrastructure, and in the UEFI variable driver stack. The purpose is (virtual) hardware separation between the runtime guest OS and the firmware (OVMF), with the intent to make Secure Boot actually secure, by preventing the runtime guest OS from tampering with the variable store and S3 areas. For SMM support, OVMF must be built with the "-D SMM_REQUIRE" option. The resultant firmware binary will check if QEMU actually provides SMM emulation; if it doesn't, then OVMF will log an error and trigger an assertion failure during boot (even in RELEASE builds). Both the naming of the flag (SMM_REQUIRE, instead of SMM_ENABLE), and this behavior are consistent with the goal described above: this is supposed to be a security feature, and fallbacks are not allowed. Similarly, a pflash-backed variable store is a requirement. QEMU should be started with the options listed below (in addition to any other guest-specific flags). The command line should be gradually composed from the hints below. '\' is used to extend the command line to multiple lines, and '^' can be used on Windows. * QEMU binary and options specific to 32-bit guests: $ qemu-system-i386 -cpu coreduo,-nx \ or $ qemu-system-x86_64 -cpu <MODEL>,-lm,-nx \ * QEMU binary for running 64-bit guests (no particular options): $ qemu-system-x86_64 \ * Flags common to all SMM scenarios (only the Q35 machine type is supported): -machine q35,smm=on,accel=(tcg|kvm) \ -m ... \ -smp ... \ -global driver=cfi.pflash01,property=secure,value=on \ -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd,readonly=on \ -drive if=pflash,format=raw,unit=1,file=copy_of_OVMF_VARS.fd \ * In order to disable S3, add: -global ICH9-LPC.disable_s3=1 \ === Network Support === OVMF provides a UEFI network stack by default. Its lowest level driver is the NIC driver, higher levels are generic. In order to make DHCP, PXE Boot, and eg. socket test utilities from the StdLib edk2 package work, (1) qemu has to be configured to emulate a NIC, (2) a matching UEFI NIC driver must be available when OVMF boots. (If a NIC is configured for the virtual machine, and -- dependent on boot order -- PXE booting is attempted, but no DHCP server responds to OVMF's DHCP DISCOVER message at startup, the boot process may take approx. 3 seconds longer.) * For each NIC emulated by qemu, a GPLv2 licensed UEFI driver is available from the iPXE project. The qemu source distribution, starting with version 1.5, contains prebuilt binaries of these drivers (and of course allows one to rebuild them from source as well). This is the recommended set of drivers. * Use the qemu -netdev and -device options, or the legacy -net option, to enable NIC support: <http://wiki.qemu.org/Documentation/Networking>. * For a qemu >= 1.5 binary running *without* any "-M machine" option where "machine" would identify a < qemu-1.5 configuration (for example: "-M pc-i440fx-1.4" or "-M pc-0.13"), the iPXE drivers are automatically available to and configured for OVMF in the default qemu installation. * For a qemu binary in [0.13, 1.5), or a qemu >= 1.5 binary with an "-M machine" option where "machine" selects a < qemu-1.5 configuration: - download a >= 1.5.0-rc1 source tarball from <http://wiki.qemu.org/Download>, - extract the following iPXE driver files from the tarball and install them in a location that is accessible to qemu processes (this may depend on your SELinux configuration, for example): qemu-VERSION/pc-bios/efi-e1000.rom qemu-VERSION/pc-bios/efi-ne2k_pci.rom qemu-VERSION/pc-bios/efi-pcnet.rom qemu-VERSION/pc-bios/efi-rtl8139.rom qemu-VERSION/pc-bios/efi-virtio.rom - extend the NIC's -device option on the qemu command line with a matching "romfile=" optarg: -device e1000,...,romfile=/full/path/to/efi-e1000.rom -device ne2k_pci,...,romfile=/full/path/to/efi-ne2k_pci.rom -device pcnet,...,romfile=/full/path/to/efi-pcnet.rom -device rtl8139,...,romfile=/full/path/to/efi-rtl8139.rom -device virtio-net-pci,...,romfile=/full/path/to/efi-virtio.rom * Independently of the iPXE NIC drivers, the default OVMF build provides a basic virtio-net driver, located in OvmfPkg/VirtioNetDxe. * Also independently of the iPXE NIC drivers, Intel's proprietary E1000 NIC driver (from the BootUtil distribution) can be embedded in the OVMF image at build time: - Download BootUtil: - Navigate to https://downloadcenter.intel.com/download/19186/Ethernet-Intel-Ethernet-Connections-Boot-Utility-Preboot-Images-and-EFI-Drivers - Click the download link for "PREBOOT.EXE". - Accept the Intel Software License Agreement that appears. - Unzip "PREBOOT.EXE" into a separate directory (this works with the "unzip" utility on platforms different from Windows as well). - Copy the "APPS/EFI/EFIx64/E3522X2.EFI" driver binary to "Intel3.5/EFIX64/E3522X2.EFI" in your WORKSPACE. - Intel have stopped distributing an IA32 driver binary (which used to match the filename pattern "E35??E2.EFI"), thus this method will only work for the IA32X64 and X64 builds of OVMF. - Include the driver in OVMF during the build: - Add "-D E1000_ENABLE" to your build command (only when building "OvmfPkg/OvmfPkgIa32X64.dsc" or "OvmfPkg/OvmfPkgX64.dsc"). - For example: "build -D E1000_ENABLE". * When a matching iPXE driver is configured for a NIC as described above, it takes priority over other drivers that could possibly drive the card too: | e1000 ne2k_pci pcnet rtl8139 virtio-net-pci ---------------------+------------------------------------------------ iPXE | x x x x x VirtioNetDxe | x Intel BootUtil (X64) | x === HTTPS Boot === HTTPS Boot is an alternative solution to PXE. It replaces the tftp server with a HTTPS server so the firmware can download the images through a trusted and encrypted connection. * To enable HTTPS Boot, you have to build OVMF with -D NETWORK_HTTP_BOOT_ENABLE and -D NETWORK_TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while the latter enables TLS support in both NetworkPkg and CryptoPkg. If you want to exclude the unsecured HTTP connection completely, OVMF has to be built with -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE so that only the HTTPS connections will be accepted. * By default, there is no trusted certificate. The user has to import the certificates either manually with "Tls Auth Configuration" utility in the firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts. -fw_cfg name=etc/edk2/https/cacerts,file=<certdb> The blob for etc/edk2/https/cacerts has to be in the format of Signature Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the certificate list. If you want to create the certificate list based on the CA certificates in your local host, p11-kit will be a good choice. Here is the command to create the list: p11-kit extract --format=edk2-cacerts --filter=ca-anchors \ --overwrite --purpose=server-auth <certdb> If you only want to import one certificate, efisiglist is the tool for you: efisiglist -a <cert file> -o <certdb> Please note that the certificate has to be in the DER format. You can also append a certificate to the existing list with the following command: efisiglist -i <old certdb> -a <cert file> -o <new certdb> NOTE: You may need the patch to make efisiglist generate the correct header. (https://github.com/rhboot/pesign/pull/40) * Besides the trusted certificates, it's also possible to configure the trusted cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers. -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites> OVMF expects a binary UINT16 array which comprises the cipher suites HEX IDs(*4). If the cipher suite list is given, OVMF will choose the cipher suite from the intersection of the given list and the built-in cipher suites. Otherwise, OVMF just chooses whatever proper cipher suites from the built-in ones. While the tool(*5) to create the cipher suite array is still under development, the array can be generated with the following script: export LC_ALL=C openssl ciphers -V \ | sed -r -n \ -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \ | xargs -r -- printf -- '%b' > ciphers.bin This script creates ciphers.bin that contains all the cipher suite IDs supported by openssl according to the local host configuration. You may want to enable only a limited set of cipher suites. Then, you should check the validity of your list first: openssl ciphers -V <cipher list> If all the cipher suites in your list map to the proper HEX IDs, go ahead to modify the script and execute it: export LC_ALL=C openssl ciphers -V <cipher list> \ | sed -r -n \ -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \ | xargs -r -- printf -- '%b' > ciphers.bin * In the future (after release 2.12), QEMU should populate both above fw_cfg files automatically from the local host configuration, and enable the user to override either with dedicated options or properties. (*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A. (*2) p11-kit: https://github.com/p11-glue/p11-kit/ (*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c (*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table (*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies === OVMF Flash Layout === Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash) appears in QEMU's physical address space just below 4GB (0x100000000). OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files for the FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for the 1MB image in QEMU physical memory is 0xfff00000. The base address for the 2MB image is 0xffe00000. The base address for the 4MB image is 0xffc00000. Using the 1MB or 2MB image, the layout of the firmware device in memory looks like: +--------------------------------------- 4GB (0x100000000) | VTF0 (16-bit reset code) and OVMF SEC | (SECFV, 208KB/0x34000) +--------------------------------------- varies based on flash size | | Compressed main firmware image | (FVMAIN_COMPACT) | +--------------------------------------- base + 0x20000 | Fault-tolerant write (FTW) | Spare blocks (64KB/0x10000) +--------------------------------------- base + 0x10000 | FTW Work block (4KB/0x1000) +--------------------------------------- base + 0x0f000 | Event log area (4KB/0x1000) +--------------------------------------- base + 0x0e000 | Non-volatile variable storage | area (56KB/0xe000) +--------------------------------------- base address Using the 4MB image, the layout of the firmware device in memory looks like: +--------------------------------------- base + 0x400000 (4GB/0x100000000) | VTF0 (16-bit reset code) and OVMF SEC | (SECFV, 208KB/0x34000) +--------------------------------------- base + 0x3cc000 | | Compressed main firmware image | (FVMAIN_COMPACT, 3360KB/0x348000) | +--------------------------------------- base + 0x84000 | Fault-tolerant write (FTW) | Spare blocks (264KB/0x42000) +--------------------------------------- base + 0x42000 | FTW Work block (4KB/0x1000) +--------------------------------------- base + 0x41000 | Event log area (4KB/0x1000) +--------------------------------------- base + 0x40000 | Non-volatile variable storage | area (256KB/0x40000) +--------------------------------------- base address (0xffc00000) The code in SECFV locates FVMAIN_COMPACT, and decompresses the main firmware (MAINFV) into RAM memory at address 0x800000. The remaining OVMF firmware then uses this decompressed firmware volume image. === UEFI Windows 7 & Windows 2008 Server === * One of the '-vga std' and '-vga qxl' QEMU options should be used. * Only one video mode, 1024x768x32, is supported at OS runtime. * The '-vga qxl' QEMU option is recommended. After booting the installed guest OS, select the video card in Device Manager, and upgrade its driver to the QXL XDDM one. Download location: <http://www.spice-space.org/download.html>, Guest | Windows binaries. This enables further resolutions at OS runtime, and provides S3 (suspend/resume) capability.