From 8b87eb9dfba054331ed16204f36c4885aefc3c94 Mon Sep 17 00:00:00 2001 From: Tom Lendacky Date: Wed, 8 Jan 2025 12:22:43 -0600 Subject: [PATCH] OvmfPkg: Use the OvmfPkg version of CcProbeLib Currently, multiple dsc files within the OvmfPkg directory use the NULL version of the CcProbeLib library. However, these packages have support for confidential guests (usage of CcExitLib, MemEncrypt{Sev,Tdx}Lib, etc.) and should be using the OvmfPkg version of the CcProbeLib. The use of the NULL library causes the PCI option ROM to be enabled, which can't be trusted as it originates from the hypervisor. The use of the NULL library also causes a KVM hypervisor error when attempting to map/back the option ROM region when running an SEV-SNP guest. Update the various dsc files to reference the OvmfPkg version of the CcProbeLib library and prevent usage of PCI option ROMs. Signed-off-by: Tom Lendacky --- OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- OvmfPkg/CloudHv/CloudHvX64.dsc | 7 ++++++- OvmfPkg/Microvm/MicrovmX64.dsc | 5 ++++- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index c875d9e56e33..e0eaa3c5744b 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -142,7 +142,6 @@ PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf - CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf @@ -165,6 +164,7 @@ VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf @@ -232,6 +232,7 @@ CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf @@ -248,6 +249,7 @@ DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf !endif PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf [LibraryClasses.common.PEIM] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf @@ -277,6 +279,7 @@ QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf [LibraryClasses.common.DXE_CORE] diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index 1e2aa56cd447..bbd99318e686 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -160,7 +160,6 @@ PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf - CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf @@ -187,6 +186,9 @@ ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf +!else + CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf !endif CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf @@ -270,6 +272,7 @@ CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf @@ -286,6 +289,7 @@ DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf !endif PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf [LibraryClasses.common.PEIM] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf @@ -314,6 +318,7 @@ QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibNull.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf [LibraryClasses.common.DXE_CORE] diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 8ba7aeeadd8e..4ac2fc2640fa 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -163,7 +163,6 @@ PciCapLib|OvmfPkg/Library/BasePciCapLib/BasePciCapLib.inf PciCapPciSegmentLib|OvmfPkg/Library/BasePciCapPciSegmentLib/BasePciCapPciSegmentLib.inf PciCapPciIoLib|OvmfPkg/Library/UefiPciCapPciIoLib/UefiPciCapPciIoLib.inf - CcProbeLib|MdePkg/Library/CcProbeLibNull/CcProbeLibNull.inf IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicSev.inf OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf SerialPortLib|PcAtChipsetPkg/Library/SerialIoLib/SerialIoLib.inf @@ -186,6 +185,7 @@ VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/DxeCcProbeLib.inf LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf @@ -278,6 +278,7 @@ CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf CcExitLib|OvmfPkg/Library/CcExitLib/SecCcExitLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf @@ -294,6 +295,7 @@ DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf !endif PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf [LibraryClasses.common.PEIM] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf @@ -322,6 +324,7 @@ QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf + CcProbeLib|OvmfPkg/Library/CcProbeLib/SecPeiCcProbeLib.inf PlatformInitLib|OvmfPkg/Library/PlatformInitLib/PlatformInitLib.inf [LibraryClasses.common.DXE_CORE]