This RFC series provides support for AMD's new Secure Encrypted
Virtualization (SEV) feature.
SEV is an extension to the AMD-V architecture which supports running
multiple VMs under the control of a hypervisor. The SEV feature allows
the memory contents of a virtual machine (VM) to be transparently encrypted
with a key unique to the guest VM. The memory controller contains a
high performance encryption engine which can be programmed with multiple
keys for use by a different VMs in the system. The programming and
management of these keys is handled by the AMD Secure Processor firmware
which exposes a commands for these tasks.
SEV guest VMs have the concept of private and shared memory. Private memory is
encrypted with the guest-specific key, while shared memory may be encrypted
with hypervisor key. Certain types of memory (namely instruction pages and
guest page tables) are always treated as private memory by the hardware.
For data memory, SEV guest VMs can choose which pages they would like to be
private. The choice is done using the standard CPU page tables using the C-bit,
and is fully controlled by the guest. Due to security reasons all the DMA
operations inside the guest must be performed on shared pages (C-bit clear).
Note that since C-bit is only controllable by the guest OS when it is operating
in 64-bit or 32-bit PAE mode, in all other modes the SEV hardware forces the
C-bit to a 1.
KVM SEV RFC [1] extends the KVM_FEATURE cpuid instruction to indicate whether
SEV is enabled. When SEV is enabled then OVMF can use cpuid Fn8000_001F[BX]
to get the C-bit position in PTE.
The following links provide additional details:
AMD Memory Encryption whitepaper:
http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
AMD64 Architecture Programmer's Manual:
http://support.amd.com/TechDocs/24593.pdf
SME is section 7.10
SEV is section 15.34
Secure Encrypted Virutualization Key Management:
http://support.amd.com/TechDocs/55766_SEV-KM API_Specification.pdf
KVM Forum Presentation:
http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
[1] http://marc.info/?l=linux-mm&m=148846752931115&w=2
---
Patch is based on commit a11928f (BaseTools/Source/C/Makefiles: Fix
NmakeSubdirs.bat always return 0)
TODO:
- Unroll the IoFifo write function when SEV is active.
- Clear the encryption attribute from VGA framebuffer memory so that hypervisor
can read the guest framebuffer console
- add DMA support when SEV is active
Since the DMA operations must be performed on shread pages, I am thinking
that once the DMA library patch [2] is accepted then I can import it in
OvmfPkg and make the SEV specific changes (mainly clearing the C-bit on
DMA addresses).
[2] https://lists.01.org/pipermail/edk2-devel/2017-March/008109.html
- investigate SMM/SMI support
- add virtio support
Brijesh Singh (5):
OvmfPkg/ResetVector: Set memory encryption when SEV is active
OvmfPkg/MemcryptSevLib: Add SEV helper library
OvmfPkg/PlatformPei: Initialize SEV support
OvmfPkg/BaseIoLibIntrinsic: import BaseIoLibIntrinsic package
OvmfPkg/BaseIoLibIntrinsic: Unroll String I/O when SEV is active
OvmfPkg/Include/Library/MemcryptSevLib.h | 42 ++++++
.../BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf | 3
.../BaseIoLibIntrinsic/BaseIoLibIntrinsic.uni | 0
.../BaseIoLibIntrinsicInternal.h | 0
OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.asm | 0
.../Library/BaseIoLibIntrinsic/Ia32/IoFifo.nasm | 19 +++
.../Library/BaseIoLibIntrinsic/Ia32/SevIoFifo.nasm | 141 ++++++++++++++++++++
OvmfPkg/Library/BaseIoLibIntrinsic/IoHighLevel.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/IoLib.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/IoLibArm.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/IoLibEbc.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/IoLibGcc.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIcc.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIpf.c | 0
.../Library/BaseIoLibIntrinsic/IoLibMmioBuffer.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/IoLibMsc.c | 0
OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.asm | 0
OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.nasm | 19 +++
.../Library/BaseIoLibIntrinsic/X64/SevIoFifo.nasm | 143 ++++++++++++++++++++
OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.c | 66 +++++++++
OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.inf | 44 ++++++
OvmfPkg/OvmfPkgIa32X64.dsc | 6 +
OvmfPkg/OvmfPkgX64.dsc | 6 +
OvmfPkg/PlatformPei/Platform.c | 6 +
OvmfPkg/PlatformPei/PlatformPei.inf | 1
OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 +++++++
26 files changed, 545 insertions(+), 3 deletions(-)
create mode 100644 OvmfPkg/Include/Library/MemcryptSevLib.h
copy MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf => OvmfPkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf (94%)
copy MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.uni => OvmfPkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.uni (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicInternal.h => OvmfPkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicInternal.h (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.asm => OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.asm (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.nasm => OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/IoFifo.nasm (87%)
create mode 100644 OvmfPkg/Library/BaseIoLibIntrinsic/Ia32/SevIoFifo.nasm
copy MdePkg/Library/BaseIoLibIntrinsic/IoHighLevel.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoHighLevel.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLib.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLib.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLibArm.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibArm.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLibEbc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibEbc.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLibGcc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibGcc.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLibIcc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIcc.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLibIpf.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibIpf.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLibMmioBuffer.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibMmioBuffer.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/IoLibMsc.c => OvmfPkg/Library/BaseIoLibIntrinsic/IoLibMsc.c (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/X64/IoFifo.asm => OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.asm (100%)
copy MdePkg/Library/BaseIoLibIntrinsic/X64/IoFifo.nasm => OvmfPkg/Library/BaseIoLibIntrinsic/X64/IoFifo.nasm (88%)
create mode 100644 OvmfPkg/Library/BaseIoLibIntrinsic/X64/SevIoFifo.nasm
create mode 100644 OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.c
create mode 100644 OvmfPkg/Library/MemcryptSevLib/MemcryptSevLib.inf
--
Brijesh Singh
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel