SEV guest VMs have the concept of private and shared memory. Private
memory is encrypted with the guest-specific key, while shared memory
may be encrypted with the hypervisor's key. The C-bit (encryption attribute)
in the PTE indicates whether the page is private or shared.
If SEV is active, set the memory encryption attribute while building
the page table.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 +++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
index 6201cad..eaf9732 100644
--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
@@ -26,6 +26,7 @@ BITS 32
%define PAGE_GLOBAL 0x0100
%define PAGE_2M_MBO 0x080
%define PAGE_2M_PAT 0x01000
+%define KVM_FEATURE_SEV 0x08
%define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \
PAGE_ACCESSED + \
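Review bot: `KVM_FEATURE_SEV 0x08` is a bit position consumed by `bt`, whereas the surrounding PAGE_* defines are PTE bit masks; placed in that group without a comment it reads as a mask. A short comment such as `; KVM CPUID leaf 0x40000001, EAX bit 8: SEV enabled (bit index, not a mask)` and a blank line separating it from the page-attribute block would prevent that misreading, and writing the value as decimal `8` matches how it is used.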
@@ -37,6 +38,33 @@ BITS 32
PAGE_READ_WRITE + \
PAGE_PRESENT)
+; Check if Secure Encrypted Virtualization (SEV) feature
+; is enabled in KVM
+;
+; If SEV is enabled, then EAX will contain Memory encryption bit position
+;
+CheckKVMSEVFeature:
+ ; Check for SEV feature
+ ; CPUID KVM_FEATURE - Bit 8
+ mov eax, 0x40000001
+ cpuid
+ bt eax, KVM_FEATURE_SEV
+ jnc NoSev
+
+ ; Get memory encryption information
+ ; CPUID Fn8000_001F[EBX] - Bits 5:0
+ ;
+ mov eax, 0x8000001f
+ cpuid
+ mov eax, ebx
+ and eax, 0x3f
+ jmp SevExit
+
+NoSev:
+ xor eax, eax
+
+SevExit:
+ OneTimeCallRet CheckKVMSEVFeature
;
; Modified: EAX, ECX
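Review bot: CheckKVMSEVFeature executes CPUID twice and therefore clobbers EBX, ECX and EDX in addition to returning in EAX, yet it carries no clobber list, and the caller's `; Modified: EAX, ECX` header just below stops being true once the call is added; give the new routine `; Modified: EAX, EBX, ECX, EDX` plus `; Out: EAX = C-bit position, 0 if SEV is not active`, and extend the caller's list. Nothing verifies that leaf 0x40000001 and extended leaf 0x8000001F are implemented — the maximum-leaf values from 0x40000000 and 0x80000000 are never consulted — so on a non-KVM hypervisor or an older processor the `bt` and the Fn8000_001F read operate on whatever the CPU returns for an unimplemented leaf, which is not guaranteed to be zero. Keying the decision on a KVM paravirt feature bit also ties the reset vector to one hypervisor; the architectural indication is, as I recall, CPUID Fn8000_001F[EAX] bit 1 together with the SEV_STATUS MSR, which seems worth using or at least noting in a comment. The convention that 0 means "not active" is only safe because a valid C-bit position is never 0; stating that invariant in the header comment would help the next reader.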
@@ -60,18 +88,41 @@ clearPageTablesMemoryLoop:
mov dword[ecx * 4 + PT_ADDR (0) - 4], eax
loop clearPageTablesMemoryLoop
+ ; Check if it SEV-enabled Guest
+ ;
+ OneTimeCall CheckKVMSEVFeature
+ xor edx, edx
+ test eax, eax
+ jz SevNotActive
+
+ ; If SEV is enabled, Memory encryption bit is always above 31
+ mov ebx, 32
+ sub ebx, eax
+ bts edx, eax
+
+SevNotActive:
+
+ ;
;
; Top level Page Directory Pointers (1 * 512GB entry)
;
+ ; edx contain the memory encryption bit mask, must be applied
+ ; to upper 31 bit on 64-bit address
+ ;
mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
+ mov dword[PT_ADDR (4)], edx
;
; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
;
mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
+ mov dword[PT_ADDR (0x1004)], edx
mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
+ mov dword[PT_ADDR (0x100C)], edx
mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
+ mov dword[PT_ADDR (0x1004)], edx
mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
+ mov dword[PT_ADDR (0x100C)], edx
;
; Page Table Entries (2048 * 2MB entries => 4GB)
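Review bot: The C-bit is never applied to the third and fourth PDP entries: the stores that follow `PT_ADDR (0x1010)` and `PT_ADDR (0x1018)` write `edx` to PT_ADDR (0x1004) and PT_ADDR (0x100C) a second time, so the entries pointing at the 0x4000 and 0x5000 page-table pages keep a clear encryption bit while the first two are marked private; they should read `mov dword[PT_ADDR (0x1014)], edx` and `mov dword[PT_ADDR (0x101C)], edx`. Since the page-table pages themselves live in guest-private memory, a walk through those two entries would presumably read ciphertext — a crash on any access in the 2–4 GB range rather than a silent leak, but it defeats the patch for that half of the mapping. The `mov ebx, 32` / `sub ebx, eax` pair computes a value that is never used (and leaves EBX clobbered), and the following `bts edx, eax` only lands on the right high-dword bit because `bts` reduces a register bit offset modulo 32; make that explicit with `sub eax, 32` before `bts edx, eax` and drop the EBX arithmetic. The comment `; to upper 31 bit on 64-bit address` should say `upper 32 bits` (the high dword written at offset +4). The enclosing routine begins outside this hunk.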
@@ -83,6 +134,7 @@ pageTableEntriesLoop:
shl eax, 21
add eax, PAGE_2M_PDE_ATTR
mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
+ mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
loop pageTableEntriesLoop
;
On 2017-03-06 15:27:35, Brijesh Singh wrote: > SEV guest VMs have the concept of private and shared memory. Private > memory is encrypted with the guest-specific key, while shared memory > may be encrypted with hypervisor key. The C-bit (encryption attribute) > in PTE indicates whether the page is private or shared. > > If SEV is active, set the memory encryption attribute while building > the page table. > > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > --- > OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 +++++++++++++++++++++++++++++ > 1 file changed, 52 insertions(+) > > diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > index 6201cad..eaf9732 100644 > --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm > +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > @@ -26,6 +26,7 @@ BITS 32 > %define PAGE_GLOBAL 0x0100 > %define PAGE_2M_MBO 0x080 > %define PAGE_2M_PAT 0x01000 > +%define KVM_FEATURE_SEV 0x08 > > %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \ > PAGE_ACCESSED + \ > @@ -37,6 +38,33 @@ BITS 32 > PAGE_READ_WRITE + \ > PAGE_PRESENT) > > +; Check if Secure Encrypted Virtualization (SEV) feature > +; is enabled in KVM > +; > +; If SEV is enabled, then EAX will contain Memory encryption bit position > +; > +CheckKVMSEVFeature: Code style would be CheckKvmSevFeature. -Jordan > + ; Check for SEV feature > + ; CPUID KVM_FEATURE - Bit 8 > + mov eax, 0x40000001 > + cpuid > + bt eax, KVM_FEATURE_SEV > + jnc NoSev > + > + ; Get memory encryption information > + ; CPUID Fn8000_001F[EBX] - Bits 5:0 > + ; > + mov eax, 0x8000001f > + cpuid > + mov eax, ebx > + and eax, 0x3f > + jmp SevExit > + > +NoSev: > + xor eax, eax > + > +SevExit: > + OneTimeCallRet CheckKVMSEVFeature > > ; > ; Modified: EAX, ECX 
> @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop: > mov dword[ecx * 4 + PT_ADDR (0) - 4], eax > loop clearPageTablesMemoryLoop > > + ; Check if it SEV-enabled Guest > + ; > + OneTimeCall CheckKVMSEVFeature > + xor edx, edx > + test eax, eax > + jz SevNotActive > + > + ; If SEV is enabled, Memory encryption bit is always above 31 > + mov ebx, 32 > + sub ebx, eax > + bts edx, eax > + > +SevNotActive: > + > + ; > ; > ; Top level Page Directory Pointers (1 * 512GB entry) > ; > + ; edx contain the memory encryption bit mask, must be applied > + ; to upper 31 bit on 64-bit address > + ; > mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (4)], edx > > ; > ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) > ; > mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x1004)], edx > mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x100C)], edx > mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x1004)], edx > mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR > + mov dword[PT_ADDR (0x100C)], edx > > ; > ; Page Table Entries (2048 * 2MB entries => 4GB) > @@ -83,6 +134,7 @@ pageTableEntriesLoop: > shl eax, 21 > add eax, PAGE_2M_PDE_ATTR > mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax > + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx > loop pageTableEntriesLoop > > ; > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
On Wed, Mar 8, 2017 at 12:38 PM, Jordan Justen <jordan.l.justen@intel.com> wrote: > On 2017-03-06 15:27:35, Brijesh Singh wrote: > > SEV guest VMs have the concept of private and shared memory. Private > > memory is encrypted with the guest-specific key, while shared memory > > may be encrypted with hypervisor key. The C-bit (encryption attribute) > > in PTE indicates whether the page is private or shared. > > > > If SEV is active, set the memory encryption attribute while building > > the page table. > > > > Contributed-under: TianoCore Contribution Agreement 1.0 > > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> > > --- > > OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 > +++++++++++++++++++++++++++++ > > 1 file changed, 52 insertions(+) > > > > diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm > b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > > index 6201cad..eaf9732 100644 > > --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm > > +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm > > @@ -26,6 +26,7 @@ BITS 32 > > %define PAGE_GLOBAL 0x0100 > > %define PAGE_2M_MBO 0x080 > > %define PAGE_2M_PAT 0x01000 > > +%define KVM_FEATURE_SEV 0x08 > > > > %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \ > > PAGE_ACCESSED + \ 
> > @@ -37,6 +38,33 @@ BITS 32 > > PAGE_READ_WRITE + \ > > PAGE_PRESENT) > > > > +; Check if Secure Encrypted Virtualization (SEV) feature > > +; is enabled in KVM > > +; > > +; If SEV is enabled, then EAX will contain Memory encryption bit > position > > +; > > +CheckKVMSEVFeature: > > Code style would be CheckKvmSevFeature. > > Thanks Jordan, I will fix the coding style in next rev > > + ; Check for SEV feature > > + ; CPUID KVM_FEATURE - Bit 8 > > + mov eax, 0x40000001 > > + cpuid > > + bt eax, KVM_FEATURE_SEV > > + jnc NoSev > > + > > + ; Get memory encryption information > > + ; CPUID Fn8000_001F[EBX] - Bits 5:0 > > + ; > > + mov eax, 0x8000001f > > + cpuid > > + mov eax, ebx > > + and eax, 0x3f > > + jmp SevExit > > + > > +NoSev: > > + xor eax, eax > > + > > +SevExit: > > + OneTimeCallRet CheckKVMSEVFeature > > > > ; > > ; Modified: EAX, ECX 
> > @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop: > > mov dword[ecx * 4 + PT_ADDR (0) - 4], eax > > loop clearPageTablesMemoryLoop > > > > + ; Check if it SEV-enabled Guest > > + ; > > + OneTimeCall CheckKVMSEVFeature > > + xor edx, edx > > + test eax, eax > > + jz SevNotActive > > + > > + ; If SEV is enabled, Memory encryption bit is always above 31 > > + mov ebx, 32 > > + sub ebx, eax > > + bts edx, eax > > + > > +SevNotActive: > > + > > + ; > > ; > > ; Top level Page Directory Pointers (1 * 512GB entry) > > ; > > + ; edx contain the memory encryption bit mask, must be applied > > + ; to upper 31 bit on 64-bit address > > + ; > > mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR > > + mov dword[PT_ADDR (4)], edx > > > > ; > > ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) > > ; > > mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR > > + mov dword[PT_ADDR (0x1004)], edx > > mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR > > + mov dword[PT_ADDR (0x100C)], edx > > mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR > > + mov dword[PT_ADDR (0x1004)], edx > > mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR > > + mov dword[PT_ADDR (0x100C)], edx > > > > ; > > ; Page Table Entries (2048 * 2MB entries => 4GB) > > @@ -83,6 +134,7 @@ pageTableEntriesLoop: > > shl eax, 21 > > add eax, PAGE_2M_PDE_ATTR > > mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax > > + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx > > loop pageTableEntriesLoop > > > > ; > > > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel > -- Confusion is always the most honest response. _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel