[edk2] [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active

Brijesh Singh posted 5 patches 7 years, 8 months ago
There is a newer version of this series
[edk2] [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active
Posted by Brijesh Singh 7 years, 8 months ago
SEV guest VMs have the concept of private and shared memory. Private
memory is encrypted with the guest-specific key, while shared memory
may be encrypted with hypervisor key. The C-bit (encryption attribute)
in PTE indicates whether the page is private or shared.

If SEV is active, set the memory encryption attribute while building
the page table.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/ResetVector/Ia32/PageTables64.asm |   52 +++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
index 6201cad..eaf9732 100644
--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
@@ -26,6 +26,7 @@ BITS    32
 %define PAGE_GLOBAL           0x0100
 %define PAGE_2M_MBO            0x080
 %define PAGE_2M_PAT          0x01000
+%define KVM_FEATURE_SEV         0x08
 
 %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \
                           PAGE_ACCESSED + \
@@ -37,6 +38,33 @@ BITS    32
                        PAGE_READ_WRITE + \
                        PAGE_PRESENT)
 
+; Check if Secure Encrypted Virtualization (SEV) feature
+; is enabled in KVM
+;
+;  If SEV is enabled, then EAX will contain Memory encryption bit position
+;
+CheckKVMSEVFeature:
+    ; Check for SEV feature
+    ;  CPUID KVM_FEATURE - Bit 8
+    mov       eax, 0x40000001
+    cpuid
+    bt        eax, KVM_FEATURE_SEV
+    jnc       NoSev
+
+    ; Get memory encryption information
+    ; CPUID Fn8000_001F[EBX] - Bits 5:0
+    ;
+    mov       eax,  0x8000001f
+    cpuid
+    mov       eax, ebx
+    and       eax, 0x3f
+    jmp       SevExit
+
+NoSev:
+    xor       eax, eax
+
+SevExit:
+    OneTimeCallRet CheckKVMSEVFeature
 
 ;
 ; Modified:  EAX, ECX
@@ -60,18 +88,41 @@ clearPageTablesMemoryLoop:
     mov     dword[ecx * 4 + PT_ADDR (0) - 4], eax
     loop    clearPageTablesMemoryLoop
 
+    ; Check if it SEV-enabled Guest
+    ;
+    OneTimeCall   CheckKVMSEVFeature
+    xor     edx, edx
+    test    eax, eax
+    jz      SevNotActive
+
+    ; If SEV is enabled, Memory encryption bit is always above 31
+    mov     ebx, 32
+    sub     ebx, eax
+    bts     edx, eax
+
+SevNotActive:
+
+    ;
     ;
     ; Top level Page Directory Pointers (1 * 512GB entry)
     ;
+    ; edx contain the memory encryption bit mask, must be applied
+    ; to upper 31 bit on 64-bit address
+    ;
     mov     dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (4)], edx
 
     ;
     ; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
     ;
     mov     dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x1004)], edx
     mov     dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x100C)], edx
     mov     dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x1004)], edx
     mov     dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x100C)], edx
 
     ;
     ; Page Table Entries (2048 * 2MB entries => 4GB)
@@ -83,6 +134,7 @@ pageTableEntriesLoop:
     shl     eax, 21
     add     eax, PAGE_2M_PDE_ATTR
     mov     [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
+    mov     [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
     loop    pageTableEntriesLoop
 
     ;

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active
Posted by Jordan Justen 7 years, 8 months ago
On 2017-03-06 15:27:35, Brijesh Singh wrote:
> SEV guest VMs have the concept of private and shared memory. Private
> memory is encrypted with the guest-specific key, while shared memory
> may be encrypted with hypervisor key. The C-bit (encryption attribute)
> in PTE indicates whether the page is private or shared.
> 
> If SEV is active, set the memory encryption attribute while building
> the page table.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
>  OvmfPkg/ResetVector/Ia32/PageTables64.asm |   52 +++++++++++++++++++++++++++++
>  1 file changed, 52 insertions(+)
> 
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> index 6201cad..eaf9732 100644
> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> @@ -26,6 +26,7 @@ BITS    32
>  %define PAGE_GLOBAL           0x0100
>  %define PAGE_2M_MBO            0x080
>  %define PAGE_2M_PAT          0x01000
> +%define KVM_FEATURE_SEV         0x08
>  
>  %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \
>                            PAGE_ACCESSED + \
> @@ -37,6 +38,33 @@ BITS    32
>                         PAGE_READ_WRITE + \
>                         PAGE_PRESENT)
>  
> +; Check if Secure Encrypted Virtualization (SEV) feature
> +; is enabled in KVM
> +;
> +;  If SEV is enabled, then EAX will contain Memory encryption bit position
> +;
> +CheckKVMSEVFeature:

Code style would be CheckKvmSevFeature.

-Jordan

> +    ; Check for SEV feature
> +    ;  CPUID KVM_FEATURE - Bit 8
> +    mov       eax, 0x40000001
> +    cpuid
> +    bt        eax, KVM_FEATURE_SEV
> +    jnc       NoSev
> +
> +    ; Get memory encryption information
> +    ; CPUID Fn8000_001F[EBX] - Bits 5:0
> +    ;
> +    mov       eax,  0x8000001f
> +    cpuid
> +    mov       eax, ebx
> +    and       eax, 0x3f
> +    jmp       SevExit
> +
> +NoSev:
> +    xor       eax, eax
> +
> +SevExit:
> +    OneTimeCallRet CheckKVMSEVFeature
>  
>  ;
>  ; Modified:  EAX, ECX
> @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop:
>      mov     dword[ecx * 4 + PT_ADDR (0) - 4], eax
>      loop    clearPageTablesMemoryLoop
>  
> +    ; Check if it SEV-enabled Guest
> +    ;
> +    OneTimeCall   CheckKVMSEVFeature
> +    xor     edx, edx
> +    test    eax, eax
> +    jz      SevNotActive
> +
> +    ; If SEV is enabled, Memory encryption bit is always above 31
> +    mov     ebx, 32
> +    sub     ebx, eax
> +    bts     edx, eax
> +
> +SevNotActive:
> +
> +    ;
>      ;
>      ; Top level Page Directory Pointers (1 * 512GB entry)
>      ;
> +    ; edx contain the memory encryption bit mask, must be applied
> +    ; to upper 31 bit on 64-bit address
> +    ;
>      mov     dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (4)], edx
>  
>      ;
>      ; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
>      ;
>      mov     dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x1004)], edx
>      mov     dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x100C)], edx
>      mov     dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x1004)], edx
>      mov     dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
> +    mov     dword[PT_ADDR (0x100C)], edx
>  
>      ;
>      ; Page Table Entries (2048 * 2MB entries => 4GB)
> @@ -83,6 +134,7 @@ pageTableEntriesLoop:
>      shl     eax, 21
>      add     eax, PAGE_2M_PDE_ATTR
>      mov     [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
> +    mov     [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
>      loop    pageTableEntriesLoop
>  
>      ;
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active
Posted by Brijesh Singh 7 years, 8 months ago
On Wed, Mar 8, 2017 at 12:38 PM, Jordan Justen <jordan.l.justen@intel.com>
wrote:

> On 2017-03-06 15:27:35, Brijesh Singh wrote:
> > SEV guest VMs have the concept of private and shared memory. Private
> > memory is encrypted with the guest-specific key, while shared memory
> > may be encrypted with hypervisor key. The C-bit (encryption attribute)
> > in PTE indicates whether the page is private or shared.
> >
> > If SEV is active, set the memory encryption attribute while building
> > the page table.
> >
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> > ---
> >  OvmfPkg/ResetVector/Ia32/PageTables64.asm |   52
> +++++++++++++++++++++++++++++
> >  1 file changed, 52 insertions(+)
> >
> > diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> > index 6201cad..eaf9732 100644
> > --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> > +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> > @@ -26,6 +26,7 @@ BITS    32
> >  %define PAGE_GLOBAL           0x0100
> >  %define PAGE_2M_MBO            0x080
> >  %define PAGE_2M_PAT          0x01000
> > +%define KVM_FEATURE_SEV         0x08
> >
> >  %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \
> >                            PAGE_ACCESSED + \
> > @@ -37,6 +38,33 @@ BITS    32
> >                         PAGE_READ_WRITE + \
> >                         PAGE_PRESENT)
> >
> > +; Check if Secure Encrypted Virtualization (SEV) feature
> > +; is enabled in KVM
> > +;
> > +;  If SEV is enabled, then EAX will contain Memory encryption bit
> position
> > +;
> > +CheckKVMSEVFeature:
>
> Code style would be CheckKvmSevFeature.
>
>

Thanks Jordan, I will fix the coding style in next rev




> > +    ; Check for SEV feature
> > +    ;  CPUID KVM_FEATURE - Bit 8
> > +    mov       eax, 0x40000001
> > +    cpuid
> > +    bt        eax, KVM_FEATURE_SEV
> > +    jnc       NoSev
> > +
> > +    ; Get memory encryption information
> > +    ; CPUID Fn8000_001F[EBX] - Bits 5:0
> > +    ;
> > +    mov       eax,  0x8000001f
> > +    cpuid
> > +    mov       eax, ebx
> > +    and       eax, 0x3f
> > +    jmp       SevExit
> > +
> > +NoSev:
> > +    xor       eax, eax
> > +
> > +SevExit:
> > +    OneTimeCallRet CheckKVMSEVFeature
> >
> >  ;
> >  ; Modified:  EAX, ECX
> > @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop:
> >      mov     dword[ecx * 4 + PT_ADDR (0) - 4], eax
> >      loop    clearPageTablesMemoryLoop
> >
> > +    ; Check if it SEV-enabled Guest
> > +    ;
> > +    OneTimeCall   CheckKVMSEVFeature
> > +    xor     edx, edx
> > +    test    eax, eax
> > +    jz      SevNotActive
> > +
> > +    ; If SEV is enabled, Memory encryption bit is always above 31
> > +    mov     ebx, 32
> > +    sub     ebx, eax
> > +    bts     edx, eax
> > +
> > +SevNotActive:
> > +
> > +    ;
> >      ;
> >      ; Top level Page Directory Pointers (1 * 512GB entry)
> >      ;
> > +    ; edx contain the memory encryption bit mask, must be applied
> > +    ; to upper 31 bit on 64-bit address
> > +    ;
> >      mov     dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
> > +    mov     dword[PT_ADDR (4)], edx
> >
> >      ;
> >      ; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
> >      ;
> >      mov     dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
> > +    mov     dword[PT_ADDR (0x1004)], edx
> >      mov     dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
> > +    mov     dword[PT_ADDR (0x100C)], edx
> >      mov     dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
> > +    mov     dword[PT_ADDR (0x1004)], edx
> >      mov     dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
> > +    mov     dword[PT_ADDR (0x100C)], edx
> >
> >      ;
> >      ; Page Table Entries (2048 * 2MB entries => 4GB)
> > @@ -83,6 +134,7 @@ pageTableEntriesLoop:
> >      shl     eax, 21
> >      add     eax, PAGE_2M_PDE_ATTR
> >      mov     [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
> > +    mov     [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
> >      loop    pageTableEntriesLoop
> >
> >      ;
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
>



-- 
Confusion is always the most honest response.
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel