1. Patchew
  2. EDK2
  3. [edk2] [RFC v3 00/15] x86: Secure Encrypted Virtualization (AMD)
  4. View patch

[edk2] [RFC v3 15/15] OvmfPkg/AmdSevDxe: Add AmdSevDxe driver

Brijesh Singh posted 15 patches 7 years, 6 months ago
There is a newer version of this series
[edk2] [RFC v3 15/15] OvmfPkg/AmdSevDxe: Add AmdSevDxe driver
Posted by Brijesh Singh 7 years, 6 months ago 
From: Brijesh Singh <brijesh.singh@amd.com>

When SEV is enabled, the MMIO memory range must be mapped as unencrypted
(i.e C-bit cleared). The patch adds a DXE driver that runs early in boot
and clears the memory encryption attribute from MMIO and NonExistent
memory ranges. By clearing the C-bit from NonExistent memory space will
gurantee that any MMIO adds done later (e.g PciHostBridge) will be
mapped as unencrypted .


Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/OvmfPkgIa32X64.dsc      |  1 +
 OvmfPkg/OvmfPkgX64.dsc          |  1 +
 OvmfPkg/OvmfPkgIa32X64.fdf      |  2 +
 OvmfPkg/OvmfPkgX64.fdf          |  2 +
 OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 43 +++++++++++++
 OvmfPkg/AmdSevDxe/AmdSevDxe.c   | 67 ++++++++++++++++++++
 6 files changed, 116 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index da7b8d398462..311f152fca0a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -805,6 +805,7 @@ [Components.X64]
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
+  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 8bf7cf8e75a6..70f700373f20 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -803,6 +803,7 @@ [Components]
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
+  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 5233314139bc..12871860d001 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -190,6 +190,7 @@ [FV.DXEFV]
 APRIORI DXE {
   INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
   INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+  INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 !if $(SMM_REQUIRE) == FALSE
   INF  OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
 !endif
@@ -351,6 +352,7 @@ [FV.DXEFV]
 INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF  OvmfPkg/PlatformDxe/Platform.inf
+INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
 INF  OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 36150101e784..ae6e66a1c08d 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -190,6 +190,7 @@ [FV.DXEFV]
 APRIORI DXE {
   INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
   INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+  INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 !if $(SMM_REQUIRE) == FALSE
   INF  OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
 !endif
@@ -351,6 +352,7 @@ [FV.DXEFV]
 INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF  OvmfPkg/PlatformDxe/Platform.inf
+INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
 INF  OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
new file mode 100644
index 000000000000..633387f6d2c7
--- /dev/null
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
@@ -0,0 +1,43 @@
+#/** @file
+#
+#  AmdSevDxe driver clears the C-bit from MMIO region
+#
+#  Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
+#
+#  This program and the accompanying materials
+#  are licensed and made available under the terms and conditions of the BSD
+#  License which accompanies this distribution.  The full text of the license may
+#  be found at http://opensource.org/licenses/bsd-license.php
+#
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+#**/
+
+[Defines]
+  INF_VERSION                    = 1.25
+  BASE_NAME                      = AmdSevDxe
+  FILE_GUID                      = 2ec9da37-ee35-4de9-86c5-6d9a81dc38a7
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = AmdSevDxeEntryPoint
+
+[Sources]
+  AmdSevDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  DebugLib
+  DxeServicesTableLib
+  MemEncryptSevLib
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+  UefiLib
+
+[Depex]
+  TRUE
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
new file mode 100644
index 000000000000..4c863ff604dc
--- /dev/null
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
@@ -0,0 +1,67 @@
+/** @file
+
+  The driver runs early in DXE phase and clears C-bit from MMIO memory space.
+
+  Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
+
+  This program and the accompanying materials
+  are licensed and made available under the terms and conditions of the BSD
+  License which accompanies this distribution.  The full text of the license may
+  be found at http://opensource.org/licenses/bsd-license.php
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <PiDxe.h>
+
+#include <Library/BaseLib.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DxeServicesTableLib.h>
+#include <Library/MemEncryptSevLib.h>
+
+EFI_STATUS
+EFIAPI
+AmdSevDxeEntryPoint (
+  IN EFI_HANDLE         ImageHandle,
+  IN EFI_SYSTEM_TABLE   *SystemTable
+  )
+{
+  EFI_GCD_MEMORY_SPACE_DESCRIPTOR  *AllDescMap;
+  UINTN                            NumEntries;
+  UINTN                            Index;
+  EFI_STATUS                       Status;
+
+  //
+  // Do nothing when SEV is not enabled
+  //
+  if (!MemEncryptSevIsEnabled ()) {
+    return EFI_SUCCESS;
+  }
+
+  //
+  // Iterate through the GCD map and clear the C-bit from MMIO and NonExistent
+  // memory space. The NonExistent memory space will be used for mapping the MMIO
+  // space added later (eg PciRootBridge). By clearing both known NonExistent
+  // memory space can gurantee that any MMIO added later will have C-bit cleared.
+  //
+  Status = gDS->GetMemorySpaceMap (&NumEntries, &AllDescMap);
+  if (Status == EFI_SUCCESS) {
+    for (Index = 0; Index < NumEntries; Index++) {
+      CONST EFI_GCD_MEMORY_SPACE_DESCRIPTOR *Desc;
+
+      Desc = &AllDescMap[Index];
+      if (Desc->GcdMemoryType == EfiGcdMemoryTypeMemoryMappedIo ||
+          Desc->GcdMemoryType == EfiGcdMemoryTypeNonExistent) {
+        Status = MemEncryptSevClearPageEncMask (Desc->BaseAddress, EFI_SIZE_TO_PAGES(Desc->Length), FALSE);
+        ASSERT_EFI_ERROR(Status);
+      }
+    }
+  }
+
+  return Status;
+}
-- 
2.7.4

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.