From nobody Sat Nov 2 10:34:15 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; dkim=fail spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1493138179125997.5167698344228; Tue, 25 Apr 2017 09:36:19 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id E33FB2193CF68; Tue, 25 Apr 2017 09:36:14 -0700 (PDT) Received: from mail-oi0-x242.google.com (mail-oi0-x242.google.com [IPv6:2607:f8b0:4003:c06::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B4B132193CF44 for ; Tue, 25 Apr 2017 09:36:12 -0700 (PDT) Received: by mail-oi0-x242.google.com with SMTP id a3so31962657oii.3 for ; Tue, 25 Apr 2017 09:36:12 -0700 (PDT) Received: from brijesh-build-machine.amd.com ([165.204.77.1]) by smtp.gmail.com with ESMTPSA id j17sm9666356ota.24.2017.04.25.09.36.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 25 Apr 2017 09:36:11 -0700 (PDT) X-Original-To: edk2-devel@lists.01.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=8ZjosuPj+kbLI8IAu31VoB5CKVo/aLUHmAg4Ed1vcXc=; b=kqAO2qnVuQNAARw5qpoOoq9cTJgVSLgMbnl7hpyd/jdYCx3L/kczRnZ/s0+UhkRtfI xxjyu+DE83fWzyVmP60/uuF6REW6LjMaqKdBaG4jmhDKzbY9A0mxGv1zYkoFfXSpz7xv 5Y0pAIo6sTPaxA4hrA/t7d29DotWKjt/zSoq5kPZKirNLjUVB37uSIC9XdhMiial+hRz 7Go9iZHPIjMk+NKYcqXJ/ZN2Gab7g+80vvVBJl7/NSNorP/nq1vLqX+Kd/QEP//SYQuZ /f3icuW/ZBfgsSNNxp+yCS6oaybhecq1DX3acsI3/E1qBGooxy+sPGH42MSP0nnNClBP naOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=8ZjosuPj+kbLI8IAu31VoB5CKVo/aLUHmAg4Ed1vcXc=; b=ko5EJ/bc8lyM8E3gP+24KO391oAJm0ATdIqIocdUJZ/j6WY9l1XhhXh2Es6RsFdiOQ vm6ukk4LhuvHsOC5yLRzX3PiNdxeg0wBYGbHIKm28vjqPH0qT3PP+CUtCmf/WovUlrtU SZZkKAPHpA9cwYmSEmnWhwT2lzma8C13MZL3MrmdrZv1FOoz4rKcDaqStdj4uUe9Ttvz cCMXTkRmBI6r5Cp5p5IPWgGrM0rxEW5TRge1nep4Q4P4HltRqa7/I8j+zMvwN5WnSlW1 D5DUE9SR9bTgCozDNKg/LTnjZcMZFQIPKrF1IpqRdIf0w92moHlsFlcfH4fdl8MP0tSH hw/g== X-Gm-Message-State: AN3rC/7XMVteLT8uMc6PHE0tkC8EUpiQQUhM7VlH4KH575CepYalia1m aBTS/+P17zUQsQ== X-Received: by 10.202.95.3 with SMTP id t3mr2548910oib.74.1493138171917; Tue, 25 Apr 2017 09:36:11 -0700 (PDT) From: Brijesh Singh To: edk2-devel@lists.01.org, lersek@redhat.com, jordan.l.justen@intel.com Date: Tue, 25 Apr 2017 12:34:14 -0400 Message-Id: <1493138064-7816-6-git-send-email-brijesh.ksingh@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1493138064-7816-1-git-send-email-brijesh.ksingh@gmail.com> References: <1493138064-7816-1-git-send-email-brijesh.ksingh@gmail.com> Subject: [edk2] [RFC v3 05/15] OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: thomas.lendacky@amd.com, brijesh.singh@amd.com, ard.biesheuvel@linaro.org, liming.gao@intel.com, leo.duran@amd.com, jiewen.yao@intel.com, star.zeng@intel.com MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZohoMail: RDKM_2 RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" From: Brijesh Singh Secure Encrypted Virtualization (SEV) guest VMs have the concept of private and shared memory. Private memory is encrypted with the guest-specific key, while shared memory may be encrypted with hypervisor key. Certain types of memory (namely instruction pages and guest page tables) are always treated as private memory by the hardware. For data memory, SEV guest VMs can choose which pages they would like to be private. The choice is done using the standard CPU page tables using the C-bit. When building the initial page table we mark all the memory as private. The patch initializes the memory encryption PCD, the PCD is used by DxeCore when building the initial page table. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkgIa32.dsc | 3 + OvmfPkg/OvmfPkgIa32X64.dsc | 3 + OvmfPkg/OvmfPkgX64.dsc | 3 + OvmfPkg/PlatformPei/PlatformPei.inf | 3 + OvmfPkg/PlatformPei/Platform.h | 5 ++ OvmfPkg/PlatformPei/AmdSev.c | 62 ++++++++++++++++++++ OvmfPkg/PlatformPei/Platform.c | 1 + 7 files changed, 80 insertions(+) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index ea45d8f606ee..04e7e0fe948f 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -507,6 +507,9 @@ [PcdsDynamicDefault] gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000 =20 + # Set memory encryption mask + gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 + !if $(SMM_REQUIRE) =3D=3D TRUE gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01 gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index dc38c60a70a7..882dc8daacc8 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -515,6 +515,9 @@ [PcdsDynamicDefault] gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000 =20 + # Set memory encryption mask + gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 + !if $(SMM_REQUIRE) =3D=3D TRUE gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01 gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 99df6d80a395..3cfd09a3f260 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -514,6 +514,9 @@ [PcdsDynamicDefault] gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber|64 gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds|50000 =20 + # Set memory encryption mask + gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 + !if $(SMM_REQUIRE) =3D=3D TRUE gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01 gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmApSyncTimeout|100000 diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 53c6dd445a0e..a9a7a76c7325 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -29,6 +29,7 @@ [Defines] # =20 [Sources] + AmdSev.c Cmos.c FeatureControl.c Fv.c @@ -60,6 +61,7 @@ [LibraryClasses] QemuFwCfgLib QemuFwCfgS3Lib MtrrLib + MemEncryptSevLib PcdLib =20 [Pcd] @@ -94,6 +96,7 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable + gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h index 18f42c3f0ea8..a7729b9df44b 100644 --- a/OvmfPkg/PlatformPei/Platform.h +++ b/OvmfPkg/PlatformPei/Platform.h @@ -88,6 +88,11 @@ XenDetect ( VOID ); =20 +VOID +AmdSevInitialize ( + VOID + ); + extern BOOLEAN mXen; =20 VOID diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c new file mode 100644 index 000000000000..26f7c3fdbb13 --- /dev/null +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -0,0 +1,62 @@ +/**@file + Initialize Secure Encrypted Virtualization (SEV) support + + Copyright (c) 2017, Advanced Micro Devices. All rights reserved.
+ + This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD + License which accompanies this distribution. The full text of the licen= se + may be found at http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMP= LIED. + +**/ +// +// The package level header files this module uses +// +#include + +#include +#include +#include +#include +#include + +/** + + Function checks if SEV support is available, if present then it sets + the dynamic PcdPteMemoryEncryptionAddressOrMask with memory encryption m= ask. + + **/ +VOID +EFIAPI +AmdSevInitialize ( + VOID + ) +{ + CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; + UINT64 EncryptionMask; + RETURN_STATUS PcdStatus; + + // + // Check if SEV is enabled + // + if (!MemEncryptSevIsEnabled ()) { + return; + } + + // + // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) + // + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); + EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); + + // + // Set Memory Encryption Mask PCD + // + PcdStatus =3D PcdSet64S (PcdPteMemoryEncryptionAddressOrMask, Encryption= Mask); + ASSERT_RETURN_ERROR (PcdStatus); + + DEBUG ((DEBUG_INFO, "SEV is enabled (mask 0x%lx)\n", EncryptionMask)); +} diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c index 77a8a16c15b8..49e6c668015a 100644 --- a/OvmfPkg/PlatformPei/Platform.c +++ b/OvmfPkg/PlatformPei/Platform.c @@ -667,6 +667,7 @@ InitializePlatform ( NoexecDxeInitialization (); } =20 + AmdSevInitialize (); MiscInitialization (); InstallFeatureControlCallback (); =20 --=20 2.7.4 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel