From nobody Sun Feb  8 20:59:06 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12
 as permitted sender) client-ip=66.175.222.12;
 envelope-from=bounce+27952+63512+1787277+3901457@groups.io;
 helo=web01.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as
 permitted sender)
  smtp.mailfrom=bounce+27952+63512+1787277+3901457@groups.io;
	arc=fail (BodyHash is different from the expected one)
Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by
 mx.zohomail.com
	with SMTPS id 1596134984941462.71506853809535;
 Thu, 30 Jul 2020 11:49:44 -0700 (PDT)
Return-Path: <bounce+27952+63512+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id 44B1YY1788612xIisjXcLBjc;
 Thu, 30 Jul 2020 11:49:44 -0700
X-Received: from NAM11-CO1-obe.outbound.protection.outlook.com
 (NAM11-CO1-obe.outbound.protection.outlook.com [40.107.220.72])
 by mx.groups.io with SMTP id smtpd.web10.1814.1596134984093023099
 for <devel@edk2.groups.io>;
 Thu, 30 Jul 2020 11:49:44 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Idq22ktssbwC/clGjzIDSR0Vnf09RC06vQ1QDZEuNwmSzi7GL5S/yvbMcHyMCB+q5lH3+zpA2p39OrEQbBsYJRMOabVuQPLxaGKUt7ZVXj7nhwDU0isTs4A/F50DXmmhoRz/ybZ90gPUyFlXhXbfBgL13obEvVhzDMvI9JkjYoVax2ZsDAgAF9/szMhHcaugErbNpdXLM1XIxb2a5+J3UfQfHN4rK2bVsdIQfpAf3hDl8k+NGZJmmEGV+MCrPju9VDbtC/UWUQ285vj9TxxenID/QVHssAGOdjnVHTLmM+Fm/Cb7PSXzunIIN5wbKw3LMZbKaLNWoPhN8ay7+9bh8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=JkyhLOofvIbow8VdM+XsfKiaUSck6a3v3S8jdpNjfQo=;
 b=R82XGB4r8iIbvgedTCgDGKVHJmO74F26kWohNnjet+hGL30Y0usKtih3CYg1Ub0wU72MX8NRwL3klupMImZwFCxEqmSqwVEkLBJm+ZFCGrX1iz2nMo4PhNIliYob98ZZ8no+vCfdYeDzQq9qPBaNF79p38N1JeUf/shKH5jfCUcyZkY2ny72emCA+xgw5bJlbfJ2L8znaB6ujI/yj+cb9gvvsoLioYRQdnikstQeomKybYrkjcMo3UXTWCX+zeLsrUIcQi1liY6mXKLc73C1BOS0yPYZFZ+Wv8SRJosSi/ZY2dsWn4TrDmtB+JcDFBygupiz5JK6DR1eZJ5lcr1F6A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass
 header.d=amd.com; arc=none
X-Received: from DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7)
 by
 DM6PR12MB4092.namprd12.prod.outlook.com (2603:10b6:5:214::14) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.3239.16; Thu, 30 Jul 2020 18:49:43 +0000
X-Received: from DM5PR12MB1355.namprd12.prod.outlook.com
 ([fe80::25ec:e6ba:197c:4eb0]) by DM5PR12MB1355.namprd12.prod.outlook.com
 ([fe80::25ec:e6ba:197c:4eb0%8]) with mapi id 15.20.3239.020; Thu, 30 Jul 2020
 18:49:43 +0000
From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: devel@edk2.groups.io
CC: Brijesh Singh <brijesh.singh@amd.com>,
	Ard Biesheuvel <ard.biesheuvel@arm.com>,
	Eric Dong <eric.dong@intel.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Laszlo Ersek <lersek@redhat.com>,
	Liming Gao <liming.gao@intel.com>,
	Michael D Kinney <michael.d.kinney@intel.com>,
	Ray Ni <ray.ni@intel.com>,
	Anthony Perard <anthony.perard@citrix.com>,
	Julien Grall <julien@xen.org>
Subject: [edk2-devel] [PATCH v13 35/46] OvmfPkg/PlatformPei: Reserve SEV-ES
 work area if S3 is supported
Date: Thu, 30 Jul 2020 13:43:47 -0500
Message-ID: 
 <164fed78e2bde9486c7a4cc2c9851ff5476b76fb.1596134638.git.thomas.lendacky@amd.com>
In-Reply-To: <cover.1596134638.git.thomas.lendacky@amd.com>
References: <cover.1596134638.git.thomas.lendacky@amd.com>
X-ClientProxiedBy: DM3PR08CA0020.namprd08.prod.outlook.com
 (2603:10b6:0:52::30) To DM5PR12MB1355.namprd12.prod.outlook.com
 (2603:10b6:3:6e::7)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-Received: from tlendack-t1.amd.com (165.204.77.1) by
 DM3PR08CA0020.namprd08.prod.outlook.com (2603:10b6:0:52::30) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.16 via Frontend
 Transport; Thu, 30 Jul 2020 18:49:41 +0000
X-Originating-IP: [165.204.77.1]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: a59a810b-fd32-4ce4-876a-08d834b9523e
X-MS-TrafficTypeDiagnostic: DM6PR12MB4092:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
 <DM6PR12MB4092AE76975C6EFED26B0A66EC710@DM6PR12MB4092.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: 
 OUi3pSpoH/fDVFNpYmK/OzM0iN6WpK5LfnDzYXqh8cAYvly7U/CQfibfeZ5xFxubITwIzkqKXfXh/Tqs18c32YGj0QvUP1ikqsHneF+i4DQfUe9gGowYSFWGG11qW2CP4jyKPi6+cHVmQxNgsKUBvCfAt46gkeiaPotLk/DqNLGZJKWK10JsaDLQGgPCXMW+h0SryEfA3EpSdVTAQYIlEKwlgBlYw6sp2ELRniSs6B2zMpOPO+O3m9WyENzZVSqDW7T1VplW4pPe1cGN2Kvjk7xgnedubVeYJUEkGATDseLbdih8jInU4IhPYy5Qp1uc/9GYGBye9bCOwkmdsn92NsIfTDk+AzHvVzJ9P/Jg3+BmlLT2FNLHBA43iQ50B1z+Dgny/TnDj7uOq7NrukbBQgxnUL3Kxyg+b7b8EeReiBeWWz/umsCisvftA6bCMHVm9qcNOtcgflfA2syJgREieg==
X-MS-Exchange-AntiSpam-MessageData: 
 e2xDXXTdarpLHA829xoShgqex9X8Y/mfNEnxRMTzdQ6JLH5fRnCLhAwHCRIoAH6v9eSRAfOH2jtI9Ndo5YDe3c2MIY+/jMEnKFlVmV1hZO/1u+ohW7h9JrgXD62hbfNoNMtlhCad5abCWkMzUU61OH6DRPpkqNThssCJBK4RF0NgmZ8aA8dRqrgzV+iO4N5anWTQszrwzyHmRsjrhmK2g4ZA9/xmjfazu8nTmWnBjYAF0nXrpjGzlL+q0kcB4wWKSYtkhj8NLEEkrpXfKDZJwJ0YAZWJkJ0gtUeCj6iiQS7zCYnuto4q2IqmLFz8GaV2VR5Hs0IC1PgcHsQnn7OD+Je2888RVZqFs/mC0vPQelIvUhUKcxAen8W+dOgh0IF6ohoaDE6srDeAkYcdETCIVj+ITCl7A61hsEAIWdVgf/WUyfhSR9JzS4bm4EeMoZHaUCTWL+AjOhBPTbcKkdxU2HjIyAPgN0EdgYEpeZaKK154j4efW0D97QgsFmuccftJwYAN1/Jg3TBCRS4qAGC9DeL+fObBbOVD4dDtx7/MKmEJNSVwjFm7ub+S6/8Hfbc8/ddSveip+2zq8NUwrTiHUqlCBD3NjCaC5Q8XubywmdLVsF5Xibe7goVAU8DqoObMT3XAEiEzCThXjom7Ho5FJQ==
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 a59a810b-fd32-4ce4-876a-08d834b9523e
X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jul 2020 18:49:42.9797
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 /8zO34VhkeoWCdEIDz5y3Ln1fFMbhULu9AEMfSVH5PpKi329d4rXEJBLZiidvXmKj3YWy3em2GEQxwiPs7tA+A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4092
Precedence: Bulk
List-Unsubscribe: <https://edk2.groups.io/g/devel/unsub>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,thomas.lendacky@amd.com
X-Gm-Message-State: onVv0MzGiYaEuBYMicN4cZXix1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1596134984;
 bh=R9y3SjOBGcj/QVPl59lzlwHz8og2WdT1ZsyZlOwqUdI=;
 h=CC:Content-Type:Date:From:Reply-To:Subject:To;
 b=ZC6s+qaJoPb8vV4MKEfoMveihT37IVVxGIEAsKiYCMvH7el5h/c8AZfqAHY5FI5MsX2
 ufAYe52zMw0nDz+J4lGPCvlVLSg2CcGUL3U1LOP4z0eW1HhbqYNTC/CNxWcCuw7RYur63
 R2KJDH0D+j+p28lIOpfbsphfwSaNEn8Pqnc=
X-ZohoMail-DKIM: pass (identity @groups.io)
Content-Type: text/plain; charset="utf-8"

From: Tom Lendacky <thomas.lendacky@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2198

Protect the SEV-ES work area memory used by an SEV-ES guest.

Regarding the lifecycle of the SEV-ES memory area:
  PcdSevEsWorkArea

(a) when and how it is initialized after first boot of the VM

  If SEV-ES is enabled, the SEV-ES area is initialized during
  the SEC phase [OvmfPkg/ResetVector/Ia32/PageTables64.asm].

(b) how it is protected from memory allocations during DXE

  If SEV-ES is enabled, then InitializeRamRegions()
  [OvmfPkg/PlatformPei/MemDetect.c] protects the ranges with either
  an AcpiNVS (S3 enabled) or BootServicesData (S3 disabled) memory
  allocation HOB, in PEI.

(c) how it is protected from the OS

  If S3 is enabled, then (b) reserves it from the OS too.

  If S3 is disabled, then the range needs no protection.

(d) how it is accessed on the S3 resume path

  It is rewritten same as in (a), which is fine because (b) reserved it.

(e) how it is accessed on the warm reset path

  It is rewritten same as in (a).

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Julien Grall <julien@xen.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
 OvmfPkg/PlatformPei/PlatformPei.inf |  2 ++
 OvmfPkg/PlatformPei/MemDetect.c     | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat=
formPei.inf
index 4742e1bdf42b..c53be2f4925c 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -118,6 +118,8 @@ [FixedPcd]
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode
   gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
+  gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize
=20
 [FeaturePcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable
diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetec=
t.c
index 6b5fee166b5d..ffbbef891a11 100644
--- a/OvmfPkg/PlatformPei/MemDetect.c
+++ b/OvmfPkg/PlatformPei/MemDetect.c
@@ -940,5 +940,25 @@ InitializeRamRegions (
           );
       }
     }
+
+#ifdef MDE_CPU_X64
+    if (MemEncryptSevEsIsEnabled ()) {
+      //
+      // If SEV-ES is enabled, reserve the SEV-ES work area.
+      //
+      // Since this memory range will be used by the Reset Vector on S3
+      // resume, it must be reserved as ACPI NVS.
+      //
+      // If S3 is unsupported, then various drivers might still write to t=
he
+      // work area. We ought to prevent DXE from serving allocation reques=
ts
+      // such that they would overlap the work area.
+      //
+      BuildMemoryAllocationHob (
+        (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase),
+        (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize),
+        mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData
+        );
+    }
+#endif
   }
 }
--=20
2.27.0


-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#63512): https://edk2.groups.io/g/devel/message/63512
Mute This Topic: https://groups.io/mt/75892807/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-