From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 01/19] OvmfPkg: Reserve the Secrets and Cpuid page for the SEV-SNP guest
Date: Wed, 24 Mar 2021 10:31:57 -0500
Message-Id: <20210324153215.17971-2-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

During the SEV-SNP guest launch sequence, two special pages need to be
inserted: the secrets page and the cpuid page.

The secrets page contains the VM platform communication keys. The guest
BIOS and OS can use this key to communicate with the SEV firmware to get
the attestation report.

The Cpuid page contains the CPUID entries filtered through the AMD-SEV
firmware.

The VMM will locate the secrets and cpuid page addresses through a fixed
GUID and pass them to SEV firmware to populate further. For more
information about the page content, see the SEV-SNP spec.

To simplify the pre-validation range calculation in the next patch, the
CPUID and Secrets pages are moved to the start of the MEMFD_BASE_ADDRESS.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec                          |  8 +++++++
 OvmfPkg/OvmfPkgX64.fdf                       | 24 ++++++++++++--------
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 19 ++++++++++++++++
 OvmfPkg/ResetVector/ResetVector.inf          |  4 ++++
 OvmfPkg/ResetVector/ResetVector.nasmb        |  2 ++
 5 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 4348bb45c6..062926772d 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec
@@ -317,6 +317,14 @@ gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43 =20 + ## The base address of the CPUID page used by SEV-SNP + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase|0|UINT32|0x48 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidSize|0|UINT32|0x49 + + ## The base address of the Secrets page used by SEV-SNP + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x50 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x51 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index d519f85328..ea214600be 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf 
@@ -67,27 +67,33 @@ ErasePolarity =3D 1 BlockSize =3D 0x10000 NumBlocks =3D 0xD0 =20 -0x000000|0x006000 +0x000000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase|gUefiOvmfPkgTokenSpaceGuid.= PcdOvmfSnpCpuidSize + +0x001000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGui= d.PcdOvmfSnpSecretsSize + +0x002000|0x006000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPageTablesSize =20 -0x006000|0x001000 +0x008000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageBase|gUefiOvmfPkgTokenSpac= eGuid.PcdOvmfLockBoxStorageSize =20 -0x007000|0x001000 +0x009000|0x001000 gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress|gUefiOvmfPkgT= okenSpaceGuid.PcdGuidedExtractHandlerTableSize =20 -0x008000|0x001000 +0x00A000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase|gUefiOvmfPkgTokenSp= aceGuid.PcdOvmfSecGhcbPageTableSize =20 -0x009000|0x002000 +0x00B000|0x002000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.P= cdOvmfSecGhcbSize =20 -0x00B000|0x001000 -gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P= cdSevEsWorkAreaSize - -0x00C000|0x001000 +0x00D000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize =20 +0x00F000|0x001000 +gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P= cdSevEsWorkAreaSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 9c0b5853a4..5456f02924 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm 
@@ -47,6 +47,25 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart = + 15) % 16)) DB 0 ; guidedStructureStart: =20 +; +; SEV-SNP boot support +; +; sevSnpBlock: +; For the initial boot of SEV-SNP guest, a Secrets and CPUID page must be +; reserved by the BIOS at a RAM area defined by SEV_SNP_SECRETS_PAGE +; and SEV_SNP_CPUID_PAGE. A VMM will locate this information using the +; SEV-SNP boot block. +; +; GUID (SEV-SNP boot block): bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9 +; +sevSnpBootBlockStart: + DD SEV_SNP_SECRETS_PAGE + DD SEV_SNP_CPUID_PAGE + DW sevSnpBootBlockEnd - sevSnpBootBlockStart + DB 0xC2, 0xC0, 0x39, 0xBD, 0x8e, 0x2F, 0x43, 0x42 + DB 0x83, 0xE8, 0x1B, 0x74, 0xCE, 0xBC, 0xB7, 0xD9 +sevSnpBootBlockEnd: + ; ; SEV Secret block ; diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index dc38f68919..d890bb6b29 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -37,6 +37,10 @@ gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 5fbacaed5f..2c194958f4 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -75,6 +75,8 @@ %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) + %define SEV_SNP_SECRETS_PAGE FixedPcdGet32 (PcdOvmfSnpSecretsBase) + %define SEV_SNP_CPUID_PAGE FixedPcdGet32 (PcdOvmfSnpCpuidBase) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/PageTables64.asm" --=20 2.17.1

View/Reply Online (#73217): https://edk2.groups.io/g/devel/message/73217
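Review bot: in the OvmfPkg.dec hunk the new token numbers run 0x48, 0x49, 0x50, 0x51, which skips 0x4A through 0x4F; if consecutive tokens were intended (the values read as if counted in decimal), the Secrets pair should be 0x4A/0x4B. The `## The base address of the CPUID page used by SEV-SNP` comment also heads both the Base and the Size PCD; `## The base address and size of the CPUID page used by SEV-SNP` (and likewise for the Secrets pair) describes both.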
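Review bot: the reshuffled MEMFD layout in the OvmfPkgX64.fdf hunk leaves 0x00E000 unassigned: PcdOvmfSecGhcbBackupBase now covers 0x00D000|0x001000 and PcdSevEsWorkAreaBase is placed at 0x00F000 rather than the next free page. Either document the gap or move the work area to 0x00E000. Separately, only this .fdf assigns the new PCDs while their .dec defaults are 0 and the boot block in ResetVectorVtf0.asm is emitted unconditionally, so any other OVMF flavour built from the same reset vector would advertise Secrets and CPUID pages at address 0; please confirm that is intended or state which platforms this series targets.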
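Review bot: the comment block in the ResetVectorVtf0.asm hunk introduces the structure as `sevSnpBlock:` but the labels are sevSnpBootBlockStart/sevSnpBootBlockEnd; make the comment use the real label name. The GUID bytes do check out against bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9 (Data1, Data2 and Data3 stored little-endian, the last eight bytes as written); only `0x8e` departs from the uppercase hex used for every other byte in the two DB lines.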
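Review bot: the two new %define lines in the ResetVector.nasmb hunk drop the outer parentheses that every neighbouring define keeps, e.g. `%define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase))`. They are only used as bare DD operands for now, so nothing misassembles, but `%define SEV_SNP_SECRETS_PAGE (FixedPcdGet32 (PcdOvmfSnpSecretsBase))` keeps the macro safe if it is ever used in arithmetic and matches the file's style.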
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 02/19] OvmfPkg: validate the data pages used in the SEC phase
Date: Wed, 24 Mar 2021 10:31:58 -0500
Message-Id: <20210324153215.17971-3-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

An SEV-SNP guest requires that private memory (aka pages mapped as
encrypted) must be validated before being accessed. The validation
process consists of the following sequence:

1) Set the memory encryption attribute in the page table (aka C-bit).
   Note: If the processor is in non-PAE mode, then all the memory accesses
   are considered private.
2) Add the memory range as private in the RMP table. This can be performed
   using the Page State Change VMGEXIT defined in the GHCB specification.
3) Use the PVALIDATE instruction to set the Validated Bit in the RMP table.

During the guest creation time, the VMM encrypts the OVMF_CODE.fd using
the SEV-SNP firmware provided LAUNCH_UPDATE_DATA command. In addition to
encrypting the content, the command also validates the memory region.
This allows us to execute the code without going through the validation
sequence.

During execution, the reset vector needs to access some data pages (such
as page tables, SevESWorkarea, Sec stack). The data pages are accessed as
private memory. The data pages are not part of the OVMF_CODE.fd, so they
were not validated during the guest creation.

There are two approaches we can take to validate the data pages before
the access:

a) Enhance the OVMF reset vector code to validate the pages as described
   above (go through step 2 - 3).

OR

b) Validate the pages during the guest creation time. The SEV firmware
   provides a command which can be used by the VMM to validate the pages
   without affecting the measurement of the launch.

Approach #b seems much simpler; it does not require any changes to the
OVMF reset vector code.

Extend the SnpBootBlock to provide the range that can be pre-validated
using the SEV-SNP firmware command during the guest creation time.

At the end of the guest creation the pre-validated range looks like this:

0x800000 0x801000 (CPUID Page [Validated + Measured])
0x801000 0x802000 (Secrets Page [Validated + Measured])
0x802000 0x820000 (Data Pages for the SEC phase [Validated + unmeasured])

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec                          | 4 ++++
 OvmfPkg/OvmfPkgX64.fdf                       | 9 ++++++++-
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 5 +++++
 OvmfPkg/ResetVector/ResetVector.inf          | 1 +
 OvmfPkg/ResetVector/ResetVector.nasmb        | 2 ++
 5 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 062926772d..6fb70e2c10 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -325,6 +325,10 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x50 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x51 =20 + ## The range of memory pre-validated through the SEV-SNP launch sequence + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedStart|0|UINT32|0x52 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedEnd|0|UINT32|0x53 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index ea214600be..16383453f1 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -105,7 +105,14 @@ FV =3D PEIFV gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.= PcdOvmfDxeMemFvSize FV =3D DXEFV =20 -##########################################################################= ###### +##########################################################################= #### +# +# The range of the pages validated through the SEV-SNP launch sequence. +# +SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedStart =3D $(MEMFD_= BASE_ADDRESS) +SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedEnd =3D gUefiOvmfP= kgTokenSpaceGuid.PcdOvmfPeiMemFvBase + +##########################################################################= ##### =20 [FV.SECFV] FvNameGuid =3D 763BED0D-DE9F-48F5-81F1-3E90E1B1A015 diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 5456f02924..9be887c4fc 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm @@ -56,11 +56,16 @@ guidedStructureStart: ; and SEV_SNP_CPUID_PAGE. A VMM will locate this information using the ; SEV-SNP boot block. ; +; In addition to Secret and CPUID page, the SEV-SNP boot block also cont= ain +; the range of memory that must be pre-validated by the VMM before the e= xecution. +; ; GUID (SEV-SNP boot block): bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9 ; sevSnpBootBlockStart: DD SEV_SNP_SECRETS_PAGE DD SEV_SNP_CPUID_PAGE + DD SEV_SNP_LAUNCH_VALIDATED_START + DD SEV_SNP_LAUNCH_VALIDATED_END DW sevSnpBootBlockEnd - sevSnpBootBlockStart DB 0xC2, 0xC0, 0x39, 0xBD, 0x8e, 0x2F, 0x43, 0x42 DB 0x83, 0xE8, 0x1B, 0x74, 0xCE, 0xBC, 0xB7, 0xD9 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index d890bb6b29..49a527c0b1 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf 
@@ -47,6 +47,7 @@ gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase =20 [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 2c194958f4..6d399c4739 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -77,6 +77,8 @@ %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) %define SEV_SNP_SECRETS_PAGE FixedPcdGet32 (PcdOvmfSnpSecretsBase) %define SEV_SNP_CPUID_PAGE FixedPcdGet32 (PcdOvmfSnpCpuidBase) + %define SEV_SNP_LAUNCH_VALIDATED_START FixedPcdGet32 (PcdOvmfSecPageTabl= esBase) + %define SEV_SNP_LAUNCH_VALIDATED_END FixedPcdGet32 (PcdOvmfPeiMemFvBase) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/PageTables64.asm" --=20 2.17.1

View/Reply Online (#73218): https://edk2.groups.io/g/devel/message/73218
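Review bot: the new PcdOvmfSnpLaunchValidatedStart/End pair in the OvmfPkg.dec hunk uses a start/end convention while every neighbouring SEV PCD is a Base/Size pair, and the `##` comment does not say whether End is inclusive; since the .fdf sets End to PcdOvmfPeiMemFvBase, the first byte outside the range, state that End is exclusive in the comment or switch to Base/Size for consistency.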
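Review bot: the `SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedStart = $(MEMFD_BASE_ADDRESS)` line in the OvmfPkgX64.fdf hunk starts the pre-validated range at the CPUID page, but the commit message's table starts it at 0x802000, after the CPUID and Secrets pages, and ResetVector.nasmb starts it at PcdOvmfSecPageTablesBase; the three need to agree, and PcdOvmfSecPageTablesBase is the one that matches the table. The `#` separator lines are also replaced by two lines of different length, neither matching the line that was removed; keep the original width.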
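Review bot: the added comment in the ResetVectorVtf0.asm hunk should read "In addition to the Secrets and CPUID pages, the SEV-SNP boot block also contains the range of memory that must be pre-validated by the VMM before execution". Since the two new DD fields go in ahead of the DW length under an unchanged GUID, a VMM can only tell the 26-byte and 34-byte layouts apart by that length field; say so in the comment so that consumers do not hardcode offsets.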
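Review bot: in the ResetVector.nasmb hunk SEV_SNP_LAUNCH_VALIDATED_START is taken from PcdOvmfSecPageTablesBase and _END from PcdOvmfPeiMemFvBase, bypassing the PcdOvmfSnpLaunchValidatedStart/End PCDs this patch declares and SETs in the .fdf (which is also why ResetVector.inf only lists PcdOvmfPeiMemFvBase). Use `FixedPcdGet32 (PcdOvmfSnpLaunchValidatedStart)` and `FixedPcdGet32 (PcdOvmfSnpLaunchValidatedEnd)` here and add both to the .inf, so the range is defined in one place; and as with the defines above them, wrap each in outer parentheses.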
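Both commit messages above describe the SEV-SNP boot block that the VMM locates through a fixed GUID, and the two asm hunks give it two layouts under the same GUID (two DD fields in patch 01, four in patch 02). The C below is an added example, not code from the patch series or from OVMF: it parses such a block by its DW length, shows why the asm's DB bytes for bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9 start with 0xC2, and rejects an inverted pre-validated range. All function and struct names are assumptions of the example; the sample addresses are the ones given in the patch 02 description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The SEV-SNP boot block GUID from ResetVectorVtf0.asm, as text and as the
 * DB bytes the asm hunk emits for it. */
static const char SEV_SNP_BOOT_BLOCK_GUID[] = "bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9";
static const uint8_t kBootBlockGuidBytes[16] = {
    0xC2, 0xC0, 0x39, 0xBD, 0x8e, 0x2F, 0x43, 0x42,
    0x83, 0xE8, 0x1B, 0x74, 0xCE, 0xBC, 0xB7, 0xD9
};

/* Each GUIDed block ends with a DW length covering the whole block, then the 16-byte GUID. */
#define TRAILER_LEN 18

/* Patch 01 emits two DD fields (26-byte block); patch 02 appends the pre-validated
 * range (34 bytes) under the same GUID, so a consumer has to go by the length field. */
struct snp_boot_block {
    uint32_t secrets_page, cpuid_page;
    int has_range;                       /* 1 when the patch 02 fields were present */
    uint32_t validated_start, validated_end;
};

/* Hex digit value, -1 for anything else; "c | 0x20" folds upper case to lower. */
static const char HEX[] = "0123456789abcdef";
static int hexval(char c) { const char *d = strchr(HEX, c | 0x20); return d ? (int)(d - HEX) : -1; }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Convert "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" to the EFI_GUID in-memory layout
 * (Data1/Data2/Data3 little-endian, last eight bytes as written). That layout is
 * why the asm DB line starts 0xC2, 0xC0, 0x39, 0xBD and not 0xBD, 0x39, ... */
int guid_to_bytes(const char *text, uint8_t out[16])
{
    uint8_t be[16];
    size_t n = 0;
    for (const char *p = text; *p != '\0'; ) {
        if (*p == '-') { p++; continue; }
        int hi = hexval(p[0]), lo = hexval(p[1]);
        if (hi < 0 || lo < 0 || n >= sizeof be) return -1;
        be[n++] = (uint8_t)((hi << 4) | lo);
        p += 2;
    }
    if (n != sizeof be) return -1;
    out[0] = be[3]; out[1] = be[2]; out[2] = be[1]; out[3] = be[0];
    out[4] = be[5]; out[5] = be[4];
    out[6] = be[7]; out[7] = be[6];
    memcpy(out + 8, be + 8, 8);
    return 0;
}

/* 1 if the DB bytes in the patch encode SEV_SNP_BOOT_BLOCK_GUID, else 0. */
int boot_block_guid_bytes_match(void)
{
    uint8_t g[16];
    if (guid_to_bytes(SEV_SNP_BOOT_BLOCK_GUID, g) != 0) return 0;
    return memcmp(g, kBootBlockGuidBytes, sizeof g) == 0;
}

/* Lay a block out the way the asm does (constructed test data, not firmware
 * output): range == NULL gives the patch 01 layout, otherwise range[0..1] are
 * appended as in patch 02. Returns the total block length written to buf. */
size_t build_snp_boot_block(uint8_t *buf, uint32_t secrets, uint32_t cpuid, const uint32_t *range)
{
    size_t n = 8;
    wr32(buf, secrets);
    wr32(buf + 4, cpuid);
    if (range != NULL) { wr32(buf + 8, range[0]); wr32(buf + 12, range[1]); n = 16; }
    size_t total = n + TRAILER_LEN;
    buf[n] = (uint8_t)total;             /* DW sevSnpBootBlockEnd - sevSnpBootBlockStart */
    buf[n + 1] = (uint8_t)(total >> 8);
    memcpy(buf + n + 2, kBootBlockGuidBytes, 16);
    return total;
}

/* Parse [DD fields][DW length][GUID] as a VMM would after locating the GUID.
 * Returns 0 on success, -1 if the GUID does not match, the DW length disagrees
 * with blk_len, the payload is not whole DD fields, or the range is inverted. */
int parse_snp_boot_block(const uint8_t *blk, size_t blk_len, struct snp_boot_block *out)
{
    uint8_t guid[16];
    if (guid_to_bytes(SEV_SNP_BOOT_BLOCK_GUID, guid) != 0) return -1;
    if (blk_len < TRAILER_LEN + 8) return -1;             /* two DD fields are mandatory */
    if (memcmp(blk + blk_len - 16, guid, 16) != 0) return -1;
    if ((size_t)(blk[blk_len - 18] | blk[blk_len - 17] << 8) != blk_len) return -1;
    size_t payload = blk_len - TRAILER_LEN;
    if (payload % 4 != 0) return -1;
    memset(out, 0, sizeof *out);
    out->secrets_page = rd32(blk);
    out->cpuid_page   = rd32(blk + 4);
    if (payload >= 16) {                                  /* patch 02 layout */
        out->has_range       = 1;
        out->validated_start = rd32(blk + 8);
        out->validated_end   = rd32(blk + 12);
        if (out->validated_end < out->validated_start) return -1;
    }
    return 0;
}
```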
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 03/19] MdePkg: Expand the SEV MSR to include the SNP definition
Date: Wed, 24 Mar 2021 10:31:59 -0500
Message-Id: <20210324153215.17971-4-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 Define the SEV-SNP MSR bits. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh --- MdePkg/Include/Register/Amd/Fam17Msr.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Regist= er/Amd/Fam17Msr.h index e4db09c518..4d33bef220 100644 --- a/MdePkg/Include/Register/Amd/Fam17Msr.h +++ b/MdePkg/Include/Register/Amd/Fam17Msr.h
@@ -87,7 +87,12 @@ typedef union { /// UINT32 SevEsBit:1; =20 - UINT32 Reserved:30; + /// + /// [Bit 2] Secure Nested Paging (SevSnp) is enabled + /// + UINT32 SevSnpBit:1; + + UINT32 Reserved:29; } Bits; /// /// All bit fields as a 32-bit value --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73219): https://edk2.groups.io/g/devel/message/73219 Mute This Topic: https://groups.io/mt/81584579/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 06:14:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+73220+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+73220+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=amd.com Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1616611748895305.8435622881807; Wed, 24 Mar 2021 11:49:08 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id cLu5YY1788612xAFpf3acs4s; Wed, 24 Mar 2021 11:49:08 -0700 X-Received: from NAM11-CO1-obe.outbound.protection.outlook.com (NAM11-CO1-obe.outbound.protection.outlook.com []) by mx.groups.io with SMTP id smtpd.web12.25.1616599950939575559 for ; Wed, 24 Mar 2021 08:32:33 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh , James Bottomley , Min Xu , Jiewen Yao , Tom Lendacky , Jordan Justen , Ard Biesheuvel , Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 04/19] OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
Date: Wed, 24 Mar 2021 10:32:00 -0500
Message-Id: <20210324153215.17971-5-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 Create a function can be used to determine if VM is running as an SEV-SNP guest. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 ++= +++++++ OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c | 27 ++= ++++++++++++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 27 ++= ++++++++++++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c | 19 ++= ++++++++++++ 4 files changed, 85 insertions(+) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 99f15a7d12..03d9eda392 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -66,6 +66,18 @@ typedef enum { MemEncryptSevAddressRangeError, } MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE; =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ); + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 2816f859a0..0571297238 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ =20 STATIC BOOLEAN mSevStatus =3D FALSE; STATIC BOOLEAN mSevEsStatus =3D FALSE; +STATIC BOOLEAN mSevSnpStatus =3D FALSE; STATIC BOOLEAN mSevStatusChecked =3D FALSE; =20 STATIC UINT64 mSevEncryptionMask =3D 0; 
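Review bot: in the MemEncryptSevLib.h hunk the new doc comment reads "Returns a boolean to indicate whether SEV-SNP is enabled" with no trailing period, while the neighbouring SEV-ES comment ("Returns a boolean to indicate whether SEV-ES is enabled.") and the two copies of the same comment in the DXE and PEI .c files do end with one; make the header copy identical to the other two.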
@@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus =3D TRUE; } + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + mSevSnpStatus =3D TRUE; + } } =20 mSevStatusChecked =3D TRUE; } =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { + InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index e2fd109d12..b561f211f5 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ =20 STATIC BOOLEAN mSevStatus =3D FALSE; STATIC BOOLEAN mSevEsStatus =3D FALSE; +STATIC BOOLEAN mSevSnpStatus =3D FALSE; STATIC BOOLEAN mSevStatusChecked =3D FALSE; =20 STATIC UINT64 mSevEncryptionMask =3D 0; @@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus =3D TRUE; } + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + mSevSnpStatus =3D TRUE; + } } =20 mSevStatusChecked =3D TRUE; } =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { + InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 
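Review bot: the SevSnpBit check in InternalMemEncryptSevStatus () and the new MemEncryptSevSnpIsEnabled () are byte-for-byte identical in DxeMemEncryptSevLibInternal.c and PeiMemEncryptSevLibInternal.c (both @@ -82,11 +83,37 @@ hunks). That follows the existing SevEs pattern, so it is acceptable for an RFC, but the MSR decode now lives in three copies; if a later revision touches this function again, consider hoisting the decode into a shared internal file. Also, the new comment spells the feature "Sev-Snp Enabled" while the doc comments a few lines below say "SEV-SNP"; use one spelling.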
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 56d8f3f318..69852779e2 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c 
@@ -62,6 +62,25 @@ InternalMemEncryptSevStatus ( return ReadSevMsr ? AsmReadMsr32 (MSR_SEV_STATUS) : 0; } =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73220): https://edk2.groups.io/g/devel/message/73220 Mute This Topic: https://groups.io/mt/81584580/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 06:14:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+73221+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+73221+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=amd.com Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1616611749255559.3825493081513; Wed, 24 Mar 2021 11:49:09 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id falLYY1788612xs9906JZeGo; Wed, 24 Mar 2021 11:49:08 -0700 X-Received: from NAM11-CO1-obe.outbound.protection.outlook.com (NAM11-CO1-obe.outbound.protection.outlook.com []) by mx.groups.io with SMTP id smtpd.web12.25.1616599950939575559 for ; Wed, 24 Mar 2021 08:32:33 
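Review bot: the SEC variant of MemEncryptSevSnpIsEnabled () re-reads the MSR through InternalMemEncryptSevStatus () on every call and returns `Msr.Bits.SevSnpBit ? TRUE : FALSE`, whereas the PEI and DXE variants cache the result in mSevSnpStatus behind mSevStatusChecked. The behaviour is fine (InternalMemEncryptSevStatus () returns 0 when ReadSevMsr is FALSE, so the function is FALSE on non-SEV hardware), but the SEC doc comment should say the status is read afresh each call so callers do not assume the cached semantics of the other two phases.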
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh , James Bottomley , Min Xu , Jiewen Yao , Tom Lendacky , Jordan Justen , Ard Biesheuvel , Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 05/19] MdePkg: Define the GHCB GPA structure
Date: Wed, 24 Mar 2021 10:32:01 -0500
Message-Id: <20210324153215.17971-6-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
Reply-To: devel@edk2.groups.io,brijesh.singh@amd.com X-Gm-Message-State: esYsC7UoYtZFT0quA5vruB8Ax1787277AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1616611748; bh=6tPO4MieOz0sQm+ZLd8KiTGDblBT/P/P8pz8xVpn9Z0=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=m/fMPo3zn0JzrCje1MoI5Nv3YPqnG0pJClL4PVZNVPFSTGgYJ11OLla+BlgVBgQofCc ar9g7jTdywMFjJT5RprVPyYdAKazF3EESXszh6d2qj8imHPtECyAD6B6ZgXghxsUWUSnO YYRVyuDK7beXdsTeR412O4MIniG1Zi3cwXs= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 An SEV-SNP guest is required to perform the GHCB GPA registration. See the GHCB specification for further details. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh --- MdePkg/Include/Register/Amd/Fam17Msr.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Regist= er/Amd/Fam17Msr.h index 4d33bef220..c074e871a7 100644 --- a/MdePkg/Include/Register/Amd/Fam17Msr.h +++ b/MdePkg/Include/Register/Amd/Fam17Msr.h @@ -48,6 +48,11 @@ typedef union { UINT32 Reserved2:32; } GhcbTerminate; =20 + struct { + UINT64 Function:12; + UINT64 GuestFrameNumber:52; + } GhcbGpaRegister; + VOID *Ghcb; =20 UINT64 GhcbPhysicalAddress; 
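Review bot: the new GhcbGpaRegister member in the @@ -48,6 +48,11 @@ hunk has no doc comment, so a reader has to go to the GHCB specification (which the commit message only points at) to learn that Function is the 12-bit GHCBInfo code (GHCB_INFO_GHCB_GPA_REGISTER_REQUEST / _RESPONSE) and GuestFrameNumber is the GHCB's physical address shifted right by 12; a two-line `///` comment on the struct stating that mapping would make the field split self-explanatory.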
@@ -58,6 +63,8 @@ typedef union { #define GHCB_INFO_CPUID_REQUEST 4 #define GHCB_INFO_CPUID_RESPONSE 5 #define GHCB_INFO_TERMINATE_REQUEST 256 +#define GHCB_INFO_GHCB_GPA_REGISTER_REQUEST 18 +#define GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE 19 =20 #define GHCB_TERMINATE_GHCB 0 #define GHCB_TERMINATE_GHCB_GENERAL 0 --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73221): https://edk2.groups.io/g/devel/message/73221 Mute This Topic: https://groups.io/mt/81584581/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 06:14:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+73222+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+73222+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=amd.com Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1616611750207187.56953341609255; Wed, 24 Mar 2021 11:49:10 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 2wKFYY1788612xgehO6yVUAz; Wed, 24 Mar 2021 11:49:09 -0700 X-Received: from NAM11-CO1-obe.outbound.protection.outlook.com (NAM11-CO1-obe.outbound.protection.outlook.com []) by mx.groups.io with SMTP id smtpd.web12.25.1616599950939575559 for ; Wed, 24 Mar 2021 08:32:34 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
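Review bot: GHCB_INFO_GHCB_GPA_REGISTER_REQUEST (18) and GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE (19) are inserted after GHCB_INFO_TERMINATE_REQUEST (256), which breaks the ascending order of the existing list (4, 5, 256); move the two new defines above GHCB_INFO_TERMINATE_REQUEST so the codes stay sorted by value.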
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh , James Bottomley , Min Xu , Jiewen Yao , Tom Lendacky , Jordan Justen , Ard Biesheuvel , Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 06/19] UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled
Date: Wed, 24 Mar 2021 10:32:02 -0500
Message-Id: <20210324153215.17971-7-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

An SEV-SNP guest requires that the physical address of the GHCB must be registered with the hypervisor before using it. See the GHCB specification for the further detail.

Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh
--- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 + UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 2 + UefiCpuPkg/Library/MpInitLib/MpLib.h | 2 + UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 1 + UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 51 ++++++++++++++++++++ UefiCpuPkg/UefiCpuPkg.dec | 6 +++ 7 files changed, 64 insertions(+) diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Lib= rary/MpInitLib/DxeMpInitLib.inf index 860a9750e2..9a366ca5b1 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -75,3 +75,4 @@ gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## = SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## = CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## = CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdSevSnpIsEnabled ## = CONSUMES
diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/Mp= InitLib/MpEqu.inc index 2e9368a374..01668638f2 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -92,6 +92,7 @@ struc MP_CPU_EXCHANGE_INFO .ModeHighSegment: CTYPE_UINT16 1 .Enable5LevelPaging: CTYPE_BOOLEAN 1 .SevEsIsEnabled: CTYPE_BOOLEAN 1 + .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 endstruc =20 diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpIn= itLib/MpLib.c index 5040053dad..da6fbbc1cc 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -1040,6 +1040,7 @@ FillExchangeInfoData ( DEBUG ((DEBUG_INFO, "%a: 5-Level Paging =3D %d\n", gEfiCallerBaseName, E= xchangeInfo->Enable5LevelPaging)); =20 ExchangeInfo->SevEsIsEnabled =3D CpuMpData->SevEsIsEnabled; + ExchangeInfo->SevSnpIsEnabled =3D CpuMpData->SevSnpIsEnabled; ExchangeInfo->GhcbBase =3D (UINTN) CpuMpData->GhcbBase; =20 // @@ -2016,6 +2017,7 @@ MpInitLibInitialize ( CpuMpData->CpuInfoInHob =3D (UINT64) (UINTN) (CpuMpData->CpuData + M= axLogicalProcessorNumber); InitializeSpinLock(&CpuMpData->MpLock); CpuMpData->SevEsIsEnabled =3D PcdGetBool (PcdSevEsIsEnabled); + CpuMpData->SevSnpIsEnabled =3D PcdGetBool (PcdSevSnpIsEnabled); CpuMpData->SevEsAPBuffer =3D (UINTN) -1; CpuMpData->GhcbBase =3D PcdGet64 (PcdGhcbBase); =20 diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpIn= itLib/MpLib.h index 0bd60388b1..7d3ce61d63 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -216,6 +216,7 @@ typedef struct { // BOOLEAN Enable5LevelPaging; BOOLEAN SevEsIsEnabled; + BOOLEAN SevSnpIsEnabled; UINTN GhcbBase; } MP_CPU_EXCHANGE_INFO; =20 @@ -285,6 +286,7 @@ struct _CPU_MP_DATA { BOOLEAN WakeUpByInitSipiSipi; =20 BOOLEAN SevEsIsEnabled; + BOOLEAN SevSnpIsEnabled; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA *NewCpuMpData; 
diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Lib= rary/MpInitLib/PeiMpInitLib.inf index 49b0ffe8be..4477dd1b9f 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -64,6 +64,7 @@ gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOME= TIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONS= UMES + gUefiCpuPkgTokenSpaceGuid.PcdSevSnpIsEnabled ## CONS= UMES =20 [Ppis] gEdkiiPeiShadowMicrocodePpiGuid ## SOMETIMES_CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm b/UefiCpuPkg/Lib= rary/MpInitLib/X64/MpFuncs.nasm index 50df802d1f..19939c093d 100644 --- a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm +++ b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm 
@@ -194,9 +194,60 @@ LongModeStart: mov rdx, rax shr rdx, 32 mov rcx, 0xc0010130 + + ; + ; Register GHCB GPA when SEV-SNP is enabled + ; + lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)] + cmp byte [edi], 1 ; SevSnpIsEnabled + jne SetGhcbAddress + + ; Save the rdi and rsi to used for later comparison + push rdi + push rsi + mov edi, eax + mov esi, edx + or eax, 18 ; Ghcb registration request + wrmsr + rep vmmcall + rdmsr + mov r12, rax + and r12, 0fffh + cmp r12, 19 ; Ghcb registration response + jne GhcbGpaRegisterFailure + + ; Verify that GPA is not changed + and eax, 0fffff000h + cmp edi, eax + jne GhcbGpaRegisterFailure + cmp esi, edx + jne GhcbGpaRegisterFailure + pop rsi + pop rdi + + ; + ; Program GHCB + ; +SetGhcbAddress: wrmsr jmp CProcedureInvoke =20 + ; + ; Request the guest termination + ; +GhcbGpaRegisterFailure: + xor edx, edx + mov eax, 256 ; GHCB terminate + wrmsr + rep vmmcall + + ; We should not return from the above terminate request, but if we do + ; then enter into the hlt loop. +DoHltLoop: + cli + hlt + jmp DoHltLoop + GetApicId: lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevEsIsEnabled)] cmp byte [edi], 1 ; SevEsIsEnabled diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index a639ce5412..51bd7a6fe2 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec 
@@ -393,5 +393,11 @@ # @Prompt SEV-ES Status gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|FALSE|BOOLEAN|0x60000016 =20 + ## This dynamic PCD indicates whether SEV-SNP is enabled + # TRUE - SEV-SNP is enabled + # FALSE - SEV-SNP is not enabled + # @Prompt SEV-SNP Status + gUefiCpuPkgTokenSpaceGuid.PcdSevSnpIsEnabled|FALSE|BOOLEAN|0x60000017 + [UserExtensions.TianoCore."ExtraFiles"] UefiCpuPkgExtra.uni --=20 2.17.1
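Review bot: in the MpEqu.inc hunk the new member `.SevSnpIsEnabled CTYPE_BOOLEAN 1` is missing the trailing colon that every other member of MP_CPU_EXCHANGE_INFO carries (`.SevEsIsEnabled: CTYPE_BOOLEAN 1`, `.GhcbBase: CTYPE_UINTN 1`); write it as `.SevSnpIsEnabled: CTYPE_BOOLEAN 1` so the struc stays uniform and the `MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)` offset consumed by MpFuncs.nasm lines up with the BOOLEAN added at the same position in MpLib.h.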
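Review bot: the MpLib.c FillExchangeInfoData hunk copies SevSnpIsEnabled into the exchange area but, unlike the `DEBUG ((DEBUG_INFO, "%a: 5-Level Paging = %d\n", ...))` line just above it, never logs the value; since the assembly failure path in this same patch terminates the guest without any diagnostic, a matching `DEBUG` line for SevSnpIsEnabled (and GhcbBase) is the only place an AP bring-up failure under SEV-SNP can be triaged from the serial log.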
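Review bot: in the MpFuncs.nasm hunk the termination request at GhcbGpaRegisterFailure (`xor edx, edx` / `mov eax, 256` / `wrmsr`) carries no reason-code set or reason code, whereas the C implementation of the same failure in patch 07 (SevEsProtocolFailure) sets GHCB_TERMINATE_GHCB and GHCB_TERMINATE_GHCB_GENERAL; use the same reason code here so the hypervisor log can distinguish a failed AP GHCB registration from other terminations. The literals 18, 19 and 256 should also be equates (e.g. in MpEqu.inc) that mirror GHCB_INFO_GHCB_GPA_REGISTER_REQUEST, GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE and GHCB_INFO_TERMINATE_REQUEST rather than bare numbers. Two smaller points: `push rdi` comes after the `lea edi, [esi + ...]` has already overwritten edi, so it only preserves a scratch value (rsi, the exchange-info pointer, is what actually has to survive the VMGEXIT), and r12 is clobbered without being saved or mentioned; and the fall-through into SetGhcbAddress relies on `and eax, 0fffff000h` having cleared the GHCBInfo field so the final `wrmsr` programs the GPA with info 0, which deserves a one-line comment. The comment "Save the rdi and rsi to used for later comparison" should read "to be used".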
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 07/19] OvmfPkg: Add a library to support registering GHCB GPA
Date: Wed, 24 Mar 2021 10:32:03 -0500
Message-Id: <20210324153215.17971-8-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

An SEV-SNP guest is required to perform GHCB GPA registration before using a GHCB. See the GHCB spec section 2.5.2 for more details. Add a library that can be called to perform the GHCB GPA registration.

Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh
--- OvmfPkg/Include/Library/GhcbRegisterLib.h | 27 ++++++ OvmfPkg/Library/GhcbRegisterLib/GhcbRegisterLib.c | 97 +++++++++++++++++= +++ OvmfPkg/Library/GhcbRegisterLib/GhcbRegisterLib.inf | 33 +++++++ OvmfPkg/OvmfPkgX64.dsc | 1 + 4 files changed, 158 insertions(+) diff --git a/OvmfPkg/Include/Library/GhcbRegisterLib.h b/OvmfPkg/Include/Li= brary/GhcbRegisterLib.h new file mode 100644 index 0000000000..7d98b6eb36 --- /dev/null +++ b/OvmfPkg/Include/Library/GhcbRegisterLib.h @@ -0,0 +1,27 @@ +/** @file + + Declarations of utility functions used for GHCB GPA registration. + + Copyright (C) 2021, AMD Inc, All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _GHCB_REGISTER_LIB_H_ +#define _GHCB_REGISTER_LIB_H_ + +/** + + This function can be used to register the GHCB GPA. + + @param[in] Address The physical address to registered. + +**/ +VOID +EFIAPI +GhcbRegister ( + IN EFI_PHYSICAL_ADDRESS Address + ); + +#endif // _GHCB_REGISTER_LIB_H_ diff --git a/OvmfPkg/Library/GhcbRegisterLib/GhcbRegisterLib.c b/OvmfPkg/Li= brary/GhcbRegisterLib/GhcbRegisterLib.c new file mode 100644 index 0000000000..7fe0aad75a --- /dev/null +++ b/OvmfPkg/Library/GhcbRegisterLib/GhcbRegisterLib.c @@ -0,0 +1,97 @@ +/** @file + GHCBRegister Support Library. + + Copyright (C) 2021, Advanced Micro Devices, Inc. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +/** + Handle an SEV-SNP/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-SNP gue= st + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +STATIC +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode =3D ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + + This function can be used to register the GHCB GPA. + + @param[in] Address The physical address to be registered. + +**/ +VOID +EFIAPI +GhcbRegister ( + IN EFI_PHYSICAL_ADDRESS Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber =3D Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber =3D GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. 
+ // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber !=3D GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} diff --git a/OvmfPkg/Library/GhcbRegisterLib/GhcbRegisterLib.inf b/OvmfPkg/= Library/GhcbRegisterLib/GhcbRegisterLib.inf new file mode 100644 index 0000000000..8cc39ef715 --- /dev/null +++ b/OvmfPkg/Library/GhcbRegisterLib/GhcbRegisterLib.inf @@ -0,0 +1,33 @@ +## @file +# GHCBRegisterLib Support Library. +# +# Copyright (C) 2021, Advanced Micro Devices, Inc. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D GhcbRegisterLib + FILE_GUID =3D 0e913c15-12cd-430b-8714-ffe85672a77b + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D GhcbRegisterLib + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D X64 +# + +[Sources.common] + GhcbRegisterLib.c + +[Packages] + MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec + UefiCpuPkg/UefiCpuPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index d4d601b444..aa81bf9c66 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc 
@@ -242,6 +242,7 @@ [LibraryClasses.common] BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf VmgExitLib|OvmfPkg/Library/VmgExitLib/VmgExitLib.inf + GhcbRegisterLib|OvmfPkg/Library/GhcbRegisterLib/GhcbRegisterLib.inf =20 [LibraryClasses.common.SEC] TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf --=20 2.17.1
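Review bot: in the GhcbRegisterLib.h hunk the parameter description "The physical address to registered." should read "to be registered" (the .c file already has the corrected wording, so the two comments currently disagree), and the include guard `_GHCB_REGISTER_LIB_H_` uses a leading underscore, which edk2's coding guidelines reserve; `GHCB_REGISTER_LIB_H_` is the form the tree is moving to.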
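Review bot: in the GhcbRegisterLib.c hunk GhcbRegister silently discards any page offset in `Address` through `GuestFrameNumber = Address >> EFI_PAGE_SHIFT`, so a caller that passes a misaligned GHCB would register a different page from the one it later writes to; add `ASSERT ((Address & EFI_PAGE_MASK) == 0);` at the top of the function to catch that at the boundary. The response check (Function and GuestFrameNumber both compared, failure routed to SevEsProtocolFailure) is the right shape. Please also state in the function comment that the previous MSR_SEV_ES_GHCB value is restored on return and the caller must still program the GHCB GPA itself (AmdSev.c in patch 08 does so with the AsmWriteMsr64 that follows the call); and note that SevEsProtocolFailure here is a second copy of the function of the same name already in OvmfPkg/Sec/SecMain.c (visible as context in patch 08), which is worth a comment so the two stay in sync.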
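Review bot: the GhcbRegisterLib.inf hunk lists `BaseLib` and `BaseMemoryLib` under [LibraryClasses], but the .c file uses `ASSERT`, which comes from DebugLib, and nothing from BaseMemoryLib (`AsmReadMsr64`, `AsmWriteMsr64`, `AsmVmgExit` and `CpuDeadLoop` are all BaseLib); add `DebugLib` and drop `BaseMemoryLib` so the dependency list matches the sources.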
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 08/19] OvmfPkg: register GHCB gpa for the SEV-SNP guest
Date: Wed, 24 Mar 2021 10:32:04 -0500
Message-Id: <20210324153215.17971-9-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The SEV-SNP guest requires that GHCB GPA must be registered before using. The GHCB GPA can be registered using the GhcbGPARegister().

Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh
--- OvmfPkg/PlatformPei/AmdSev.c | 11 +++ OvmfPkg/PlatformPei/PlatformPei.inf | 2 + OvmfPkg/Sec/SecMain.c | 76 ++++++++++++++++++++ 3 files changed, 89 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index dddffdebda..95c5ad235f 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -110,6 +111,16 @@ AmdSevEsInitialize ( "SEV-ES is enabled, %lu GHCB backup pages allocated starting at 0x%p\n= ", (UINT64)GhcbBackupPageCount, GhcbBackupBase)); =20 + if (MemEncryptSevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before usin= g it. + // + GhcbRegister (GhcbBasePa); + + PcdStatus =3D PcdSetBoolS (PcdSevSnpIsEnabled, TRUE); + ASSERT_RETURN_ERROR (PcdStatus); + } + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); =20 // diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 6ef77ba7bb..cb6f5ac091 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -52,6 +52,7 @@ BaseLib CacheMaintenanceLib DebugLib + GhcbRegisterLib HobLib IoLib PciLib @@ -110,6 +111,7 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled + gUefiCpuPkgTokenSpaceGuid.PcdSevSnpIsEnabled =20 [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2..df6722b546 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c 
@@ -750,6 +750,76 @@ SevEsProtocolFailure ( CpuDeadLoop (); } =20 +/** + Determine if SEV-SNP is active. There is a MemEncryptIsSnpEnabled() in M= emEncryptSevLib + but we can not use it because the SEV-SNP check need to be done before t= he + ProcessLibraryConstructorList() is called. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; +} + +/** + The GHCB GPA registeration need to be done before the ProcessLibraryConst= ructorList() + is called. So use a local implementation instead of including the GhcbReg= isterLib. + + */ +STATIC +VOID +SevSnpGhcbRegister ( + UINTN Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber =3D Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber =3D GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber !=3D GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** Validate the SEV-ES/GHCB protocol level. =20 
@@ -791,6 +861,12 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } =20 + if (SevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before usin= g it. + // + SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } // // SEV-ES protocol checking succeeded, set the initial GHCB address // --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73224): https://edk2.groups.io/g/devel/message/73224 Mute This Topic: https://groups.io/mt/81584584/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 06:14:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+73225+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+73225+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=amd.com Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1616611751299956.8916084351249; Wed, 24 Mar 2021 11:49:11 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id sWuPYY1788612x6U9uFPioqA; Wed, 24 Mar 2021 11:49:10 -0700 X-Received: from NAM04-DM6-obe.outbound.protection.outlook.com (NAM04-DM6-obe.outbound.protection.outlook.com []) by mx.groups.io with SMTP id smtpd.web09.26.1616599956611292901 for ; Wed, 24 Mar 2021 08:32:37 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
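Review bot: the PlatformPei.inf hunks add the GhcbRegisterLib library class and the PcdSevSnpIsEnabled PCD, but no PlatformPei source change that consumes either one is in this message; if the consumer lives in another patch of the series, the .inf change should travel with that patch so every commit builds and links on its own.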
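Review bot: in the SecMain.c hunk the SevSnpGhcbRegister() doc block closes with `+ */` while SevSnpIsEnabled() just above it closes with `+**/`; edk2 doc comments use `**/`, and `registeration` should read `registration`. The frame-number check is the part that matters: when the hypervisor answers with `GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE` but a different `GuestFrameNumber`, the guest terminates through SevEsProtocolFailure() instead of adopting the address, which is the right refusal to use a GHCB the guest never registered. The comment should say that SevEsProtocolFailure() does not return (CpuDeadLoop() is visible in the context at the top of the hunk), so the `Restore the MSR` write is reached only on success, and should state the precondition that the GHCB MSR protocol is already usable when this runs, since the function deliberately bypasses GhcbRegisterLib and its constructor.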
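Review bot: the new `if (SevSnpIsEnabled ())` block in the SevEsProtocolCheck() hunk runs straight into the existing `// SEV-ES protocol checking succeeded` comment with no blank line between the closing brace and the comment; add one. The placement itself is right, because registration has to precede the first GHCB use and the initial GHCB address is only set after this point, but `SEV-SNP guest requires that GHCB GPA must be registered before using it` would be more precise as `the GHCB page at PcdOvmfSecGhcbBase must be registered with the hypervisor before it is used for any VMGEXIT`.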
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 09/19] MdePkg: Add AsmPvalidate() support
Date: Wed, 24 Mar 2021 10:32:05 -0500
Message-Id: <20210324153215.17971-10-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The PVALIDATE instruction validates or rescinds validation of a guest page
RMP entry. Upon completion, a return code is stored in EAX, and rFLAGS bits
OF, ZF, AF, PF and SF are set based on this return code. If the instruction
completed successfully, the rFLAGS bit CF indicates if the contents of the
RMP entry were changed or not. For more information about the instruction
see AMD APM volume 3.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 MdePkg/Include/Library/BaseLib.h          | 37 +++++++++++++++++
 MdePkg/Library/BaseLib/BaseLib.inf        |  1 +
 MdePkg/Library/BaseLib/X64/Pvalidate.nasm | 43 ++++++++++++++++++++
 3 files changed, 81 insertions(+)

diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/BaseLib.h
index 1171a0ffb5..fee27e9a1b 100644
--- a/MdePkg/Include/Library/BaseLib.h
+++ b/MdePkg/Include/Library/BaseLib.h
@@ -7495,5 +7495,42 @@ PatchInstructionX86 ( IN UINTN ValueSize ); =20 +/** + Execute a PVALIDATE instruction to validate or rescnids validation of a g= uest + page's RMP entry. + + Upon completion, in addition to the return value the instruction also upd= ates + the eFlags. A caller must check both the return code as well as eFlags to + determine if the RMP entry has been updated. + + The function is available on x64. + + @param[in] Address The guest virtual address to validate. + @param[in] PageSize The page size to use. + @param[i] Validate Validate or rescinds. + @param[out] Eflags The value of Eflags after PVALIDATE completi= on. + + @retval PvalidateRetValue The return value from the PVALIDATE inst= ruction. +**/ +typedef enum { + PVALIDATE_PAGE_SIZE_4K =3D 0, + PVALIDATE_PAGE_SIZE_2M, +} PvalidatePageSize; + +typedef enum { + PVALIDATE_RET_SUCCESS =3D 0, + PVALIDATE_RET_FAIL_INPUT =3D 1, + PVALIDATE_RET_FAIL_SIZEMISMATCH =3D 6, +} PvalidateRetValue; + +PvalidateRetValue +EFIAPI +AsmPvalidate ( + IN PvalidatePageSize PageSize, + IN BOOLEAN Validate, + IN UINTN Address, + OUT IA32_EFLAGS32 *Eflags + ); + #endif // defined (MDE_CPU_IA32) || defined (MDE_CPU_X64) #endif // !defined (__BASE_LIB__) diff --git a/MdePkg/Library/BaseLib/BaseLib.inf b/MdePkg/Library/BaseLib/Ba= seLib.inf index 3b85c56c3c..01aa5cc7a4 100644 --- a/MdePkg/Library/BaseLib/BaseLib.inf +++ b/MdePkg/Library/BaseLib/BaseLib.inf @@ -319,6 +319,7 @@ X64/RdRand.nasm X64/XGetBv.nasm X64/VmgExit.nasm + X64/Pvalidate.nasm ChkStkGcc.c | GCC =20 [Sources.EBC] diff --git a/MdePkg/Library/BaseLib/X64/Pvalidate.nasm b/MdePkg/Library/Bas= eLib/X64/Pvalidate.nasm new file mode 100644 index 0000000000..f2aba114ac --- /dev/null +++ b/MdePkg/Library/BaseLib/X64/Pvalidate.nasm @@ -0,0 +1,43 @@ +;-------------------------------------------------------------------------= ---- +; +; Copyright (c) 2020-2021, AMD. All rights reserved.
+; SPDX-License-Identifier: BSD-2-Clause-Patent +; +; Module Name: +; +; Pvalidate.Asm +; +; Abstract: +; +; AsmPvalidate function +; +; Notes: +; +;-------------------------------------------------------------------------= ---- + + SECTION .text + +;-------------------------------------------------------------------------= ---- +; PvalidateRetValue +; EFIAPI +; AsmPvalidate ( +; IN UINT32 RmpPageSize +; IN UINT32 Validate, +; IN UINTN Address, +; OUT UINTN *Eflags, +; ) +;-------------------------------------------------------------------------= ---- +global ASM_PFX(AsmPvalidate) +ASM_PFX(AsmPvalidate): + mov rax, r8 + + ; PVALIDATE instruction opcode + DB 0xF2, 0x0F, 0x01, 0xFF + + ; Read the Eflags + pushfq + pop r8 + mov [r9], r8 + + ; The PVALIDATE instruction returns the status in rax register. + ret --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73225): https://edk2.groups.io/g/devel/message/73225 Mute This Topic: https://groups.io/mt/81584585/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 06:14:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+73226+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+73226+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=amd.com Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 161661175202576.14405189629667; Wed, 24 Mar 2021 11:49:12 -0700 (PDT) Return-Path: 
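Review bot: in the BaseLib.h hunk the doc comment for AsmPvalidate() sits above the two `typedef enum` blocks instead of directly above the prototype, so Doxygen will attach it to PvalidatePageSize; move the enums above the comment. Inside the comment, `rescnids` should be `rescinds`, `@param[i] Validate` should be `@param[in]`, and the parameters are documented in the order Address, PageSize, Validate, Eflags while the prototype takes PageSize, Validate, Address, Eflags. The prototype is also placed inside the `defined (MDE_CPU_IA32) || defined (MDE_CPU_X64)` block, yet the BaseLib.inf hunk adds X64/Pvalidate.nasm only under the X64 sources and the comment itself says `The function is available on x64`; either guard the prototype with MDE_CPU_X64 alone or provide an IA32 stub, so an IA32 caller fails at compile time rather than at link time.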
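Review bot: `mov [r9], r8` in the Pvalidate.nasm hunk stores all 64 bits of RFLAGS through the Eflags pointer, but the header declares that parameter as `IA32_EFLAGS32 *Eflags`, a 4-byte object, so the store writes 4 bytes past the caller's variable (stack corruption whenever the caller passes a local IA32_EFLAGS32). Store only the low 32 bits (`mov [r9], r8d`) or change the parameter to a 64-bit type. The comment header above the label should then be brought in line with the C prototype, which it currently is not: `IN UINT32 RmpPageSize` is missing its trailing comma, `OUT UINTN *Eflags,` has one it should not, and `UINT32 Validate` does not match `BOOLEAN Validate`. A one-line comment that PageSize and Validate already arrive in ECX and EDX under the MS x64 calling convention, which is why only `mov rax, r8` is needed before the raw opcode bytes, would help the next reader, and the empty `; Notes:` section can be dropped.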
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 10/19] OvmfPkg: Define the Page State Change VMGEXIT structures
Date: Wed, 24 Mar 2021 10:32:06 -0500
Message-Id: <20210324153215.17971-11-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
Reply-To: devel@edk2.groups.io,brijesh.singh@amd.com X-Gm-Message-State: 58lK6iNKuGbYsXwdFzLQxW7ox1787277AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1616611751; bh=U+yLcJiOhMB3AKp6w2BWGBt+vs3eYLUT+PLzkEnmghU=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=QrBvAM2JpEDbS6HQeEkvJ09L6USOChokb4YtEwO3ba/Gpthcrp1ALttKkp50kdEWVwQ yXe60i49f0C5Q02MWUl5C/ucMi1iHk3navNAiuF+0F90vuPBDEIhSAmmwHLx9tSvOyV0M MUS9gyXfNxx8IsDfSAYe5EaOL3rThzXOiOw= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 The Page State Change NAE exit will be used by the SEV-SNP guest to request a page state change using the GHCB protocol. See the GHCB spec section 4.1.6 and 2.3.1 for more detail on the structure definitions. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh --- MdePkg/Include/Register/Amd/Fam17Msr.h | 17 +++++++++ MdePkg/Include/Register/Amd/Ghcb.h | 39 +++++++++++++++++--- 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/MdePkg/Include/Register/Amd/Fam17Msr.h b/MdePkg/Include/Regist= er/Amd/Fam17Msr.h index c074e871a7..084e7fb63a 100644 --- a/MdePkg/Include/Register/Amd/Fam17Msr.h +++ b/MdePkg/Include/Register/Amd/Fam17Msr.h @@ -53,6 +53,19 @@ typedef union { UINT64 GuestFrameNumber:52; } GhcbGpaRegister; =20 + struct { + UINT64 Function:12; + UINT64 GuestFrameNumber:40; + UINT64 Operation:4; + UINT64 Reserved:8; + } SnpPageStateChangeRequest; + + struct { + UINT32 Function:12; + UINT32 Reserved:20; + UINT32 ErrorCode; + } SnpPageStateChangeResponse; + VOID *Ghcb; =20 UINT64 GhcbPhysicalAddress; 
@@ -65,6 +78,10 @@ typedef union { #define GHCB_INFO_TERMINATE_REQUEST 256 #define GHCB_INFO_GHCB_GPA_REGISTER_REQUEST 18 #define GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE 19 +#define GHCB_INFO_SNP_PAGE_STATE_CHANGE_REQUEST 20 +#define GHCB_INFO_SNP_PAGE_STATE_CHANGE_RESPONSE 21 +#define SNP_PAGE_STATE_PRIVATE 1 +#define SNP_PAGE_STATE_SHARED 2 =20 #define GHCB_TERMINATE_GHCB 0 #define GHCB_TERMINATE_GHCB_GENERAL 0 diff --git a/MdePkg/Include/Register/Amd/Ghcb.h b/MdePkg/Include/Register/A= md/Ghcb.h index ccdb662af7..f3c719e70e 100644 --- a/MdePkg/Include/Register/Amd/Ghcb.h +++ b/MdePkg/Include/Register/Amd/Ghcb.h @@ -49,12 +49,13 @@ // // VMG Special Exit Codes // -#define SVM_EXIT_MMIO_READ 0x80000001ULL -#define SVM_EXIT_MMIO_WRITE 0x80000002ULL -#define SVM_EXIT_NMI_COMPLETE 0x80000003ULL -#define SVM_EXIT_AP_RESET_HOLD 0x80000004ULL -#define SVM_EXIT_AP_JUMP_TABLE 0x80000005ULL -#define SVM_EXIT_UNSUPPORTED 0x8000FFFFULL +#define SVM_EXIT_MMIO_READ 0x80000001ULL +#define SVM_EXIT_MMIO_WRITE 0x80000002ULL +#define SVM_EXIT_NMI_COMPLETE 0x80000003ULL +#define SVM_EXIT_AP_RESET_HOLD 0x80000004ULL +#define SVM_EXIT_AP_JUMP_TABLE 0x80000005ULL +#define SVM_EXIT_SNP_PAGE_STATE_CHANGE 0x80000010ULL +#define SVM_EXIT_UNSUPPORTED 0x8000FFFFULL =20 // // IOIO Exit Information 
@@ -154,4 +155,30 @@ typedef union { #define GHCB_EVENT_INJECTION_TYPE_EXCEPTION 3 #define GHCB_EVENT_INJECTION_TYPE_SOFT_INT 4 =20 +#define SNP_PAGE_STATE_MAX_NPAGES 4095 +#define SNP_PAGE_STATE_MAX_ENTRY 253 +#define SNP_PAGE_STATE_PRIVATE 1 +#define SNP_PAGE_STATE_SHARED 2 +#define SNP_PAGE_STATE_PSMASH 3 +#define SNP_PAGE_STATE_UNSMASH 4 + +typedef PACKED struct { + UINT64 CurrentPage:12; + UINT64 GuestFrameNumber:40; + UINT64 Op:4; + UINT64 PageSize:1; + UINT64 Rsvd: 7; +} SNP_PAGE_STATE_ENTRY; + +typedef PACKED struct { + UINT16 CurrentEntry; + UINT16 EndEntry; + UINT32 Rsvd; +} SNP_PAGE_STATE_HEADER; + +typedef struct { + SNP_PAGE_STATE_HEADER Header; + SNP_PAGE_STATE_ENTRY Entry[SNP_PAGE_STATE_MAX_ENTRY]; +} SNP_PAGE_STATE_CHANGE_INFO; + #endif --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73226): https://edk2.groups.io/g/devel/message/73226 Mute This Topic: https://groups.io/mt/81584587/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 06:14:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+73227+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+73227+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=amd.com Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1616611753120817.9069560449981; Wed, 24 Mar 2021 11:49:13 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 
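Review bot: SnpPageStateChangeResponse in the Fam17Msr.h struct hunk is the only member of this union built from UINT32 bit-fields plus a bare `UINT32 ErrorCode`; the neighbouring members (GhcbGpaRegister, SnpPageStateChangeRequest) use UINT64 bit-fields. The layout comes out the same (function in bits 11:0, reserved in 31:12, error code in 63:32), but for consistency, and so the union does not depend on how a compiler packs mixed-width bit-fields, write it as `UINT64 Function:12; UINT64 Reserved:20; UINT64 ErrorCode:32;`. The reserved field is also named `Reserved` here and `Rsvd` in the Ghcb.h structures of the same patch; pick one.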
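Review bot: SNP_PAGE_STATE_PRIVATE (1) and SNP_PAGE_STATE_SHARED (2) are defined in the Fam17Msr.h define hunk and again in the Ghcb.h hunk of this same patch. The values are identical so the preprocessor stays quiet, but define them once (Ghcb.h, next to SNP_PAGE_STATE_PSMASH and SNP_PAGE_STATE_UNSMASH, looks like the natural home) and include that header where the MSR protocol code needs them, so the two cannot drift apart later.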
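Review bot: the first Ghcb.h hunk re-indents the five existing SVM_EXIT_* defines only to fit the longer SVM_EXIT_SNP_PAGE_STATE_CHANGE name, which turns a one-line addition into a twelve-line diff and makes `git blame` point at this patch for unrelated lines; either keep the old column and let the new name stick out, or do the realignment as a separate whitespace-only commit.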
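Review bot: the new structures in the second Ghcb.h hunk carry no comments, while the commit message cites GHCB spec sections 2.3.1 and 4.1.6; put those references above SNP_PAGE_STATE_ENTRY and SNP_PAGE_STATE_HEADER so a reader can check the 12/40/4/1/7 bit split and the SNP_PAGE_STATE_MAX_ENTRY value of 253 against the spec without the git log. Also `UINT64 Rsvd: 7;` has a stray space that the other bit-fields do not.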
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 11/19] OvmfPkg/ResetVector: Invalidate the GHCB page
Date: Wed, 24 Mar 2021 10:32:07 -0500
Message-Id: <20210324153215.17971-12-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

When SEV-SNP is active, the GHCB page is mapped un-encrypted in the initial
page table built by the reset vector code. Just clearing the encryption
attribute from the page table is not enough. The page also needs to be
added as shared in the RMP table.

The GHCB page was part of the pre-validated memory range specified through
the SnpBootBlock GUID. To maintain the security guarantees, we must
invalidate the GHCB page before clearing the encryption attribute from the
page table, and add the page as shared in the RMP table.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 OvmfPkg/ResetVector/Ia32/PageTables64.asm | 106 ++++++++++++++++++++
 1 file changed, 106 insertions(+)

diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
index 5fae8986d9..63b864bcf2 100644
--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
@@ -62,6 +62,99 @@ BITS 32 %define GHCB_CPUID_REGISTER_SHIFT 30 %define CPUID_INSN_LEN 2 =20 +; GHCB Page Invalidate request and response protocol values +; +%define GHCB_PAGE_STATE_CHANGE_REQUEST 20 +%define GHCB_PAGE_STATE_CHANGE_RESPONSE 21 +%define GHCB_PAGE_STATE_SHARED 2 + +; GHCB request to terminate protocol values +%define GHCB_GENERAL_TERMINATE_REQUEST 255 + +; +; If SEV-SNP is enabled, invalidate the GHCB page +InvalidateGHCBPage: + ; Read the SEV_STATUS MSR to check whether SEV-SNP is enabled. + ; MSR_0xC0010131 - Bit 2 (SEV-SNP enabled) + mov ecx, 0xc0010131 + rdmsr + bt eax, 2 + jnc InvalidateGHCBPageDone + + ; Use PVALIDATE instruction to invalidate the page + mov eax, GHCB_BASE + mov ecx, 0 + mov edx, 0 + DB 0xF2, 0x0F, 0x01, 0xFF + cmp eax, 0 + jnz ValidationFailure + + ; Ask hypervisor to change the page state to shared using the + ; Page State Change VMGEXIT. + ; + ; Setup GHCB MSR + ; GHCB_MSR[55:52] =3D Page Operation + ; GHCB_MSR[51:12] =3D Guest Physical Frame Number + ; GHCB_MSR[11:0] =3D Page State Change Request + ; + mov eax, (GHCB_BASE >> 12) + shl eax, 12 + or eax, GHCB_PAGE_STATE_CHANGE_REQUEST + mov edx, (GHCB_PAGE_STATE_SHARED << 20) + mov ecx, 0xc0010130 + wrmsr + + ; + ; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-b= it + ; mode, so work around this by temporarily switching to 64-bit mode. 
+ ; +BITS 64 + rep vmmcall +BITS 32 + + ; + ; Response GHCB MSR + ; GHCB_MSR[51:12] =3D Guest Physical Frame Number + ; GHCB_MSR[11:0] =3D Page State Change Response + ; + mov ecx, 0xc0010130 + rdmsr + and eax, 0xfff + cmp eax, GHCB_PAGE_STATE_CHANGE_RESPONSE + jnz ValidationFailure + cmp edx, 0 + jnz ValidationFailure + + jmp InvalidateGHCBPageDone + +ValidationFailure: + ; + ; Setup GHCB MSR + ; GHCB_MSR[23:16] =3D 0 + ; GHCB_MSR[15:12] =3D 0 + ; GHCB_MSR[11:0] =3D Terminate Request + ; + mov edx, 0 + mov eax, GHCB_GENERAL_TERMINATE_REQUEST + mov ecx, 0xc0010130 + wrmsr + + ; + ; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-b= it + ; mode, so work around this by temporarily switching to 64-bit mode. + ; +BITS 64 + rep vmmcall +BITS 32 + +SnpPageStateFailureHlt: + cli + hlt + jmp SnpPageStateFailureHlt + +InvalidateGHCBPageDone: + OneTimeCallRet InvalidateGHCBPage + =20 ; Check if Secure Encrypted Virtualization (SEV) features are enabled. ; 
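Review bot: The PVALIDATE in InvalidateGHCBPage is emitted as raw bytes (`DB 0xF2, 0x0F, 0x01, 0xFF`) preceded by `mov ecx, 0` / `mov edx, 0`, and nothing in the hunk says which instruction those bytes are or what the operands mean (EAX = page address, ECX = RMP page size with 0 for 4KB, EDX = validate flag with 0 for invalidate); add a comment naming the instruction and its inputs so the invalidate-before-share step is auditable. The MSR literals 0xc0010130 (GHCB MSR, used three times) and 0xc0010131 (SEV_STATUS MSR) deserve %define symbols alongside the new GHCB_* defines. In the response check, the comment block lists only GHCB_MSR[51:12] and GHCB_MSR[11:0], yet the code also requires EDX to be zero (`cmp edx, 0` / `jnz ValidationFailure`); document what the upper 32 bits of the response carry so that check is self-explaining rather than looking accidental.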
@@ -316,6 +409,19 @@ clearGhcbMemoryLoop: mov dword[ecx * 4 + GHCB_BASE - 4], eax loop clearGhcbMemoryLoop =20 + ; + ; The page table built above cleared the memory encryption mask from t= he + ; GHCB_BASE (aka made it shared). When SEV-SNP is enabled, to maintain + ; the security guarantees, the page state transition from private to + ; shared must go through the page invalidation steps. Invalidate the + ; memory range before loading the page table below. + ; + ; NOTE: the invalidation must happen after zeroing the GHCB memory. Th= is + ; is because, in the 32-bit mode all the access are considered p= rivate. + ; The invalidation before the zero'ing will cause a #VC. + ; + OneTimeCall InvalidateGHCBPage + SetCr3: ; ; Set CR3 now that the paging structures are available
-- 
2.17.1
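Review bot: The NOTE comment in this hunk states the one ordering constraint that makes the call site safe (the invalidation must follow clearGhcbMemoryLoop, because in 32-bit mode every access is treated as private and touching an already-invalidated page raises a #VC), but it is phrased with grammar slips: "all the access are considered private" should be "all accesses are considered private" and "zero'ing" should be "zeroing". Since nothing enforces the order, it would also help to repeat a one-line precondition at the top of InvalidateGHCBPage ("callers must have zeroed the GHCB page first") so that a later reordering of the zeroing loop and the OneTimeCall does not silently reintroduce the #VC.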
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 12/19] OvmfPkg/MemEncryptSevLib: Add support to validate system RAM
Date: Wed, 24 Mar 2021 10:32:08 -0500
Message-Id: <20210324153215.17971-13-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Many of the integrity guarantees of SEV-SNP are enforced through the
Reverse Map Table (RMP). Each RMP entry contains the GPA at which a
particular page of DRAM should be mapped. The guest can request the
hypervisor to add pages in the RMP table via the Page State Change
VMGEXIT defined in the GHCB specification sections 2.5.1 and 4.1.6.
Inside each RMP entry is a Validated flag; this flag is automatically
cleared to 0 by the CPU hardware when a new RMP entry is created for a
guest. Each VM page can be either validated or invalidated, as indicated
by the Validated flag in the RMP entry. Memory access to a private page
that is not validated generates a #VC. A VM can use the PVALIDATE
instruction to validate the private page before using it.

During the guest creation, the boot ROM memory is pre-validated by the
AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called
during the SEC and PEI phase to validate the detected system RAM.

One of the fields in the Page State Change NAE is the RMP page size. The
page size input parameter indicates that either a 4KB or 2MB page should
be used while adding the RMP entry. During the validation, when possible,
the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry.
A hypervisor backing the memory may choose to use the different page size
in the RMP entry. In those cases, the PVALIDATE instruction should return
SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512 pages
constituting a 2MB region.

Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if the
instruction changed the RMP entry and to 1 if the instruction did not
change the RMP entry. The rFlags.CF will be 1 only when a memory region
is already validated. We should not double validate memory as it could
lead to a security compromise. If double validation is detected,
terminate the boot.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 OvmfPkg/Include/Library/MemEncryptSevLib.h                            |  15 ++
 OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/SnpPageStateChange.c        |  17 ++
 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf          |   4 +
 OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c    |  20 ++
 OvmfPkg/Library/BaseMemEncryptSevLib/SnpPageStateChange.h             |  37 +++
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c    |  23 ++
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c | 254 ++++++++++++++++++++
 7 files changed, 370 insertions(+)

diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
index 03d9eda392..47d6802b61 100644
--- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
+++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
@@ -215,4 +215,19 @@ MemEncryptSevGetAddressRangeState ( IN UINTN Length ); =20 +/** + If SEV-SNP is active then set the page state of the specified virtual + address range. This should be called in SEC and PEI phases only. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ); + #endif // _MEM_ENCRYPT_SEV_LIB_H_ diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/SnpPageStateChange.c= b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/SnpPageStateChange.c new file mode 100644 index 0000000000..dace5c0bcf --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/SnpPageStateChange.c @@ -0,0 +1,17 @@ +#include + +#include "../SnpPageStateChange.h" + +/** + The function is used to set the page state when SEV-SNP is active. The pa= ge state + transition consist of changing the page ownership in the RMP table, and u= sing the + PVALIDATE instruction to update the Validated bit in RMP table. + + */ +VOID +SevSnpValidateSystemRamInternal ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 279c38bfbc..8595e244c2 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -31,15 +31,19 @@ =20 [Sources] SecMemEncryptSevLibInternal.c + SnpPageStateChange.h =20 [Sources.X64] X64/MemEncryptSevLib.c X64/SecVirtualMemory.c + X64/SecSnpSystemRamValidate.c + X64/SnpPageStateChangeInternal.c X64/VirtualMemory.c X64/VirtualMemory.h =20 [Sources.IA32] Ia32/MemEncryptSevLib.c + Ia32/SnpPageStateChange.c =20 [LibraryClasses] BaseLib 
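Review bot: The doc comment on MemEncryptSevSnpValidateSystemRam in MemEncryptSevLib.h says it sets the page state of "the specified virtual address range", but the parameter is a PHYSICAL_ADDRESS and the X64 implementation turns it straight into a guest frame number (`Info->Entry[i].GuestFrameNumber = BaseAddress >> EFI_PAGE_SHIFT`); say "physical address range" here and in the identical comment in SecMemEncryptSevLibInternal.c. Also, "set the page state" undersells what the function does: through SevSnpValidateSystemRam it always calls SetPageStateInternal with SevSnpPagePrivate and UseLargeEntry = TRUE, so the comment should state that the range is made private and validated, and that calling it on memory that is already validated terminates the guest.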
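Review bot: The IA32 stub in Ia32/SnpPageStateChange.c defines SevSnpValidateSystemRamInternal, while SecMemEncryptSevLibInternal.c calls SevSnpValidateSystemRam and SnpPageStateChange.h declares SevSnpValidateSystemRam; with Ia32/SnpPageStateChange.c listed under [Sources.IA32] in SecMemEncryptSevLib.inf, an IA32 build of this library has no definition of the called symbol and will fail to link. Rename the stub to SevSnpValidateSystemRam to match the header, and replace its doc comment, which is copied from the X64 file and describes an RMP ownership change plus PVALIDATE that the empty body does not perform, with one stating that SEV-SNP page validation is not supported in 32-bit mode and the function is intentionally a no-op.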
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 69852779e2..35a222e75e 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -17,6 +17,8 @@ #include #include =20 +#include "SnpPageStateChange.h" + /** Reads and sets the status of SEV features. =20 @@ -172,3 +174,21 @@ MemEncryptSevLocateInitialSmramSaveStateMapPages ( { return RETURN_UNSUPPORTED; } + +/** + If SEV-SNP is active then set the page state of the specified virtual + address range. This should be called in SEC and PEI phases only. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + SevSnpValidateSystemRam (BaseAddress, NumPages); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SnpPageStateChange.h b/Ov= mfPkg/Library/BaseMemEncryptSevLib/SnpPageStateChange.h new file mode 100644 index 0000000000..3040930999 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SnpPageStateChange.h @@ -0,0 +1,37 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SNP_PAGE_STATE_INTERNAL_H_ +#define SNP_PAGE_STATE_INTERNAL_H_ + +// +// SEV-SNP Page states +// +typedef enum { + SevSnpPagePrivate, + SevSnpPageShared, + +} SEV_SNP_PAGE_STATE; + +VOID +SevSnpValidateSystemRam ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ); + +VOID +SetPageStateInternal ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages, + IN SEV_SNP_PAGE_STATE State, + IN BOOLEAN UseLargeEntry + ); + +#endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c new file mode 100644 index 0000000000..915706aad0 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c @@ -0,0 +1,23 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +#include "../SnpPageStateChange.h" + +VOID +SevSnpValidateSystemRam ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + SetPageStateInternal (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInt= ernal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeIntern= al.c new file mode 100644 index 0000000000..5a34db33fe --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c @@ -0,0 +1,254 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "../SnpPageStateChange.h" + +#define IS_ALIGNED(x, y) ((((x) & (y - 1)) =3D=3D 0)) +#define PAGES_PER_LARGE_ENTRY 512 +#define EFI_LARGE_PAGE (EFI_PAGE_SIZE * PAGES_PER_LARGE_ENTRY) + +STATIC +UINTN +MemoryStateToGhcbOp ( + IN SEV_SNP_PAGE_STATE State + ) +{ + UINTN Cmd; + + switch (State) { + case SevSnpPageShared: Cmd =3D SNP_PAGE_STATE_SHARED; break; + case SevSnpPagePrivate: Cmd =3D SNP_PAGE_STATE_PRIVATE; break; + default: ASSERT(0); + } + + return Cmd; +} + +STATIC +VOID +SnpPageStateFailureTerminate ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode =3D GHCB_TERMINATE_GHCB_GENERAL; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +STATIC +UINTN +IssuePvalidate ( + IN UINTN Address, + IN UINTN RmpPageSize, + IN BOOLEAN Validate + ) +{ + IA32_EFLAGS32 EFlags; + UINTN Ret; + + Ret =3D AsmPvalidate (RmpPageSize, Validate, Address, &EFlags); + + // + // Check the rFlags.CF to verify that PVALIDATE updated the RMP + // entry. If there was a no change in the RMP entry then we are + // either double validating or invalidating the memory. This can + // lead to a security compromise. + // + if (EFlags.Bits.CF) { + DEBUG ((DEBUG_ERROR, "%a:%a: Double %a detected for address 0x%Lx\n", + gEfiCallerBaseName, + __FUNCTION__, + Validate ? "Validate" : "Invalidate", + Address)); + SnpPageStateFailureTerminate (); + } + + return Ret; +} + +/** + This function issues the PVALIDATE instruction to validate or invalidate = the memory + range specified. 
If PVALIDATE returns size mismatch then it tries validat= ing with + smaller page size. + + */ +STATIC +VOID +PvalidateRange ( + IN SNP_PAGE_STATE_CHANGE_INFO *Info, + IN UINTN StartIndex, + IN UINTN EndIndex, + IN BOOLEAN Validate + ) +{ + UINTN Address, RmpPageSize, Ret, i; + + for (; StartIndex < EndIndex; StartIndex++) { + Address =3D Info->Entry[StartIndex].GuestFrameNumber << EFI_PAGE_SHIFT; + RmpPageSize =3D Info->Entry[StartIndex].PageSize; + + Ret =3D IssuePvalidate (Address, RmpPageSize, Validate); + + // + // If we fail to validate due to size mismatch then try with the + // smaller page size. This senario will occur if the backing page in + // the RMP entry is 4K and we are validating it as a 2MB. + // + if ((Ret =3D=3D PVALIDATE_RET_FAIL_SIZEMISMATCH) && + (RmpPageSize =3D=3D PVALIDATE_PAGE_SIZE_2M)) { + for (i =3D 0; i < PAGES_PER_LARGE_ENTRY; i++) { + + Ret =3D IssuePvalidate (Address, PVALIDATE_PAGE_SIZE_4K, Validate); + if (Ret) { + break; + } + + Address =3D Address + EFI_PAGE_SIZE; + } + } + + if (Ret) { + DEBUG ((DEBUG_ERROR, "%a:%a: Failed to %a address 0x%Lx Error code %d\= n", + gEfiCallerBaseName, + __FUNCTION__, + Validate ? "Validate" : "Invalidate", + Address, + Ret)); + SnpPageStateFailureTerminate (); + } + } +} + +/** + The function is used to set the page state when SEV-SNP is active. The pa= ge state + transition consist of changing the page ownership in the RMP table, and u= sing the + PVALIDATE instruction to update the Validated bit in RMP table. + + When the UseLargeEntry is set to TRUE, then use the large RMP entry. 
+ */ +VOID +SetPageStateInternal ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages, + IN SEV_SNP_PAGE_STATE State, + IN BOOLEAN UseLargeEntry + ) +{ + EFI_STATUS Status; + GHCB *Ghcb; + EFI_PHYSICAL_ADDRESS NextAddress, EndAddress; + MSR_SEV_ES_GHCB_REGISTER Msr; + BOOLEAN InterruptState; + SNP_PAGE_STATE_CHANGE_INFO *Info; + UINTN i, RmpPageSize; + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + Ghcb =3D Msr.Ghcb; + + EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE (NumPages); + + DEBUG ((DEBUG_VERBOSE, "%a:%a Address 0x%Lx - 0x%Lx State =3D %a LargeEn= try =3D %d\n", + gEfiCallerBaseName, + __FUNCTION__, + BaseAddress, + EndAddress, + State =3D=3D SevSnpPageShared ? "Shared" : "Private", + UseLargeEntry)); + + for (; BaseAddress < EndAddress; BaseAddress =3D NextAddress) { + + // + // Initialize the GHCB and setup scratch sw to point to shared buffer. + // + VmgInit (Ghcb, &InterruptState); + Info =3D (SNP_PAGE_STATE_CHANGE_INFO *) Ghcb->SharedBuffer; + + SetMem (Info, sizeof (*Info), 0); + + // + // Build page state change buffer + // + for (i =3D 0; (EndAddress > BaseAddress) && i < SNP_PAGE_STATE_MAX_ENT= RY; + BaseAddress =3D NextAddress, i++) { + // + // Is this a 2MB aligned page? Check if we can use the Large RMP ent= ry. 
+ // + if (UseLargeEntry && + IS_ALIGNED (BaseAddress, EFI_LARGE_PAGE) && + ((EndAddress - BaseAddress) >> EFI_PAGE_SHIFT) >=3D PAGES_PER_LA= RGE_ENTRY) { + RmpPageSize =3D PVALIDATE_PAGE_SIZE_2M; + NextAddress =3D BaseAddress + EFI_LARGE_PAGE; + } else { + RmpPageSize =3D PVALIDATE_PAGE_SIZE_4K; + NextAddress =3D BaseAddress + EFI_PAGE_SIZE; + } + + Info->Entry[i].GuestFrameNumber =3D BaseAddress >> EFI_PAGE_SHIFT; + Info->Entry[i].PageSize =3D RmpPageSize; + Info->Entry[i].Op =3D MemoryStateToGhcbOp (State); + Info->Entry[i].CurrentPage =3D 0; + } + + Info->Header.CurrentEntry =3D 0; + Info->Header.EndEntry =3D i - 1; + + // + // If the request page state change is shared then invalidate the page= s before + // adding the page in the RMP table. + // + if (State =3D=3D SevSnpPageShared) { + PvalidateRange (Info, 0, i, FALSE); + } + + // + // Issue the VMGEXIT and retry if hypervisor failed to process all the= entries. + // + Ghcb->SaveArea.SwScratch =3D (UINT64) Ghcb->SharedBuffer; + VmgSetOffsetValid (Ghcb, GhcbSwScratch); + while (Info->Header.CurrentEntry <=3D Info->Header.EndEntry) { + Status =3D VmgExit (Ghcb, SVM_EXIT_SNP_PAGE_STATE_CHANGE, 0, 0); + if (EFI_ERROR (Status)) { + SnpPageStateFailureTerminate (); + } + } + + // + // If the request page state change is shared then invalidate the page= s before + // adding the page in the RMP table. + // + if (State =3D=3D SevSnpPagePrivate) { + PvalidateRange (Info, 0, i, TRUE); + } + + VmgDone (Ghcb, InterruptState); + } +}
-- 
2.17.1
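Review bot: In MemoryStateToGhcbOp (SnpPageStateChangeInternal.c) `Cmd` is never assigned on the `default:` path; `ASSERT (0)` compiles out in RELEASE builds, so an unexpected State would hand an uninitialized value to the hypervisor as the page operation. Initialize Cmd or terminate after the ASSERT. In SetPageStateInternal the comment above the second PvalidateRange call ("If the request page state change is shared then invalidate the pages before adding the page in the RMP table") is a copy of the first one, but it guards the `State == SevSnpPagePrivate` branch, which validates after the RMP change; reword it to describe that case, since the before/after ordering is exactly the property a reader needs to verify. Finally, the `while (Info->Header.CurrentEntry <= Info->Header.EndEntry)` loop terminates only when the hypervisor advances CurrentEntry: a VmgExit that returns success without touching the header spins forever, so check that CurrentEntry moved forward on each successful iteration (or bound the retries) and call SnpPageStateFailureTerminate otherwise.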
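Patches 11 and 12 above describe one procedure from the guest side: the GHCB page going from private to shared in the reset vector (PVALIDATE with the validate flag clear, then a Page State Change), and MemEncryptSevSnpValidateSystemRam taking system RAM from shared to private (Page State Change first, then PVALIDATE, preferring 2MB entries, falling back to 512 4KB validations on SIZEMISMATCH, and terminating when rFLAGS.CF reports that the RMP entry was already in the requested state). The following is an added example, not code from edk2 or from these patches: it models the RMP and the hypervisor's half of the Page State Change in memory so the ordering and fallback rules can be exercised offline. The `rmp[]` array, `hv_page_state_change`, the `hv_backs_with_4k_only` policy knob and the three scenario functions are constructed for the model; the PVALIDATE operand and return-code values follow the AMD APM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT            12
#define PAGE_SIZE             (1u << PAGE_SHIFT)
#define PAGES_PER_LARGE_ENTRY 512
#define NUM_PAGES             4096   /* 16 MiB of modelled guest RAM */

/* PVALIDATE operands and rAX return codes (values as in the AMD APM) */
#define PVALIDATE_PAGE_SIZE_4K          0
#define PVALIDATE_PAGE_SIZE_2M          1
#define PVALIDATE_RET_SUCCESS           0
#define PVALIDATE_RET_FAIL_INPUT        1
#define PVALIDATE_RET_FAIL_SIZEMISMATCH 6

enum page_state { PAGE_PRIVATE, PAGE_SHARED };

/* Modelled RMP entry per 4KB guest frame (constructed for this example);
 * 'large' records that the hypervisor backed the frame with a 2MB entry. */
struct rmp_entry { bool assigned, validated, large; };
static struct rmp_entry rmp[NUM_PAGES];
static bool terminated;            /* guest asked the hypervisor to terminate */
static bool hv_backs_with_4k_only; /* hypervisor policy knob for the model */

static void reset_model(bool hv_4k_only)
{
  memset(rmp, 0, sizeof rmp);
  terminated = false;
  hv_backs_with_4k_only = hv_4k_only;
}

/* Hypervisor side of the Page State Change VMGEXIT: (re)creates RMP entries.
 * Hardware clears Validated whenever an entry is created, as the commit says. */
static void hv_page_state_change(uint64_t gfn, unsigned pages, enum page_state st)
{
  bool large = !hv_backs_with_4k_only && gfn % PAGES_PER_LARGE_ENTRY == 0 &&
               pages % PAGES_PER_LARGE_ENTRY == 0;
  for (unsigned i = 0; i < pages; i++) {
    rmp[gfn + i].assigned  = (st == PAGE_PRIVATE);
    rmp[gfn + i].validated = false;
    rmp[gfn + i].large     = large;
  }
}

/* Modelled PVALIDATE: returns the rAX code and reports rFLAGS.CF through *cf. */
static unsigned pvalidate(uint64_t addr, unsigned size, bool validate, bool *cf)
{
  uint64_t gfn   = addr >> PAGE_SHIFT;
  unsigned pages = (size == PVALIDATE_PAGE_SIZE_2M) ? PAGES_PER_LARGE_ENTRY : 1;

  *cf = false;
  if (gfn + pages > NUM_PAGES)
    return PVALIDATE_RET_FAIL_INPUT;
  if (size == PVALIDATE_PAGE_SIZE_2M && !rmp[gfn].large)   /* 2MB op on 4KB entries */
    return PVALIDATE_RET_FAIL_SIZEMISMATCH;
  if (rmp[gfn].validated == validate) {                    /* entry unchanged: CF = 1 */
    *cf = true;
    return PVALIDATE_RET_SUCCESS;
  }
  for (unsigned i = 0; i < pages; i++)
    rmp[gfn + i].validated = validate;
  return PVALIDATE_RET_SUCCESS;
}

/* Guest-side wrapper: success with CF set means the page was already
 * (in)validated, i.e. a double validation, which the firmware treats as fatal. */
static bool issue_pvalidate(uint64_t addr, unsigned size, bool validate, unsigned *ret)
{
  bool cf;
  *ret = pvalidate(addr, size, validate, &cf);
  if (*ret == PVALIDATE_RET_SUCCESS && cf) { terminated = true; return false; }
  return true;
}

/* (In)validate [base, base + npages*4KB), using 2MB entries where aligned. */
static bool pvalidate_range(uint64_t base, unsigned npages, bool validate)
{
  uint64_t addr = base, end = base + (uint64_t)npages * PAGE_SIZE;
  while (addr < end) {
    unsigned size = PVALIDATE_PAGE_SIZE_4K, step = 1, ret;
    if (addr % (PAGES_PER_LARGE_ENTRY * PAGE_SIZE) == 0 &&
        (end - addr) / PAGE_SIZE >= PAGES_PER_LARGE_ENTRY) {
      size = PVALIDATE_PAGE_SIZE_2M;
      step = PAGES_PER_LARGE_ENTRY;
    }
    if (!issue_pvalidate(addr, size, validate, &ret))
      return false;
    if (ret == PVALIDATE_RET_FAIL_SIZEMISMATCH && size == PVALIDATE_PAGE_SIZE_2M) {
      /* hypervisor used 4KB entries for this 2MB region: walk all 512 pages */
      for (unsigned i = 0; i < PAGES_PER_LARGE_ENTRY; i++) {
        if (!issue_pvalidate(addr + (uint64_t)i * PAGE_SIZE, PVALIDATE_PAGE_SIZE_4K, validate, &ret))
          return false;
        if (ret != PVALIDATE_RET_SUCCESS)
          break;
      }
    }
    if (ret != PVALIDATE_RET_SUCCESS) { terminated = true; return false; }
    addr += (uint64_t)step * PAGE_SIZE;
  }
  return true;
}

/* Ordering rule from the patches: invalidate before handing a page to the
 * hypervisor; validate only once the private RMP entry exists. */
static bool set_page_state(uint64_t base, unsigned npages, enum page_state st)
{
  if (st == PAGE_SHARED && !pvalidate_range(base, npages, false)) return false;
  hv_page_state_change(base >> PAGE_SHIFT, npages, st);
  if (st == PAGE_PRIVATE && !pvalidate_range(base, npages, true)) return false;
  return true;
}

/* Scenario: hypervisor backs a 2MB request with 4KB entries -> fallback path */
bool demo_sizemismatch_fallback(void)
{
  reset_model(true);
  bool ok = set_page_state(0x200000, PAGES_PER_LARGE_ENTRY, PAGE_PRIVATE);
  return ok && rmp[0x200].validated && rmp[0x3ff].validated && !terminated;
}

/* Scenario: validating an already-validated page sets CF -> terminate */
bool demo_double_validation_detected(void)
{
  unsigned ret;
  reset_model(false);
  set_page_state(0x200000, 1, PAGE_PRIVATE);
  bool ok = issue_pvalidate(0x200000, PVALIDATE_PAGE_SIZE_4K, true, &ret);
  return !ok && terminated;
}

/* Scenario: private -> shared invalidates first, then gives the frames away */
bool demo_private_to_shared(void)
{
  reset_model(false);
  set_page_state(0x400000, PAGES_PER_LARGE_ENTRY, PAGE_PRIVATE);
  bool ok = set_page_state(0x400000, PAGES_PER_LARGE_ENTRY, PAGE_SHARED);
  return ok && !rmp[0x400].assigned && !rmp[0x400].validated && !terminated;
}

int main(void)
{
  printf("sizemismatch fallback: %s\n", demo_sizemismatch_fallback() ? "ok" : "FAIL");
  printf("double validation:     %s\n", demo_double_validation_detected() ? "ok" : "FAIL");
  printf("private -> shared:     %s\n", demo_private_to_shared() ? "ok" : "FAIL");
  return 0;
}
```

Build with any C99 compiler and run; each scenario prints "ok". The model reports SIZEMISMATCH only for a 2MB PVALIDATE against 4KB-backed entries, which is the case the patch handles; other hardware corner cases are outside what this example tries to show.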
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 13/19] OvmfPkg/SecMain: Validate the data/code pages used for the PEI phase
Date: Wed, 24 Mar 2021 10:32:09 -0500
Message-Id: <20210324153215.17971-14-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 The VMM launch sequence should have validated all the data pages used in the SEC phase. Before decompressing the firmware volume, validate the data/code pages used during the decompression steps, and any other pages used during the PEI phase entry. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/SecMain.c | 26 ++++++++++++++++++++ OvmfPkg/Sec/SecMain.inf | 2 ++ 2 files changed, 28 insertions(+) diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index df6722b546..b491810376 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -351,6 +351,32 @@ DecompressMemFvs ( return Status; } =20 + if (MemEncryptSevSnpIsEnabled ()) { + EFI_PHYSICAL_ADDRESS LaunchValidatedBase, LaunchValidatedEnd; + UINTN Size; + + // + // The VMM launch sequence should have validated the memory range from + // MEMFD_BASE_ADDRESS to PcdOvmfPeiMemFvBase. The PCD values are also + // accessible through PcdOvmfSnpLaunchValidatedStart, and PcdOvmfSnpLa= unchValidatedEnd. + // The pre-validation was sufficent to access the data pages used in t= he SEC + // phase. + // + // Now that we are getting ready to decompress firmware volumes, and e= nter + // to PEI phase. Lets validate the code/data pages used for entering t= o the + // PEI phase. + // + // See FvmainCompactScratchEnd.fdf.inc for more detail. + // + LaunchValidatedBase =3D + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpLaunchValidatedS= tart); + LaunchValidatedEnd =3D LaunchValidatedBase + + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpLaunchValidatedE= nd); + Size =3D PcdGet32 (PcdOvmfDecompressionScratchEnd) - LaunchValidatedEn= d; + + MemEncryptSevSnpValidateSystemRam (LaunchValidatedEnd, EFI_SIZE_TO_PAG= ES (Size)); + } + Status =3D ExtractGuidedSectionGetInfo ( Section, &OutputBufferSize, 
diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 7f78dcee27..207accb53c 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf 
@@ -70,6 +70,8 @@ gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedStart + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpLaunchValidatedEnd =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire --=20 2.17.1

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#73229): https://edk2.groups.io/g/devel/message/73229
Mute This Topic: https://groups.io/mt/81584590/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
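Review bot: in the SecMain.c hunk, LaunchValidatedEnd is computed as LaunchValidatedBase + PcdGet32 (PcdOvmfSnpLaunchValidatedEnd), yet the comment just above describes PcdOvmfSnpLaunchValidatedStart and PcdOvmfSnpLaunchValidatedEnd as the two bounds of the pre-validated range (MEMFD_BASE_ADDRESS to PcdOvmfPeiMemFvBase). If the PCD holds an end address the sum lands past the real end and the pages between are validated twice or skipped; if it holds a length the PCD name is misleading. Please state in the comment what the PCD actually holds (FvmainCompactScratchEnd.fdf.inc is already referenced there) and compute the end accordingly. Also `Size =3D PcdGet32 (PcdOvmfDecompressionScratchEnd) - LaunchValidatedEnd;` has no ASSERT that DecompressionScratchEnd is not below LaunchValidatedEnd; an underflow there hands EFI_SIZE_TO_PAGES a huge count straight into MemEncryptSevSnpValidateSystemRam. Minor: "sufficent" should be "sufficient" and "Lets validate" should be "Let us validate".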
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 14/19] OvmfPkg/MemEncryptSevLib: Add support to validate RAM in PEI phase
Date: Wed, 24 Mar 2021 10:32:10 -0500
Message-Id: <20210324153215.17971-15-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

MemEncryptSevSnpValidateSystemRam() is used for validating the system RAM. During the validation process, we must avoid double validation cases. The double validation can lead to security issues.

Extend the MemEncryptSevSnpValidateSystemRam() to use the interval search tree to keep track of the validated range; if the requested range is already validated, then do nothing. If the requested range overlaps with the previous validation, then validate only non-overlapped ranges.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf | 8 ++
OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c | 20 += +++
OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c | 105 += ++++++++++++++++
OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.c | 119 += +++++++++++++++++++
OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.h | 36 += +++++
5 files changed, 288 insertions(+)

diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 03a78c32df..cb9dd2bb21 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -32,10 +32,15 @@ [Sources] PeiDxeMemEncryptSevLibInternal.c PeiMemEncryptSevLibInternal.c + SnpPageStateChange.h =20 [Sources.X64] X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/PeiSnpSystemRamValidate.c + X64/SnpPageStateTrack.c + X64/SnpPageStateChangeInternal.c + X64/SnpPageStateTrack.h X64/VirtualMemory.c X64/VirtualMemory.h =20 @@ -49,9 +54,12 @@ DebugLib MemoryAllocationLib PcdLib + VmgExitLib =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire =20 [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index b561f211f5..9863722e9d 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -17,6 +17,8 @@ #include #include =20 +#include "SnpPageStateChange.h" + STATIC BOOLEAN mSevStatus =3D FALSE; STATIC BOOLEAN mSevEsStatus =3D FALSE; STATIC BOOLEAN mSevSnpStatus =3D FALSE; @@ -184,3 +186,21 @@ MemEncryptSevGetEncryptionMask ( =20 return mSevEncryptionMask; } + +/** + If SEV-SNP is active then set the page state of the specified virtual + address range. This should be called in SEC and PEI phases only. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + SevSnpValidateSystemRam (BaseAddress, NumPages); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c new file mode 100644 index 0000000000..ce8a05bb1f --- /dev/null 
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -0,0 +1,105 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include + +#include "../SnpPageStateChange.h" +#include "SnpPageStateTrack.h" + +STATIC SNP_VALIDATED_RANGE *mRootNode; + +STATIC +SNP_VALIDATED_RANGE * +SetPageStateChangeInitialize ( + VOID + ) +{ + UINTN StartAddress, EndAddress; + SNP_VALIDATED_RANGE *RootNode; + + // + // The memory range from PcdOvmfSnpCpuidBase to PcdOvmfDecompressionScra= tchEnd is + // prevalidated before we enter into the Pei phase. The pre-validation b= reakdown + // looks like this: + // + // SnpCpuidBase (VMM) + // SnpSecretBase (VMM) + // SnpLaunchValidatedStart - SnpLaunchValidatedEnd (VMM) + // SnpLaunchValidatedEnd - DecompressionScratchEnd (SecMain) + // + // Add the range in system ram region tracker interval tree. The interva= l tree will + // used to check whether there is an overlap with the pre-validated regi= on. We will + // skip validating the pre-validated region. + // + StartAddress =3D (UINTN) PcdGet32 (PcdOvmfSnpCpuidBase); + EndAddress =3D (UINTN) PcdGet32 (PcdOvmfDecompressionScratchEnd); + + RootNode =3D AddRangeToIntervalTree (NULL, StartAddress, EndAddress); + if (RootNode =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "Failed to add range to interval tree\n")); + ASSERT (FALSE); + } + + return RootNode; +} + +VOID +SevSnpValidateSystemRam ( + IN UINTN BaseAddress, + IN UINTN NumPages + ) +{ + UINTN EndAddress; + SNP_VALIDATED_RANGE *Range; + + EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE (NumPages); + + // + // If the Root is NULL then its the first call. Lets initialize the List= before + // we process the request. 
+ // + if (mRootNode =3D=3D NULL) { + mRootNode =3D SetPageStateChangeInitialize (); + } + + // + // Check if the range is already validated + // + EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE(NumPages); + Range =3D FindOverlapRange (mRootNode, BaseAddress, EndAddress); + + // + // Range is not validated + if (Range =3D=3D NULL) { + SetPageStateInternal (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + AddRangeToIntervalTree (mRootNode, BaseAddress, EndAddress); + return; + } + + // + // The input range overlaps with the pre-validated range. Calculate the = non-overlap + // region and validate them. + // + if (BaseAddress < Range->StartAddress) { + NumPages =3D EFI_SIZE_TO_PAGES (Range->StartAddress - BaseAddress); + SetPageStateInternal (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + AddRangeToIntervalTree (mRootNode, BaseAddress, Range->StartAddress); + } + + if (EndAddress > Range->EndAddress) { + NumPages =3D EFI_SIZE_TO_PAGES (EndAddress - Range->EndAddress); + SetPageStateInternal (Range->EndAddress, NumPages, SevSnpPagePrivate, = TRUE); + AddRangeToIntervalTree (mRootNode, Range->StartAddress, EndAddress); + } +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.c b= /OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.c new file mode 100644 index 0000000000..91b4fc8db4 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.c @@ -0,0 +1,119 @@ +/** @file + + Provides a simple interval search tree implementation that will be used + by the SnpValidateSystemRam() to keep track of the memory range validated + during the SEC/PEI phases. + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include "SnpPageStateTrack.h" + +STATIC +SNP_VALIDATED_RANGE * +AllocNewNode ( + IN UINTN StartAddress, + IN UINTN EndAddress + ) +{ + SNP_VALIDATED_RANGE *Node; + + Node =3D AllocatePool (sizeof (SNP_VALIDATED_RANGE)); + if (Node =3D=3D NULL) { + return NULL; + } + + Node->StartAddress =3D StartAddress; + Node->EndAddress =3D EndAddress; + Node->MaxAddress =3D Node->EndAddress; + Node->Left =3D Node->Right =3D NULL; + + return Node; +} + +STATIC +BOOLEAN +RangeIsOverlap ( + IN SNP_VALIDATED_RANGE *Node, + IN UINTN StartAddress, + IN UINTN EndAddress + ) +{ + if (Node->StartAddress < EndAddress && StartAddress < Node->EndAddress) { + return TRUE; + } + + return FALSE; +} + + +/** + Function to find the overlapping range within the interval tree. If range= is not + found then NULL is returned. + + */ +SNP_VALIDATED_RANGE * +FindOverlapRange ( + IN SNP_VALIDATED_RANGE *RootNode, + IN UINTN StartAddress, + IN UINTN EndAddress + ) +{ + // Tree is empty or no overlap found + if (RootNode =3D=3D NULL) { + return NULL; + } + + // Check with the range exist in the root node + if (RangeIsOverlap(RootNode, StartAddress, EndAddress)) { + return RootNode; + } + + // + // If the left child of root is present and the max of the left child is + // greater than or equal to a given range then requested range will over= lap + // with left subtree + // + if (RootNode->Left !=3D NULL && (RootNode->Left->MaxAddress >=3D StartAd= dress)) { + return FindOverlapRange (RootNode->Left, StartAddress, EndAddress); + } + + // The range can only overlap with the right subtree + return FindOverlapRange (RootNode->Right, StartAddress, EndAddress); +} + +/** + Function to insert the validated range in the interval search tree. 
+ + */ +SNP_VALIDATED_RANGE * +AddRangeToIntervalTree ( + IN SNP_VALIDATED_RANGE *RootNode, + IN UINTN StartAddress, + IN UINTN EndAddress + ) +{ + // Tree is empty or we reached to the leaf + if (RootNode =3D=3D NULL) { + return AllocNewNode (StartAddress, EndAddress); + } + + // If the StartAddress is smaller then the BaseAddress then go to the le= ft in the tree. + if (StartAddress < RootNode->StartAddress) { + RootNode->Left =3D AddRangeToIntervalTree (RootNode->Left, StartAddres= s, EndAddress); + } else { + RootNode->Right =3D AddRangeToIntervalTree (RootNode->Right, StartAddr= ess, EndAddress); + } + + // Update the max value of the ancestor if needed + if (RootNode->MaxAddress < EndAddress) { + RootNode->MaxAddress =3D EndAddress; + } + + return RootNode; +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.h b= /OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.h new file mode 100644 index 0000000000..106c3411f0 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateTrack.h @@ -0,0 +1,36 @@ +/** @file + + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SNP_PAGE_STATE_TRACK_INTERNAL_H_ +#define SNP_PAGE_STATE_TRACK_INTERNAL_H_ + +#include + +typedef struct SNP_VALIDATED_RANGE { + UINT64 StartAddress, EndAddress; + UINT64 MaxAddress; + + struct SNP_VALIDATED_RANGE *Left, *Right; +} SNP_VALIDATED_RANGE; + +SNP_VALIDATED_RANGE * +FindOverlapRange ( + IN SNP_VALIDATED_RANGE *RootNode, + IN UINTN StartAddress, + IN UINTN EndAddress + ); + +SNP_VALIDATED_RANGE * +AddRangeToIntervalTree ( + IN SNP_VALIDATED_RANGE *RootNode, + IN UINTN StartAddress, + IN UINTN EndAddress + ); + +#endif --=20 2.17.1

View/Reply Online (#73230): https://edk2.groups.io/g/devel/message/73230
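Review bot: in the PeiMemEncryptSevLibInternal.c hunk, MemEncryptSevSnpValidateSystemRam () documents itself as "If SEV-SNP is active then set the page state", but its body calls SevSnpValidateSystemRam () unconditionally; the SEV-SNP check lives only in the callers (SecMain.c earlier in this series, AmdSevSnpInitialize () in 15/19). Add `if (!MemEncryptSevSnpIsEnabled ()) { return; }` at the top so the library API matches its own contract. Two smaller points: the wrapper takes PHYSICAL_ADDRESS while SevSnpValidateSystemRam () takes UINTN, and SevSnpValidateSystemRam () is listed only under [Sources.X64] while PeiMemEncryptSevLibInternal.c is in the generic [Sources] list; please confirm an IA32 build of this library still links, or add an IA32 stub.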
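Review bot: SevSnpValidateSystemRam () in PeiSnpSystemRamValidate.c does not fully prevent the double validation the commit message says must be avoided. FindOverlapRange () returns one overlapping node, and the two "non-overlap" pieces (before Range->StartAddress and after Range->EndAddress) are validated against that single node only; a request that straddles two recorded ranges re-validates whatever the second node already covers. Loop on FindOverlapRange () for each remaining piece until it returns NULL, or recurse on the two tails. In the trailing-tail branch, `AddRangeToIntervalTree (mRootNode, Range->StartAddress, EndAddress);` records a range starting at Range->StartAddress although only Range->EndAddress..EndAddress was validated in that branch; use Range->EndAddress as the start so the tree mirrors what was actually validated instead of adding a node that duplicates the existing one. EndAddress is also computed twice (before and after the mRootNode initialisation); drop one of the two.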
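Review bot: in SnpPageStateTrack.c, FindOverlapRange () descends left on `RootNode->Left->MaxAddress >=3D StartAddress` while RangeIsOverlap () treats ranges as half-open (`StartAddress < Node->EndAddress`); with half-open ranges a left subtree whose MaxAddress equals StartAddress cannot overlap, so `>` is the bound consistent with the overlap test. The tree is never rebalanced and AddRangeToIntervalTree () inserts in request order, so ascending inserts degrade lookups to a linked list; fine for the handful of resource descriptors PEI sees, but worth a one-line comment. In SnpPageStateTrack.h the `/** @file` block is empty; give it a description, and note that SNP_VALIDATED_RANGE stores UINT64 while FindOverlapRange () and AddRangeToIntervalTree () take UINTN.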
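The commit message above describes the rule the validator must follow: validate only the parts of a request that are not already validated, and never validate a page twice. The following is an added example written for this review, not code from Brijesh Singh's patch or from edk2. It keeps the validated set as a sorted array of half-open ranges instead of the patch's interval tree, replaces the real page-state change with a counting stub (PageStateChangeStub, a stand-in for SetPageStateInternal), and uses constructed addresses; it goes beyond the patch in that a request straddling several validated ranges is split into all of its gaps.

```c
/* Added example (not edk2 code): track SEV-SNP validated RAM as sorted
 * half-open [Start, End) ranges and validate only the gaps of a request,
 * so a range that straddles several validated regions is never
 * validated twice. Page-state changes are replaced by a counting stub. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096ULL
#define MAX_RANGES  64

typedef struct { uint64_t Start, End; } Range;                   /* [Start, End) */
typedef struct { Range Ranges[MAX_RANGES]; size_t Count; } ValidatedSet;

/* Stand-in for SetPageStateInternal (Base, Pages, SevSnpPagePrivate, TRUE):
 * it only reports the range and returns the number of bytes it would validate. */
static uint64_t PageStateChangeStub(uint64_t Start, uint64_t End)
{
  printf("validate [0x%llx, 0x%llx)\n",
         (unsigned long long)Start, (unsigned long long)End);
  return End - Start;
}

/* Insert [Start, End) into the sorted set, coalescing every range it
 * overlaps or touches. Returns 0 on success, -1 on bad input or no room. */
int RecordValidated(ValidatedSet *Set, uint64_t Start, uint64_t End)
{
  size_t First = 0, Last;

  if (Start >= End) {
    return -1;
  }
  /* Skip ranges that end strictly before the new one. */
  while (First < Set->Count && Set->Ranges[First].End < Start) {
    First++;
  }
  /* Absorb every range that overlaps or is adjacent to [Start, End). */
  Last = First;
  while (Last < Set->Count && Set->Ranges[Last].Start <= End) {
    if (Set->Ranges[Last].Start < Start) Start = Set->Ranges[Last].Start;
    if (Set->Ranges[Last].End > End)     End   = Set->Ranges[Last].End;
    Last++;
  }
  if (Last == First && Set->Count == MAX_RANGES) {
    return -1;                                   /* nothing merged and no free slot */
  }
  memmove(&Set->Ranges[First + 1], &Set->Ranges[Last],
          (Set->Count - Last) * sizeof(Range));
  Set->Ranges[First].Start = Start;
  Set->Ranges[First].End   = End;
  Set->Count = Set->Count - (Last - First) + 1;
  return 0;
}

/* Validate NumPages starting at Base, skipping every already-validated
 * sub-range, then record the whole request. Returns pages actually validated. */
uint64_t ValidateSystemRam(ValidatedSet *Set, uint64_t Base, uint64_t NumPages)
{
  uint64_t End = Base + NumPages * PAGE_SIZE;
  uint64_t Cursor = Base, Bytes = 0;

  for (size_t i = 0; i < Set->Count && Cursor < End; i++) {
    const Range *R = &Set->Ranges[i];
    if (R->End <= Cursor) continue;              /* entirely before the cursor */
    if (R->Start >= End) break;                  /* sorted: nothing later overlaps */
    if (R->Start > Cursor) {
      Bytes += PageStateChangeStub(Cursor, R->Start);   /* gap before this range */
    }
    Cursor = R->End;                             /* jump over the validated part */
  }
  if (Cursor < End) {
    Bytes += PageStateChangeStub(Cursor, End);   /* trailing gap */
  }
  if (NumPages != 0) {
    RecordValidated(Set, Base, End);
  }
  return Bytes / PAGE_SIZE;
}

int main(void)
{
  ValidatedSet Set;
  memset(&Set, 0, sizeof Set);

  /* Constructed layout: two regions already validated before PEI. */
  RecordValidated(&Set, 0x100000, 0x200000);
  RecordValidated(&Set, 0x300000, 0x400000);

  /* A request covering both: only the three gaps are validated (768 pages). */
  printf("%llu pages newly validated, %zu range(s) tracked\n",
         (unsigned long long)ValidateSystemRam(&Set, 0, 0x500000 / PAGE_SIZE),
         Set.Count);
  return 0;
}
```

The cursor walk is what the interval-tree version lacks: it consumes the request left to right, so every validated range that intersects it is skipped, not just the first one found. Recording the request as a whole afterwards keeps the set coalesced, which is also what makes a repeated request a no-op.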
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 15/19] OvmfPkg/PlatformPei: Validate the system RAM when SNP is active
Date: Wed, 24 Mar 2021 10:32:11 -0500
Message-Id: <20210324153215.17971-16-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

When SEV-SNP is active, a memory region mapped encrypted in the page table must be validated before access. There are two approaches that can be taken to validate the system RAM detected during the PEI phase:

1) Validate on-demand
OR
2) Validate before access

On-demand
=========
If memory is not validated before access, it will cause a #VC exception with the page-not-validated error code. The VC exception handler can perform the validation steps.

The pages that have been validated will need to be tracked to avoid the double validation scenarios. The range of memory that has not been validated will need to be communicated to the OS through the recently introduced unaccepted memory type https://github.com/microsoft/mu_basecore/pull/66, so that the OS can validate those ranges before using them.

Validate before access
======================
Since the PEI phase detects all the available system RAM, use the MemEncryptSevSnpValidateSystemRam() function to pre-validate the system RAM in the PEI phase.

For now, we have chosen option 2 due to the dependency and the complexity of the on-demand validation.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 41 ++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 95c5ad235f..abbbef54c1 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -140,6 +140,42 @@ AmdSevEsInitialize ( AsmWriteGdtr (&Gdtr); } =20 +/** + + Initialize SEV-SNP support if running as an SEV-SNP guest. + + **/ +STATIC +VOID +AmdSevSnpInitialize ( + VOID + ) +{ + EFI_PEI_HOB_POINTERS Hob; + EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob; + + if (!MemEncryptSevSnpIsEnabled ()) { + return; + } + + DEBUG ((EFI_D_INFO, "SEV-SNP is enabled.\n")); + + // + // Iterate through the system RAM and validate it. + // + for (Hob.Raw =3D GetHobList (); !END_OF_HOB_LIST (Hob); Hob.Raw =3D GET_= NEXT_HOB (Hob)) { + if (Hob.Raw !=3D NULL && GET_HOB_TYPE (Hob) =3D=3D EFI_HOB_TYPE_RESOUR= CE_DESCRIPTOR) { + ResourceHob =3D Hob.ResourceDescriptor; + + if (ResourceHob->ResourceType =3D=3D EFI_RESOURCE_SYSTEM_MEMORY) { + MemEncryptSevSnpValidateSystemRam (ResourceHob->PhysicalStart, + EFI_SIZE_TO_PAGES (ResourceHob-= >ResourceLength) + ); + } + } + } +} + /** =20 Function checks if SEV support is available, if present then it sets 
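Review bot: AmdSevSnpInitialize () validates every EFI_RESOURCE_SYSTEM_MEMORY descriptor it finds, including memory above 4GB, but nothing in this hunk establishes that the PEI page tables map those addresses; the next patch in the series (16/19) is titled "Add support to validate > 4GB memory in PEI phase", so until it lands this loop should skip or guard ranges beyond the mapped limit, or the two patches should be reordered. Minor: `Hob.Raw !=3D NULL` inside a `!END_OF_HOB_LIST (Hob)` loop is redundant, and EFI_D_INFO is a deprecated alias in edk2; use DEBUG_INFO.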
@@ -217,6 +253,11 @@ AmdSevInitialize ( } } =20 + // + // Check and perform SEV-SNP initialization if required. + // + AmdSevSnpInitialize (); + // // Check and perform SEV-ES initialization if required. // --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73231): https://edk2.groups.io/g/devel/message/73231 Mute This Topic: https://groups.io/mt/81584592/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 06:14:43 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+73232+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+73232+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one); dmarc=fail(p=none dis=none) header.from=amd.com Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1616611756286819.4010705728132; Wed, 24 Mar 2021 11:49:16 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id PFl4YY1788612xGhIHjZyaPq; Wed, 24 Mar 2021 11:49:15 -0700 X-Received: from NAM04-DM6-obe.outbound.protection.outlook.com (NAM04-DM6-obe.outbound.protection.outlook.com [40.107.102.72]) by mx.groups.io with SMTP id smtpd.web11.37.1616599960815499093 for ; Wed, 24 Mar 2021 08:32:41 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
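Review bot: AmdSevSnpInitialize () is now called before AmdSevEsInitialize (). Since the validation goes through the page-state-change path of MemEncryptSevLib (VmgExitLib was added to its .inf in 14/19), a short comment stating what that path relies on at this point in PEI, and why nothing AmdSevEsInitialize () sets up is needed first, would make the ordering reviewable rather than implicit.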
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 16/19] OvmfPkg/MemEncryptSevLib: Add support to validate > 4GB memory in PEI phase
Date: Wed, 24 Mar 2021 10:32:12 -0500
Message-Id: <20210324153215.17971-17-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The initial page table built during the SEC phase is used by the MemEncryptSevSnpValidateSystemRam() for the system RAM validation. The page validation process requires using the PVALIDATE instruction; the instruction accepts a virtual address of the memory region that needs to be validated. If hardware encounters a page table walk failure (due to page-not-present) then it raises #GP.

The initial page table built in the SEC phase addresses up to 4GB. Add an internal function to extend the page table to cover > 4GB. The function builds 1GB entries in the page table for access > 4GB. This will provide the support to call the PVALIDATE instruction for virtual addresses > 4GB in the PEI phase.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c | 115 ++++++++++++++++++++
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c | 16 +++
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h | 19 ++++
 3 files changed, 150 insertions(+)

diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c= b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index d3455e812b..33d9bafe9f 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c
@@ -536,6 +536,121 @@ EnableReadOnlyPageWriteProtect ( AsmWriteCr0 (AsmReadCr0() | BIT16); } =20 +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ) +{ + PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; + PAGE_TABLE_1G_ENTRY *PageDirectory1GEntry; + UINT64 PgTableMask; + UINT64 AddressEncMask; + BOOLEAN IsWpEnabled; + RETURN_STATUS Status; + + // + // Set PageMapLevel4Entry to suppress incorrect compiler/analyzer warnin= gs. + // + PageMapLevel4Entry =3D NULL; + + DEBUG (( + DEBUG_VERBOSE, + "%a:%a: Cr3Base=3D0x%Lx Physical=3D0x%Lx Length=3D0x%Lx\n", + gEfiCallerBaseName, + __FUNCTION__, + Cr3BaseAddress, + PhysicalAddress, + (UINT64)Length + )); + + if (Length =3D=3D 0) { + return RETURN_INVALID_PARAMETER; + } + + // + // Check if we have a valid memory encryption mask + // + AddressEncMask =3D InternalGetMemEncryptionAddressMask (); + if (!AddressEncMask) { + return RETURN_ACCESS_DENIED; + } + + PgTableMask =3D AddressEncMask | EFI_PAGE_MASK; + + + // + // Make sure that the page table is changeable. 
+ // + IsWpEnabled =3D IsReadOnlyPageWriteProtected (); + if (IsWpEnabled) { + DisableReadOnlyPageWriteProtect (); + } + + Status =3D EFI_SUCCESS; + + while (Length) + { + // + // If Cr3BaseAddress is not specified then read the current CR3 + // + if (Cr3BaseAddress =3D=3D 0) { + Cr3BaseAddress =3D AsmReadCr3(); + } + + PageMapLevel4Entry =3D (VOID*) (Cr3BaseAddress & ~PgTableMask); + PageMapLevel4Entry +=3D PML4_OFFSET(PhysicalAddress); + if (!PageMapLevel4Entry->Bits.Present) { + DEBUG (( + DEBUG_ERROR, + "%a:%a: bad PML4 for Physical=3D0x%Lx\n", + gEfiCallerBaseName, + __FUNCTION__, + PhysicalAddress + )); + Status =3D RETURN_NO_MAPPING; + goto Done; + } + + PageDirectory1GEntry =3D (VOID *)( + (PageMapLevel4Entry->Bits.PageTableBaseAddres= s << + 12) & ~PgTableMask + ); + PageDirectory1GEntry +=3D PDP_OFFSET(PhysicalAddress); + if (!PageDirectory1GEntry->Bits.Present) { + PageDirectory1GEntry->Bits.Present =3D 1; + PageDirectory1GEntry->Bits.MustBe1 =3D 1; + PageDirectory1GEntry->Bits.MustBeZero =3D 0; + PageDirectory1GEntry->Bits.ReadWrite =3D 1; + PageDirectory1GEntry->Uint64 |=3D (UINT64)PhysicalAddress | AddressE= ncMask; + } + + if (Length <=3D BIT30) { + Length =3D 0; + } else { + Length -=3D BIT30; + } + + PhysicalAddress +=3D BIT30; + } + + // + // Flush TLB + // + CpuFlushTlb(); + +Done: + // + // Restore page table write protection, if any. + // + if (IsWpEnabled) { + EnableReadOnlyPageWriteProtect (); + } + + return Status; +} =20 /** This function either sets or clears memory encryption bit for the memory diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index ce8a05bb1f..41bf301efe 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c 
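Review bot: `PhysicalAddress` is OR'd into the new entry unaligned (`PageDirectory1GEntry->Uint64 |= (UINT64)PhysicalAddress | AddressEncMask`), so a caller passing an address that is not a multiple of `BIT30` writes its low bits into bits 12..29 of the PDPE, which are reserved in a 1GB page entry; the page walk then faults and the PVALIDATE this mapping exists for fails anyway. Align before the loop (e.g. `PhysicalAddress &= ~(BIT30 - 1)` and grow `Length` by the amount dropped) or reject unaligned input with `RETURN_INVALID_PARAMETER`; the `Length -= BIT30` bookkeeping has the same problem, since an unaligned range that ends in the next 1GB frame is never mapped. Three smaller points: the `Cr3BaseAddress == 0` substitution is loop-invariant and belongs before `while (Length)`; `Status = EFI_SUCCESS` in a function returning `RETURN_STATUS` should be `RETURN_SUCCESS`; and when the PDPE is already present the code assumes it fully maps the range, without checking `Bits.MustBe1` to distinguish an existing 1GB page from a pointer to a page directory that may only map part of it.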
@@ -16,6 +16,7 @@ =20 #include "../SnpPageStateChange.h" #include "SnpPageStateTrack.h" +#include "VirtualMemory.h" =20 STATIC SNP_VALIDATED_RANGE *mRootNode; =20 @@ -62,9 +63,24 @@ SevSnpValidateSystemRam ( { UINTN EndAddress; SNP_VALIDATED_RANGE *Range; + EFI_STATUS Status; =20 EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE (NumPages); =20 + // + // The page table used in PEI can address up to 4GB memory. If we are as= ked to validate + // a range above the 4GB, then create an identity mapping so that the PV= ALIDATE instruction + // can execute correctly. If the page table entry is not present then PV= ALIDATE will + // cause the #GP. + // + if (BaseAddress >=3D SIZE_4GB) { + Status =3D InternalMemEncryptSevCreateIdentityMap1G (0, BaseAddress, + EFI_PAGES_TO_SIZE (NumPages)); + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + } + } + // // If the Root is NULL then its the first call. Lets initialize the List= before // we process the request. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h b/Ovm= fPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h index 996f94f07e..829dc96a1d 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h 
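Review bot: the `BaseAddress >= SIZE_4GB` test misses a range that starts below 4GB and crosses it (`BaseAddress < SIZE_4GB`, `EndAddress > SIZE_4GB`); the part above 4GB then has no mapping and PVALIDATE faults exactly as the comment warns. Test `EndAddress > SIZE_4GB` instead (it is computed two lines above) and map from `MAX (BaseAddress, SIZE_4GB)` up to `EndAddress`. On failure the code only does `ASSERT (FALSE)` and falls through, so a RELEASE build continues into the validation loop without the mapping; stop (`CpuDeadLoop ()`) or propagate the error rather than proceeding. Also `Status` is declared `EFI_STATUS` while `InternalMemEncryptSevCreateIdentityMap1G` returns `RETURN_STATUS`; the types alias each other, but `RETURN_STATUS`/`RETURN_ERROR` is the convention this library uses.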
@@ -267,4 +267,23 @@ InternalMemEncryptSevGetAddressRangeState ( IN UINTN Length ); =20 +/** + Create 1GB identity mapping for the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] VirtualAddress Virtual address to check + @param[in] Length Length of virtual address range + + @retval RETURN_INVALID_PARAMETER Number of pages is zero. + +**/ +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ); + #endif --=20 2.17.1

View/Reply Online (#73232): https://edk2.groups.io/g/devel/message/73232
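Review bot: the doc comment does not match the prototype below it: it documents a `VirtualAddress` parameter ("Virtual address to check") while the declaration names it `PhysicalAddress`, and the single `@retval` says "Number of pages is zero" although `Length` is a byte count. The comment also omits the other status codes the implementation in this patch returns: `RETURN_ACCESS_DENIED` when no encryption mask is available and `RETURN_NO_MAPPING` when the PML4 entry is not present. Rename the `@param`, describe it as the start of the range to identity-map, and add the two missing `@retval` lines.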
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 17/19] OvmfPkg/VmgExitLib: Allow PMBASE register access in Dxe phase
Date: Wed, 24 Mar 2021 10:32:13 -0500
Message-Id: <20210324153215.17971-18-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Commit 85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 added support to ensure that MMIO is only performed against the un-encrypted memory. If MMIO is performed against encrypted memory, a #GP is raised.

The VmgExitLib library depends on ApicTimerLib to get the APIC base address so that it can exclude the APIC range from the un-encrypted check.

The OvmfPkg provides ApicTimerLib for the DXE phase. The constructor AcpiTimerLibConstructor() used in the ApicTimerLib uses the PciRead to get the PMBASE register. The PciRead() will cause an MMIO access. The AmdSevDxe driver clears the memory encryption attribute from the MMIO ranges. However, if VmgExitLib is linked to the AmdSevDxe driver then the AcpiTimerLibConstructor() will be called before the AmdSevDxe driver can clear the encryption attributes for the MMIO regions.

Exclude the PMBASE register from the encrypted check so that we can link VmgExitLib to the MemEncryptSevLib, which gets linked to the AmdSevDxe driver.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 4 ++
 OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 7 +++
 OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 45 ++++++++++++++++++++
 3 files changed, 56 insertions(+)

diff --git a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf b/OvmfPkg/Library= /VmgExitLib/SecVmgExitLib.inf index e6f6ea7972..22435a0590 100644 --- a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf @@ -27,6 +27,7 @@ SecVmgExitVcHandler.c =20 [Packages] + MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec OvmfPkg/OvmfPkg.dec UefiCpuPkg/UefiCpuPkg.dec
@@ -42,4 +43,7 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize + gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress =20 +[Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf b/OvmfPkg/Library/Vm= gExitLib/VmgExitLib.inf index c66c68726c..d3175c260e 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf @@ -27,6 +27,7 @@ PeiDxeVmgExitVcHandler.c =20 [Packages] + MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec OvmfPkg/OvmfPkg.dec UefiCpuPkg/UefiCpuPkg.dec @@ -37,4 +38,10 @@ DebugLib LocalApicLib MemEncryptSevLib + PcdLib =20 +[FixedPcd] + gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress + +[Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c b/OvmfPkg/Librar= y/VmgExitLib/VmgExitVcHandler.c index 24259060fd..01ac5d8c19 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c +++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c @@ -14,7 +14,10 @@ #include #include #include +#include +#include #include +#include =20 #include "VmgExitVcHandler.h" =20 
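Review bot: `PcdOvmfHostBridgePciDevId` is added under `[Pcd]`, i.e. as a dynamic PCD, for the SEC instance (SecVmgExitLib.inf) as well as the PEI/DXE one, yet the commit message only needs the exemption in DXE. In SEC there is no PCD service yet and the value is populated later by PlatformPei, so every MMIO #VC taken in SEC would read an unset dynamic PCD from the shared `IsPmbaBaseAddress`; consider compiling the PMBASE check into the PEI/DXE instance only. Also, VmgExitLib.inf gains `PcdLib` under `[LibraryClasses]` while the SecVmgExitLib.inf hunks add only the package and PCD entries; since the `PcdGet16` call sits in VmgExitVcHandler.c, which both instances build, please confirm the SEC .inf already lists `PcdLib` (its `[LibraryClasses]` section is not in the context shown).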
@@ -596,6 +599,40 @@ UnsupportedExit ( return Status; } =20 +STATIC +BOOLEAN +IsPmbaBaseAddress ( + IN UINTN Address + ) +{ + UINT16 HostBridgeDevId; + UINTN Pmba; + + // + // Query Host Bridge DID to determine platform type + // + HostBridgeDevId =3D PcdGet16 (PcdOvmfHostBridgePciDevId); + switch (HostBridgeDevId) { + case INTEL_82441_DEVICE_ID: + Pmba =3D POWER_MGMT_REGISTER_PIIX4 (PIIX4_PMBA); + break; + case INTEL_Q35_MCH_DEVICE_ID: + Pmba =3D POWER_MGMT_REGISTER_Q35 (ICH9_PMBASE); + // + // Add the MMCONFIG base address to get the Pmba base access address + // + Pmba +=3D FixedPcdGet64 (PcdPciExpressBaseAddress); + break; + default: + return FALSE; + } + + // Round up the offset to page size + Pmba =3D Pmba & ~(SIZE_4KB - 1); + + return (Address =3D=3D Pmba); +} + /** Validate that the MMIO memory access is not to encrypted memory. =20 
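Review bot: the comment "Round up the offset to page size" describes the opposite of `Pmba = Pmba & ~(SIZE_4KB - 1)`, which rounds down to the page base; fix the comment. More substantively, `POWER_MGMT_REGISTER_Q35 (ICH9_PMBASE)` expands to a PciLib `PCI_LIB_ADDRESS` encoding (register in bits 0..11, function at bit 8, device at bit 11, bus at bit 16), whereas MMCONFIG/ECAM places function, device and bus at bits 12, 15 and 20, so `Pmba += FixedPcdGet64 (PcdPciExpressBaseAddress)` does not yield the MMCONFIG address of the PMBASE register; please double-check, and if so translate to the ECAM layout first (e.g. `PCI_ECAM_ADDRESS` with the same bus/device/function that `POWER_MGMT_REGISTER_Q35` encodes). The PIIX4 branch adds no MMCONFIG base at all, so its `Pmba` is a config-space encoding rather than a memory address and the equality test against an MMIO fault address cannot be meaningful there; if PIIX4 config access is port-based and never reaches this handler as MMIO, return FALSE for that case and say so in a comment. Finally, note in the function comment that the comparison is page-granular, so what is exempted is the whole 4KB config-space page containing PMBASE, not the single register.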
@@ -640,6 +677,14 @@ ValidateMmioMemory ( return 0; } =20 + // + // Allow PMBASE accesses (which will have the encryption bit set before + // AmdSevDxe runs in the DXE phase) + // + if (IsPmbaBaseAddress (Address)) { + return 0; + } + // // Any state other than unencrypted is an error, issue a #GP. // --=20 2.17.1

View/Reply Online (#73233): https://edk2.groups.io/g/devel/message/73233
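Review bot: the exemption is unconditional and permanent: once `IsPmbaBaseAddress (Address)` matches, MMIO to that page bypasses the encrypted-memory check in every phase and for the life of the guest, although the comment justifies it only for the window before AmdSevDxe clears the encryption attribute. Since the check is a defence against MMIO being emulated on a page the guest still treats as private, relaxing it for a whole 4KB page is wider than the single PMBASE read the commit message describes; at minimum, extend the comment to state that the entire page is exempted and that the exemption stays in effect after AmdSevDxe has run, and consider building the check only into the PEI/DXE library instance where it is needed.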
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 18/19] OvmfPkg/MemEncryptSevLib: Validate the memory during set or clear enc attribute
Date: Wed, 24 Mar 2021 10:32:14 -0500
Message-Id: <20210324153215.17971-19-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The MemEncryptSev{Set,Clear}PageEncMask() functions are used to set or clear the memory encryption attribute in the page table. When SEV-SNP is active, we also need to validate or invalidate the pages and update the RMP entry. Before clearing the encryption attribute we need to invalidate the memory, and then make the page shared in the RMP entry. Similarly, after setting the encryption attribute in the page table, we add the memory as private in the RMP entry and validate it.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf     |  3 ++
 OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf     |  1 +
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState.c | 32 +++++++++++++++++
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c   | 36 ++++++++++++++++++--
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpSetPageState.h       | 27 +++++++++++++++
 5 files changed, 97 insertions(+), 2 deletions(-)
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f2e162d680..fa8f7719a7 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -36,6 +36,8 @@ [Sources.X64] X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/SnpPageStateChangeInternal.c + X64/PeiDxeSnpSetPageState.c X64/VirtualMemory.c X64/VirtualMemory.h =20 @@ -49,6 +51,7 @@ DebugLib MemoryAllocationLib PcdLib + VmgExitLib =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index cb9dd2bb21..d16ec44954 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -37,6 +37,7 @@ [Sources.X64] X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/PeiDxeSnpSetPageState.c X64/PeiSnpSystemRamValidate.c X64/SnpPageStateTrack.c X64/SnpPageStateChangeInternal.c diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState= .c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState.c new file mode 100644 index 0000000000..0a3d58ac22 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState.c @@ -0,0 +1,32 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +#include "PeiSnpPageStateChange.h" + +VOID +SnpSetMemoryPrivate ( + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ) +{ + SetPageStateInternal (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSn= pPagePrivate, FALSE); +} + +VOID +SnpSetMemoryShared ( + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ) +{ + SetPageStateInternal (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSn= pPageShared, FALSE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c= b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index 33d9bafe9f..26d363d427 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -17,6 +17,7 @@ #include =20 #include "VirtualMemory.h" +#include "SnpSetPageState.h" =20 STATIC BOOLEAN mAddressEncMaskChecked =3D FALSE; STATIC UINT64 mAddressEncMask; 
@@ -700,22 +701,34 @@ SetMemoryEncDec ( UINT64 AddressEncMask; BOOLEAN IsWpEnabled; RETURN_STATUS Status; + BOOLEAN NeedPageStateChange; + PHYSICAL_ADDRESS OrigPhysicalAddress; + UINTN OrigLength; =20 // // Set PageMapLevel4Entry to suppress incorrect compiler/analyzer warnin= gs. // PageMapLevel4Entry =3D NULL; =20 + // + // When SEV-SNP is active, before clearing the encryption attribute from + // the page table we also need to update the RMP entry for the memory + // region to make the region shared. And after setting the encryption + // attribute, the region must be made private in the RMP table. + // + NeedPageStateChange =3D MemEncryptSevSnpIsEnabled (); + DEBUG (( DEBUG_VERBOSE, - "%a:%a: Cr3Base=3D0x%Lx Physical=3D0x%Lx Length=3D0x%Lx Mode=3D%a Cach= eFlush=3D%u\n", + "%a:%a: Cr3Base=3D0x%Lx Physical=3D0x%Lx Length=3D0x%Lx Mode=3D%a Cach= eFlush=3D%u Rmpupdate=3D%u\n", gEfiCallerBaseName, __FUNCTION__, Cr3BaseAddress, PhysicalAddress, (UINT64)Length, (Mode =3D=3D SetCBit) ? "Encrypt" : "Decrypt", - (UINT32)CacheFlush + (UINT32)CacheFlush, + (UINT32)NeedPageStateChange )); =20 // @@ -749,6 +762,18 @@ SetMemoryEncDec ( DisableReadOnlyPageWriteProtect (); } =20 + // + // Make the RMP updates before clearing the encryption attribute in the = page table. + // + if (NeedPageStateChange && (Mode =3D=3D ClearCBit)) { + SnpSetMemoryShared (PhysicalAddress, Length); + } + + // + // Save the values, we need it later during the Page state change. + // + OrigPhysicalAddress =3D PhysicalAddress; + OrigLength =3D Length; Status =3D EFI_SUCCESS; =20 while (Length !=3D 0) @@ -923,6 +948,13 @@ SetMemoryEncDec ( // CpuFlushTlb(); =20 + // + // Make the RMP updates after setting the encryption attribute in the pa= ge table. + // + if (NeedPageStateChange && (Mode =3D=3D SetCBit)) { + SnpSetMemoryPrivate (OrigPhysicalAddress, OrigLength); + } + Done: // // Restore page table write protection, if any. 
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpSetPageState.h b/O= vmfPkg/Library/BaseMemEncryptSevLib/X64/SnpSetPageState.h new file mode 100644 index 0000000000..0b29bad612 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpSetPageState.h @@ -0,0 +1,27 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2020 - 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PEI_DXE_SNP_PAGE_STATE_INTERNAL_H_ +#define PEI_DXE_SNP_PAGE_STATE_INTERNAL_H_ + +#include "../SnpPageStateChange.h" + +VOID +SnpSetMemoryPrivate ( + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ); + +VOID +SnpSetMemoryShared ( + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ); +#endif
-- 
2.17.1

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#73234): https://edk2.groups.io/g/devel/message/73234
Mute This Topic: https://groups.io/mt/81584595/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
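Review bot: in the PeiDxeSnpSetPageState.c hunk, the new file includes only "PeiSnpPageStateChange.h" and not the SnpSetPageState.h header that declares SnpSetMemoryPrivate() and SnpSetMemoryShared(), so the compiler never checks these definitions against the prototypes PeiDxeVirtualMemory.c consumes; add `#include "SnpSetPageState.h"` beside the existing include. The header in turn includes "../SnpPageStateChange.h" while the .c file includes "PeiSnpPageStateChange.h"; if both name the same interface, one include in one place is enough, and if they are different headers the difference deserves a comment.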
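Review bot: in the SetMemoryEncDec() hunks of PeiDxeVirtualMemory.c, the ClearCBit path calls SnpSetMemoryShared() before the page table walk starts, but nothing undoes that RMP change if the walk fails and jumps to Done with the C-bit still set in the page table entries; the SetCBit path avoids the asymmetry by calling SnpSetMemoryPrivate() only after the walk and CpuFlushTlb() have completed. Either restore the private state on the error path for ClearCBit, or state in the new comment block above NeedPageStateChange that a failed decrypt leaves the region shared in the RMP but encrypted in the page table, so callers know the region must not be accessed afterwards. Minor: the comment "Save the values, we need it later during the Page state change" should say why, namely that the while loop advances PhysicalAddress and Length.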
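Review bot: in the SnpSetPageState.h hunk, the include guard PEI_DXE_SNP_PAGE_STATE_INTERNAL_H_ does not match the file name, and neither prototype carries the documentation block (description plus @param for PhysicalAddress and Length) that edk2 public declarations get; the @file line, "SEV-SNP Page Validation functions.", is also copied verbatim from the .c file and could instead say that this header exposes the RMP page state helpers to PeiDxeVirtualMemory.c.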
From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [edk2-devel] [RFC PATCH 19/19] OvmfPkg/MemEncryptSevLib: Skip page state change for non RAM region
Date: Wed, 24 Mar 2021 10:32:15 -0500
Message-Id: <20210324153215.17971-20-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The PEI phase uses MemEncryptSevSnpValidateSystemRam() to validate the system RAM. MemEncryptSev{Set,Clear}PageEncMask() is later used by libraries/drivers to change the page state from private to shared and vice versa.

The AmdSevDxe driver calls MemEncryptSevClearPageEncMask() to remove the encryption attribute from the reserved and non-existent memory regions. Those regions were not part of system RAM, and were not pre-validated during the PEI phase, so we fail to change the page state for them.

There are multiple approaches to fix it:

1) Add a new parameter to MemEncryptSevClearPageEncMask(), that should be set by the caller to indicate whether the region is RAM.

OR

2) Look up the address in the interval tree maintained by MemEncryptSevSnpValidateSystemRam() to determine whether we validated the page in the past.

OR

3) Iterate through the memory space GCD to calculate whether the address range is RAM.

For now, we have chosen #2: it does not require changes to the caller of MemEncryptSevClearPageEncMask(), and the lookup routine is already available.

Extend the SEV-ES workarea to pass the interval tree root pointer so that we can perform the lookup later.
If the specified address was not present in the tree, then do not invalidate the page as it could result in page state change failure. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 3 ++ OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf | 4 ++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState.c | 31 ++= +++++++++++++ OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c | 42 ++= ++++++++++-------- 4 files changed, 63 insertions(+), 17 deletions(-) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 47d6802b61..712590b64d 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -54,6 +54,9 @@ typedef struct _SEC_SEV_ES_WORK_AREA { UINT64 RandomData; =20 UINT64 EncryptionMask; + + UINT64 SnpSystemRamValidatedRootAddress; + } SEC_SEV_ES_WORK_AREA; =20 // diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index fa8f7719a7..43b842254f 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -38,6 +38,7 @@ X64/PeiDxeVirtualMemory.c X64/SnpPageStateChangeInternal.c X64/PeiDxeSnpSetPageState.c + X64/SnpPageStateTrack.c X64/VirtualMemory.c X64/VirtualMemory.h =20 @@ -58,3 +59,6 @@ =20 [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + +[FixedPcd] + gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState= .c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState.c index 0a3d58ac22..9fe6831368 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState.c 
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeSnpSetPageState.c @@ -10,8 +10,12 @@ =20 #include #include +#include +#include +#include =20 #include "PeiSnpPageStateChange.h" +#include "SnpPageStateTrack.h" =20 VOID SnpSetMemoryPrivate ( @@ -28,5 +32,32 @@ SnpSetMemoryShared ( IN UINTN Length ) { + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SNP_VALIDATED_RANGE *RootNode, *Range; + + // + // Get the Page State tracker root node. The information will be used to= lookup + // the address in the page state tracker. + // + SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); + RootNode =3D (SNP_VALIDATED_RANGE *) SevEsWorkArea->SnpSystemRamValidate= dRootAddress; + + // + // Check if the region is validated during the System RAM validation pro= cess. + // If region is not validated then do nothing. This typically will happe= n if + // we are getting called to make the page state change for the MMIO regi= on. + // The MMIO regions fall within reserved memory type and does not require + // page state changes. + // + Range =3D FindOverlapRange (RootNode, PhysicalAddress, PhysicalAddress += Length); + if (Range =3D=3D NULL) { + DEBUG ((EFI_D_INFO, "%a:%a %Lx - %Lx is not RAM, skipping it.\n", + gEfiCallerBaseName, + __FUNCTION__, + PhysicalAddress, + PhysicalAddress + Length)); + return; + } + SetPageStateInternal (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSn= pPageShared, FALSE); } diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index 41bf301efe..2e049d3df7 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -18,8 +18,6 @@ #include "SnpPageStateTrack.h" #include "VirtualMemory.h" =20 -STATIC SNP_VALIDATED_RANGE *mRootNode; - STATIC SNP_VALIDATED_RANGE * SetPageStateChangeInitialize ( 
@@ -64,15 +62,34 @@ SevSnpValidateSystemRam ( UINTN EndAddress; SNP_VALIDATED_RANGE *Range; EFI_STATUS Status; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SNP_VALIDATED_RANGE *RootNode; =20 EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE (NumPages); =20 + // The Root of SNP_VALIDATED_RANGE is saved in the EsWorkArea. + SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); + RootNode =3D (SNP_VALIDATED_RANGE *) SevEsWorkArea->SnpSystemRamValidate= dRootAddress; + + // + // If the Root is NULL then its the first call. Lets initialize the List= before + // we process the request. + // + if (RootNode =3D=3D NULL) { + RootNode =3D SetPageStateChangeInitialize (); + + // + // Save the RootNode in the workarea + // + SevEsWorkArea->SnpSystemRamValidatedRootAddress =3D (UINT64) (UINTN) R= ootNode; + } + // // The page table used in PEI can address up to 4GB memory. If we are as= ked to validate // a range above the 4GB, then create an identity mapping so that the PV= ALIDATE instruction - // can execute correctly. If the page table entry is not present then PV= ALIDATE will - // cause the #GP. // + // + =20 if (BaseAddress >=3D SIZE_4GB) { Status =3D InternalMemEncryptSevCreateIdentityMap1G (0, BaseAddress, EFI_PAGES_TO_SIZE (NumPages)); 
@@ -81,25 +98,16 @@ SevSnpValidateSystemRam ( } } =20 - // - // If the Root is NULL then its the first call. Lets initialize the List= before - // we process the request. - // - if (mRootNode =3D=3D NULL) { - mRootNode =3D SetPageStateChangeInitialize (); - } - // // Check if the range is already validated // - EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE(NumPages); - Range =3D FindOverlapRange (mRootNode, BaseAddress, EndAddress); + Range =3D FindOverlapRange (RootNode, BaseAddress, EndAddress); =20 // // Range is not validated if (Range =3D=3D NULL) { SetPageStateInternal (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); - AddRangeToIntervalTree (mRootNode, BaseAddress, EndAddress); + AddRangeToIntervalTree (RootNode, BaseAddress, EndAddress); return; } =20 @@ -110,12 +118,12 @@ SevSnpValidateSystemRam ( if (BaseAddress < Range->StartAddress) { NumPages =3D EFI_SIZE_TO_PAGES (Range->StartAddress - BaseAddress); SetPageStateInternal (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); - AddRangeToIntervalTree (mRootNode, BaseAddress, Range->StartAddress); + AddRangeToIntervalTree (RootNode, BaseAddress, Range->StartAddress); } =20 if (EndAddress > Range->EndAddress) { NumPages =3D EFI_SIZE_TO_PAGES (EndAddress - Range->EndAddress); SetPageStateInternal (Range->EndAddress, NumPages, SevSnpPagePrivate, = TRUE); - AddRangeToIntervalTree (mRootNode, Range->StartAddress, EndAddress); + AddRangeToIntervalTree (RootNode, Range->StartAddress, EndAddress); } } --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#73235): https://edk2.groups.io/g/devel/message/73235 Mute This Topic: https://groups.io/mt/81584596/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
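Review bot: in the MemEncryptSevLib.h hunk, SEC_SEV_ES_WORK_AREA is a fixed-layout structure at PcdSevEsWorkAreaBase that this patch now reads from both PEI (PeiSnpSystemRamValidate.c) and DXE (PeiDxeSnpSetPageState.c), so adding SnpSystemRamValidatedRootAddress changes a layout shared across phases; confirm the enlarged struct still fits in the reserved work area (PcdSevEsWorkAreaSize) and that SetPageStateChangeInitialize() allocates the tree from memory that survives into DXE, since DXE dereferences the stored pointer. The member deserves a comment saying it holds the PEI-allocated SNP_VALIDATED_RANGE root (a pointer stored as UINT64), and the blank lines around it are inconsistent with the rest of the struct.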
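Review bot: in the DxeMemEncryptSevLib.inf hunk, the new [FixedPcd] section adds gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase for the DXE build only, yet PeiSnpSystemRamValidate.c in this same patch also starts calling FixedPcdGet32 (PcdSevEsWorkAreaBase); confirm PeiMemEncryptSevLib.inf already lists that PCD, otherwise the PEI library will not build.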
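Review bot: in the PeiDxeSnpSetPageState.c hunk, SnpSetMemoryShared() passes RootNode from the work area to FindOverlapRange() without a NULL check, whereas SevSnpValidateSystemRam() guards the same pointer; a decrypt request issued before any RAM validation has recorded a root would dereference NULL (or stale work area contents), so add a NULL check that logs and returns. Second, FindOverlapRange() only says whether some part of [PhysicalAddress, PhysicalAddress + Length) overlaps a validated range, so a request that straddles RAM and an unvalidated region is treated as all RAM and SetPageStateInternal() runs over the whole Length, which is the failure the commit message sets out to avoid; either ASSERT that the range lies fully inside Range->StartAddress..Range->EndAddress or trim the state change to the overlapping portion, as SevSnpValidateSystemRam() already does for the validate direction. Style: the new DEBUG uses EFI_D_INFO while PeiDxeVirtualMemory.c in this series uses the DEBUG_VERBOSE spelling; prefer DEBUG_INFO.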
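Review bot: in the first PeiSnpSystemRamValidate.c hunk for SevSnpValidateSystemRam(), the edit to the comment above the SIZE_4GB check looks accidental: the two lines saying that PVALIDATE raises #GP when the page table entry is not present are removed, the remaining sentence stops at "so that the PVALIDATE instruction", and two bare "//" lines plus a blank line are added in their place. Restore the removed lines and drop the stray "//" lines. Also, "// The Root of SNP_VALIDATED_RANGE is saved in the EsWorkArea." is a single-line comment without the surrounding "//" lines the rest of the file uses.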
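As an added illustration that is not part of the patch or of OVMF, the RAM-range check SnpSetMemoryShared() performs before a shared transition, written so that a request straddling validated RAM and an unvalidated region is reported separately from a fully covered one (the case a plain any-overlap test cannot distinguish). The validated ranges are a constructed sample, and a sorted array stands in for the interval tree in SnpPageStateTrack.c.

```c
/*
 * Added model, not OVMF code: the "is this range validated RAM?" decision SnpSetMemoryShared()
 * makes before a private->shared page state change, extended to tell a fully covered request
 * from one straddling validated RAM and unvalidated space. A sorted array replaces the tree.
 */
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE     4096ULL
#define MAX_SUBRANGES 8

typedef struct {
  uint64_t Start; /* inclusive, page aligned */
  uint64_t End;   /* exclusive, page aligned */
} RANGE;

typedef enum {
  RANGE_INVALID     = -1, /* empty or not page aligned */
  RANGE_NOT_RAM     =  0, /* nothing in the request was validated in PEI */
  RANGE_ALL_RAM     =  1, /* whole request validated: safe to change state */
  RANGE_PARTIAL_RAM =  2  /* mixed: only the overlapping pieces may change state */
} RANGE_CLASS;

/* Constructed sample of ranges validated during PEI; not taken from the patch. */
static const RANGE ValidatedRam[] = {
  { 0x000000000ULL, 0x000080000ULL }, /* low RAM below the legacy hole */
  { 0x000100000ULL, 0x07F000000ULL }, /* 1 MiB up to the PCI hole      */
  { 0x100000000ULL, 0x180000000ULL }, /* RAM above 4 GiB               */
};
#define VALIDATED_RAM_COUNT (sizeof (ValidatedRam) / sizeof (ValidatedRam[0]))

/* Intersect [Start, End) with the validated list, writing each overlapping piece to Out
   (at most MaxOut). Returns the piece count, or -1 if the request is empty or misaligned. */
int IntersectValidatedRam (uint64_t Start, uint64_t End, const RANGE *Ram, size_t RamCount, RANGE *Out, size_t MaxOut)
{
  size_t n = 0;
  if (Start >= End || (Start % PAGE_SIZE) != 0 || (End % PAGE_SIZE) != 0) {
    return -1;
  }
  for (size_t i = 0; i < RamCount; i++) {
    uint64_t lo = (Ram[i].Start > Start) ? Ram[i].Start : Start;
    uint64_t hi = (Ram[i].End < End) ? Ram[i].End : End;
    if (lo < hi) {                  /* non-empty overlap with this RAM range */
      if (n == MaxOut) {
        return -1;                  /* more pieces than the caller can take */
      }
      Out[n++] = (RANGE){ lo, hi };
    }
  }
  return (int)n;
}

/* Classify a request by how much of it the validated pieces cover. */
RANGE_CLASS ClassifyRequest (uint64_t Start, uint64_t End, const RANGE *Ram, size_t RamCount)
{
  RANGE    pieces[MAX_SUBRANGES];
  uint64_t covered = 0;
  int      n = IntersectValidatedRam (Start, End, Ram, RamCount, pieces, MAX_SUBRANGES);
  if (n < 0) {
    return RANGE_INVALID;
  }
  for (int i = 0; i < n; i++) {
    covered += pieces[i].End - pieces[i].Start;
  }
  return (covered == 0) ? RANGE_NOT_RAM
       : (covered == End - Start) ? RANGE_ALL_RAM : RANGE_PARTIAL_RAM;
}

/* How many validated pieces a request against the sample table splits into. */
int SamplePieceCount (uint64_t Start, uint64_t End)
{
  RANGE pieces[MAX_SUBRANGES];
  return IntersectValidatedRam (Start, End, ValidatedRam, VALIDATED_RAM_COUNT, pieces, MAX_SUBRANGES);
}
```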