From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Brijesh Singh
Subject: [edk2-devel] [PATCH 1/3] OvmfPkg: introduce a common work area
Date: Wed, 4 Aug 2021 15:20:01 -0500
Message-ID: <20210804202003.17543-2-brijesh.singh@amd.com>
In-Reply-To: <20210804202003.17543-1-brijesh.singh@amd.com>
References: <20210804202003.17543-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Both the TDX and SEV support need to reserve a page in MEMFD as a work
area. The page will contain metadata specific to the guest type.

Currently, the SEV-ES support reserves a page in MEMFD (PcdSevEsWorkArea)
for the work area. This page can be reused as a TDX work area when Intel
TDX is enabled. Based on the discussion [1], it was agreed to rename the
SevEsWorkArea to the OvmfWorkArea, and add a header that can be used to
indicate the work area type.

[1] https://edk2.groups.io/g/devel/message/78262?p=,,,20,0,0,0::created,0,SNP,20,2,0,84476064

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec                        |  6 +++
 OvmfPkg/OvmfPkgX64.fdf                     |  9 +++-
 OvmfPkg/PlatformPei/PlatformPei.inf        |  4 +-
 OvmfPkg/Include/Library/MemEncryptSevLib.h | 21 +--------
 OvmfPkg/Include/WorkArea.h                 | 53 ++++++++++++++++++++++
 OvmfPkg/PlatformPei/MemDetect.c            | 32 ++++++-------
 6 files changed, 85 insertions(+), 40 deletions(-)
 create mode 100644 OvmfPkg/Include/WorkArea.h

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 2ab27f0c73c2..9d31ec45c78a 100644
--- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -330,6 +330,12 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase|0x0|UINT32|0x47 gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize|0x0|UINT32|0x48 =20 + ## The base address and size of the work area used during the SEC + # phase by the SEV and TDX supports. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|0|UINT32|0x49 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize|0|UINT32|0x50 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaHeaderSize|4|UINT32|0x51 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 5fa8c0895808..418e0ea5add4 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -83,7 +83,7 @@ [FD.MEMFD] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase|gUefiOvmfPkgTokenSpaceGuid.P= cdOvmfSecGhcbSize =20 0x00B000|0x001000 -gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase|gUefiCpuPkgTokenSpaceGuid.P= cdSevEsWorkAreaSize +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.= PcdOvmfWorkAreaSize =20 0x00C000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize 
@@ -99,6 +99,13 @@ [FD.MEMFD] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.= PcdOvmfDxeMemFvSize FV =3D DXEFV =20 +##########################################################################= ################ +# SEV specific PCD settings +SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaHeaderSize =3D 0x4 +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase =3D $(MEMFD_BASE_ADDRES= S) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpa= ceGuid.PcdOvmfWorkAreaHeaderSize +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize =3D gUefiOvmfPkgTokenSp= aceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaHea= derSize +##########################################################################= ################ + ##########################################################################= ###### =20 [FV.SECFV] diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 89d1f7636870..67eb7aa7166b 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -116,8 +116,8 @@ [FixedPcd] gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize - gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase - gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 76d06c206c8b..adc490e466ec 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -12,6 +12,7 @@ #define _MEM_ENCRYPT_SEV_LIB_H_ =20 #include +#include =20 // // Define the maximum number of #VCs allowed (e.g. the level of nesting 
@@ -36,26 +37,6 @@ typedef struct { VOID *GhcbBackupPages; } SEV_ES_PER_CPU_DATA; =20 -// -// Internal structure for holding SEV-ES information needed during SEC pha= se -// and valid only during SEC phase and early PEI during platform -// initialization. -// -// This structure is also used by assembler files: -// OvmfPkg/ResetVector/ResetVector.nasmb -// OvmfPkg/ResetVector/Ia32/PageTables64.asm -// OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm -// any changes must stay in sync with its usage. -// -typedef struct _SEC_SEV_ES_WORK_AREA { - UINT8 SevEsEnabled; - UINT8 Reserved1[7]; - - UINT64 RandomData; - - UINT64 EncryptionMask; -} SEC_SEV_ES_WORK_AREA; - // // Memory encryption address range states. // diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h new file mode 100644 index 000000000000..0aaad7e1da67 --- /dev/null +++ b/OvmfPkg/Include/WorkArea.h 
@@ -0,0 +1,53 @@ +/** @file + + Work Area structure definition + + Copyright (c) 2021, AMD Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef __OVMF_WORK_AREA_H__ +#define __OVMF_WORK_AREA_H__ + +// +// Internal structure for holding SEV-ES information needed during SEC pha= se +// and valid only during SEC phase and early PEI during platform +// initialization. +// +// This structure is also used by assembler files: +// OvmfPkg/ResetVector/ResetVector.nasmb +// OvmfPkg/ResetVector/Ia32/PageTables64.asm +// OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm +// any changes must stay in sync with its usage. +// +typedef struct _SEC_SEV_ES_WORK_AREA { + UINT8 SevEsEnabled; + UINT8 Reserved1[7]; + + UINT64 RandomData; + + UINT64 EncryptionMask; +} SEC_SEV_ES_WORK_AREA; + +// +// Guest type for the work area +// +typedef enum { + GUEST_TYPE_NON_ENCRYPTED, + GUEST_TYPE_AMD_SEV, + GUEST_TYPE_INTEL_TDX, + +} GUEST_TYPE; + +// +// The work area structure header definition. +// +typedef struct _OVMF_WORK_AREA { + UINT8 GuestType; + UINT8 Reserved1[3]; + + SEC_SEV_ES_WORK_AREA SevEsWorkArea; +} OVMF_WORK_AREA; + +#endif diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetec= t.c index 2deec128f464..4c53b0fdf2fe 100644 --- a/OvmfPkg/PlatformPei/MemDetect.c +++ b/OvmfPkg/PlatformPei/MemDetect.c 
@@ -939,23 +939,21 @@ InitializeRamRegions ( } =20 #ifdef MDE_CPU_X64 - if (MemEncryptSevEsIsEnabled ()) { - // - // If SEV-ES is enabled, reserve the SEV-ES work area. - // - // Since this memory range will be used by the Reset Vector on S3 - // resume, it must be reserved as ACPI NVS. - // - // If S3 is unsupported, then various drivers might still write to t= he - // work area. We ought to prevent DXE from serving allocation reques= ts - // such that they would overlap the work area. - // - BuildMemoryAllocationHob ( - (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaBase), - (UINT64)(UINTN) FixedPcdGet32 (PcdSevEsWorkAreaSize), - mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData - ); - } + // + // Reserve the work area. + // + // Since this memory range will be used by the Reset Vector on S3 + // resume, it must be reserved as ACPI NVS. + // + // If S3 is unsupported, then various drivers might still write to the + // work area. We ought to prevent DXE from serving allocation requests + // such that they would overlap the work area. + // + BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) FixedPcdGet32 (PcdOvmfWorkAreaBase), + (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfWorkAreaSize), + mS3Supported ? EfiACPIMemoryNVS : EfiBootServicesData + ); #endif } } --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
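Review bot: In the OvmfPkg.dec hunk the three new PCDs take token numbers 0x49, 0x50 and 0x51, which skips 0x4a through 0x4f right after the existing 0x47/0x48; if that is not deliberate, 0x4a and 0x4b keep the token space contiguous. `PcdOvmfWorkAreaHeaderSize|4` also duplicates the `SET ... PcdOvmfWorkAreaHeaderSize = 0x4` in the OvmfPkgX64.fdf hunk, so one of the two can go, and the comment should say what the 4 bytes are (the `GuestType` byte plus three reserved bytes of `OVMF_WORK_AREA`), since nothing in the build ties the number to the struct.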
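Review bot: In the OvmfPkgX64.fdf hunk at `@@ -99,6 +99,13 @@`, `PcdSevEsWorkAreaBase` is computed as `$(MEMFD_BASE_ADDRESS) + PcdOvmfWorkAreaBase + PcdOvmfWorkAreaHeaderSize`, while the `[FD.MEMFD]` region `0x00B000|0x001000` in the previous hunk also assigns `PcdOvmfWorkAreaBase`. Please confirm which value that PCD holds when the SET is evaluated: if the region assignment has already produced an absolute address, adding `$(MEMFD_BASE_ADDRESS)` counts the base twice; if it has not, the SET sees the .dec default of 0 and the SEV-ES area lands at the start of MEMFD instead of at the 0x00B000 page. A comment stating the intended resulting address next to the SET would make this checkable. The banner "SEV specific PCD settings" is also slightly off, since the first SET is the generic header size.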
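Review bot: In the WorkArea.h hunk, `OVMF_WORK_AREA` places `SEC_SEV_ES_WORK_AREA SevEsWorkArea` directly after the 4-byte header, but `SEC_SEV_ES_WORK_AREA` contains `UINT64` members, so under natural alignment the compiler puts that member at offset 8, whereas the fdf derives `PcdSevEsWorkAreaBase` as header base + 4 and the reset vector reads `SEV_ES_WORK_AREA` at that +4 address. No C code in this series dereferences `WorkArea->SevEsWorkArea` yet, but the header advertises a layout the assembler does not use. Pin it down with `STATIC_ASSERT (OFFSET_OF (OVMF_WORK_AREA, SevEsWorkArea) == 4, ...)` and then either make the header 8 bytes or pack the struct. Smaller points: give `GUEST_TYPE` explicit values (`GUEST_TYPE_AMD_SEV = 1`) because the assembler has to write the same literal; drop the blank line and trailing comma inside the enum; the moved comment still says "SEV-ES information" and lists the asm files that depend on the layout, so extend that sync warning to `OVMF_WORK_AREA`; and `__OVMF_WORK_AREA_H__` is a reserved identifier (leading double underscore).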
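Review bot: In the MemDetect.c hunk the allocation HOB is now built unconditionally on X64, where before it was gated on `MemEncryptSevEsIsEnabled ()`; with `mS3Supported` that page becomes ACPI NVS for every guest type, including non-confidential ones, and the commit message only talks about the rename, so state the intent there (presumably that the reset vector now writes the header for every guest, so the page must always be reserved). If `MemEncryptSevEsIsEnabled ()` was this file's only use of MemEncryptSevLib, the include and the library class in PlatformPei.inf can be dropped in the same patch.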
View/Reply Online (#78668): https://edk2.groups.io/g/devel/message/78668 Mute This Topic: https://groups.io/mt/84670984/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Brijesh Singh
Subject: [edk2-devel] [PATCH 2/3] OvmfPkg/ResetVector: update SEV support to use new work area format
Date: Wed, 4 Aug 2021 15:20:02 -0500
Message-ID: <20210804202003.17543-3-brijesh.singh@amd.com>
In-Reply-To: <20210804202003.17543-1-brijesh.singh@amd.com>
References: <20210804202003.17543-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Update the SEV support to switch to using the newer work area format.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Signed-off-by: Brijesh Singh
---
 OvmfPkg/ResetVector/ResetVector.inf       |  1 +
 OvmfPkg/Sec/SecMain.inf                   |  1 +
 OvmfPkg/Sec/SecMain.c                     | 25 ++++++++++++++++++++++-
 OvmfPkg/ResetVector/Ia32/AmdSev.asm       |  8 ++++++++
 OvmfPkg/ResetVector/Ia32/PageTables64.asm |  4 ++++
 OvmfPkg/ResetVector/ResetVector.nasmb     |  1 +
 6 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index d028c92d8cfa..6ec9cca40c3a 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -34,6 +34,7 @@ [BuildOptions] *_*_X64_NASMB_FLAGS =3D -I$(WORKSPACE)/UefiCpuPkg/ResetVector/Vtf0/ =20 [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 7f78dcee2772..82910dcbd5c2 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -56,6 +56,7 @@ [Ppis] gEfiTemporaryRamSupportPpiGuid # PPI ALWAYS_PRODUCED =20 [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2aa..dda572c7ad7d 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c
@@ -807,6 +807,29 @@ SevEsProtocolCheck ( Ghcb->GhcbUsage =3D GHCB_STANDARD_USAGE; } =20 +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that = it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +STATIC +BOOLEAN +IsSevGuest ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + WorkArea =3D (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); + + return ((WorkArea !=3D NULL) && (WorkArea->GuestType =3D=3D GUEST_TYPE_A= MD_SEV)); +} + /** Determine if SEV-ES is active. =20 @@ -828,7 +851,7 @@ SevEsIsEnabled ( =20 SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); =20 - return ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->SevEsEnabled !=3D 0= )); + return (((IsSevGuest()) && SevEsWorkArea !=3D NULL) && (SevEsWorkArea->S= evEsEnabled !=3D 0)); } =20 VOID diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index aa95d06eaddb..87d81b01e263 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -171,6 +171,9 @@ CheckSevFeatures: bt eax, 0 jnc NoSev =20 + ; Set the work area header to indicate that the SEV is enabled + mov byte[WORK_AREA_GUEST_TYPE], 1 + ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest @@ -257,6 +260,11 @@ SevExit: IsSevEsEnabled: xor eax, eax =20 + ; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set + ; to 1 if SEV is enabled. + cmp byte[WORK_AREA_GUEST_TYPE], 1 + jne SevEsDisabled + ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if ; SEV-ES is enabled. cmp byte[SEV_ES_WORK_AREA], 1 diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index eacdb69ddb9f..f688909f1c7d 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm 
@@ -42,6 +42,10 @@ BITS 32 ; SetCr3ForPageTables64: =20 + ; Clear the WorkArea header. The SEV probe routines will populate the + ; work area when detected. + mov byte[WORK_AREA_GUEST_TYPE], 0 + OneTimeCall CheckSevFeatures xor edx, edx test eax, eax diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index acec46a32450..d1d800c56745 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -72,6 +72,7 @@ %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) + %define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) --=20 2.17.1
View/Reply Online (#78669): https://edk2.groups.io/g/devel/message/78669
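Review bot: In the SecMain.c hunk, `IsSevGuest ()` casts `FixedPcdGet32 (PcdOvmfWorkAreaBase)` to a pointer and then compares it with NULL; a fixed-at-build address assigned by the fdf cannot be NULL at run time, so that check (and the existing `SevEsWorkArea != NULL`) is dead code and hides the real question, which is whether the page has been initialised. The new return expression `(((IsSevGuest()) && SevEsWorkArea != NULL) && (...))` has uneven grouping and edk2 style wants a space before the call parenthesis; `return IsSevGuest () && (SevEsWorkArea->SevEsEnabled != 0);` says the same thing. Also, `SevEsWorkArea` is still taken from `PcdSevEsWorkAreaBase` rather than `&WorkArea->SevEsWorkArea`, so the one place where the C struct layout and the PCD arithmetic from patch 1 could be cross-checked does not do so. Doc comment nit: "Determine if the SEV is active" reads better as "Determine if SEV is active".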
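Review bot: In the AmdSev.asm hunk at `@@ -171,6 +171,9 @@`, `mov byte[WORK_AREA_GUEST_TYPE], 1` writes the enumerator value of `GUEST_TYPE_AMD_SEV` as a bare literal, and `IsSevEsEnabled` compares against the same literal in the next hunk; name it next to the `WORK_AREA_GUEST_TYPE` define (`%define GUEST_TYPE_AMD_SEV 1`) and give the C enum the same explicit value so the two sides cannot drift apart. The comment "indicate that the SEV is enabled" should read "that SEV is enabled".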
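Review bot: In the PageTables64.asm hunk only the single `GuestType` byte is zeroed before `OneTimeCall CheckSevFeatures`; the three reserved header bytes and the `SevEsEnabled` byte in the SEV-ES area keep whatever value they had. That is safe today because `IsSevEsEnabled` tests `WORK_AREA_GUEST_TYPE` first, but the comment says "Clear the WorkArea header", so either clear the whole 4-byte header (`mov dword[WORK_AREA_GUEST_TYPE], 0`) or narrow the comment to the byte that is cleared. It is worth saying in the commit message that this path also runs on S3 resume (the reason patch 1 reserves the page as ACPI NVS), so this clear is what stops a guest type left over from the previous boot from being trusted before the CPUID probe has run.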
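Review bot: In the ResetVector.nasmb hunk, `WORK_AREA_GUEST_TYPE` is defined as the raw `PcdOvmfWorkAreaBase`, which is only correct because `GuestType` is the first field of `OVMF_WORK_AREA`; the `SEV_ES_WORK_AREA*` defines that follow are still computed from `PcdSevEsWorkAreaBase`, which the fdf in patch 1 sets to the same base plus the header size. The layout is therefore encoded three times (fdf SET, C struct, these defines). Deriving them from one base with named offsets (`WORK_AREA_BASE + WORK_AREA_HEADER_SIZE`, `+ 8`, `+ 16`) would keep a future change to the header size, which the `UINT64` alignment of `SEC_SEV_ES_WORK_AREA` may force, from silently breaking the assembler view.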
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Brijesh Singh
Subject: [edk2-devel] [PATCH 3/3] OvmfPkg/ResetVector: move the GHCB page setup in AmdSev.asm
Date: Wed, 4 Aug 2021 15:20:03 -0500
Message-ID: <20210804202003.17543-4-brijesh.singh@amd.com>
In-Reply-To: <20210804202003.17543-1-brijesh.singh@amd.com>
References: <20210804202003.17543-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

While building the initial page table, SetCr3ForPageTables64 checks whether SEV-ES is enabled. If so, it clears the page encryption mask from the GHCB page. Move the logic to clear the page encryption mask into AmdSev.asm.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Signed-off-by: Brijesh Singh
---
 OvmfPkg/ResetVector/Ia32/AmdSev.asm       | 113 +++++++++++++++++-----
 OvmfPkg/ResetVector/Ia32/PageTables64.asm |  53 ++--------
 2 files changed, 94 insertions(+), 72 deletions(-)

diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index 87d81b01e263..fd2e6abcd4a0 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -44,6 +44,27 @@ BITS 32 ; The unexpected response code %define TERM_UNEXPECTED_RESP_CODE 2 =20 +%define PAGE_PRESENT 0x01 +%define PAGE_READ_WRITE 0x02 +%define PAGE_USER_SUPERVISOR 0x04 +%define PAGE_WRITE_THROUGH 0x08 +%define PAGE_CACHE_DISABLE 0x010 +%define PAGE_ACCESSED 0x020 +%define PAGE_DIRTY 0x040 +%define PAGE_PAT 0x080 +%define PAGE_GLOBAL 0x0100 +%define PAGE_2M_MBO 0x080 +%define PAGE_2M_PAT 0x01000 + +%define PAGE_4K_PDE_ATTR (PAGE_ACCESSED + \ + PAGE_DIRTY + \ + PAGE_READ_WRITE + \ + PAGE_PRESENT) + +%define PAGE_PDP_ATTR (PAGE_ACCESSED + \ + PAGE_READ_WRITE + \ + PAGE_PRESENT) + =20 ; Macro is used to issue the MSR protocol based VMGEXIT. The caller is ; responsible to populate values in the EDX:EAX registers. After the vmmca= ll
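Review bot: the PAGE_* block and the PAGE_4K_PDE_ATTR / PAGE_PDP_ATTR macros added at the top of AmdSev.asm duplicate definitions that PageTables64.asm must still carry, because the code this patch removes from that file uses PAGE_PDP_ATTR and PAGE_4K_PDE_ATTR and no %define is deleted there. Both files end up in the same ResetVector assembly, so this is two copies of the same macro set that have to be kept in sync by hand. Keep a single definition, either by moving the PAGE_* macros into a shared include that both files pull in, or by dropping the copies from PageTables64.asm now that the only user of PAGE_4K_PDE_ATTR and PAGE_PDP_ATTR lives in AmdSev.asm; failing that, add a comment at both sites saying they must match.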
@@ -117,6 +138,72 @@ BITS 32 SevEsUnexpectedRespTerminate: TerminateVmgExit TERM_UNEXPECTED_RESP_CODE =20 +; If SEV-ES is enabled then initialize the make the GHCB page shared +SevClearPageEncMaskFromGHCBPage: + ; Check if SEV is enabled + cmp byte[WORK_AREA_GUEST_TYPE], 1 + jnz SevClearPageEncMaskFromGHCBPageExit + + ; Check if SEV-ES is enabled + cmp byte[SEV_ES_WORK_AREA], 1 + jnz SevClearPageEncMaskFromGHCBPageExit + + ; + ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted. + ; This requires the 2MB page for this range be broken down into 512 4KB + ; pages. All will be marked encrypted, except for the GHCB. + ; + mov ecx, (GHCB_BASE >> 21) + mov eax, GHCB_PT_ADDR + PAGE_PDP_ATTR + mov [ecx * 8 + PT_ADDR (0x2000)], eax + + ; + ; Page Table Entries (512 * 4KB entries =3D> 2MB) + ; + mov ecx, 512 +pageTableEntries4kLoop: + mov eax, ecx + dec eax + shl eax, 12 + add eax, GHCB_BASE & 0xFFE0_0000 + add eax, PAGE_4K_PDE_ATTR + mov [ecx * 8 + GHCB_PT_ADDR - 8], eax + mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx + loop pageTableEntries4kLoop + + ; + ; Clear the encryption bit from the GHCB entry + ; + mov ecx, (GHCB_BASE & 0x1F_FFFF) >> 12 + mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0 + + mov ecx, GHCB_SIZE / 4 + xor eax, eax +clearGhcbMemoryLoop: + mov dword[ecx * 4 + GHCB_BASE - 4], eax + loop clearGhcbMemoryLoop + +SevClearPageEncMaskFromGHCBPageExit: + OneTimeCallRet SevClearPageEncMaskFromGHCBPage + +; Check if SEV is enabled, and get the C-bit mask above 31. +; Modified: EDX +; +; The value is returned in the EDX +GetSevCBitMaskAbove31: + ; Check if SEV is enabled + cmp byte[WORK_AREA_GUEST_TYPE], 1 + jnz NoCbitValue + + mov edx, dword[SEV_ES_WORK_AREA_ENC_MASK + 4] + jmp GetSevCBitMaskAbove31Exit + +NoCbitValue: + xor edx, edx + +GetSevCBitMaskAbove31Exit: + OneTimeCallRet GetSevCBitMaskAbove31 + ; Check if Secure Encrypted Virtualization (SEV) features are enabled. ; ; Register usage is tight in this routine, so multiple calls for the 
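Review bot: SevClearPageEncMaskFromGHCBPage silently depends on EDX already holding the C-bit mask above 31: the 4K loop stores it with `mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx`, but nothing in the routine loads EDX and the header comment does not mention the input; the routine also clobbers EAX and ECX without a "Modified:" line, unlike GetSevCBitMaskAbove31 right below it, which does document "Modified: EDX". Either make the routine self-contained by loading the mask at the top (`mov edx, dword[SEV_ES_WORK_AREA_ENC_MASK + 4]`, as GetSevCBitMaskAbove31 does), or document "Input: EDX = C-bit mask above 31; Modified: EAX, ECX" so a future caller cannot reach it with a stale EDX. While here, the `mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0` store clears the whole upper dword of the GHCB PTE rather than only the C-bit; that is correct because GHCB_BASE is below 4 GB and the entry carries no NX bit, but that assumption deserves a comment now that the code lives away from the rest of the page-table build. Also fix the header comment typo "initialize the make the GHCB page shared".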
@@ -249,32 +336,6 @@ SevExit: =20 OneTimeCallRet CheckSevFeatures =20 -; Check if Secure Encrypted Virtualization - Encrypted State (SEV-ES) feat= ure -; is enabled. -; -; Modified: EAX -; -; If SEV-ES is enabled then EAX will be non-zero. -; If SEV-ES is disabled then EAX will be zero. -; -IsSevEsEnabled: - xor eax, eax - - ; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set - ; to 1 if SEV is enabled. - cmp byte[WORK_AREA_GUEST_TYPE], 1 - jne SevEsDisabled - - ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if - ; SEV-ES is enabled. - cmp byte[SEV_ES_WORK_AREA], 1 - jne SevEsDisabled - - mov eax, 1 - -SevEsDisabled: - OneTimeCallRet IsSevEsEnabled - ; Start of #VC exception handling routines ; =20 diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index f688909f1c7d..0e8ba4dde534 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -46,16 +46,13 @@ SetCr3ForPageTables64: ; work area when detected. mov byte[WORK_AREA_GUEST_TYPE], 0 =20 + ; Check whether the SEV is active and populate the SevEsWorkArea OneTimeCall CheckSevFeatures - xor edx, edx - test eax, eax - jz SevNotActive =20 - ; If SEV is enabled, C-bit is always above 31 - sub eax, 32 - bts edx, eax - -SevNotActive: + ; If SEV is enabled, the C-bit position is always above 31. + ; The mask will be saved in the EDX and applied during the + ; the page table build below. + OneTimeCall GetSevCBitMaskAbove31 =20 ; ; For OVMF, build some initial page tables at 
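Review bot: in the PageTables64.asm hunk the EAX result of `OneTimeCall CheckSevFeatures` is now unused: the removed `test eax, eax` / `sub eax, 32` / `bts edx, eax` sequence derived the mask from that return value, whereas GetSevCBitMaskAbove31 reads it back from `SEV_ES_WORK_AREA_ENC_MASK + 4` instead. That is only equivalent if CheckSevFeatures stores the full encryption mask there for every SEV guest, not just SEV-ES ones, since plain SEV guests also need the C-bit in the page tables built below; the new comment "Check whether the SEV is active and populate the SevEsWorkArea" should say exactly that, and the comment under it has a doubled word ("applied during the the page table build"). Removing IsSevEsEnabled from AmdSev.asm is fine, as its two checks (WORK_AREA_GUEST_TYPE and SEV_ES_WORK_AREA) are reproduced inside SevClearPageEncMaskFromGHCBPage.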
@@ -105,44 +102,8 @@ pageTableEntriesLoop: mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx loop pageTableEntriesLoop =20 - OneTimeCall IsSevEsEnabled - test eax, eax - jz SetCr3 - - ; - ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted. - ; This requires the 2MB page for this range be broken down into 512 4KB - ; pages. All will be marked encrypted, except for the GHCB. - ; - mov ecx, (GHCB_BASE >> 21) - mov eax, GHCB_PT_ADDR + PAGE_PDP_ATTR - mov [ecx * 8 + PT_ADDR (0x2000)], eax - - ; - ; Page Table Entries (512 * 4KB entries =3D> 2MB) - ; - mov ecx, 512 -pageTableEntries4kLoop: - mov eax, ecx - dec eax - shl eax, 12 - add eax, GHCB_BASE & 0xFFE0_0000 - add eax, PAGE_4K_PDE_ATTR - mov [ecx * 8 + GHCB_PT_ADDR - 8], eax - mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx - loop pageTableEntries4kLoop - - ; - ; Clear the encryption bit from the GHCB entry - ; - mov ecx, (GHCB_BASE & 0x1F_FFFF) >> 12 - mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0 - - mov ecx, GHCB_SIZE / 4 - xor eax, eax -clearGhcbMemoryLoop: - mov dword[ecx * 4 + GHCB_BASE - 4], eax - loop clearGhcbMemoryLoop + ; Clear the C-bit from the GHCB page if the SEV-ES is enabled. + OneTimeCall SevClearPageEncMaskFromGHCBPage =20 SetCr3: ;
-- 
2.17.1

View/Reply Online (#78670): https://edk2.groups.io/g/devel/message/78670
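Review bot: the call-site comment "Clear the C-bit from the GHCB page if the SEV-ES is enabled" under-describes what `OneTimeCall SevClearPageEncMaskFromGHCBPage` does on the SEV-ES path: the code it replaces also swaps the 2MB PDE for the GHCB range for a 4K page table at GHCB_PT_ADDR and zeroes GHCB_SIZE bytes at GHCB_BASE, and the callee still consumes the EDX value that pageTableEntriesLoop above relied on. Say so in the comment (for example "split the GHCB 2MB mapping into 4K pages, clear the C-bit from the GHCB page and zero it; expects EDX = C-bit mask above 31") and drop "the" before "SEV-ES". Dropping the `test eax, eax` / `jz SetCr3` guard is fine since the guest-type checks now sit inside the routine, but that is worth a sentence in the commit message too, because the non-SEV path now enters the routine and returns rather than skipping it.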
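The page-table split that this patch moves into AmdSev.asm, written out as an added C model; this is example code, not OVMF's own code and not part of the patch. GHCB_BASE, GHCB_SIZE and GHCB_PT_ADDR are assumed values standing in for the PCDs OVMF resolves at build time, and the C-bit position 47 used in main is assumed as well (a real guest reads the position from CPUID Fn8000_001F). It shows the state the assembly leaves behind: every PTE in the GHCB's 2MB region identity-maps its page with the C-bit set, except the single GHCB page, which loses the C-bit and is therefore shared with the hypervisor.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PTE attribute bits, mirroring the %define block added to AmdSev.asm. */
#define PAGE_PRESENT        0x01ULL
#define PAGE_READ_WRITE     0x02ULL
#define PAGE_ACCESSED       0x20ULL
#define PAGE_DIRTY          0x40ULL
#define PAGE_4K_PDE_ATTR    (PAGE_ACCESSED | PAGE_DIRTY | PAGE_READ_WRITE | PAGE_PRESENT)
#define PAGE_PDP_ATTR       (PAGE_ACCESSED | PAGE_READ_WRITE | PAGE_PRESENT)

/* Assumed addresses (hypothetical; OVMF takes the real ones from PCDs at build time). */
#define GHCB_BASE           0x00809000ULL   /* GHCB page: below 4 GB, inside one 2MB region */
#define GHCB_SIZE           0x2000ULL       /* bytes zeroed by clearGhcbMemoryLoop */
#define GHCB_PT_ADDR        0x00808000ULL   /* 4K page table that replaces the 2MB PDE */

#define ENTRIES             512
#define PAGE_4K             0x1000ULL
#define PAGE_2M             (1ULL << 21)

/* Simulated page-table memory: one page directory plus the GHCB region's 4K table. */
struct pt_state {
    uint64_t pd[ENTRIES];        /* stands in for PT_ADDR (0x2000) */
    uint64_t ghcb_pt[ENTRIES];   /* stands in for the table at GHCB_PT_ADDR */
    uint8_t  ghcb[GHCB_SIZE];    /* stands in for the memory at GHCB_BASE */
};

/* GetSevCBitMaskAbove31: under SEV the C-bit position is always >= 32, so the
 * mask fits in the upper dword of a PTE (asm: sub eax, 32 ; bts edx, eax). */
static uint32_t cbit_mask_above31(unsigned cbit_pos, int sev_enabled)
{
    if (!sev_enabled || cbit_pos < 32)
        return 0;                       /* NoCbitValue: xor edx, edx */
    return 1u << (cbit_pos - 32);
}

/* SevClearPageEncMaskFromGHCBPage, with the implicit EDX input passed explicitly. */
static void sev_clear_enc_mask_from_ghcb_page(struct pt_state *s, uint32_t edx_mask_hi,
                                              int sev_es_enabled)
{
    if (!sev_es_enabled)
        return;
    uint64_t cbit   = (uint64_t)edx_mask_hi << 32;
    uint64_t region = GHCB_BASE & ~(PAGE_2M - 1);

    /* Replace the 2MB PDE covering GHCB_BASE with a pointer to the 4K table. */
    s->pd[(GHCB_BASE >> 21) & (ENTRIES - 1)] = GHCB_PT_ADDR | PAGE_PDP_ATTR;

    /* pageTableEntries4kLoop: 512 identity-mapped 4K PTEs, all with the C-bit set. */
    for (unsigned i = 0; i < ENTRIES; i++)
        s->ghcb_pt[i] = (region + i * PAGE_4K) | PAGE_4K_PDE_ATTR | cbit;

    /* Share only the GHCB page. The asm stores 0 into the whole upper dword, which equals
     * clearing just the C-bit here because the address is below 4 GB and NX is not set. */
    s->ghcb_pt[(GHCB_BASE & (PAGE_2M - 1)) >> 12] &= ~cbit;

    /* clearGhcbMemoryLoop: the page was last written through an encrypted mapping, so
     * start the now-shared GHCB from a defined all-zero state. */
    memset(s->ghcb, 0, GHCB_SIZE);
}

/* Walk the simulated tables for a physical address inside the split 2MB region. */
static uint64_t lookup_pte(const struct pt_state *s, uint64_t pa)
{
    uint64_t pde = s->pd[(pa >> 21) & (ENTRIES - 1)];
    if (!(pde & PAGE_PRESENT) || (pde & ~0xFFFULL) != GHCB_PT_ADDR)
        return 0;                       /* region not split, or outside the model */
    return s->ghcb_pt[(pa & (PAGE_2M - 1)) >> 12];
}

/* A present PTE without the C-bit is a shared (hypervisor-readable) page. */
static int pte_is_shared(uint64_t pte, unsigned cbit_pos)
{
    return (pte & PAGE_PRESENT) && !(pte & (1ULL << cbit_pos));
}

/* Build fresh tables and return the PTE for pa. */
static uint64_t pte_for(uint64_t pa, unsigned cbit_pos, int sev_es_enabled)
{
    static struct pt_state s;
    memset(&s, 0, sizeof s);
    sev_clear_enc_mask_from_ghcb_page(&s, cbit_mask_above31(cbit_pos, sev_es_enabled),
                                      sev_es_enabled);
    return lookup_pte(&s, pa);
}

int main(void)
{
    uint64_t pte = pte_for(GHCB_BASE, 47, 1);
    printf("GHCB PTE %#018llx shared=%d\n", (unsigned long long)pte, pte_is_shared(pte, 47));
    pte = pte_for(GHCB_BASE + PAGE_4K, 47, 1);
    printf("next PTE %#018llx shared=%d\n", (unsigned long long)pte, pte_is_shared(pte, 47));
    return 0;
}
```

The model makes the review point about EDX explicit: the mask is a parameter of sev_clear_enc_mask_from_ghcb_page rather than a register the caller happens to leave behind, and pte_is_shared is the check a practitioner can run to confirm that exactly one page in the region lost its C-bit.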