From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 01/31] OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
Date: Mon, 13 Sep 2021 13:19:11 -0500
Message-ID: <20210913181941.23405-2-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Move all the SEV specific functions to AmdSev.c.

No functional change intended.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- OvmfPkg/Sec/SecMain.inf | 1 + OvmfPkg/Sec/AmdSev.h | 72 ++++++++++++++++++ OvmfPkg/Sec/AmdSev.c | 161 ++++++++++++++++++++++++++++++++++++++++ OvmfPkg/Sec/SecMain.c | 153 +------------------------------------- 4 files changed, 236 insertions(+), 151 deletions(-) create mode 100644 OvmfPkg/Sec/AmdSev.h create mode 100644 OvmfPkg/Sec/AmdSev.c diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index ea4b9611f52d..9523a8ea6c8f 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -23,6 +23,7 @@ [Defines] =20 [Sources] SecMain.c + AmdSev.c =20 [Sources.IA32] Ia32/SecEntry.nasm diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h new file mode 100644 index 000000000000..adad96d23189 --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.h @@ -0,0 +1,72 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _AMD_SEV_SEC_INTERNAL_H__ +#define _AMD_SEV_SEC_INTERNAL_H__ + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ); + + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor + and the guest intersect. If they don't intersect, request termination. + +**/ +VOID +SevEsProtocolCheck ( + VOID + ); + +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that = it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +BOOLEAN +IsSevGuest ( + VOID + ); + +/** + Determine if SEV-ES is active. + + During early booting, SEV-ES support code will set a flag to indicate th= at + SEV-ES is enabled. Return the value of this flag as an indicator that SE= V-ES + is enabled. + + @retval TRUE SEV-ES is enabled + @retval FALSE SEV-ES is not enabled + +**/ +BOOLEAN +SevEsIsEnabled ( + VOID + ); + +#endif diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c new file mode 100644 index 000000000000..3b4adaae32c7 --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.c @@ -0,0 +1,161 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +#include "AmdSev.h" + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode =3D ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor + and the guest intersect. If they don't intersect, request termination. 
+ +**/ +VOID +SevEsProtocolCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + GHCB *Ghcb; + + // + // Use the GHCB MSR Protocol to obtain the GHCB SEV-ES Information for + // protocol checking + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbInfo.Function =3D GHCB_INFO_SEV_INFO_GET; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + if (Msr.GhcbInfo.Function !=3D GHCB_INFO_SEV_INFO) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + if (Msr.GhcbProtocol.SevEsProtocolMin > Msr.GhcbProtocol.SevEsProtocolMa= x) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + if ((Msr.GhcbProtocol.SevEsProtocolMin > GHCB_VERSION_MAX) || + (Msr.GhcbProtocol.SevEsProtocolMax < GHCB_VERSION_MIN)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + // + // SEV-ES protocol checking succeeded, set the initial GHCB address + // + Msr.GhcbPhysicalAddress =3D FixedPcdGet32 (PcdOvmfSecGhcbBase); + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + Ghcb =3D Msr.Ghcb; + SetMem (Ghcb, sizeof (*Ghcb), 0); + + // + // Set the version to the maximum that can be supported + // + Ghcb->ProtocolVersion =3D MIN (Msr.GhcbProtocol.SevEsProtocolMax, GHCB_V= ERSION_MAX); + Ghcb->GhcbUsage =3D GHCB_STANDARD_USAGE; +} + +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that = it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +BOOLEAN +IsSevGuest ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + // + // Ensure that the size of the Confidential Computing work area header + // is same as what is provided through a fixed PCD. 
+ // + ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeade= r) =3D=3D + sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); + + WorkArea =3D (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); + + return ((WorkArea !=3D NULL) && (WorkArea->Header.GuestType =3D=3D GUEST= _TYPE_AMD_SEV)); +} + +/** + Determine if SEV-ES is active. + + During early booting, SEV-ES support code will set a flag to indicate th= at + SEV-ES is enabled. Return the value of this flag as an indicator that SE= V-ES + is enabled. + + @retval TRUE SEV-ES is enabled + @retval FALSE SEV-ES is not enabled + +**/ +BOOLEAN +SevEsIsEnabled ( + VOID + ) +{ + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + + if (!IsSevGuest()) { + return FALSE; + } + + SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); + + return (SevEsWorkArea->SevEsEnabled !=3D 0); +} diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 707b0d4bbff4..406e3a25d0cd 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -26,12 +26,11 @@ #include #include #include -#include -#include -#include =20 #include =20 +#include "AmdSev.h" + #define SEC_IDT_ENTRY_COUNT 34 =20 typedef struct _SEC_IDT_TABLE { 
@@ -717,154 +716,6 @@ FindAndReportEntryPoints ( return; } =20 -/** - Handle an SEV-ES/GHCB protocol check failure. - - Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest - wishes to be terminated. - - @param[in] ReasonCode Reason code to provide to the hypervisor for the - termination request. - -**/ -STATIC -VOID -SevEsProtocolFailure ( - IN UINT8 ReasonCode - ) -{ - MSR_SEV_ES_GHCB_REGISTER Msr; - - // - // Use the GHCB MSR Protocol to request termination by the hypervisor - // - Msr.GhcbPhysicalAddress =3D 0; - Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; - Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; - Msr.GhcbTerminate.ReasonCode =3D ReasonCode; - AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); - - AsmVmgExit (); - - ASSERT (FALSE); - CpuDeadLoop (); -} - -/** - Validate the SEV-ES/GHCB protocol level. - - Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor - and the guest intersect. If they don't intersect, request termination. 
- -**/ -STATIC -VOID -SevEsProtocolCheck ( - VOID - ) -{ - MSR_SEV_ES_GHCB_REGISTER Msr; - GHCB *Ghcb; - - // - // Use the GHCB MSR Protocol to obtain the GHCB SEV-ES Information for - // protocol checking - // - Msr.GhcbPhysicalAddress =3D 0; - Msr.GhcbInfo.Function =3D GHCB_INFO_SEV_INFO_GET; - AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); - - AsmVmgExit (); - - Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); - - if (Msr.GhcbInfo.Function !=3D GHCB_INFO_SEV_INFO) { - SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); - } - - if (Msr.GhcbProtocol.SevEsProtocolMin > Msr.GhcbProtocol.SevEsProtocolMa= x) { - SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); - } - - if ((Msr.GhcbProtocol.SevEsProtocolMin > GHCB_VERSION_MAX) || - (Msr.GhcbProtocol.SevEsProtocolMax < GHCB_VERSION_MIN)) { - SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); - } - - // - // SEV-ES protocol checking succeeded, set the initial GHCB address - // - Msr.GhcbPhysicalAddress =3D FixedPcdGet32 (PcdOvmfSecGhcbBase); - AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); - - Ghcb =3D Msr.Ghcb; - SetMem (Ghcb, sizeof (*Ghcb), 0); - - // - // Set the version to the maximum that can be supported - // - Ghcb->ProtocolVersion =3D MIN (Msr.GhcbProtocol.SevEsProtocolMax, GHCB_V= ERSION_MAX); - Ghcb->GhcbUsage =3D GHCB_STANDARD_USAGE; -} - -/** - Determine if the SEV is active. - - During the early booting, GuestType is set in the work area. Verify that = it - is an SEV guest. - - @retval TRUE SEV is enabled - @retval FALSE SEV is not enabled - -**/ -STATIC -BOOLEAN -IsSevGuest ( - VOID - ) -{ - OVMF_WORK_AREA *WorkArea; - - // - // Ensure that the size of the Confidential Computing work area header - // is same as what is provided through a fixed PCD. 
- // - ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeade= r) =3D=3D - sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); - - WorkArea =3D (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); - - return ((WorkArea !=3D NULL) && (WorkArea->Header.GuestType =3D=3D GUEST= _TYPE_AMD_SEV)); -} - -/** - Determine if SEV-ES is active. - - During early booting, SEV-ES support code will set a flag to indicate th= at - SEV-ES is enabled. Return the value of this flag as an indicator that SE= V-ES - is enabled. - - @retval TRUE SEV-ES is enabled - @retval FALSE SEV-ES is not enabled - -**/ -STATIC -BOOLEAN -SevEsIsEnabled ( - VOID - ) -{ - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; - - if (!IsSevGuest()) { - return FALSE; - } - - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); - - return (SevEsWorkArea->SevEsEnabled !=3D 0); -} - VOID EFIAPI SecCoreStartupWithStack ( --=20 2.17.1
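Review bot: In the new OvmfPkg/Sec/AmdSev.h, the include guard _AMD_SEV_SEC_INTERNAL_H__ starts with an underscore followed by an uppercase letter, a form C reserves for the implementation, and its leading and trailing underscores do not match. Suggest AMD_SEV_SEC_INTERNAL_H_ in both the #ifndef and the #define. The header also declares prototypes using VOID, BOOLEAN and UINT8 without including anything itself, so it only compiles when the includer has already pulled in the base types; either include the base types header here or note the dependency in the file comment.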
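Review bot: In the new OvmfPkg/Sec/AmdSev.c, IsSevGuest() tests WorkArea != NULL before reading Header.GuestType, but SevEsIsEnabled() dereferences SevEsWorkArea->SevEsEnabled with no equivalent check on the pointer built from PcdSevEsWorkAreaBase. Both pointers come from fixed PCDs, so either apply the check in both functions or drop it in both and say in a comment why the base cannot be zero. Separately, the work-area header size is verified only by ASSERT, which is compiled out of release builds; both sides of the comparison are build-time values, so a STATIC_ASSERT would catch a mismatch in every build, provided the PCD value is usable in a constant expression here. The moved code also keeps sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER) and IsSevGuest() without the space before the parenthesis that the rest of the file uses, for example sizeof (*Ghcb).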
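Review bot: In the OvmfPkg/Sec/SecMain.c hunk at @@ -717,154 +716,6 @@, all four removed functions were STATIC, while their replacements in AmdSev.c are not, so SevEsProtocolFailure, SevEsProtocolCheck, IsSevGuest and SevEsIsEnabled now have external linkage in the Sec module. The commit message says no functional change is intended, so the linkage change deserves a sentence there. If SecMain.c does not call SevEsProtocolFailure directly, keep it STATIC in AmdSev.c and drop its prototype from AmdSev.h; for the others, a Sec-specific prefix would avoid a clash with any library linked into SecMain that defines the same name.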
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 02/31] OvmfPkg/ResetVector: move clearing GHCB in SecMain
Date: Mon, 13 Sep 2021 13:19:12 -0500
Message-ID: <20210913181941.23405-3-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

In preparation for SEV-SNP support, move clearing of the GHCB memory from the ResetVector/AmdSev.asm to SecMain/AmdSev.c. The GHCB page is not accessed until SevEsProtocolCheck() switches to full GHCB. So, the move does not make any changes in the code flow or logic. The move will simplify the SEV-SNP support.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Signed-off-by: Brijesh Singh
--- OvmfPkg/Sec/AmdSev.c | 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 6 ------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 3b4adaae32c7..7f74e8bfe88e 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -95,7 +95,7 @@ SevEsProtocolCheck ( AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); =20 Ghcb =3D Msr.Ghcb; - SetMem (Ghcb, sizeof (*Ghcb), 0); + SetMem (Ghcb, FixedPcdGet32 (PcdOvmfSecGhcbSize), 0); =20 // // Set the version to the maximum that can be supported diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index 250ac8d8b180..48d9178168b0 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm 
@@ -177,12 +177,6 @@ pageTableEntries4kLoop: mov ecx, (GHCB_BASE & 0x1F_FFFF) >> 12 mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0 =20 - mov ecx, GHCB_SIZE / 4 - xor eax, eax -clearGhcbMemoryLoop: - mov dword[ecx * 4 + GHCB_BASE - 4], eax - loop clearGhcbMemoryLoop - SevClearPageEncMaskForGhcbPageExit: OneTimeCallRet SevClearPageEncMaskForGhcbPage =20 --=20 2.17.1
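Review bot: In the SevEsProtocolCheck() hunk of OvmfPkg/Sec/AmdSev.c, SetMem now clears FixedPcdGet32 (PcdOvmfSecGhcbSize) bytes through a GHCB pointer whose clear was previously bounded by sizeof (*Ghcb), and nothing in the visible lines explains why the length is no longer the structure size. A one-line comment saying that the whole reserved GHCB range is cleared here, taking over from the removed assembly loop that used GHCB_SIZE, would make the intent reviewable. The diffstat touches only AmdSev.c and AmdSev.asm, so please also confirm that PcdOvmfSecGhcbSize is already listed in SecMain.inf; otherwise FixedPcdGet32 will not resolve at build time.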
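Review bot: In the OvmfPkg/ResetVector/Ia32/AmdSev.asm hunk at @@ -177,12 +177,6 @@, removing clearGhcbMemoryLoop means the GHCB range keeps whatever contents it had from SevClearPageEncMaskForGhcbPage until SevEsProtocolCheck() runs SetMem. The commit message states that nothing accesses the page in that window; a comment at SevClearPageEncMaskForGhcbPageExit recording that the clear now happens in Sec/AmdSev.c would keep that assumption visible to anyone who later adds an early GHCB access. Also check whether GHCB_SIZE still has a user in the reset vector after this removal.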
b=dvfKHZtYlXafjzjZXi20LwaO5lz1FxjlwZEZ/qt8W7420vb9/pxIC1PqmE+ynfyYGzoB7DrJXSsJ+qerKdg4CBxXUhuLTmDYC+V0t6TRu/IxdRqhiUYCVIzzf3IQGwCk3HsiCC7ld6tSlDE8iQdQBB3ZyUaL0XC29WXvF0ry16mIEPOiSnfkOBZn+T83KZtfijRzlwVQVI6YFsJ6RhHSVfK64+wLB4p2Sq8Jey45EO1P6o+tL5PkBsd2DrWyhUKUbvrocpAtwt8OodUQ0hXlWYG7TYrt71ZgIR2pdZU9bxt4y72K0VAgJX6FOVx/+4lG+wOX20u2WFar5owxdbpCgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1jq5l7G88SN2JAF+bE5aAmWyCMze1id5BI4sMXQRvfs=; b=SNNofd5Qr8me68sdCJVCsLjgVzDgofKv14YdRZHcw8lm91b3WpWIPQPhvXTaATLyGQ9Iy6DcVqLUrW0sLLQt0XYr/2+UUO9wqUdTBqoqLrlTAsbrNDcanwinxQGdsc+yEOWoF0yYPsZpRTZO1mG3O1MeeKSbXituNVAURFwm5PKB7+IPo/VhuT7rI2pxRZFiWhpzpcSjR8OCjdoJe3xGORkFRKHKrLKAwwwcfWvwQHDCYTpMaCU6eWF90IstWXfGxe9YPemSy6rMbe1vs1PMzQSTZEW8MmslrKAwx7CFup+MIeNLkyTSFqiTedymy+G4emVv8gl6G5ecsG0S8ipmPw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) by SN1PR12MB2512.namprd12.prod.outlook.com (2603:10b6:802:31::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.14; Mon, 13 Sep 2021 18:20:00 +0000 X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3]) by SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3%6]) with mapi id 15.20.4500.019; Mon, 13 Sep 2021 18:20:00 +0000 
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 03/31] OvmfPkg/ResetVector: introduce metadata descriptor for VMM use
Date: Mon, 13 Sep 2021 13:19:13 -0500
Message-ID: <20210913181941.23405-4-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The OvmfPkgX86 build reserves memory regions in MEMFD. The memory regions get accessed in the SEC phase. Both Intel TDX and AMD SEV-SNP require that the guest's private memory be accepted or validated before access.

Introduce a Guided metadata structure that describes the reserved memory regions. The VMM can locate the metadata structure by iterating through the reset vector guid and process the areas based on the platform specific requirements.

Min Xu introduced the metadata structure concept in the TDX patch series [1].

[1] https://www.mail-archive.com/devel@edk2.groups.io/msg33605.html

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Suggested-by: Gerd Hoffmann
Signed-off-by: Brijesh Singh
---
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 17 ++++++++
 OvmfPkg/ResetVector/ResetVector.nasmb | 1 +
 OvmfPkg/ResetVector/X64/OvmfMetadata.asm | 45 ++++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 OvmfPkg/ResetVector/X64/OvmfMetadata.asm

diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 7ec3c6e980c3..f0e509d0672e 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm
@@ -47,6 +47,23 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart = + 15) % 16)) DB 0 ; guidedStructureStart: =20 +%ifdef ARCH_X64 +; +; OVMF metadata descriptor for the TDX and SEV-SNP +; +; Provide the start offset of the metadata blob within the OVMF binary. + +; GUID : e47a6535-984a-4798-865e-4685a7bf8ec2 +; +OvmfMetadataOffsetStart: + DD (fourGigabytes - OvmfMetadataGuid - 16) + DW OvmfMetadataOffsetEnd - OvmfMetadataOffsetStart + DB 0x35, 0x65, 0x7a, 0xe4, 0x4a, 0x98, 0x98, 0x47 + DB 0x86, 0x5e, 0x46, 0x85, 0xa7, 0xbf, 0x8e, 0xc2 +OvmfMetadataOffsetEnd: + +%endif + ; SEV Hash Table Block ; ; This describes the guest ram area where the hypervisor should diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index d1d800c56745..bc61b1d05a24 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -80,6 +80,7 @@ %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/AmdSev.asm" %include "Ia32/PageTables64.asm" +%include "X64/OvmfMetadata.asm" %endif =20 %include "Ia16/Real16ToFlat32.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm b/OvmfPkg/ResetVector= /X64/OvmfMetadata.asm new file mode 100644 index 000000000000..a1260a1ed029 --- /dev/null +++ b/OvmfPkg/ResetVector/X64/OvmfMetadata.asm @@ -0,0 +1,45 @@ +;-------------------------------------------------------------------------= ---- +; @file +; OVMF metadata for the confidential computing guests (TDX and SEV-SNP) +; +; Copyright (c) 2021, Intel Corporation. All rights reserved.
+; Copyright (c) 2021, AMD Inc. All rights reserved.
+; +; SPDX-License-Identifier: BSD-2-Clause-Patent +;-------------------------------------------------------------------------= ---- + +BITS 64 + +%define OVMF_METADATA_VERSION 1 + +%define OVMF_SECTION_TYPE_UNDEFINED 0 + +;The section contains the code +%define OVMF_SECTION_TYPE_CODE 0x100 + +; The section contains the varaibles +%define OVMF_SECTION_TYPE_VARS 0x101 + +; The section must be accepted or validated by the VMM before the boot +%define OVMF_SECTION_TYPE_SEC_MEM 0x102 + +ALIGN 16 + +TIMES (15 - ((OvmfGuidedStructureEnd - OvmfGuidedStructureStart + 15) % 16= )) DB 0 + +OvmfGuidedStructureStart: +; +; Ovmf metadata descriptor +; +OvmfMetadataGuid: + DB 0xf3, 0xf9, 0xea, 0xe9, 0x8e, 0x16, 0xd5, 0x44 + DB 0xa8, 0xeb, 0x7f, 0x4d, 0x87, 0x38, 0xf6, 0xae + +_Descriptor: + DB 'O','V','M','F' ; Signature + DD OvmfGuidedStructureEnd - _Descriptor ; Length + DD OVMF_METADATA_VERSION ; Version + DD (OvmfGuidedStructureEnd - _Descriptor - 16) / 12 ; Number of sections + +OvmfGuidedStructureEnd: + ALIGN 16 --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
View/Reply Online (#80583): https://edk2.groups.io/g/devel/message/80583
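Review bot: the comment above `OvmfMetadataOffsetStart` in ResetVectorVtf0.asm says the entry gives "the start offset of the metadata blob within the OVMF binary", but `DD (fourGigabytes - OvmfMetadataGuid - 16)` is a distance counted back from `fourGigabytes`, and the `- 16` makes it land on `_Descriptor`, after the 16-byte `OvmfMetadataGuid`. Please reword the comment to say both things, so a VMM author knows to subtract the value from the top of the image and to look 16 bytes earlier when checking the GUID. The empty `+` line inside the comment block also separates the description from its `; GUID :` line.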
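Review bot: in ResetVector.nasmb the new `%include "X64/OvmfMetadata.asm"` is the last include before `%endif`, and that file sets `BITS 64` while the next include is `Ia16/Real16ToFlat32.asm`. The metadata file only emits data with `DB` and `DD`, so the `BITS 64` directive could be dropped from it; if it stays, please confirm that the Ia16 files set their own `BITS` and do not inherit this one.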
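Review bot: in `_Descriptor` in the new OvmfMetadata.asm, the section count `(OvmfGuidedStructureEnd - _Descriptor - 16) / 12` hard-codes the header size and the entry size, and the division silently rounds down if an entry that is not exactly 12 bytes is ever added. Named `%define`s for the 16-byte header and the 12-byte section entry, plus a comment giving the entry layout, would make the format self-describing for VMM authors. Two comment fixes in the same file: `;The section contains the code` lacks the space after `;`, and `varaibles` should be `variables`.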
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 04/31] OvmfPkg: reserve SNP secrets page
Date: Mon, 13 Sep 2021 13:19:14 -0500
Message-ID: <20210913181941.23405-5-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

During the SNP guest launch sequence, a special secrets page needs to be inserted by the VMM. The PSP will populate the page; it will contain the VM Platform Communication Keys (VMPCKs) used by the guest to send and receive secure messages to the PSP.

The purpose of the secrets page in the SEV-SNP is different from the one used in SEV guests. In SEV, the secrets page contains the guest owner's private data after the remote attestation.

Add a new section for the secrets page in the OVMF metadata structure so that the hypervisor can locate it.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec | 6 ++++++
 OvmfPkg/OvmfPkgX64.fdf | 3 +++
 OvmfPkg/ResetVector/ResetVector.inf | 2 ++
 OvmfPkg/ResetVector/ResetVector.nasmb | 3 +++
 OvmfPkg/ResetVector/X64/OvmfMetadata.asm | 9 +++++++++
 5 files changed, 23 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index c37dafad49bb..6266fdef6054 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -340,6 +340,12 @@ [PcdsFixedAtBuild] # header definition. gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader|0|= UINT32|0x51 =20 + ## The base address and size of the SEV-SNP Secrets Area that contains + # the VM platform communication key used to send and recieve the + # messages to the PSP. If this is set in the .fdf, the platform + # is responsible to reserve this area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x52 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x53 =20 [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 23936242e74a..5b871db20ab2 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -88,6 +88,9 @@ [FD.MEMFD] 0x00C000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecGhcbBackupSize =20 +0x00D000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGui= d.PcdOvmfSnpSecretsSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index a2520dde5508..09454d0797e6 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -50,3 +50,5 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index bc61b1d05a24..f7d09acd33ed 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -77,6 +77,9 @@ %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) + %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) + %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) + %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/AmdSev.asm" %include "Ia32/PageTables64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm b/OvmfPkg/ResetVector= /X64/OvmfMetadata.asm index a1260a1ed029..bb348e1c6a79 100644 --- a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm 
+++ b/OvmfPkg/ResetVector/X64/OvmfMetadata.asm @@ -23,6 +23,9 @@ BITS 64 ; The section must be accepted or validated by the VMM before the boot %define OVMF_SECTION_TYPE_SEC_MEM 0x102 =20 +; AMD SEV-SNP specific sections +%define OVMF_SECTION_TYPE_SNP_SECRETS 0x200 + ALIGN 16 =20 TIMES (15 - ((OvmfGuidedStructureEnd - OvmfGuidedStructureStart + 15) % 16= )) DB 0 
@@ -41,5 +44,11 @@ _Descriptor: DD OVMF_METADATA_VERSION ; Version DD (OvmfGuidedStructureEnd - _Descriptor - 16) / 12 ; Number of sections =20 +; SEV-SNP Secrets page +SevSnpSecrets: + DD SEV_SNP_SECRETS_BASE + DD SEV_SNP_SECRETS_SIZE + DD OVMF_SECTION_TYPE_SNP_SECRETS + OvmfGuidedStructureEnd: ALIGN 16 --=20 2.17.1
View/Reply Online (#80584): https://edk2.groups.io/g/devel/message/80584
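Review bot: the new comment in OvmfPkg.dec says the platform "is responsible to reserve this area from DXE phase overwrites", but none of the five files in this patch's diffstat reserves the range at `PcdOvmfSnpSecretsBase`. Since the page is described as holding the VM platform communication key, please either name the patch in the series that adds the reservation or add it here. Typo in the same comment: `recieve` should be `receive`.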
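Review bot: the `SevSnpSecrets` entry in OvmfMetadata.asm is emitted unconditionally, while both PCDs default to 0 in OvmfPkg.dec and only OvmfPkgX64.fdf assigns them. A platform that builds this reset vector without setting the PCDs would publish a section with base 0 and size 0; please guard the entry on `SEV_SNP_SECRETS_SIZE` being non-zero, or document that consumers must skip zero-sized sections.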
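The descriptor layout defined by patches 03 and 04, parsed and validated the way a VMM-side consumer could do it. This is an added example, not code from the series or from any VMM. It assumes that `fourGigabytes` corresponds to the end of the firmware image, that the 22-byte offset entry has already been located in the reset-vector GUIDed table, and that sections must be page aligned and non-overlapping (a policy chosen for the example); the function names and the sample image are constructed.

```python
import struct

# Byte strings copied from the DB lines in the two patches above.
OFFSET_ENTRY_GUID = bytes.fromhex("35657ae44a989847865e4685a7bf8ec2")
METADATA_GUID = bytes.fromhex("f3f9eae98e16d544a8eb7f4d8738f6ae")
SECTION_TYPES = {0x100: "CODE", 0x101: "VARS", 0x102: "SEC_MEM",
                 0x200: "SNP_SECRETS"}
HEADER = struct.Struct("<4sIII")  # Signature, Length, Version, Number of sections
SECTION = struct.Struct("<III")   # base, size, type (the three DDs per entry)
ENTRY_LEN = 4 + 2 + 16            # DD offset, DW length, 16-byte GUID
PAGE = 0x1000                     # assumption: sections are 4 KiB granular


class MetadataError(ValueError):
    """Raised when the image does not carry a well-formed descriptor."""


def read_offset_entry(entry: bytes) -> int:
    """Decode the GUIDed entry added to ResetVectorVtf0.asm; return its DD."""
    if len(entry) != ENTRY_LEN:
        raise MetadataError("offset entry must be 22 bytes")
    offset, length = struct.unpack_from("<IH", entry)
    if length != ENTRY_LEN or entry[6:] != OFFSET_ENTRY_GUID:
        raise MetadataError("not an OVMF metadata offset entry")
    return offset


def parse_metadata(image: bytes, offset_from_end: int):
    """Validate the descriptor and return [(base, size, type_name), ...]."""
    # Assumption: the DD counts back from the end of the image, which is
    # where fourGigabytes falls once the firmware is mapped below 4 GiB.
    start = len(image) - offset_from_end
    if offset_from_end <= 0 or start < len(METADATA_GUID):
        raise MetadataError("descriptor offset outside the image")
    if image[start - 16:start] != METADATA_GUID:
        raise MetadataError("metadata GUID not found before descriptor")
    if start + HEADER.size > len(image):
        raise MetadataError("descriptor header truncated")
    sig, length, version, count = HEADER.unpack_from(image, start)
    if sig != b"OVMF" or version != 1:
        raise MetadataError("bad signature or unsupported version")
    # Length and section count describe the same bytes; reject disagreement
    # before trusting either one to drive the loop below.
    if length != HEADER.size + count * SECTION.size:
        raise MetadataError("length does not match section count")
    if start + length > len(image):
        raise MetadataError("descriptor runs past the end of the image")

    sections = []
    for i in range(count):
        pos = start + HEADER.size + i * SECTION.size
        base, size, kind = SECTION.unpack_from(image, pos)
        if size == 0 or base % PAGE or size % PAGE:
            raise MetadataError(f"section {i}: empty or not page aligned")
        if base + size > 1 << 32:
            raise MetadataError(f"section {i}: wraps past 4 GiB")
        sections.append((base, size, kind))
    ordered = sorted(sections)
    for (b0, s0, _), (b1, _, _) in zip(ordered, ordered[1:]):
        if b0 + s0 > b1:
            raise MetadataError(f"sections at {b0:#x} and {b1:#x} overlap")
    return [(b, s, SECTION_TYPES.get(k, hex(k))) for b, s, k in sections]


def build_sample(sections, tail_len=0x40):
    """Constructed image: padding, GUID, descriptor, then tail_len filler."""
    body = b"".join(SECTION.pack(*s) for s in sections)
    desc = HEADER.pack(b"OVMF", HEADER.size + len(body), 1, len(sections)) + body
    image = bytes(0x100) + METADATA_GUID + desc + bytes(tail_len)
    entry = struct.pack("<IH", len(desc) + tail_len, ENTRY_LEN) + OFFSET_ENTRY_GUID
    return image, entry


if __name__ == "__main__":
    # Constructed sample: one secrets page; the base address is made up.
    image, entry = build_sample([(0x80D000, 0x1000, 0x200)])
    for base, size, kind in parse_metadata(image, read_offset_entry(entry)):
        print(f"{kind:12} base={base:#010x} size={size:#x}")
```

Rejecting a descriptor whose Length and section count disagree, or whose sections overlap, keeps a malformed image from steering the accept/validate step onto unintended ranges.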
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 05/31] OvmfPkg: reserve CPUID page
Date: Mon, 13 Sep 2021 13:19:15 -0500
Message-ID: <20210913181941.23405-6-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Platform features and capabilities are traditionally discovered via the CPUID instruction. Hypervisors typically trap and emulate the CPUID instruction for a variety of reasons. There are some cases where incorrect CPUID information can potentially lead to a security issue. The SEV-SNP firmware provides a feature to filter the CPUID results through the PSP. The filtered CPUID values are saved on a special page for the guest to consume. Reserve a page in MEMFD that will contain the results of filtered CPUID values.

Add a new section in the Ovmf metadata structure so that the hypervisor can locate and populate the CPUID values before the boot.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
---
 OvmfPkg/OvmfPkg.dec | 7 +++++++
 OvmfPkg/OvmfPkgX64.fdf | 3 +++
 OvmfPkg/ResetVector/ResetVector.inf | 2 ++
 OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++
 OvmfPkg/ResetVector/X64/OvmfMetadata.asm | 11 +++++++++++
 5 files changed, 25 insertions(+)

diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 6266fdef6054..efa0de6d0600 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec
@@ -347,6 +347,13 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x52 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x53 =20 + ## The base address and size of a CPUID Area that contains the hypervisor + # provided CPUID results. In the case of SEV-SNP, the CPUID results are + # filtered by the SEV-SNP firmware. If this is set in the .fdf, the + # platform is responsible to reserve this area from DXE phase overwrite= s. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x54 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x55 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 5b871db20ab2..b38c123b8341 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -91,6 +91,9 @@ [FD.MEMFD] 0x00D000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGui= d.PcdOvmfSnpSecretsSize =20 +0x00E000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.Pcd= OvmfCpuidSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index 09454d0797e6..4cb81a3233f0 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -46,6 +46,8 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase =20 [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index f7d09acd33ed..84cb5ae81b66 100644 
--- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -79,6 +79,8 @@ %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) + %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) + %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) =20 %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/AmdSev.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm b/OvmfPkg/ResetVector= /X64/OvmfMetadata.asm index bb348e1c6a79..95bac86a3b95 100644 --- a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfMetadata.asm @@ -23,6 +23,11 @@ BITS 64 ; The section must be accepted or validated by the VMM before the boot %define OVMF_SECTION_TYPE_SEC_MEM 0x102 =20 +; The section contains the hypervisor pre-populated CPUID values. In the +; case of SEV-SNP, the CPUID values are filtered and measured by the SEV-S= NP +; firmware. +%define OVMF_SECTION_TYPE_CPUID 0x103 + ; AMD SEV-SNP specific sections %define OVMF_SECTION_TYPE_SNP_SECRETS 0x200 =20 
@@ -50,5 +55,11 @@ SevSnpSecrets: DD SEV_SNP_SECRETS_SIZE DD OVMF_SECTION_TYPE_SNP_SECRETS =20 +; CPUID values +CpuidSec: + DD CPUID_BASE + DD CPUID_SIZE + DD OVMF_SECTION_TYPE_CPUID + OvmfGuidedStructureEnd: ALIGN 16 --=20 2.17.1
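Review bot: CpuidSec in OvmfMetadata.asm is emitted unconditionally, but PcdOvmfCpuidBase and PcdOvmfCpuidSize default to 0 in OvmfPkg.dec and only OvmfPkgX64.fdf assigns them in this patch. Any other platform that builds this reset vector would publish a type 0x103 section with base 0 and size 0; either guard the entry (for example with %if (CPUID_SIZE != 0)) or state in the commit message which platform .fdf files are expected to set the PCDs. The .dec comment also makes the platform responsible for reserving the area from DXE phase overwrites, and nothing in this patch adds that reservation, so say which later patch in the series does.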
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 06/31] OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
Date: Mon, 13 Sep 2021 13:19:16 -0500
Message-ID: <20210913181941.23405-7-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

An SEV-SNP guest requires that private memory (aka pages mapped encrypted) must be validated before being accessed.

The validation process consists of the following sequence:

1) Set the memory encryption attribute in the page table (aka C-bit). Note: If the processor is in non-PAE mode, then all the memory accesses are considered private.
2) Add the memory range as private in the RMP table. This can be performed using the Page State Change VMGEXIT defined in the GHCB specification.
3) Use the PVALIDATE instruction to set the Validated Bit in the RMP table.

During the guest creation time, the VMM encrypts the OVMF_CODE.fd using the SEV-SNP firmware provided LAUNCH_UPDATE_DATA command. In addition to encrypting the content, the command also validates the memory region. This allows us to execute the code without going through the validation sequence.

During execution, the reset vector needs to access some data pages (such as page tables, SevESWorkarea, Sec stack). The data pages are accessed as private memory. The data pages are not part of the OVMF_CODE.fd, so they were not validated during the guest creation.

There are two approaches we can take to validate the data pages before the access:

a) Enhance the OVMF reset vector code to validate the pages as described above (go through step 2 - 3).
OR
b) Validate the pages during the guest creation time. The SEV firmware provides a command which can be used by the VMM to validate the pages without affecting the measurement of the launch.

Approach #b seems much simpler; it does not require any changes to the OVMF reset vector code.

Update the OVMF metadata with the list of regions that must be pre-validated by the VMM before the boot.
Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/ResetVector.inf | 7 ++++ OvmfPkg/ResetVector/ResetVector.nasmb | 29 ++++++++++++++ OvmfPkg/ResetVector/X64/OvmfMetadata.asm | 48 ++++++++++++++++++++++++ 3 files changed, 84 insertions(+) diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index 4cb81a3233f0..af3cf610a2cd 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -37,6 +37,8 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase @@ -44,6 +46,11 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageSize + gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress + gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize =20 [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 84cb5ae81b66..e05e202def1e 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -70,6 +70,7 @@ %define PT_ADDR(Offset) (FixedPcdGet32 (PcdOvmfSecPageTablesBase) + (Off= set)) =20 %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) + %define GHCB_PT_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbPageTableSize)) %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) %define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) 
@@ -81,6 +82,34 @@ %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) + %define SEC_PAGE_TABLE_BASE (FixedPcdGet32 (PcdOvmfSecPageTablesBase)) + %define SEC_PAGE_TABLE_SIZE (FixedPcdGet32 (PcdOvmfSecPageTablesSize)) + %define LOCK_BOX_STORAGE_BASE (FixedPcdGet32 (PcdOvmfLockBoxStorageBase)) + %define LOCK_BOX_STORAGE_SIZE (FixedPcdGet32 (PcdOvmfLockBoxStorageSize)) + ; + ; The PcdGuidedExtractHandlerTableAddress is a 64-bit PCD. The FixedPcdG= et64() returns + ; a number suffix with 'ULL' (e.g 0x1111ULL). NASM does not like the con= stant ending + ; with anything other than 'h'. So, instead of using the FixedPcdGet64()= , calculate + ; the base address of GuidedExtractHandlerTableBase + ; + %define GUID_EXTRACT_HANDLER_TABLE_BASE (LOCK_BOX_STORAGE_BASE + LOCK_BO= X_STORAGE_SIZE) + %define GUID_EXTRACT_HANDLER_TABLE_SIZE (FixedPcdGet32 (PcdGuidedExtract= HandlerTableSize)) + %define WORK_AREA_BASE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) + %define WORK_AREA_SIZE (FixedPcdGet32 (PcdOvmfWorkAreaSize)) + %define SEC_PEI_TEMP_RAM_BASE (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)) + %define SEC_PEI_TEMP_RAM_SIZE (FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) + + ; + ; The PcdOvmfSecGhcbBase reserves two GHCB pages. The first page is used + ; as GHCB shared page and second is used for booking to support the + ; nested GHCB in SEC phase. The booking page is mapped private. The VMM + ; does not need to validate the shared page but it need to validate the + ; booking page + ; + %define GHCB_SEC_BACKUP_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBackupBase)) + %define GHCB_SEC_BACKUP_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbBackupSize)) + %define GHCB_BOOKKEEPING_BASE (GHCB_BASE + 0x1000) + %define GHCB_BOOKKEEPING_SIZE (GHCB_SIZE - 0x1000) =20 %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/AmdSev.asm" 
diff --git a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm b/OvmfPkg/ResetVector= /X64/OvmfMetadata.asm index 95bac86a3b95..657d6c298d4e 100644 --- a/OvmfPkg/ResetVector/X64/OvmfMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfMetadata.asm @@ -49,6 +49,48 @@ _Descriptor: DD OVMF_METADATA_VERSION ; Version DD (OvmfGuidedStructureEnd - _Descriptor - 16) / 12 ; Number of sections =20 +; Page table used during SEC +SecPageTable: + DD SEC_PAGE_TABLE_BASE + DD SEC_PAGE_TABLE_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + +; Lockbox storage +LockBoxStorage: + DD LOCK_BOX_STORAGE_BASE + DD LOCK_BOX_STORAGE_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + +; Guided Extract Handler Table +ExtractHandlerTable: + DD GUID_EXTRACT_HANDLER_TABLE_BASE + DD GUID_EXTRACT_HANDLER_TABLE_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + +; GHCB page table +GhcbPageTable: + DD GHCB_PT_ADDR + DD GHCB_PT_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + +; GHCB bookkeeping page used in SEC phase +GhcbBookkeeping: + DD GHCB_BOOKKEEPING_BASE + DD GHCB_BOOKKEEPING_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + +; Confidential computing work area +WorkArea: + DD WORK_AREA_BASE + DD WORK_AREA_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + +; GHCB backup page used in SEC +GhcbBackup: + DD GHCB_SEC_BACKUP_BASE + DD GHCB_SEC_BACKUP_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + ; SEV-SNP Secrets page SevSnpSecrets: DD SEV_SNP_SECRETS_BASE 
@@ -61,5 +103,11 @@ CpuidSec: DD CPUID_SIZE DD OVMF_SECTION_TYPE_CPUID =20 +; Temporary RAM used in SEC phase +SecPeiTempRam: + DD SEC_PEI_TEMP_RAM_BASE + DD SEC_PEI_TEMP_RAM_SIZE + DD OVMF_SECTION_TYPE_SEC_MEM + OvmfGuidedStructureEnd: ALIGN 16 --=20 2.17.1
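Review bot: in the second ResetVector.nasmb hunk, GUID_EXTRACT_HANDLER_TABLE_BASE is derived as LOCK_BOX_STORAGE_BASE + LOCK_BOX_STORAGE_SIZE rather than read from PcdGuidedExtractHandlerTableAddress, so the published SEC_MEM region is only correct while the two areas stay adjacent in the .fdf. Since the VMM pre-validates exactly what the metadata lists, a layout change would silently leave the real table unvalidated; add a build-time check that the derived value matches the PCD, or at least record the adjacency assumption in the comment. In the same block, GHCB_BOOKKEEPING_SIZE (GHCB_SIZE - 0x1000) wraps if GHCB_SIZE is ever smaller than 0x2000, and the comment says "booking" where the macros and the OvmfMetadata.asm label say bookkeeping.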
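Review bot: the second ResetVector.inf hunk adds gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress to [Pcd], yet the ResetVector.nasmb comment explains that FixedPcdGet64() is deliberately not used for it and no added line reads the PCD. Drop the .inf entry if it is unused, or say in the commit message why it has to be listed.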
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Michael Roth, Brijesh Singh
Subject: [edk2-devel] [PATCH v7 07/31] OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values
Date: Mon, 13 Sep 2021 13:19:17 -0500
Message-ID: <20210913181941.23405-8-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
From: Michael Roth

CPUID instructions are issued during early boot to do things like probe for SEV support. Currently these are handled by a minimal #VC handler that uses the MSR-based GHCB protocol to fetch the CPUID values from the hypervisor. When SEV-SNP is enabled, use the firmware-validated CPUID values from the CPUID page instead [1].

[1]: SEV SNP Firmware ABI Specification, Rev. 0.8, 8.13.2.6

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Michael Roth
Signed-off-by: Brijesh Singh
--- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 80 +++++++++++++++++++++++++++-- 1 file changed, 75 insertions(+), 5 deletions(-) diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index 48d9178168b0..1f827da3b929 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -34,6 +34,18 @@ BITS 32 %define GHCB_CPUID_REGISTER_SHIFT 30 %define CPUID_INSN_LEN 2 =20 +; #VC handler offsets/sizes for accessing SNP CPUID page +; +%define SNP_CPUID_ENTRY_SZ 48 +%define SNP_CPUID_COUNT 0 +%define SNP_CPUID_ENTRY 16 +%define SNP_CPUID_ENTRY_EAX_IN 0 +%define SNP_CPUID_ENTRY_ECX_IN 4 +%define SNP_CPUID_ENTRY_EAX 24 +%define SNP_CPUID_ENTRY_EBX 28 +%define SNP_CPUID_ENTRY_ECX 32 +%define SNP_CPUID_ENTRY_EDX 36 + =20 %define SEV_GHCB_MSR 0xc0010130 %define SEV_STATUS_MSR 0xc0010131
@@ -335,11 +347,61 @@ SevEsIdtNotCpuid: TerminateVmgExit TERM_VC_NOT_CPUID iret =20 - ; - ; Total stack usage for the #VC handler is 44 bytes: - ; - 12 bytes for the exception IRET (after popping error code) - ; - 32 bytes for the local variables. - ; +; Use the SNP CPUID page to handle the cpuid lookup +; +; Modified: EAX, EBX, ECX, EDX +; +; Relies on the stack setup/usage in #VC handler: +; +; On entry, +; [esp + VC_CPUID_FUNCTION] contains EAX input to cpuid instruction +; +; On return, stores corresponding results of CPUID lookup in: +; [esp + VC_CPUID_RESULT_EAX] +; [esp + VC_CPUID_RESULT_EBX] +; [esp + VC_CPUID_RESULT_ECX] +; [esp + VC_CPUID_RESULT_EDX] +; +SnpCpuidLookup: + mov eax, [esp + VC_CPUID_FUNCTION] + mov ebx, [CPUID_BASE + SNP_CPUID_COUNT] + mov ecx, CPUID_BASE + SNP_CPUID_ENTRY + ; Zero these out now so we can simply return if lookup fails + mov dword[esp + VC_CPUID_RESULT_EAX], 0 + mov dword[esp + VC_CPUID_RESULT_EBX], 0 + mov dword[esp + VC_CPUID_RESULT_ECX], 0 + mov dword[esp + VC_CPUID_RESULT_EDX], 0 + +SnpCpuidCheckEntry: + cmp ebx, 0 + je VmmDoneSnpCpuid + cmp dword[ecx + SNP_CPUID_ENTRY_EAX_IN], eax + jne SnpCpuidCheckEntryNext + ; As with SEV-ES handler we assume requested CPUID sub-leaf/index is 0 + cmp dword[ecx + SNP_CPUID_ENTRY_ECX_IN], 0 + je SnpCpuidEntryFound + +SnpCpuidCheckEntryNext: + dec ebx + add ecx, SNP_CPUID_ENTRY_SZ + jmp SnpCpuidCheckEntry + +SnpCpuidEntryFound: + mov eax, [ecx + SNP_CPUID_ENTRY_EAX] + mov [esp + VC_CPUID_RESULT_EAX], eax + mov eax, [ecx + SNP_CPUID_ENTRY_EBX] + mov [esp + VC_CPUID_RESULT_EBX], eax + mov eax, [ecx + SNP_CPUID_ENTRY_EDX] + mov [esp + VC_CPUID_RESULT_ECX], eax + mov eax, [ecx + SNP_CPUID_ENTRY_ECX] + mov [esp + VC_CPUID_RESULT_EDX], eax + jmp VmmDoneSnpCpuid + +; +; Total stack usage for the #VC handler is 44 bytes: +; - 12 bytes for the exception IRET (after popping error code) +; - 32 bytes for the local variables. 
+; SevEsIdtVmmComm: ; ; If we're here, then we are an SEV-ES guest and this @@ -367,6 +429,13 @@ SevEsIdtVmmComm: ; Save the CPUID function being requested mov [esp + VC_CPUID_FUNCTION], eax =20 + ; If SEV-SNP is enabled, use the CPUID page to handle the CPUID + ; instruction. + mov ecx, SEV_STATUS_MSR + rdmsr + bt eax, 2 + jc SnpCpuidLookup + ; The GHCB CPUID protocol uses the following mapping to request ; a specific register: ; 0 =3D> EAX, 1 =3D> EBX, 2 =3D> ECX, 3 =3D> EDX 
@@ -424,6 +493,7 @@ VmmDone: mov ecx, SEV_GHCB_MSR wrmsr =20 +VmmDoneSnpCpuid: mov eax, [esp + VC_CPUID_RESULT_EAX] mov ebx, [esp + VC_CPUID_RESULT_EBX] mov ecx, [esp + VC_CPUID_RESULT_ECX] --=20 2.17.1
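Review bot: in SnpCpuidEntryFound the ECX and EDX copies look crossed: the value at SNP_CPUID_ENTRY_EDX is stored to VC_CPUID_RESULT_ECX and the value at SNP_CPUID_ENTRY_ECX to VC_CPUID_RESULT_EDX, while EAX and EBX map straight through. If the VC_CPUID_RESULT_* stack slots make this correct, add a comment saying so; otherwise swap the two loads. In the same routine, ebx is loaded from [CPUID_BASE + SNP_CPUID_COUNT] and used as the loop bound with no cap, so a count larger than (CPUID_SIZE - SNP_CPUID_ENTRY) / SNP_CPUID_ENTRY_SZ walks past the reserved page; clamp it or terminate before the loop.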
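Review bot: in the SevEsIdtVmmComm hunk, bt eax, 2 tests a bare bit number after reading SEV_STATUS_MSR. Give the bit a name next to the other %defines at the top of AmdSev.asm and use it here, so the SEV-SNP check can be found and matched against the other SEV_STATUS users.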
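The CPUID-page lookup this patch's commit message describes, as an added C example that is not part of the patch or of edk2: it reuses the SNP_CPUID_* offsets from the hunk above and goes beyond the handler by matching the sub-leaf and by rejecting an entry count that would run past the 0x1000-byte page. The function and type names and the sample table contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants copied from the %defines the patch adds to AmdSev.asm. */
#define SNP_CPUID_COUNT         0   /* offset of the entry count in the page */
#define SNP_CPUID_ENTRY         16  /* offset of the first entry */
#define SNP_CPUID_ENTRY_SZ      48
#define SNP_CPUID_ENTRY_EAX_IN  0
#define SNP_CPUID_ENTRY_ECX_IN  4
#define SNP_CPUID_ENTRY_EAX     24
#define SNP_CPUID_ENTRY_EBX     28
#define SNP_CPUID_ENTRY_ECX     32
#define SNP_CPUID_ENTRY_EDX     36
#define CPUID_PAGE_SIZE         0x1000u /* size the series reserves in OvmfPkgX64.fdf */

/* Hypothetical names for this example, not edk2 identifiers. */
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;
enum { SNP_CPUID_BAD_TABLE = -1, SNP_CPUID_NOT_FOUND = 0, SNP_CPUID_FOUND = 1 };

static uint32_t rd32(const uint8_t *p)   /* little-endian load */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) /* little-endian store */
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/*
 * Look up (leaf, subleaf) in a CPUID page image. Results are zeroed first, as
 * in the patch, so a miss returns all-zero registers. Unlike the handler, the
 * entry count is checked against the page size before it bounds the loop.
 */
int snp_cpuid_lookup(const uint8_t *page, size_t page_len,
                     uint32_t leaf, uint32_t subleaf, cpuid_regs *out)
{
    memset(out, 0, sizeof *out);
    if (page_len < SNP_CPUID_ENTRY)
        return SNP_CPUID_BAD_TABLE;

    uint32_t count = rd32(page + SNP_CPUID_COUNT);
    size_t max_entries = (page_len - SNP_CPUID_ENTRY) / SNP_CPUID_ENTRY_SZ;
    if (count > max_entries)
        return SNP_CPUID_BAD_TABLE;   /* count would walk past the page */

    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = page + SNP_CPUID_ENTRY + (size_t)i * SNP_CPUID_ENTRY_SZ;
        if (rd32(e + SNP_CPUID_ENTRY_EAX_IN) != leaf ||
            rd32(e + SNP_CPUID_ENTRY_ECX_IN) != subleaf)
            continue;
        out->eax = rd32(e + SNP_CPUID_ENTRY_EAX);
        out->ebx = rd32(e + SNP_CPUID_ENTRY_EBX);
        out->ecx = rd32(e + SNP_CPUID_ENTRY_ECX);   /* ECX slot -> ECX result */
        out->edx = rd32(e + SNP_CPUID_ENTRY_EDX);   /* EDX slot -> EDX result */
        return SNP_CPUID_FOUND;
    }
    return SNP_CPUID_NOT_FOUND;
}

/* Write one entry into a page image under construction (sample-data helper). */
static void put_entry(uint8_t *page, uint32_t idx, uint32_t eax_in, uint32_t ecx_in,
                      uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    uint8_t *e = page + SNP_CPUID_ENTRY + (size_t)idx * SNP_CPUID_ENTRY_SZ;
    wr32(e + SNP_CPUID_ENTRY_EAX_IN, eax_in);
    wr32(e + SNP_CPUID_ENTRY_ECX_IN, ecx_in);
    wr32(e + SNP_CPUID_ENTRY_EAX, eax);
    wr32(e + SNP_CPUID_ENTRY_EBX, ebx);
    wr32(e + SNP_CPUID_ENTRY_ECX, ecx);
    wr32(e + SNP_CPUID_ENTRY_EDX, edx);
}

/* Constructed sample table: three entries, values chosen for illustration. */
uint32_t build_sample_page(uint8_t *page)
{
    memset(page, 0, CPUID_PAGE_SIZE);
    put_entry(page, 0, 0x00000000u, 0, 0x0000000Du, 0x68747541u, 0x444D4163u, 0x69746E65u);
    put_entry(page, 1, 0x0000000Du, 1, 0x0000000Fu, 0x00000340u, 0, 0);
    put_entry(page, 2, 0x8000001Fu, 0, 0x0000001Au, 0x00000033u, 0, 0);
    wr32(page + SNP_CPUID_COUNT, 3);
    return 3;
}

int main(void)
{
    static uint8_t page[CPUID_PAGE_SIZE];
    cpuid_regs r;
    build_sample_page(page);
    int rc = snp_cpuid_lookup(page, sizeof page, 0x8000001Fu, 0, &r);
    printf("rc=%d eax=%08x ebx=%08x ecx=%08x edx=%08x\n", rc,
           (unsigned)r.eax, (unsigned)r.ebx, (unsigned)r.ecx, (unsigned)r.edx);
    return 0;
}
```

Leaf 0 in the sample carries distinct ECX and EDX values, so a crossed copy of those two registers would show up immediately in the result.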
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 08/31] OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
Date: Mon, 13 Sep 2021 13:19:18 -0500
Message-ID: <20210913181941.23405-9-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
FmK5H8MvtVF0k9vrXPxKDlG//THdfrmtZSg= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1631557208867100030 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 Create a function that can be used to determine if VM is running as an SEV-SNP guest. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +++++++++ .../DxeMemEncryptSevLibInternal.c | 27 +++++++++++++++++++ .../PeiMemEncryptSevLibInternal.c | 27 +++++++++++++++++++ .../SecMemEncryptSevLibInternal.c | 19 +++++++++++++ 4 files changed, 85 insertions(+) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index adc490e466ec..796de62ec2f8 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -47,6 +47,18 @@ typedef enum { MemEncryptSevAddressRangeError, } MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE; =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ); + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 2816f859a0c4..057129723824 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ =20 STATIC BOOLEAN mSevStatus =3D FALSE; STATIC BOOLEAN mSevEsStatus =3D FALSE; +STATIC BOOLEAN mSevSnpStatus =3D FALSE; STATIC BOOLEAN mSevStatusChecked =3D FALSE; =20 STATIC UINT64 mSevEncryptionMask =3D 0; 
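Review bot: The subject line names the new function MemEncryptSevSnpEnabled(), but the MemEncryptSevLib.h hunk declares MemEncryptSevSnpIsEnabled (). Please make the subject match the declared name so the commit can be found by searching for the function. The first sentence of the header comment also lacks the trailing period that the copies of the same comment in the .c files carry.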
@@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus =3D TRUE; } + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + mSevSnpStatus =3D TRUE; + } } =20 mSevStatusChecked =3D TRUE; } =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { + InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index e2fd109d120f..b561f211f577 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ =20 STATIC BOOLEAN mSevStatus =3D FALSE; STATIC BOOLEAN mSevEsStatus =3D FALSE; +STATIC BOOLEAN mSevSnpStatus =3D FALSE; STATIC BOOLEAN mSevStatusChecked =3D FALSE; =20 STATIC UINT64 mSevEncryptionMask =3D 0; @@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus =3D TRUE; } + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + mSevSnpStatus =3D TRUE; + } } =20 mSevStatusChecked =3D TRUE; } =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { + InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 56d8f3f3183f..69852779e2ff 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c 
@@ -62,6 +62,25 @@ InternalMemEncryptSevStatus ( return ReadSevMsr ? AsmReadMsr32 (MSR_SEV_STATUS) : 0; } =20 +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. =20 --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80588): https://edk2.groups.io/g/devel/message/80588 Mute This Topic: https://groups.io/mt/85582695/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:34:51 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+80589+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80589+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1631557208047150.4661987262815; Mon, 13 Sep 2021 11:20:08 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 4RHbYY1788612xz12pcVvVMH; Mon, 13 Sep 2021 11:20:07 -0700 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.65]) by mx.groups.io with SMTP id smtpd.web12.850.1631557206541372964 for ; Mon, 13 Sep 2021 11:20:07 -0700 ARC-Seal: i=1; a=rsa-sha256; 
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 09/31] OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
Date: Mon, 13 Sep 2021 13:19:19 -0500
Message-ID: <20210913181941.23405-10-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
gxMkarltGcbUWUjgUsswXnMmC15S0kj9CJ0= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1631557208933100033 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/AmdSev.c | 137 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 137 insertions(+) diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 7f74e8bfe88e..7d4d7cc8a07c 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c 
@@ -48,6 +48,125 @@ SevEsProtocolFailure ( CpuDeadLoop (); } =20 +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + // + // Read the SEV_STATUS MSR to determine whether SEV-SNP is active. + // + Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + return TRUE; + } + + return FALSE; +} + +/** + Register the GHCB GPA + +*/ +STATIC +VOID +SevSnpGhcbRegister ( + UINTN Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber =3D Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber =3D GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber !=3D GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + +/** + Verify that Hypervisor supports the SNP feature. 
+ + */ +STATIC +BOOLEAN +HypervisorSnpFeatureCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to query the hypervisor capabilities + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbHypervisorFeatures.Function =3D GHCB_HYPERVISOR_FEATURES_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + if ((Msr.GhcbHypervisorFeatures.Function !=3D GHCB_HYPERVISOR_FEATURES_R= ESPONSE) || + (!(Msr.GhcbHypervisorFeatures.Features & GHCB_HV_FEATURES_SNP))) { + return FALSE; + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); + + return TRUE; +} + /** Validate the SEV-ES/GHCB protocol level. =20 
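Review bot: HypervisorSnpFeatureCheck () returns FALSE on a bad response without writing CurrentMsr back to MSR_SEV_ES_GHCB, while the success path restores it. The caller added later in this patch terminates the guest on FALSE, so nothing breaks today, but restoring the MSR before both returns would make the helper safe to reuse. Separately, the comment blocks for SevSnpGhcbRegister () and HypervisorSnpFeatureCheck () close with "*/" instead of "**/", and SevSnpGhcbRegister () has no @param entry for Address; SevSnpIsEnabled () in the same hunk shows the expected form.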
@@ -88,6 +207,24 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } =20 + // + // We cannot use the MemEncryptSevSnpIsEnabled () because the + // ProcessLibraryConstructorList () is not called yet. + // + if (SevSnpIsEnabled ()) { + // + // Check if hypervisor supports the SNP feature + // + if (!HypervisorSnpFeatureCheck ()) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + // + // SEV-SNP guest requires that GHCB GPA must be registered before usin= g it. + // + SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } + // // SEV-ES protocol checking succeeded, set the initial GHCB address // --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80589): https://edk2.groups.io/g/devel/message/80589 Mute This Topic: https://groups.io/mt/85582697/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:34:51 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+80590+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80590+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1631557210055497.4986927365163; Mon, 13 Sep 2021 11:20:10 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 122zYY1788612x4jjQCv9KTA; Mon, 13 Sep 2021 11:20:09 -0700 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com 
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Michael Roth, Brijesh Singh
Subject: [edk2-devel] [PATCH v7 10/31] OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values
Date: Mon, 13 Sep 2021 13:19:20 -0500
Message-ID: <20210913181941.23405-11-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
From: Michael Roth

SEV-SNP firmware allows a special guest page to be populated with guest CPUID values so that they can be validated against supported host features before being loaded into encrypted guest memory to be used instead of hypervisor-provided values [1]. Add handling for this in the CPUID #VC handler and use it whenever SEV-SNP is enabled.

To do so, existing CPUID handling via VmgExit is moved to a helper, GetCpuidHyp(), and a new helper that uses the CPUID page to do the lookup, GetCpuidFw(), is used instead when SNP is enabled. For cases where SNP CPUID lookups still rely on fetching specific CPUID fields from hypervisor, GetCpuidHyp() is used there as well.

[1]: SEV SNP Firmware ABI Specification, Rev. 0.8, 8.13.2.6

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Michael Roth
Signed-off-by: Brijesh Singh
--- OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 + OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 444 ++++++++++++++++-- 3 files changed, 419 insertions(+), 30 deletions(-) diff --git a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf b/OvmfPkg/Library= /VmgExitLib/SecVmgExitLib.inf index e6f6ea7972fd..78207fa0f9c9 100644 --- a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf @@ -42,4 +42,6 @@ [LibraryClasses] [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize =20 diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf b/OvmfPkg/Library/Vm= gExitLib/VmgExitLib.inf index c66c68726cdb..7963670e7d30 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf
@@ -38,3 +38,6 @@ [LibraryClasses] LocalApicLib MemEncryptSevLib =20 +[Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c b/OvmfPkg/Librar= y/VmgExitLib/VmgExitVcHandler.c index 41b0c8cc5312..cab4e2b230d0 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c +++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c @@ -17,6 +17,7 @@ #include =20 #include "VmgExitVcHandler.h" +//#include =20 // // Instruction execution mode definition @@ -130,6 +131,32 @@ UINT64 SEV_ES_INSTRUCTION_DATA *InstructionData ); =20 +// +// SEV-SNP Cpuid table entry/function +// +typedef PACKED struct { + UINT32 EaxIn; + UINT32 EcxIn; + UINT64 Unused; + UINT64 Unused2; + UINT32 Eax; + UINT32 Ebx; + UINT32 Ecx; + UINT32 Edx; + UINT64 Reserved; +} SEV_SNP_CPUID_FUNCTION; + +// +// SEV-SNP Cpuid page format +// +typedef PACKED struct { + UINT32 Count; + UINT32 Reserved1; + UINT64 Reserved2; + SEV_SNP_CPUID_FUNCTION function[0]; +} SEV_SNP_CPUID_INFO; + + /** Return a pointer to the contents of the specified register. =20 
@@ -1496,58 +1523,415 @@ InvdExit ( } =20 /** - Handle a CPUID event. + Fetch CPUID leaf/function via hypervisor/VMGEXIT. =20 - Use the VMGEXIT instruction to handle a CPUID event. + @param[in, out] Ghcb Pointer to the Guest-Hypervisor Communicati= on + Block + @param[in] EaxIn EAX input for cpuid instruction + @param[in] EcxIn ECX input for cpuid instruction + @param[in] Xcr0In XCR0 at time of cpuid instruction + @param[in, out] Eax Pointer to store leaf's EAX value + @param[in, out] Ebx Pointer to store leaf's EBX value + @param[in, out] Ecx Pointer to store leaf's ECX value + @param[in, out] Edx Pointer to store leaf's EDX value + @param[in, out] Status Pointer to store status from VMGEXIT (alway= s 0 + unless return value indicates failure) + @param[in, out] Unsupported Pointer to store indication of unsupported + VMGEXIT (always false unless return value + indicates failure) =20 - @param[in, out] Ghcb Pointer to the Guest-Hypervisor Communi= cation - Block - @param[in, out] Regs x64 processor context - @param[in] InstructionData Instruction parsing context - - @retval 0 Event handled successfully - @return New exception value to propagate + @retval TRUE CPUID leaf fetch successfully. + @retval FALSE Error occurred while fetching CPUID leaf. C= allers + should Status and Unsupported and handle + accordingly if they indicate a more precise + error condition. 
=20 **/ STATIC -UINT64 -CpuidExit ( +BOOLEAN +GetCpuidHyp ( IN OUT GHCB *Ghcb, - IN OUT EFI_SYSTEM_CONTEXT_X64 *Regs, - IN SEV_ES_INSTRUCTION_DATA *InstructionData + IN UINT32 EaxIn, + IN UINT32 EcxIn, + IN UINT64 XCr0, + IN OUT UINT32 *Eax, + IN OUT UINT32 *Ebx, + IN OUT UINT32 *Ecx, + IN OUT UINT32 *Edx, + IN OUT UINT64 *Status, + IN OUT BOOLEAN *UnsupportedExit ) { - UINT64 Status; - - Ghcb->SaveArea.Rax =3D Regs->Rax; + *UnsupportedExit =3D FALSE; + Ghcb->SaveArea.Rax =3D EaxIn; VmgSetOffsetValid (Ghcb, GhcbRax); - Ghcb->SaveArea.Rcx =3D Regs->Rcx; + Ghcb->SaveArea.Rcx =3D EcxIn; VmgSetOffsetValid (Ghcb, GhcbRcx); - if (Regs->Rax =3D=3D CPUID_EXTENDED_STATE) { - IA32_CR4 Cr4; - - Cr4.UintN =3D AsmReadCr4 (); - Ghcb->SaveArea.XCr0 =3D (Cr4.Bits.OSXSAVE =3D=3D 1) ? AsmXGetBv (0) : = 1; + if (EaxIn =3D=3D CPUID_EXTENDED_STATE) { + Ghcb->SaveArea.XCr0 =3D XCr0; VmgSetOffsetValid (Ghcb, GhcbXCr0); } =20 - Status =3D VmgExit (Ghcb, SVM_EXIT_CPUID, 0, 0); - if (Status !=3D 0) { - return Status; + *Status =3D VmgExit (Ghcb, SVM_EXIT_CPUID, 0, 0); + if (*Status !=3D 0) { + return FALSE; } =20 if (!VmgIsOffsetValid (Ghcb, GhcbRax) || !VmgIsOffsetValid (Ghcb, GhcbRbx) || !VmgIsOffsetValid (Ghcb, GhcbRcx) || !VmgIsOffsetValid (Ghcb, GhcbRdx)) { - return UnsupportedExit (Ghcb, Regs, InstructionData); + *UnsupportedExit =3D TRUE; + return FALSE; } - Regs->Rax =3D Ghcb->SaveArea.Rax; - Regs->Rbx =3D Ghcb->SaveArea.Rbx; - Regs->Rcx =3D Ghcb->SaveArea.Rcx; - Regs->Rdx =3D Ghcb->SaveArea.Rdx; + + if (Eax) { + *Eax =3D Ghcb->SaveArea.Rax; + } + if (Ebx) { + *Ebx =3D Ghcb->SaveArea.Rbx; + } + if (Ecx) { + *Ecx =3D Ghcb->SaveArea.Rcx; + } + if (Edx) { + *Edx =3D Ghcb->SaveArea.Rdx; + } + + return TRUE; +} + +/** + Check if SEV-SNP enabled. + + @retval TRUE SEV-SNP is enabled. + @retval FALSE SEV-SNP is disabled. 
+ +**/ +STATIC +BOOLEAN +SnpEnabled (VOID) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 =3D AsmReadMsr32(MSR_SEV_STATUS); + + return !!Msr.Bits.SevSnpBit; +} + +/** + Calculate the total XSAVE area size for enabled XSAVE areas + + @param[in] XFeaturesEnabled Bit-mask of enabled XSAVE features/are= as as + indicated by XCR0/MSR_IA32_XSS bits + @param[in] XSaveBaseSize Base/legacy XSAVE area size (e.g. when + XCR0 is 1) + @param[in, out] XSaveSize Pointer to storage for calculated XSAV= E area + size + @param[in] Compacted Whether or not the calculation is for = the + normal XSAVE area size (leaf 0xD,0x0,E= BX) or + compacted XSAVE area size (leaf 0xD,0x= 1,EBX) + + + @retval TRUE XSAVE size calculation was successful. + @retval FALSE XSAVE size calculation was unsuccessfu= l. +**/ +STATIC +BOOLEAN +GetCpuidXSaveSize ( + IN UINT64 XFeaturesEnabled, + IN UINT32 XSaveBaseSize, + IN OUT UINT32 *XSaveSize, + IN BOOLEAN Compacted + ) +{ + SEV_SNP_CPUID_INFO *CpuidInfo; + UINT64 XFeaturesFound =3D 0; + UINT32 Idx; + + *XSaveSize =3D XSaveBaseSize; + CpuidInfo =3D (SEV_SNP_CPUID_INFO *)(UINT64)PcdGet32(PcdOvmfCpuidBase); + + for (Idx =3D 0; Idx < CpuidInfo->Count; Idx++) { + SEV_SNP_CPUID_FUNCTION *CpuidFn =3D &CpuidInfo->function[Idx]; + + if (!(CpuidFn->EaxIn =3D=3D 0xD && + (CpuidFn->EcxIn =3D=3D 0 || CpuidFn->EcxIn =3D=3D 1))) { + continue; + } + + if (XFeaturesFound & (1UL << CpuidFn->EcxIn) || + !(XFeaturesEnabled & (1UL << CpuidFn->EcxIn))) { + continue; + } + + XFeaturesFound |=3D (1UL << CpuidFn->EcxIn); + if (Compacted) { + *XSaveSize +=3D CpuidFn->Eax; + } else { + *XSaveSize =3D MAX(*XSaveSize, CpuidFn->Eax + CpuidFn->Ebx); + } + } + + /* + * Either the guest set unsupported XCR0/XSS bits, or the corresponding + * entries in the CPUID table were not present. This is an invalid state. 
+ */ + if (XFeaturesFound !=3D (XFeaturesEnabled & ~3UL)) { + return FALSE; + } + + return TRUE; +} + +/** + Check if a CPUID leaf/function is indexed via ECX sub-leaf/sub-function + + @param[in] EaxIn EAX input for cpuid instruction + + @retval FALSE cpuid leaf/function is not indexed by ECX i= nput + @retval TRUE cpuid leaf/function is indexed by ECX input + +**/ +STATIC +BOOLEAN +IsFunctionIndexed ( + IN UINT32 EaxIn + ) +{ + switch (EaxIn) { + case CPUID_CACHE_PARAMS: + case CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS: + case CPUID_EXTENDED_TOPOLOGY: + case CPUID_EXTENDED_STATE: + case CPUID_INTEL_RDT_MONITORING: + case CPUID_INTEL_RDT_ALLOCATION: + case CPUID_INTEL_SGX: + case CPUID_INTEL_PROCESSOR_TRACE: + case CPUID_DETERMINISTIC_ADDRESS_TRANSLATION_PARAMETERS: + case CPUID_V2_EXTENDED_TOPOLOGY: + case 0x8000001D: /* Cache Topology Information */ + return TRUE; + } + return FALSE; +} + +/** + Fetch CPUID leaf/function via SEV-SNP CPUID table. + + @param[in, out] Ghcb Pointer to the Guest-Hypervisor Communicati= on + Block + @param[in] EaxIn EAX input for cpuid instruction + @param[in] EcxIn ECX input for cpuid instruction + @param[in] Xcr0In XCR0 at time of cpuid instruction + @param[in, out] Eax Pointer to store leaf's EAX value + @param[in, out] Ebx Pointer to store leaf's EBX value + @param[in, out] Ecx Pointer to store leaf's ECX value + @param[in, out] Edx Pointer to store leaf's EDX value + @param[in, out] Status Pointer to store status from VMGEXIT (alway= s 0 + unless return value indicates failure) + @param[in, out] Unsupported Pointer to store indication of unsupported + VMGEXIT (always false unless return value + indicates failure) + + @retval TRUE CPUID leaf fetch successfully. + @retval FALSE Error occurred while fetching CPUID leaf. C= allers + should Status and Unsupported and handle + accordingly if they indicate a more precise + error condition. 
+ +**/ +STATIC +BOOLEAN +GetCpuidFw ( + IN OUT GHCB *Ghcb, + IN UINT32 EaxIn, + IN UINT32 EcxIn, + IN UINT64 XCr0, + IN OUT UINT32 *Eax, + IN OUT UINT32 *Ebx, + IN OUT UINT32 *Ecx, + IN OUT UINT32 *Edx, + IN OUT UINT64 *Status, + IN OUT BOOLEAN *Unsupported + ) +{ + SEV_SNP_CPUID_INFO *CpuidInfo; + BOOLEAN Found; + UINT32 Idx; + + CpuidInfo =3D (SEV_SNP_CPUID_INFO *)(UINT64)PcdGet32(PcdOvmfCpuidBase); + Found =3D FALSE; + + for (Idx =3D 0; Idx < CpuidInfo->Count; Idx++) { + SEV_SNP_CPUID_FUNCTION *CpuidFn =3D &CpuidInfo->function[Idx]; + + if (CpuidFn->EaxIn !=3D EaxIn) { + continue; + } + + if (IsFunctionIndexed(CpuidFn->EaxIn) && CpuidFn->EcxIn !=3D EcxIn) { + continue; + } + + *Eax =3D CpuidFn->Eax; + *Ebx =3D CpuidFn->Ebx; + *Ecx =3D CpuidFn->Ecx; + *Edx =3D CpuidFn->Edx; + + Found =3D TRUE; + break; + } + + if (!Found) { + *Eax =3D *Ebx =3D *Ecx =3D *Edx =3D 0; + goto Out; + } + + if (EaxIn =3D=3D CPUID_VERSION_INFO) { + IA32_CR4 Cr4; + UINT32 Ebx2; + UINT32 Edx2; + + if (!GetCpuidHyp (Ghcb, EaxIn, EcxIn, XCr0, NULL, &Ebx2, NULL, &Edx2, + Status, Unsupported)) { + return FALSE; + } + + /* initial APIC ID */ + *Ebx =3D (*Ebx & 0x00FFFFFF) | (Ebx2 & 0xFF000000); + /* APIC enabled bit */ + *Edx =3D (*Edx & ~BIT9) | (Edx2 & BIT9); + /* OSXSAVE enabled bit */ + Cr4.UintN =3D AsmReadCr4 (); + *Ecx =3D (Cr4.Bits.OSXSAVE) ? (*Ecx & ~BIT27) | (*Ecx & BIT27) + : (*Ecx & ~BIT27); + } else if (EaxIn =3D=3D CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS) { + IA32_CR4 Cr4; + + Cr4.UintN =3D AsmReadCr4 (); + /* OSPKE enabled bit */ + *Ecx =3D (Cr4.Bits.PKE) ? 
(*Ecx | BIT4) : (*Ecx & ~BIT4); + } else if (EaxIn =3D=3D CPUID_EXTENDED_TOPOLOGY) { + if (!GetCpuidHyp (Ghcb, EaxIn, EcxIn, XCr0, NULL, NULL, NULL, Edx, + Status, Unsupported)) { + return FALSE; + } + } else if (EaxIn =3D=3D CPUID_EXTENDED_STATE && (EcxIn =3D=3D 0 || EcxIn= =3D=3D 1)) { + MSR_IA32_XSS_REGISTER XssMsr; + BOOLEAN Compacted; + UINT32 XSaveSize; + + XssMsr.Uint64 =3D 0; + if (EcxIn =3D=3D 1) { + /* + * The PPR and APM aren't clear on what size should be encoded in + * 0xD:0x1:EBX when compaction is not enabled by either XSAVEC or + * XSAVES, as these are generally fixed to 1 on real CPUs. Report + * this undefined case as an error. + */ + if (!(*Eax & (BIT3 | BIT1))) { /* (XSAVES | XSAVEC) */ + return FALSE; + } + + Compacted =3D TRUE; + XssMsr.Uint64 =3D AsmReadMsr64 (MSR_IA32_XSS); + } + + if (!GetCpuidXSaveSize (XCr0 | XssMsr.Uint64, *Ebx, &XSaveSize, + Compacted)) { + return FALSE; + } + + *Ebx =3D XSaveSize; + } else if (EaxIn =3D=3D 0x8000001E) { + UINT32 Ebx2; + UINT32 Ecx2; + + /* extended APIC ID */ + if (!GetCpuidHyp (Ghcb, EaxIn, EcxIn, XCr0, Eax, &Ebx2, &Ecx2, NULL, + Status, Unsupported)) { + return FALSE; + } + /* compute ID */ + *Ebx =3D (*Ebx & 0xFFFFFF00) | (Ebx2 & 0x000000FF); + /* node ID */ + *Ecx =3D (*Ecx & 0xFFFFFF00) | (Ecx2 & 0x000000FF); + } + +Out: + *Status =3D 0; + *Unsupported =3D FALSE; + return TRUE; +} + +/** + Handle a CPUID event. + + Use VMGEXIT instruction or CPUID table to handle a CPUID event. 
+ + @param[in, out] Ghcb Pointer to the Guest-Hypervisor Communi= cation + Block + @param[in, out] Regs x64 processor context + @param[in] InstructionData Instruction parsing context + + @retval 0 Event handled successfully + @return New exception value to propagate + +**/ +STATIC +UINT64 +CpuidExit ( + IN OUT GHCB *Ghcb, + IN OUT EFI_SYSTEM_CONTEXT_X64 *Regs, + IN SEV_ES_INSTRUCTION_DATA *InstructionData + ) +{ + BOOLEAN Unsupported; + UINT64 Status; + UINT32 EaxIn; + UINT32 EcxIn; + UINT64 XCr0; + UINT32 Eax; + UINT32 Ebx; + UINT32 Ecx; + UINT32 Edx; + + EaxIn =3D Regs->Rax; + EcxIn =3D Regs->Rcx; + + if (EaxIn =3D=3D CPUID_EXTENDED_STATE) { + IA32_CR4 Cr4; + + Cr4.UintN =3D AsmReadCr4 (); + XCr0 =3D (Cr4.Bits.OSXSAVE =3D=3D 1) ? AsmXGetBv (0) : 1; + } + + if (SnpEnabled ()) { + if (!GetCpuidFw (Ghcb, EaxIn, EcxIn, XCr0, &Eax, &Ebx, &Ecx, &Edx, + &Status, &Unsupported)) { + goto CpuidFail; + } + } else { + if (!GetCpuidHyp (Ghcb, EaxIn, EcxIn, XCr0, &Eax, &Ebx, &Ecx, &Edx, + &Status, &Unsupported)) { + goto CpuidFail; + } + } + + Regs->Rax =3D Eax; + Regs->Rbx =3D Ebx; + Regs->Rcx =3D Ecx; + Regs->Rdx =3D Edx; =20 return 0; + +CpuidFail: + if (Unsupported) { + return UnsupportedExit (Ghcb, Regs, InstructionData); + } + + return Status; } =20 /** --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
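Review bot: PcdOvmfCpuidSize is added to both SecVmgExitLib.inf and VmgExitLib.inf, but nothing in the VmgExitVcHandler.c changes reads it; only PcdOvmfCpuidBase is used, through PcdGet32. Either drop the size PCD from the two .inf files or use it in GetCpuidFw() and GetCpuidXSaveSize() to check that CpuidInfo->Count entries fit inside the CPUID page before the loops index function[Idx]. The same two tokens are listed under [FixedPcd] in one file and [Pcd] in the other; a sentence in the commit message on why they differ would help.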
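Review bot: The line added to the include block of VmgExitVcHandler.c (hunk @@ -17,6 +17,7 @@) is a commented-out `//#include`, which looks like a development leftover. Please drop it, or include the header for real if the new code depends on it.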
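Review bot: In SEV_SNP_CPUID_INFO (hunk @@ -130,6 +131,32 @@) the trailing member `SEV_SNP_CPUID_FUNCTION function[0];` is a zero-length array with a lower-case name, while every other field in the two new structs is CamelCase. Consider a flexible array member named `Function[]`, or a fixed-size array with a named maximum so that Count can be validated against it. The comments could also say what Unused and Unused2 correspond to in the firmware ABI, and the second blank line after the typedef can go.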
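Review bot: In GetCpuidFw(), CPUID_VERSION_INFO branch (hunk @@ -1496,58 +1523,415 @@), the OSXSAVE fix-up never sets the bit: `(*Ecx & ~BIT27) | (*Ecx & BIT27)` evaluates to *Ecx unchanged, so with CR4.OSXSAVE set the guest sees whatever the table holds. The OSPKE case just below uses `(*Ecx | BIT4)`; the same form with BIT27 looks like what was intended. Two more points in the same hunk. `Compacted` is assigned only in the `EcxIn == 1` path of the CPUID_EXTENDED_STATE branch, so for sub-leaf 0 an uninitialised BOOLEAN is passed to GetCpuidXSaveSize(); initialise it to FALSE. GetCpuidXSaveSize() skips every table entry except leaf 0xD sub-leaves 0 and 1, so XFeaturesFound can only hold bits 0 and 1, while the final check compares it with `XFeaturesEnabled & ~3UL`, which only holds bits 2 and above; the two are equal only when both are zero, so the function returns FALSE for any normal XCR0 value. The filter presumably should select sub-leaves 2 and above. On documentation: the header comments name `Xcr0In` and `Unsupported` where the parameters are `XCr0` and, in GetCpuidHyp(), `UnsupportedExit` (which also shadows the UnsupportedExit() function), and "Callers should Status and Unsupported" is missing its verb.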
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 11/31] OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
Date: Mon, 13 Sep 2021 13:19:21 -0500
Message-ID: <20210913181941.23405-12-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- OvmfPkg/PlatformPei/AmdSev.c | 91 ++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index a8bf610022ba..de876fdb478e 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -19,9 +19,93 @@ #include #include #include +#include =20 #include "Platform.h" =20 +/** + Handle an SEV-SNP/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-SNP gue= st + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +STATIC +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode =3D ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + + This function can be used to register the GHCB GPA. + + @param[in] Address The physical address to be registered. + +**/ +STATIC +VOID +GhcbRegister ( + IN EFI_PHYSICAL_ADDRESS Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber =3D Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber =3D GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. 
+ // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber !=3D GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** =20 Initialize SEV-ES support if running as an SEV-ES guest. 
@@ -109,6 +193,13 @@ AmdSevEsInitialize ( "SEV-ES is enabled, %lu GHCB backup pages allocated starting at 0x%p\n= ", (UINT64)GhcbBackupPageCount, GhcbBackupBase)); =20 + // + // SEV-SNP guest requires that GHCB GPA must be registered before using = it. + // + if (MemEncryptSevSnpIsEnabled ()) { + GhcbRegister (GhcbBasePa); + } + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); =20 // --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80591): https://edk2.groups.io/g/devel/message/80591 Mute This Topic: https://groups.io/mt/85582699/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:34:51 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+80592+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80592+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1631557211093927.3866113827241; Mon, 13 Sep 2021 11:20:11 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id UwRNYY1788612xf1bVWoSeFc; Mon, 13 Sep 2021 11:20:10 -0700 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.72]) by mx.groups.io with SMTP id smtpd.web11.853.1631557208943823305 for ; Mon, 13 Sep 2021 11:20:09 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
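Review bot: GhcbRegister() (hunk @@ -19,9 +19,93 @@) derives the frame number with `Address >> EFI_PAGE_SHIFT`, which silently discards the low bits, and its header comment says only that the function "can be used to register the GHCB GPA". Please ASSERT that Address is page-aligned, or state the requirement in the comment, and document that the function does not report failure to the caller: when the response function or the returned GuestFrameNumber does not match, it ends the guest through SevEsProtocolFailure(). The SevEsProtocolFailure() comment could likewise say that it does not return.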
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 12/31] OvmfPkg/AmdSevDxe: do not use extended PCI config space
Date: Mon, 13 Sep 2021 13:19:22 -0500
Message-ID: <20210913181941.23405-13-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Commit 85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 added support to ensure
that MMIO is only performed against the un-encrypted memory. If MMIO
is performed against encrypted memory, a #GP is raised.

The AmdSevDxe uses the functions provided by the MemEncryptSevLib to
clear the memory encryption mask from the page table. If the
MemEncryptSevLib is extended to include VmgExitLib then the dependency
chain will look like this:

OvmfPkg/AmdSevDxe/AmdSevDxe.inf
Acked-by: Jiewen Yao
Suggested-by: Laszlo Ersek
-----> MemEncryptSevLib class
-----> "OvmfPkg/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf" instance
-----> VmgExitLib class
-----> "OvmfPkg/VmgExitLib" instance
-----> LocalApicLib class
-----> "UefiCpuPkg/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf" instance
-----> TimerLib class
-----> "OvmfPkg/AcpiTimerLib/DxeAcpiTimerLib.inf" instance
-----> PciLib class
-----> "OvmfPkg/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf" instance
-----> PciExpressLib class
-----> "MdePkg/BasePciExpressLib/BasePciExpressLib.inf" instance

The LocalApicLib provides a constructor that gets called before the
AmdSevDxe can clear the memory encryption mask from the MMIO regions.

When running under the Q35 machine type, the call chain looks like this:

AcpiTimerLibConstructor () [AcpiTimerLib]
  PciRead32 () [DxePciLibI440FxQ35]
    PciExpressRead32 () [PciExpressLib]

The PciExpressRead32 () reads the MMIO region. The MMIO regions are not
yet mapped un-encrypted, so the check introduced in the commit
85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 raises a #GP.

The AmdSevDxe driver does not require access to the extended PCI
config space. Accessing a normal PCI config space via IO port should be
sufficient.
Use the module-scope override to make the AmdSevDxe use the BasePciLib instead of BasePciExpressLib so that PciRead32 () uses the IO ports instead of the extended config space. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Suggested-by: Laszlo Ersek Signed-off-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- OvmfPkg/Bhyve/BhyveX64.dsc | 5 ++++- OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++- OvmfPkg/OvmfPkgX64.dsc | 5 ++++- OvmfPkg/OvmfXen.dsc | 5 ++++- 5 files changed, 20 insertions(+), 5 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index e6cd10b75922..a8ea08a10a99 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -812,7 +812,10 @@ [Components] !endif =20 OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + + PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 # diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index d8fe607d1cf7..f45634996247 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -790,7 +790,10 @@ [Components] !endif =20 OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + + PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 =20 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index a467ab7090fb..f42abc041c0c 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -965,7 +965,10 @@ [Components.X64] !endif =20 OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + + PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 !if $(SMM_REQUIRE) =3D=3D TRUE 
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index e56b83d95e09..19cc5d4122e2 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -963,7 +963,10 @@ [Components] !endif =20 OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + + PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 !if $(SMM_REQUIRE) =3D=3D TRUE diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc index a31519e356b7..383cb03d2a14 100644 --- a/OvmfPkg/OvmfXen.dsc +++ b/OvmfPkg/OvmfXen.dsc 
@@ -729,7 +729,10 @@ [Components] } =20 OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + + PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf =20 # --=20 2.17.1
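Review bot: The override added under OvmfPkg/AmdSevDxe/AmdSevDxe.inf in each of the five [Components] hunks has no comment recording why this driver is pinned to MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf, so the reason (the AcpiTimerLib constructor reaching PciExpressRead32 () before the MMIO range is mapped un-encrypted, which raises a #GP) lives only in the commit message. Please add a short DSC comment above the PciLib line in each file so that a later library-class cleanup does not drop the override and bring the #GP back. The commit message describes the failure on the Q35 machine type only; it would help to say whether the Bhyve and Xen platforms hit the same constructor path or receive the override for consistency.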
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 13/31] OvmfPkg/MemEncryptSevLib: add support to validate system RAM
Date: Mon, 13 Sep 2021 13:19:23 -0500
Message-ID: <20210913181941.23405-14-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Many of the integrity guarantees of SEV-SNP are enforced through the
Reverse Map Table (RMP). Each RMP entry contains the GPA at which a
particular page of DRAM should be mapped. The guest can request the
hypervisor to add pages in the RMP table via the Page State Change VMGEXIT
defined in the GHCB specification sections 2.5.1 and 4.1.6. Inside each RMP
entry is a Validated flag; this flag is automatically cleared to 0 by the
CPU hardware when a new RMP entry is created for a guest. Each VM page
can be either validated or invalidated, as indicated by the Validated
flag in the RMP entry. Memory access to a private page that is not
validated generates a #VC. A VM can use the PVALIDATE instruction to
validate the private page before using it.

During the guest creation, the boot ROM memory is pre-validated by the
AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called
during the SEC and PEI phase to validate the detected system RAM.

One of the fields in the Page State Change NAE is the RMP page size. The
page size input parameter indicates that either a 4KB or 2MB page should
be used while adding the RMP entry. During the validation, when possible,
the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A
hypervisor backing the memory may choose to use a different page size
in the RMP entry. In those cases, the PVALIDATE instruction should return
SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512 pages
constituting a 2MB region.

Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if
the instruction changed the RMP entry and to 1 if the instruction did not
change the RMP entry. The rFlags.CF will be 1 only when a memory region
is already validated.
We should not double validate a memory as it could lead to a security compromise. If double validation is detected, terminate the boot. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + .../DxeMemEncryptSevLib.inf | 3 + .../PeiMemEncryptSevLib.inf | 3 + .../SecMemEncryptSevLib.inf | 3 + OvmfPkg/Include/Library/MemEncryptSevLib.h | 14 + .../X64/SnpPageStateChange.h | 31 ++ .../Ia32/MemEncryptSevLib.c | 17 + .../X64/DxeSnpSystemRamValidate.c | 40 +++ .../X64/PeiSnpSystemRamValidate.c | 36 +++ .../X64/SecSnpSystemRamValidate.c | 36 +++ .../X64/SnpPageStateChangeInternal.c | 295 ++++++++++++++++++ 12 files changed, 480 insertions(+) create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateCh= ange.h create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRa= mValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRa= mValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRa= mValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateCh= angeInternal.c diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index d1d92c97bae3..626dbc15786a 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -266,6 +266,7 @@ [LibraryClasses.common.SEC] !else CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiC= puExceptionHandlerLib.inf !endif + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLi= b.inf =20 [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index f42abc041c0c..58be97eb0605 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc 
@@ -270,6 +270,7 @@ [LibraryClasses.common.SEC] !else CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiC= puExceptionHandlerLib.inf !endif + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLi= b.inf =20 [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f2e162d68076..f613bb314f5f 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -34,8 +34,10 @@ [Sources] PeiDxeMemEncryptSevLibInternal.c =20 [Sources.X64] + X64/DxeSnpSystemRamValidate.c X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/SnpPageStateChangeInternal.c X64/VirtualMemory.c X64/VirtualMemory.h =20 @@ -49,6 +51,7 @@ [LibraryClasses] DebugLib MemoryAllocationLib PcdLib + VmgExitLib =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 03a78c32df28..0402e49a1028 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -36,6 +36,8 @@ [Sources] [Sources.X64] X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/PeiSnpSystemRamValidate.c + X64/SnpPageStateChangeInternal.c X64/VirtualMemory.c X64/VirtualMemory.h =20 @@ -49,6 +51,7 @@ [LibraryClasses] DebugLib MemoryAllocationLib PcdLib + VmgExitLib =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 279c38bfbc2c..939af0a91ea4 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf 
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -35,6 +35,8 @@ [Sources] [Sources.X64] X64/MemEncryptSevLib.c X64/SecVirtualMemory.c + X64/SecSnpSystemRamValidate.c + X64/SnpPageStateChangeInternal.c X64/VirtualMemory.c X64/VirtualMemory.h =20 @@ -46,6 +48,7 @@ [LibraryClasses] CpuLib DebugLib PcdLib + VmgExitLib =20 [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/L= ibrary/MemEncryptSevLib.h index 796de62ec2f8..f708a0cdaa72 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -215,4 +215,18 @@ MemEncryptSevClearMmioPageEncMask ( IN UINTN NumPages ); =20 +/** + Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpPreValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ); + #endif // _MEM_ENCRYPT_SEV_LIB_H_ diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h = b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h new file mode 100644 index 000000000000..8bbdf06468b9 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h @@ -0,0 +1,31 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2021 AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SNP_PAGE_STATE_INTERNAL_H_ +#define SNP_PAGE_STATE_INTERNAL_H_ + +// +// SEV-SNP Page states +// +typedef enum { + SevSnpPagePrivate, + SevSnpPageShared, + +} SEV_SNP_PAGE_STATE; + +VOID +InternalSetPageState ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages, + IN SEV_SNP_PAGE_STATE State, + IN BOOLEAN UseLargeEntry + ); + +#endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c b= /OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c index be260e0d1014..df5e4d61513d 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c @@ -136,3 +136,20 @@ MemEncryptSevClearMmioPageEncMask ( // return RETURN_UNSUPPORTED; } + +/** + Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpPreValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + ASSERT (FALSE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c new file mode 100644 index 000000000000..ad8d8b388dc8 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c @@ -0,0 +1,40 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2021 AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include + +#include "SnpPageStateChange.h" + +/** + Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpPreValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + if (!MemEncryptSevSnpIsEnabled ()) { + return; + } + + // + // All the pre-validation must be completed in the PEI phase. + // + ASSERT (FALSE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c new file mode 100644 index 000000000000..64aab7f45b6d --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -0,0 +1,36 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2021 AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +#include "SnpPageStateChange.h" + +/** + Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpPreValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + if (!MemEncryptSevSnpIsEnabled ()) { + return; + } + + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c new file mode 100644 index 000000000000..64aab7f45b6d --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c @@ -0,0 +1,36 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2021 AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +#include "SnpPageStateChange.h" + +/** + Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. + + @param[in] BaseAddress Base address + @param[in] NumPages Number of pages starting from the ba= se address + +**/ +VOID +EFIAPI +MemEncryptSevSnpPreValidateSystemRam ( + IN PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages + ) +{ + if (!MemEncryptSevSnpIsEnabled ()) { + return; + } + + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); +} diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInt= ernal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeIntern= al.c new file mode 100644 index 000000000000..506df12d4e51 --- /dev/null +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c @@ -0,0 +1,295 @@ +/** @file + + SEV-SNP Page Validation functions. + + Copyright (c) 2021 AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "SnpPageStateChange.h" + +#define IS_ALIGNED(x, y) ((((x) & (y - 1)) =3D=3D 0)) +#define PAGES_PER_LARGE_ENTRY 512 + +STATIC +UINTN +MemoryStateToGhcbOp ( + IN SEV_SNP_PAGE_STATE State + ) +{ + UINTN Cmd; + + switch (State) { + case SevSnpPageShared: Cmd =3D SNP_PAGE_STATE_SHARED; break; + case SevSnpPagePrivate: Cmd =3D SNP_PAGE_STATE_PRIVATE; break; + default: ASSERT(0); + } + + return Cmd; +} + +STATIC +VOID +SnpPageStateFailureTerminate ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode =3D GHCB_TERMINATE_GHCB_GENERAL; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + This function issues the PVALIDATE instruction to validate or invalidate = the memory + range specified. If PVALIDATE returns size mismatch then it retry validat= ing with + smaller page size. + + */ +STATIC +VOID +PvalidateRange ( + IN SNP_PAGE_STATE_CHANGE_INFO *Info, + IN UINTN StartIndex, + IN UINTN EndIndex, + IN BOOLEAN Validate + ) +{ + UINTN Address, RmpPageSize, Ret, i; + + for (; StartIndex <=3D EndIndex; StartIndex++) { + // + // Get the address and the page size from the Info. + // + Address =3D Info->Entry[StartIndex].GuestFrameNumber << EFI_PAGE_SHIFT; + RmpPageSize =3D Info->Entry[StartIndex].PageSize; + + Ret =3D AsmPvalidate (RmpPageSize, Validate, Address); + + // + // If we fail to validate due to size mismatch then try with the + // smaller page size. This senario will occur if the backing page in + // the RMP entry is 4K and we are validating it as a 2MB. 
+ // + if ((Ret =3D=3D PVALIDATE_RET_SIZE_MISMATCH) && (RmpPageSize =3D=3D Pv= alidatePageSize2MB)) { + for (i =3D 0; i < PAGES_PER_LARGE_ENTRY; i++) { + Ret =3D AsmPvalidate (PvalidatePageSize4K, Validate, Address); + if (Ret) { + break; + } + + Address =3D Address + EFI_PAGE_SIZE; + } + } + + // + // If validation failed then do not continue. + // + if (Ret) { + DEBUG (( + DEBUG_ERROR, "%a:%a: Failed to %a address 0x%Lx Error code %d\n", + gEfiCallerBaseName, + __FUNCTION__, + Validate ? "Validate" : "Invalidate", + Address, + Ret + )); + SnpPageStateFailureTerminate (); + } + } +} + +STATIC +EFI_PHYSICAL_ADDRESS +BuildPageStateBuffer ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN EFI_PHYSICAL_ADDRESS EndAddress, + IN SEV_SNP_PAGE_STATE State, + IN BOOLEAN UseLargeEntry, + IN SNP_PAGE_STATE_CHANGE_INFO *Info + ) +{ + EFI_PHYSICAL_ADDRESS NextAddress; + UINTN i, RmpPageSize; + + // Clear the page state structure + SetMem (Info, sizeof (*Info), 0); + + i =3D 0; + NextAddress =3D EndAddress; + + // + // Populate the page state entry structure + // + while ((BaseAddress < EndAddress) && (i < SNP_PAGE_STATE_MAX_ENTRY)) { + // + // Is this a 2MB aligned page? Check if we can use the Large RMP entry. 
+ // + if (UseLargeEntry && IS_ALIGNED (BaseAddress, SIZE_2MB) && + ((EndAddress - BaseAddress) >=3D SIZE_2MB)) { + RmpPageSize =3D PvalidatePageSize2MB; + NextAddress =3D BaseAddress + SIZE_2MB; + } else { + RmpPageSize =3D PvalidatePageSize4K; + NextAddress =3D BaseAddress + EFI_PAGE_SIZE; + } + + Info->Entry[i].GuestFrameNumber =3D BaseAddress >> EFI_PAGE_SHIFT; + Info->Entry[i].PageSize =3D RmpPageSize; + Info->Entry[i].Operation =3D MemoryStateToGhcbOp (State); + Info->Entry[i].CurrentPage =3D 0; + Info->Header.EndEntry =3D i; + + BaseAddress =3D NextAddress; + i++; + } + + return NextAddress; +} + +STATIC +VOID +PageStateChangeVmgExit ( + IN GHCB *Ghcb, + IN SNP_PAGE_STATE_CHANGE_INFO *Info + ) +{ + EFI_STATUS Status; + + // + // As per the GHCB specification, the hypervisor can resume the guest be= fore + // processing all the entries. Checks whether all the entries are proces= sed. + // + // The stragtegy here is to wait for the hypervisor to change the page + // state in the RMP table before guest access the memory pages. If the + // page state was not successful, then later memory access will result + // in the crash. + // + while (Info->Header.CurrentEntry <=3D Info->Header.EndEntry) { + Ghcb->SaveArea.SwScratch =3D (UINT64) Ghcb->SharedBuffer; + VmgSetOffsetValid (Ghcb, GhcbSwScratch); + + Status =3D VmgExit (Ghcb, SVM_EXIT_SNP_PAGE_STATE_CHANGE, 0, 0); + + // + // The Page State Change VMGEXIT can pass the failure through the + // ExitInfo2. Lets check both the return value as well as ExitInfo2. + // + if ((Status !=3D 0) || (Ghcb->SaveArea.SwExitInfo2)) { + SnpPageStateFailureTerminate (); + } + } +} + +/** + The function is used to set the page state when SEV-SNP is active. The pa= ge state + transition consist of changing the page ownership in the RMP table, and u= sing the + PVALIDATE instruction to update the Validated bit in RMP table. 
+ + When the UseLargeEntry is set to TRUE, then function will try to use the = large RMP + entry (whevever possible). + */ +VOID +InternalSetPageState ( + IN EFI_PHYSICAL_ADDRESS BaseAddress, + IN UINTN NumPages, + IN SEV_SNP_PAGE_STATE State, + IN BOOLEAN UseLargeEntry + ) +{ + GHCB *Ghcb; + EFI_PHYSICAL_ADDRESS NextAddress, EndAddress; + MSR_SEV_ES_GHCB_REGISTER Msr; + BOOLEAN InterruptState; + SNP_PAGE_STATE_CHANGE_INFO *Info; + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + Ghcb =3D Msr.Ghcb; + + EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE (NumPages); + + DEBUG (( + DEBUG_VERBOSE, "%a:%a Address 0x%Lx - 0x%Lx State =3D %a LargeEntry = =3D %d\n", + gEfiCallerBaseName, + __FUNCTION__, + BaseAddress, + EndAddress, + State =3D=3D SevSnpPageShared ? "Shared" : "Private", + UseLargeEntry + )); + + while (BaseAddress < EndAddress) { + UINTN CurrentEntry, EndEntry; + + // + // Initialize the GHCB + // + VmgInit (Ghcb, &InterruptState); + + // + // Build the page state structure + // + Info =3D (SNP_PAGE_STATE_CHANGE_INFO *) Ghcb->SharedBuffer; + NextAddress =3D BuildPageStateBuffer (BaseAddress, + EndAddress, + State, + UseLargeEntry, + Info + ); + + // + // Save the current and end entry from the page state structure. We ne= ed + // it later. + // + CurrentEntry =3D Info->Header.CurrentEntry; + EndEntry =3D Info->Header.EndEntry; + + // + // If the caller requested to change the page state to shared then + // invalidate the pages before making the page shared in the RMP table. + // + if (State =3D=3D SevSnpPageShared) { + PvalidateRange (Info, CurrentEntry, EndEntry, FALSE); + } + + // + // Invoke the page state change VMGEXIT. + // + PageStateChangeVmgExit (Ghcb, Info); + + // + // If the caller requested to change the page state to private then + // validate the pages after it has been added in the RMP table. 
+ // + if (State =3D=3D SevSnpPagePrivate) { + PvalidateRange (Info, CurrentEntry, EndEntry, TRUE); + } + + VmgDone (Ghcb, InterruptState); + + BaseAddress =3D NextAddress; + } +} --=20 2.17.1
View/Reply Online (#80593): https://edk2.groups.io/g/devel/message/80593
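Review bot: In PageStateChangeVmgExit, the loop condition (Info->Header.CurrentEntry <= Info->Header.EndEntry) reads both bounds from Ghcb->SharedBuffer on every iteration, and that buffer is the one the hypervisor updates as it processes entries, so the host alone decides when the loop ends and how many entries count as done. Snapshot EndEntry before the first VMGEXIT and, after each exit, call SnpPageStateFailureTerminate () if EndEntry has changed or CurrentEntry has moved backwards or past EndEntry + 1.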
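Review bot: In InternalSetPageState, the private path calls PvalidateRange (Info, CurrentEntry, EndEntry, TRUE) after the VMGEXIT while Info still points at Ghcb->SharedBuffer, so any entry field PvalidateRange reads comes from memory the hypervisor could have rewritten during the exit. CurrentEntry and EndEntry are already saved in locals before the exit; the entries deserve the same treatment, for example by building the descriptor in guest-private memory, copying it into the shared buffer for the exit, and running PVALIDATE from the private copy.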
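Review bot: BuildPageStateBuffer declares "IN SNP_PAGE_STATE_CHANGE_INFO *Info" but clears it with SetMem and fills every entry, so the parameter should be OUT, and neither this function nor PageStateChangeVmgExit has the function header comment that InternalSetPageState carries. While touching it, "UINTN i, RmpPageSize;" would read better as one declaration per line with Index in place of i, and the comments have two typos ("stragtegy", "whevever").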
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 14/31] OvmfPkg/MemEncryptSevLib: add function to check the VMPL0
Date: Mon, 13 Sep 2021 13:19:24 -0500
Message-ID: <20210913181941.23405-15-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The Virtual Machine Privilege Level (VMPL) feature in the SEV-SNP architecture allows a guest VM to divide its address space into four levels. The level can be used to provide the hardware isolated abstraction layers with a VM. The VMPL0 is the highest privilege, and VMPL3 is the least privilege. Certain operations must be done by the VMPL0 software, such as:

* Validate or invalidate memory range (PVALIDATE instruction)
* Allocate VMSA page (RMPADJUST instruction when VMSA=1)

The initial SEV-SNP support assumes that the guest is running on VMPL0. Let's add a function in the MemEncryptSevLib that can be used for checking whether the guest is booted under the VMPL0.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Signed-off-by: Brijesh Singh
--- .../X64/SnpPageStateChange.h | 5 ++ .../X64/SecSnpSystemRamValidate.c | 46 +++++++++++++++++++ .../X64/SnpPageStateChangeInternal.c | 1 - 3 files changed, 51 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h = b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h index 8bbdf06468b9..cc1318075523 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h @@ -28,4 +28,9 @@ InternalSetPageState ( IN BOOLEAN UseLargeEntry ); =20 +VOID +SnpPageStateFailureTerminate ( + VOID + ); + #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c index 64aab7f45b6d..3394094a65e5 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c @@ -14,6 +14,43 @@ =20 #include "SnpPageStateChange.h" =20 +// +// The variable used for the VMPL check. +// +STATIC UINT8 gVmpl0Data[4096]; + +/** + The function checks whether SEV-SNP guest is booted under VMPL0. + + @retval TRUE The guest is booted under VMPL0 + @retval FALSE The guest is not booted under VMPL0 + **/ +STATIC +BOOLEAN +SevSnpIsVmpl0 ( + VOID + ) +{ + UINT64 Rdx; + EFI_STATUS Status; + + // + // There is no straightforward way to query the current VMPL level. + // The simplest method is to use the RMPADJUST instruction to change + // a page permission to a VMPL level-1, and if the guest kernel is + // launched at a level <=3D 1, then RMPADJUST instruction will return + // an error. + // + Rdx =3D 1; + + Status =3D AsmRmpAdjust ((UINT64) gVmpl0Data, 0, Rdx); + if (EFI_ERROR (Status)) { + return FALSE; + } + + return TRUE; +} + /** Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. =20 @@ -32,5 +69,14 @@ MemEncryptSevSnpPreValidateSystemRam ( return; } =20 + // + // The page state change uses the PVALIDATE instruction. The instruction + // can be run on VMPL-0 only. If its not VMPL-0 guest then terminate + // the boot. + // + if (!SevSnpIsVmpl0 ()) { + SnpPageStateFailureTerminate (); + } + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); } diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInt= ernal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeIntern= al.c index 506df12d4e51..653151d4a422 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c 
@@ -40,7 +40,6 @@ MemoryStateToGhcbOp ( return Cmd; } =20 -STATIC VOID SnpPageStateFailureTerminate ( VOID --=20 2.17.1
View/Reply Online (#80594): https://edk2.groups.io/g/devel/message/80594
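Review bot: In SevSnpIsVmpl0, the result of AsmRmpAdjust is stored in an EFI_STATUS and tested with EFI_ERROR (Status), which is true only when the high bit is set; if AsmRmpAdjust returns the raw instruction result, the way the AsmPvalidate result is tested with "if (Ret)" in the previous patch, a small non-zero failure code passes this check and a guest that is not at VMPL0 carries on to PVALIDATE. Please confirm the return type and compare against 0 if it is a raw code. The comment "launched at a level <= 1" also reads backwards next to the commit message, which defines VMPL0 as the most privileged level: the failing case is a numerically higher level, so say that the call fails unless the guest runs at VMPL0.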
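Review bot: SnpPageStateFailureTerminate is exported through SnpPageStateChange.h with no header comment, yet the new caller in MemEncryptSevSnpPreValidateSystemRam falls straight through to InternalSetPageState after calling it and so depends on it never returning; document that contract on the prototype. In the same file set, gVmpl0Data is STATIC but carries the g prefix of a global, so mVmpl0Data sized with EFI_PAGE_SIZE instead of the literal 4096 would match the module-scope naming used for mPreValidatedRange in the next patch.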
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 15/31] OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
Date: Mon, 13 Sep 2021 13:19:25 -0500
Message-ID: <20210913181941.23405-16-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The MemEncryptSevSnpPreValidateSystemRam() is used for pre-validating the system RAM. As the boot progresses, each phase validates a fixed region of the RAM. In the PEI phase, the PlatformPei detects all the available RAM and calls to pre-validate the detected system RAM.

While validating the system RAM in the PEI phase, we must skip previously validated system RAM to avoid the double validation.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- .../PeiMemEncryptSevLib.inf | 20 ++++ .../X64/PeiSnpSystemRamValidate.c | 102 +++++++++++++++++- 2 files changed, 121 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 0402e49a1028..1cc9dd6691a2 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
@@ -57,4 +57,24 @@ [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire =20 [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbPageTableSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageSize + gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress + gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index 64aab7f45b6d..eae7a31773a4 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c 
@@ -14,6 +14,81 @@ =20 #include "SnpPageStateChange.h" =20 +typedef struct { + UINT64 StartAddress; + UINT64 EndAddress; +} SNP_PRE_VALIDATED_RANGE; + +STATIC SNP_PRE_VALIDATED_RANGE mPreValidatedRange[] =3D { + // The below address range was part of the OVMF metadata, and range + // should be pre-validated by the Hypervisor. + { + FixedPcdGet32 (PcdOvmfSecPageTablesBase), + FixedPcdGet32 (PcdOvmfSecPageTablesBase) + FixedPcdGet32 (PcdOvmfSecPa= geTablesSize), + }, + { + FixedPcdGet32 (PcdOvmfLockBoxStorageBase), + FixedPcdGet32 (PcdOvmfLockBoxStorageBase) + FixedPcdGet32 (PcdOvmfLock= BoxStorageSize), + }, + { + FixedPcdGet64 (PcdGuidedExtractHandlerTableAddress), + FixedPcdGet64 (PcdGuidedExtractHandlerTableAddress) + FixedPcdGet32 (P= cdGuidedExtractHandlerTableSize) + }, + { + FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase), + FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase) + FixedPcdGet32 (PcdOvmfSe= cGhcbPageTableSize), + }, + { + FixedPcdGet32 (PcdOvmfSecGhcbBase), + FixedPcdGet32 (PcdOvmfSecGhcbBase) + FixedPcdGet32 (PcdOvmfSecGhcbSize= ), + }, + { + FixedPcdGet32 (PcdOvmfWorkAreaBase), + FixedPcdGet32 (PcdOvmfWorkAreaBase) + FixedPcdGet32 (PcdOvmfWorkAreaSi= ze), + }, + { + FixedPcdGet32 (PcdOvmfSecGhcbBackupBase), + FixedPcdGet32 (PcdOvmfSecGhcbBackupBase) + FixedPcdGet32 (PcdOvmfSecGh= cbBackupSize), + }, + { + FixedPcdGet32 (PcdOvmfSnpSecretsBase), + FixedPcdGet32 (PcdOvmfSnpSecretsBase) + FixedPcdGet32 (PcdOvmfSnpSecre= tsSize), + }, + { + FixedPcdGet32 (PcdOvmfCpuidBase), + FixedPcdGet32 (PcdOvmfCpuidBase) + FixedPcdGet32 (PcdOvmfCpuidSize), + }, + { + FixedPcdGet32 (PcdOvmfSecPeiTempRamBase), + FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPe= iTempRamSize), + }, +}; + +STATIC +BOOLEAN +DetectPreValidatedOverLap ( + IN PHYSICAL_ADDRESS StartAddress, + IN PHYSICAL_ADDRESS EndAddress, + OUT SNP_PRE_VALIDATED_RANGE *OverlapRange + ) +{ + UINTN i; + + // + // Check if the specified address range exist in pre-validated array. 
+ // + for (i =3D 0; i < ARRAY_SIZE (mPreValidatedRange); i++) { + if ((mPreValidatedRange[i].StartAddress < EndAddress) && + (StartAddress < mPreValidatedRange[i].EndAddress)) { + OverlapRange->StartAddress =3D mPreValidatedRange[i].StartAddress; + OverlapRange->EndAddress =3D mPreValidatedRange[i].EndAddress; + return TRUE; + } + } + + return FALSE; +} + /** Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. =20 
@@ -28,9 +103,34 @@ MemEncryptSevSnpPreValidateSystemRam ( IN UINTN NumPages ) { + PHYSICAL_ADDRESS EndAddress; + SNP_PRE_VALIDATED_RANGE OverlapRange; + if (!MemEncryptSevSnpIsEnabled ()) { return; } =20 - InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE (NumPages); + + while (BaseAddress < EndAddress) { + // + // Check if the range overlaps with the pre-validated ranges. + // + if (DetectPreValidatedOverLap (BaseAddress, EndAddress, &OverlapRange)= ) { + // Validate the non-overlap regions. + if (BaseAddress < OverlapRange.StartAddress) { + NumPages =3D EFI_SIZE_TO_PAGES (OverlapRange.StartAddress - BaseAd= dress); + + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TR= UE); + } + + BaseAddress =3D OverlapRange.EndAddress; + continue; + } + + // Validate the remaining pages. + NumPages =3D EFI_SIZE_TO_PAGES (EndAddress - BaseAddress); + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + BaseAddress =3D EndAddress; + } } --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
View/Reply Online (#80596): https://edk2.groups.io/g/devel/message/80596
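Review bot: DetectPreValidatedOverLap returns the first overlapping entry in array order rather than the overlapping entry with the lowest StartAddress, and the caller then validates everything from BaseAddress up to OverlapRange.StartAddress in one InternalSetPageState call. Nothing in mPreValidatedRange guarantees the entries are listed in ascending address order, so if another pre-validated range sits below the one returned it lands inside that gap and is validated a second time, which is the double validation the commit message sets out to avoid. Either select the overlap with the lowest StartAddress, or re-run the overlap check on the gap [BaseAddress, OverlapRange.StartAddress) instead of validating it directly.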
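Review bot: In MemEncryptSevSnpPreValidateSystemRam, the gap before an overlap is sized with EFI_SIZE_TO_PAGES (OverlapRange.StartAddress - BaseAddress), which rounds up, so a pre-validated range whose base PCD is not 4 KiB aligned would have its first page validated again as part of the gap. An ASSERT that every StartAddress and EndAddress in mPreValidatedRange is page aligned would make that assumption explicit, and DetectPreValidatedOverLap could use a function header comment describing the half-open [StartAddress, EndAddress) convention its comparison relies on.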
b=JoZwU/D1upg6NrNgUHHiwmZfs75Ry0RLpF8bmbgsymMU7TmS+euQcu5YUkdJHHMuoa6ongS41A7E2Ofc/Z2cG5AYVbVixQQcsqM3/s9UkCGWbpcVTruWCi374TfkBWFgdNIriM/Oos3tBrT1PpOQXkOnhSeWxrg4PaoGa+932CGewFzXpfdsqBKHJGKLRIer6qTH0GopovUD5RENqCpgqhjZkxcjX2tFT4JBgXvWAYpLeqCit/BFf1NStQUCXqY6eKMp4Y85sbTA7NEaiL0geu0NE3EUPqn8qK1qm72bXAttT+tAyuHtWASu4SF4H75yGCrtYrEoOY4cufJf/nhymw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) by SA0PR12MB4557.namprd12.prod.outlook.com (2603:10b6:806:9d::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.17; Mon, 13 Sep 2021 18:20:11 +0000 X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3]) by SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3%6]) with mapi id 15.20.4500.019; Mon, 13 Sep 2021 18:20:11 +0000 
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 16/31] OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase
Date: Mon, 13 Sep 2021 13:19:26 -0500
Message-ID: <20210913181941.23405-17-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The initial page built during the SEC phase is used by the MemEncryptSevSnpValidateSystemRam() for the system RAM validation. The page validation process requires using the PVALIDATE instruction; the instruction accepts a virtual address of the memory region that needs to be validated. If hardware encounters a page table walk failure (due to page-not-present) then it raises #GP.

The initial page table built in SEC phase addresses up to 4GB. Add an internal function to extend the page table to cover > 4GB. The function builds 1GB entries in the page table for access > 4GB. This will provide the support to call PVALIDATE instruction for the virtual address > 4GB in PEI phase.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 19 +++ .../X64/PeiDxeVirtualMemory.c | 115 ++++++++++++++++++ .../X64/PeiSnpSystemRamValidate.c | 22 ++++ 3 files changed, 156 insertions(+) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h b/Ovm= fPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h index 21bbbd1c4f9c..aefef68c30c0 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h 
@@ -143,4 +143,23 @@ InternalMemEncryptSevClearMmioPageEncMask ( IN PHYSICAL_ADDRESS PhysicalAddress, IN UINTN Length ); + +/** + Create 1GB identity mapping for the specified virtual address range. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] VirtualAddress Virtual address + @param[in] Length Length of virtual address range + + @retval RETURN_INVALID_PARAMETER Number of pages is zero. + +**/ +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ); #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c= b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index c696745f9d26..f146f6d61cc5 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c 
@@ -536,6 +536,121 @@ EnableReadOnlyPageWriteProtect ( AsmWriteCr0 (AsmReadCr0() | BIT16); } =20 +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + IN PHYSICAL_ADDRESS Cr3BaseAddress, + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Length + ) +{ + PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; + PAGE_TABLE_1G_ENTRY *PageDirectory1GEntry; + UINT64 PgTableMask; + UINT64 AddressEncMask; + BOOLEAN IsWpEnabled; + RETURN_STATUS Status; + + // + // Set PageMapLevel4Entry to suppress incorrect compiler/analyzer warnin= gs. + // + PageMapLevel4Entry =3D NULL; + + DEBUG (( + DEBUG_VERBOSE, + "%a:%a: Cr3Base=3D0x%Lx Physical=3D0x%Lx Length=3D0x%Lx\n", + gEfiCallerBaseName, + __FUNCTION__, + Cr3BaseAddress, + PhysicalAddress, + (UINT64)Length + )); + + if (Length =3D=3D 0) { + return RETURN_INVALID_PARAMETER; + } + + // + // Check if we have a valid memory encryption mask + // + AddressEncMask =3D InternalGetMemEncryptionAddressMask (); + if (!AddressEncMask) { + return RETURN_ACCESS_DENIED; + } + + PgTableMask =3D AddressEncMask | EFI_PAGE_MASK; + + + // + // Make sure that the page table is changeable. 
+ // + IsWpEnabled =3D IsReadOnlyPageWriteProtected (); + if (IsWpEnabled) { + DisableReadOnlyPageWriteProtect (); + } + + Status =3D EFI_SUCCESS; + + while (Length) + { + // + // If Cr3BaseAddress is not specified then read the current CR3 + // + if (Cr3BaseAddress =3D=3D 0) { + Cr3BaseAddress =3D AsmReadCr3(); + } + + PageMapLevel4Entry =3D (VOID*) (Cr3BaseAddress & ~PgTableMask); + PageMapLevel4Entry +=3D PML4_OFFSET(PhysicalAddress); + if (!PageMapLevel4Entry->Bits.Present) { + DEBUG (( + DEBUG_ERROR, + "%a:%a: bad PML4 for Physical=3D0x%Lx\n", + gEfiCallerBaseName, + __FUNCTION__, + PhysicalAddress + )); + Status =3D RETURN_NO_MAPPING; + goto Done; + } + + PageDirectory1GEntry =3D (VOID *)( + (PageMapLevel4Entry->Bits.PageTableBaseAddres= s << + 12) & ~PgTableMask + ); + PageDirectory1GEntry +=3D PDP_OFFSET(PhysicalAddress); + if (!PageDirectory1GEntry->Bits.Present) { + PageDirectory1GEntry->Bits.Present =3D 1; + PageDirectory1GEntry->Bits.MustBe1 =3D 1; + PageDirectory1GEntry->Bits.MustBeZero =3D 0; + PageDirectory1GEntry->Bits.ReadWrite =3D 1; + PageDirectory1GEntry->Uint64 |=3D (UINT64)PhysicalAddress | AddressE= ncMask; + } + + if (Length <=3D BIT30) { + Length =3D 0; + } else { + Length -=3D BIT30; + } + + PhysicalAddress +=3D BIT30; + } + + // + // Flush TLB + // + CpuFlushTlb(); + +Done: + // + // Restore page table write protection, if any. + // + if (IsWpEnabled) { + EnableReadOnlyPageWriteProtect (); + } + + return Status; +} =20 /** This function either sets or clears memory encryption bit for the memory diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index eae7a31773a4..a0803e1255dc 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c 
@@ -10,9 +10,12 @@ =20 #include #include +#include +#include #include =20 #include "SnpPageStateChange.h" +#include "VirtualMemory.h" =20 typedef struct { UINT64 StartAddress; @@ -105,6 +108,7 @@ MemEncryptSevSnpPreValidateSystemRam ( { PHYSICAL_ADDRESS EndAddress; SNP_PRE_VALIDATED_RANGE OverlapRange; + EFI_STATUS Status; =20 if (!MemEncryptSevSnpIsEnabled ()) { return; 
@@ -112,6 +116,24 @@ MemEncryptSevSnpPreValidateSystemRam ( =20 EndAddress =3D BaseAddress + EFI_PAGES_TO_SIZE (NumPages); =20 + // + // The page table used in PEI can address up to 4GB memory. If we are as= ked to + // validate a range above the 4GB, then create an identity mapping so th= at the + // PVALIDATE instruction can execute correctly. If the page table entry = is not + // present then PVALIDATE will #GP. + // + if (BaseAddress >=3D SIZE_4GB) { + Status =3D InternalMemEncryptSevCreateIdentityMap1G ( + 0, + BaseAddress, + EFI_PAGES_TO_SIZE (NumPages) + ); + if (EFI_ERROR (Status)) { + ASSERT (FALSE); + CpuDeadLoop (); + } + } + while (BaseAddress < EndAddress) { // // Check if the range overlaps with the pre-validated ranges. --=20 2.17.1
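Review bot: In the VirtualMemory.h hunk, the doc comment for InternalMemEncryptSevCreateIdentityMap1G does not match the prototype below it. It documents "@param[in] VirtualAddress" while the parameter is named PhysicalAddress, and its only @retval describes RETURN_INVALID_PARAMETER as "Number of pages is zero" although the function takes a byte Length. Please rename the @param, reword the @retval to "Length is zero", and document the other statuses the implementation returns: RETURN_ACCESS_DENIED when no encryption mask is available, RETURN_NO_MAPPING when the PML4 entry is not present, and the success value.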
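Review bot: In the PeiDxeVirtualMemory.c hunk, the loop in InternalMemEncryptSevCreateIdentityMap1G assumes PhysicalAddress is 1GB-aligned but nothing enforces it. "PageDirectory1GEntry->Uint64 |= (UINT64)PhysicalAddress | AddressEncMask" ORs the unaligned low bits of the address into the entry below the 1GB frame, and because Length is consumed in BIT30 steps from an unaligned start, a range that straddles a 1GB boundary can end with its last 1GB region unmapped (a 1GB range that starts 512MB past a boundary takes the "Length <= BIT30" branch after one iteration). Suggest aligning the start down to 1GB and growing Length by the offset before the loop, or returning RETURN_INVALID_PARAMETER for unaligned input. Two smaller points in the same hunk: the "goto Done" on a non-present PML4 entry skips CpuFlushTlb () even though earlier iterations may already have written entries, and Status is initialised with EFI_SUCCESS in a function that otherwise uses RETURN_* values.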
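Review bot: In the last PeiSnpSystemRamValidate.c hunk, the new "if (BaseAddress >= SIZE_4GB)" test misses a range that starts below 4GB and ends above it. EndAddress is computed two lines earlier but only BaseAddress is checked, so the portion of such a range above 4GB gets no identity mapping and, per the comment added here, PVALIDATE would #GP on it. Suggest testing "EndAddress > SIZE_4GB" and mapping from MAX (BaseAddress, SIZE_4GB) up to EndAddress. Minor: Status is declared EFI_STATUS in the previous hunk while the callee returns RETURN_STATUS.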
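The address arithmetic behind the 1GB identity mapping described in the commit message above, as an added example (a user-space model, not part of the patch or of edk2). The helper names and the encryption-bit position (bit 51) are assumptions for illustration; the model goes slightly beyond the patch by handling ranges that are not 1GB-aligned or that straddle 4GB.

```c
#include <stdint.h>
#include <stdio.h>

#define SIZE_1GB (1ULL << 30)
#define SIZE_4GB (1ULL << 32)

/* 4-level long-mode paging: bits 47:39 pick the PML4 entry,
 * bits 38:30 pick the PDPT entry (one PDPT entry spans 1GB). */
static unsigned pml4_index(uint64_t addr) { return (unsigned)((addr >> 39) & 0x1FF); }
static unsigned pdpt_index(uint64_t addr) { return (unsigned)((addr >> 30) & 0x1FF); }

/* Clamp [base, base + length) to the part at or above 4GB, which is the
 * part the SEC-phase page table does not cover. Returns 0 if none. */
static int clamp_above_4gb(uint64_t base, uint64_t length,
                           uint64_t *out_base, uint64_t *out_length)
{
    uint64_t end = base + length;   /* exclusive end; caller avoids wrap */

    if (length == 0 || end <= SIZE_4GB) {
        return 0;
    }
    *out_base = (base < SIZE_4GB) ? SIZE_4GB : base;
    *out_length = end - *out_base;
    return 1;
}

/* Number of 1GB entries that must be present so that every byte of the
 * range is mapped, including when the start is not 1GB-aligned. */
static uint64_t count_1g_entries(uint64_t base, uint64_t length)
{
    if (length == 0) {
        return 0;
    }
    return ((base + length - 1) >> 30) - (base >> 30) + 1;
}

/* Identity-mapped 1GB leaf entry: Present (bit 0), ReadWrite (bit 1),
 * page-size bit (bit 7), the 1GB-aligned frame, and the encryption mask. */
static uint64_t make_1g_entry(uint64_t addr, uint64_t enc_mask)
{
    uint64_t frame = addr & ~(SIZE_1GB - 1);

    return frame | enc_mask | (1ULL << 7) | (1ULL << 1) | 1ULL;
}

int main(void)
{
    /* Assumption: encryption bit at position 51. On real hardware the
     * position is reported by CPUID 0x8000001F, EBX[5:0]. */
    const uint64_t enc_mask = 1ULL << 51;
    /* Constructed sample ranges: aligned, unaligned, straddling 4GB. */
    const struct { uint64_t base, length; } ranges[] = {
        { SIZE_4GB,                SIZE_1GB     },
        { SIZE_4GB + SIZE_1GB / 2, SIZE_1GB     },
        { 3 * SIZE_1GB,            2 * SIZE_1GB },
    };

    for (unsigned i = 0; i < sizeof ranges / sizeof ranges[0]; i++) {
        uint64_t base, length;

        if (!clamp_above_4gb(ranges[i].base, ranges[i].length, &base, &length)) {
            continue;
        }
        uint64_t n = count_1g_entries(base, length);
        uint64_t addr = base & ~(SIZE_1GB - 1);
        for (uint64_t k = 0; k < n; k++, addr += SIZE_1GB) {
            printf("range %u: PML4[%u] PDPT[%u] = 0x%016llx\n", i,
                   pml4_index(addr), pdpt_index(addr),
                   (unsigned long long)make_1g_entry(addr, enc_mask));
        }
    }
    return 0;
}
```
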
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 17/31] OvmfPkg/SecMain: pre-validate the memory used for decompressing Fv
Date: Mon, 13 Sep 2021 13:19:27 -0500
Message-ID: <20210913181941.23405-18-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The VMM launch sequence should have pre-validated all the data pages used in the Reset vector. The range does not cover the data pages used during the SEC phase (mainly PEI and DXE firmware volume decompression memory).

When SEV-SNP is active, the memory must be pre-validated before the access. Add support to pre-validate the memory range from SnpSecPreValidatedStart to SnpSecPreValidatedEnd. This should be sufficient to enter into the PEI phase.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- OvmfPkg/OvmfPkg.dec | 5 ++++ .../PeiMemEncryptSevLib.inf | 2 ++ OvmfPkg/Sec/SecMain.inf | 3 +++ OvmfPkg/Sec/AmdSev.h | 23 +++++++++++++++++++ .../X64/PeiSnpSystemRamValidate.c | 5 ++++ OvmfPkg/Sec/AmdSev.c | 20 +++++++++++++++- OvmfPkg/Sec/SecMain.c | 7 ++++++ OvmfPkg/FvmainCompactScratchEnd.fdf.inc | 5 ++++ 8 files changed, 69 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index efa0de6d0600..e30cb6eafcb8 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -354,6 +354,11 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x54 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x55 =20 + ## The range of memory that need to be pre-validated in the SEC phase + # when SEV-SNP is active in the guest VM. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedStart|0|UINT32|0x56 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedEnd|0|UINT32|0x57 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 1cc9dd6691a2..01764ab3a1a8 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -78,3 +78,5 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfLockBoxStorageSize gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedEnd + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedStart diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 9523a8ea6c8f..7e2668ff2f66 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -51,6 +51,7 @@ [LibraryClasses] PeCoffExtraActionLib ExtractGuidedSectionLib LocalApicLib + MemEncryptSevLib CpuExceptionHandlerLib =20 [Ppis] @@ -73,6 +74,8 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedStart + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedEnd =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h index adad96d23189..33af32b9925b 100644 --- a/OvmfPkg/Sec/AmdSev.h +++ b/OvmfPkg/Sec/AmdSev.h @@ -69,4 +69,27 @@ SevEsIsEnabled ( VOID ); =20 +/** + Pre-validate System RAM used for decompressing the PEI and DXE firmware v= olumes + when SEV-SNP is active. The PCDs SecPreValidatedStart and SecPreValidated= End are + set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc. + +**/ +VOID +SevSnpSecPreValidateSystemRam ( + VOID + ); + +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +BOOLEAN +SevSnpIsEnabled ( + VOID + ); + #endif 
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValida= te.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index a0803e1255dc..c51d565fc176 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -65,6 +65,11 @@ STATIC SNP_PRE_VALIDATED_RANGE mPreValidatedRange[] =3D { FixedPcdGet32 (PcdOvmfSecPeiTempRamBase), FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPe= iTempRamSize), }, + // The below range is pre-validated by the Sec/SecMain.c + { + FixedPcdGet32 (PcdOvmfSnpSecPreValidatedStart), + FixedPcdGet32 (PcdOvmfSnpSecPreValidatedEnd) + }, }; =20 STATIC diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 7d4d7cc8a07c..e54a3fa23f6a 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -55,7 +55,6 @@ SevEsProtocolFailure ( @retval FALSE SEV-SNP is not enabled =20 **/ -STATIC BOOLEAN SevSnpIsEnabled ( VOID @@ -296,3 +295,22 @@ SevEsIsEnabled ( =20 return (SevEsWorkArea->SevEsEnabled !=3D 0); } + +/** + Pre-validate System RAM used for decompressing the PEI and DXE firmware v= olumes + when SEV-SNP is active. The PCDs SecPreValidatedStart and SecPreValidated= End are + set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc. + +**/ +VOID +SevSnpSecPreValidateSystemRam ( + VOID + ) +{ + PHYSICAL_ADDRESS Start, End; + + Start =3D (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdOvmfSnpSecPreValidatedStar= t); + End =3D (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdOvmfSnpSecPreValidatedEnd); + + MemEncryptSevSnpPreValidateSystemRam (Start, EFI_SIZE_TO_PAGES (End - St= art)); +} diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 406e3a25d0cd..0d80494b062c 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c 
@@ -847,6 +847,13 @@ SecCoreStartupWithStack ( SecCoreData.BootFirmwareVolumeBase =3D BootFv; SecCoreData.BootFirmwareVolumeSize =3D (UINTN) BootFv->FvLength; =20 + if (SevSnpIsEnabled ()) { + // + // Pre-validate the System RAM used in the SEC Phase + // + SevSnpSecPreValidateSystemRam (); + } + // // Make sure the 8259 is masked before initializing the Debug Agent and = the debug timer is enabled // diff --git a/OvmfPkg/FvmainCompactScratchEnd.fdf.inc b/OvmfPkg/FvmainCompac= tScratchEnd.fdf.inc index 46f52583297c..b560fb0b8e4f 100644 --- a/OvmfPkg/FvmainCompactScratchEnd.fdf.inc +++ b/OvmfPkg/FvmainCompactScratchEnd.fdf.inc 
@@ -63,3 +63,8 @@ DEFINE DECOMP_SCRATCH_BASE =3D (($(DECOMP_SCRATCH_BASE_UNALIGNED= ) + $(DECOMP_SCRATCH_BASE_ALIGNMENT)) & $(DECOMP_SCRATCH_BASE_MASK)) =20 SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd =3D $(DECOMP= _SCRATCH_BASE) + $(DECOMP_SCRATCH_SIZE) + +# +# The range of pages that should be pre-validated during the SEC phase whe= n SEV-SNP is active in the guest VM. +SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedStart =3D $(MEMFD_= BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase +SET gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecPreValidatedEnd =3D $(DECOMP_S= CRATCH_BASE) + $(DECOMP_SCRATCH_SIZE) --=20 2.17.1
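Review bot: The doc comment added in the AmdSev.h hunk (and repeated above the definition in AmdSev.c) names the PCDs as "SecPreValidatedStart and SecPreValidatedEnd", but the tokens this patch declares in OvmfPkg.dec are PcdOvmfSnpSecPreValidatedStart and PcdOvmfSnpSecPreValidatedEnd. Please use the full token names in both comments so that a search for the PCD finds its documentation.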
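Review bot: In the AmdSev.c hunk that adds SevSnpSecPreValidateSystemRam, "EFI_SIZE_TO_PAGES (End - Start)" is computed with no check that End is above Start. Both PCDs default to 0 in OvmfPkg.dec and only get real values from the SET lines in FvmainCompactScratchEnd.fdf.inc, so a build that misses those lines validates nothing without any diagnostic, and End below Start would underflow the subtraction. Suggest an "ASSERT (Start < End)" before the call. Style points in the same hunk: the locals are declared as PHYSICAL_ADDRESS but cast with EFI_PHYSICAL_ADDRESS, and the PCDs are read with PcdGet32 here while the PeiSnpSystemRamValidate.c hunk reads the same tokens with FixedPcdGet32.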
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 18/31] OvmfPkg/PlatformPei: validate the system RAM when SNP is active
Date: Mon, 13 Sep 2021 13:19:28 -0500
Message-ID: <20210913181941.23405-19-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
eHkcyZxB3vWto1b3hAh0ny8kce1fVkZoZ9A= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1631557215864100069 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 When SEV-SNP is active, a memory region mapped encrypted in the page table must be validated before access. There are two approaches that can be taken to validate the system RAM detected during the PEI phase: 1) Validate on-demand OR 2) Validate before access On-demand =3D=3D=3D=3D=3D=3D=3D=3D=3D If memory is not validated before access, it will cause a #VC exception with the page-not-validated error code. The VC exception handler can perform the validation steps. The pages that have been validated will need to be tracked to avoid the double validation scenarios. The range of memory that has not been validated will need to be communicated to the OS through the recently introduced unaccepted memory type https://github.com/microsoft/mu_basecore/pull/66, so that OS can validate those ranges before using them. Validate before access =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Since the PEI phase detects all the available system RAM, use the MemEncryptSevSnpValidateSystemRam() function to pre-validate the system RAM in the PEI phase. For now, choose option 2 due to the dependency and the complexity of the on-demand validation. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 42 ++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index de876fdb478e..391e7bbb7dbd 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c 
@@ -23,6 +23,40 @@ =20 #include "Platform.h" =20 +/** + Initialize SEV-SNP support if running as an SEV-SNP guest. + +**/ +STATIC +VOID +AmdSevSnpInitialize ( + VOID + ) +{ + EFI_PEI_HOB_POINTERS Hob; + EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob; + + if (!MemEncryptSevSnpIsEnabled ()) { + return; + } + + // + // Iterate through the system RAM and validate it. + // + for (Hob.Raw =3D GetHobList (); !END_OF_HOB_LIST (Hob); Hob.Raw =3D GET_= NEXT_HOB (Hob)) { + if (Hob.Raw !=3D NULL && GET_HOB_TYPE (Hob) =3D=3D EFI_HOB_TYPE_RESOUR= CE_DESCRIPTOR) { + ResourceHob =3D Hob.ResourceDescriptor; + + if (ResourceHob->ResourceType =3D=3D EFI_RESOURCE_SYSTEM_MEMORY) { + MemEncryptSevSnpPreValidateSystemRam ( + ResourceHob->PhysicalStart, + EFI_SIZE_TO_PAGES ((UINTN) ResourceHob->ResourceLength) + ); + } + } + } +} + /** Handle an SEV-SNP/GHCB protocol check failure. =20 
@@ -240,6 +274,14 @@ AmdSevInitialize ( return; } =20 + // + // Check and perform SEV-SNP initialization if required. This need to be + // done before the GHCB page is made shared in the AmdSevEsInitialize().= This + // is because the system RAM must be validated before it is made shared. + // The AmdSevSnpInitialize() validates the system RAM. + // + AmdSevSnpInitialize (); + // // Set Memory Encryption Mask PCD // --=20 2.17.1
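
Review bot: In the new AmdSevSnpInitialize() loop, the (UINTN) cast on ResourceHob->ResourceLength narrows a 64-bit HOB field before EFI_SIZE_TO_PAGES, so in a build where UINTN is 32 bits a region of 4 GiB or more would be passed with a truncated page count and its tail left unvalidated. Drop the cast and compute the page count from the UINT64 value, or state in the function header that this path only runs with a 64-bit PEI. The commit message also names MemEncryptSevSnpValidateSystemRam() while the code calls MemEncryptSevSnpPreValidateSystemRam(); one of the two should be corrected. The Hob.Raw != NULL test in the loop body comes after END_OF_HOB_LIST (Hob) has already read through the pointer, so it can be removed.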
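
Review bot: The comment added at the AmdSevSnpInitialize () call site in AmdSevInitialize() has a grammar slip ("This need to be done" should read "This needs to be done"), and the ordering requirement is recorded only there. Since the call must run before AmdSevEsInitialize() makes the GHCB page shared, repeat that requirement in the AmdSevSnpInitialize() function header so it is not lost if the call site is moved later.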

From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth, Ray Ni, Rahul Kumar, Eric Dong
Subject: [edk2-devel] [PATCH v7 19/31] UefiCpuPkg: Define ConfidentialComputingGuestAttr
Date: Mon, 13 Sep 2021 13:19:29 -0500
Message-ID: <20210913181941.23405-20-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

While initializing APs, the MpInitLib may need to know whether the guest is running with active AMD SEV or Intel TDX memory encryption.

Add a new ConfidentialComputingGuestAttr PCD that can be used to query the memory encryption attribute.

Cc: Michael Roth
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Eric Dong
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Suggested-by: Jiewen Yao
Signed-off-by: Brijesh Singh
---
 UefiCpuPkg/UefiCpuPkg.dec | 4 +++
 .../Include/ConfidentialComputingGuestAttr.h | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 UefiCpuPkg/Include/ConfidentialComputingGuestAttr.h

diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 62acb291f309..9dbaa407c399 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec @@ -396,5 +396,9 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt SEV-ES Status gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|FALSE|BOOLEAN|0x60000016 =20 + ## This dynamic PCD indicates the memory encryption attribute of the gue= st. + # @Prompt Memory encryption attribute + gUefiCpuPkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x6= 0000017 + [UserExtensions.TianoCore."ExtraFiles"] UefiCpuPkgExtra.uni diff --git a/UefiCpuPkg/Include/ConfidentialComputingGuestAttr.h b/UefiCpuP= kg/Include/ConfidentialComputingGuestAttr.h new file mode 100644 index 000000000000..495b0df0ac33 --- /dev/null +++ b/UefiCpuPkg/Include/ConfidentialComputingGuestAttr.h @@ -0,0 +1,25 @@ +/** @file +Definitions for Confidential Computing Attribute + +Copyright (c) 2021 AMD Inc. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ +#define CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ + +typedef enum { + /* The guest is running with memory encryption disabled. */ + CCAttrNotEncrypted =3D 0, + + /* The guest is running with AMD SEV memory encryption enabled. */ + CCAttrAmdSev =3D 0x100, + CCAttrAmdSevEs =3D 0x101, + CCAttrAmdSevSnp =3D 0x102, + + /* The guest is running with Intel TDX memory encryption enabled. */ + CCAttrIntelTdx =3D 0x200, +} CONFIDENTIAL_COMPUTING_GUEST_ATTR; + +#endif --=20 2.17.1
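
Review bot: In the UefiCpuPkg.dec hunk, the comment on PcdConfidentialComputingGuestAttr does not say which values the UINT64 may hold. Point it at CONFIDENTIAL_COMPUTING_GUEST_ATTR in ConfidentialComputingGuestAttr.h, so that a consumer moving from the BOOLEAN PcdSevEsIsEnabled does not test the new PCD for zero/non-zero or compare it against raw numbers.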
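
Review bot: In the new ConfidentialComputingGuestAttr.h, the value layout is left implicit: 0x100 to 0x102 for AMD and 0x200 for Intel look like a vendor field above a per-vendor level, but nothing in the header states that, and CCAttrAmdSevEs and CCAttrAmdSevSnp share a single comment with CCAttrAmdSev. Document the encoding and give each enumerator its own comment, so callers that need "any SEV variant" or "SEV-ES or stronger" know whether a range or mask comparison is intended rather than listing values one by one.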

From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth, Ray Ni, Rahul Kumar, Eric Dong
Subject: [edk2-devel] [PATCH v7 20/31] OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active
Date: Mon, 13 Sep 2021 13:19:30 -0500
Message-ID: <20210913181941.23405-21-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The MpInitLib uses the ConfidentialComputingAttr PCD to determine whether AMD SEV is active so that it can use the VMGEXITs defined in the GHCB specification to create APs.

Cc: Michael Roth
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Eric Dong
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Suggested-by: Jiewen Yao
Signed-off-by: Brijesh Singh
---
 OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
 OvmfPkg/PlatformPei/AmdSev.c | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 67eb7aa7166b..233b9494f64b 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -106,6 +106,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled + gUefiCpuPkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr =20 [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 391e7bbb7dbd..5e2c891309d4 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -20,6 +20,7 @@ #include #include #include +#include =20 #include "Platform.h" =20
@@ -342,4 +343,18 @@ AmdSevInitialize ( // Check and perform SEV-ES initialization if required. // AmdSevEsInitialize (); + + // + // Set the Confidential computing attr PCD to communicate which SEV + // technology is active. + // + if (MemEncryptSevSnpIsEnabled ()) { + PcdStatus =3D PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdS= evSnp); + } else if (MemEncryptSevEsIsEnabled ()) { + PcdStatus =3D PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdS= evEs); + } else { + PcdStatus =3D PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdS= ev); + } + ASSERT_RETURN_ERROR (PcdStatus); + } --=20 2.17.1
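
Review bot: At the end of AmdSevInitialize(), a failed PcdSet64S() is caught only by ASSERT_RETURN_ERROR (PcdStatus), which does nothing in builds with assertions disabled; the PCD would then keep its declared default of 0 (CCAttrNotEncrypted) inside an SEV guest, and MpInitLib would pick its AP start-up path from a wrong value. Make the failure fatal in every build, for example by following the assert with CpuDeadLoop () when RETURN_ERROR (PcdStatus) is true. The subject and commit message also refer to PcdConfidentialComputingAttr and ConfidentialComputingAttr, while the code sets PcdConfidentialComputingGuestAttr; use the one name throughout.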
From: "Brijesh Singh via groups.io" To: devel@edk2.groups.io CC: James Bottomley , Min Xu , Jiewen Yao , Tom Lendacky , Jordan Justen , Ard Biesheuvel , Erdem Aktas , Michael Roth , Gerd Hoffmann , Brijesh Singh , Michael Roth , Ray Ni , Rahul Kumar , Eric Dong Subject: [edk2-devel] [PATCH v7 21/31] UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status Date: Mon, 13 Sep 2021 13:19:31 -0500 Message-ID: <20210913181941.23405-22-brijesh.singh@amd.com> In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com> References: <20210913181941.23405-1-brijesh.singh@amd.com> X-ClientProxiedBy: SA9P221CA0012.NAMP221.PROD.OUTLOOK.COM (2603:10b6:806:25::17) To SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) MIME-Version: 1.0 X-Received: from sbrijesh-desktop.amd.com (165.204.77.1) by SA9P221CA0012.NAMP221.PROD.OUTLOOK.COM (2603:10b6:806:25::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.14 via Frontend Transport; Mon, 13 Sep 2021 18:20:15 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: feac6c8d-cc8c-4233-01b5-08d976e32243 X-MS-TrafficTypeDiagnostic: SN6PR12MB2830: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:1468; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Message-Info: 
uF4HXtNPIOXqGvNK+NHxlVLa+YbvUioJ5Hk= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1631557220625100004 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 Previous commit introduced a generic confidential computing PCD that can determine whether AMD SEV-ES is enabled. Update the MpInitLib to drop the PcdSevEsIsEnabled in favor of PcdConfidentialComputingAttr. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Suggested-by: Jiewen Yao Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 2 +- UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 2 +- UefiCpuPkg/Library/MpInitLib/MpLib.h | 13 ++++ UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 6 +- UefiCpuPkg/Library/MpInitLib/MpLib.c | 60 ++++++++++++++++++- UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 4 +- 6 files changed, 77 insertions(+), 10 deletions(-) diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Lib= rary/MpInitLib/DxeMpInitLib.inf index d34419c2a524..76e6aa83b3cb 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -72,7 +72,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## = CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## = SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds ## = CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled ## = CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## = SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## = CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## = CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## = CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Lib= rary/MpInitLib/PeiMpInitLib.inf index 36fcb96b5852..a146bab94317 100644 
--- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -62,9 +62,9 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuMicrocodePatchRegionSize ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOME= TIMES_CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOME= TIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONS= UMES + gUefiCpuPkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONS= UMES =20 [Ppis] gEdkiiPeiShadowMicrocodePpiGuid ## SOMETIMES_CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpIn= itLib/MpLib.h index e88a5355c983..388ebef7b0dc 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -33,6 +33,7 @@ #include #include #include +#include =20 #include =20 @@ -741,5 +742,17 @@ PlatformShadowMicrocode ( IN OUT CPU_MP_DATA *CpuMpData ); =20 +/** + Check if the specified confidential computing attribute is active. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. +**/ +BOOLEAN +EFIAPI +ConfidentialComputingGuestHas ( + CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ); + #endif =20 diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c b/UefiCpuPkg/Library/M= pInitLib/DxeMpLib.c index 93fc63bf93e3..657a73dca05e 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c @@ -93,7 +93,7 @@ GetWakeupBuffer ( EFI_PHYSICAL_ADDRESS StartAddress; EFI_MEMORY_TYPE MemoryType; =20 - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { MemoryType =3D EfiReservedMemoryType; } else { MemoryType =3D EfiBootServicesData; 
@@ -107,7 +107,7 @@ GetWakeupBuffer ( // LagacyBios driver depends on CPU Arch protocol which guarantees below // allocation runs earlier than LegacyBios driver. // - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // SEV-ES Wakeup buffer should be under 0x88000 and under any previous= one // @@ -124,7 +124,7 @@ GetWakeupBuffer ( ASSERT_EFI_ERROR (Status); if (EFI_ERROR (Status)) { StartAddress =3D (EFI_PHYSICAL_ADDRESS) -1; - } else if (PcdGetBool (PcdSevEsIsEnabled)) { + } else if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // Next SEV-ES wakeup buffer allocation must be below this allocation // diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpIn= itLib/MpLib.c index b9a06747edbf..bfef1237f452 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -295,7 +295,7 @@ GetApLoopMode ( ApLoopMode =3D ApInHltLoop; } =20 - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // For SEV-ES, force AP in Hlt-loop mode in order to use the GHCB // protocol for starting APs @@ -1197,7 +1197,7 @@ AllocateResetVector ( // The AP reset stack is only used by SEV-ES guests. Do not allocate it // if SEV-ES is not enabled. // - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // Stack location is based on ProcessorNumber, so use the total numb= er // of processors for calculating the total stack area. @@ -2032,7 +2032,7 @@ MpInitLibInitialize ( CpuMpData->CpuData =3D (CPU_AP_DATA *) (CpuMpData + 1); CpuMpData->CpuInfoInHob =3D (UINT64) (UINTN) (CpuMpData->CpuData + M= axLogicalProcessorNumber); InitializeSpinLock(&CpuMpData->MpLock); - CpuMpData->SevEsIsEnabled =3D PcdGetBool (PcdSevEsIsEnabled); + CpuMpData->SevEsIsEnabled =3D ConfidentialComputingGuestHas (CCAttrAmdSe= vEs); CpuMpData->SevEsAPBuffer =3D (UINTN) -1; CpuMpData->GhcbBase =3D PcdGet64 (PcdGhcbBase); =20 
@@ -2922,3 +2922,57 @@ MpInitLibStartupAllCPUs ( NULL ); } + +/** + The function check if the specified Attr is set in the CurrentAttr. + + @retval TRUE The specified Attr is set. + @retval FALSE The specified Attr is not set. + **/ +STATIC +BOOLEAN +AmdMemEncryptionAttrCheck ( + UINT64 CurrentAttr, + CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ) +{ + switch (Attr) { + case CCAttrAmdSev: + return CurrentAttr >=3D CCAttrAmdSev; + case CCAttrAmdSevEs: + return CurrentAttr >=3D CCAttrAmdSevEs; + case CCAttrAmdSevSnp: + return CurrentAttr =3D=3D CCAttrAmdSevSnp; + default: + return FALSE; + } +} + +/** + Check if the specified confidential computing attribute is active. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. +**/ +BOOLEAN +EFIAPI +ConfidentialComputingGuestHas ( + CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ) +{ + UINT64 CurrentAttr; + + // + // Get the current CC attribute. + // + CurrentAttr =3D PcdGet64 (PcdConfidentialComputingGuestAttr); + + // + // If attr is for the AMD group then call AMD specific checks. + // + if (((CurrentAttr >> 8) & 0xff) =3D=3D 1) { + return AmdMemEncryptionAttrCheck (CurrentAttr, Attr); + } + + return (CurrentAttr =3D=3D Attr); +} diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpLib.c b/UefiCpuPkg/Library/M= pInitLib/PeiMpLib.c index 90015c650c68..2f333a00460a 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpLib.c @@ -222,7 +222,7 @@ GetWakeupBuffer ( // Need memory under 1MB to be collected here // WakeupBufferEnd =3D Hob.ResourceDescriptor->PhysicalStart + Hob.Re= sourceDescriptor->ResourceLength; - if (PcdGetBool (PcdSevEsIsEnabled) && + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs) && WakeupBufferEnd > mSevEsPeiWakeupBuffer) { // // SEV-ES Wakeup buffer should be under 1MB and under any previo= us one 
@@ -253,7 +253,7 @@ GetWakeupBuffer ( DEBUG ((DEBUG_INFO, "WakeupBufferStart =3D %x, WakeupBufferSize = =3D %x\n", WakeupBufferStart, WakeupBufferSize)); =20 - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // Next SEV-ES wakeup buffer allocation must be below this // allocation --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80601): https://edk2.groups.io/g/devel/message/80601 Mute This Topic: https://groups.io/mt/85582711/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:34:51 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+80602+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80602+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1631557219749763.3782592020805; Mon, 13 Sep 2021 11:20:19 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id OJKcYY1788612x2P7n0lOrPK; Mon, 13 Sep 2021 11:20:19 -0700 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.43]) by mx.groups.io with SMTP id smtpd.web09.834.1631557217859046702 for ; Mon, 13 Sep 2021 11:20:18 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
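Review bot: In patch 21/31, DxeMpInitLib.inf hunk @@ -72,7 +72,7 @@ (and the matching PeiMpInitLib.inf hunk @@ -62,9 +62,9 @@), the PCD that is added is PcdConfidentialComputingGuestAttr, but the subject line and commit message call it PcdConfidentialComputingAttr. Please make the message match the identifier so the change can be found by searching for the PCD name. The new entry is also appended after the gEfiMdeModulePkgTokenSpaceGuid lines; placing it where PcdSevEsIsEnabled was removed would keep the gUefiCpuPkgTokenSpaceGuid entries grouped.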
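Review bot: In patch 21/31, MpLib.h hunk @@ -741,5 +742,17 @@, the new ConfidentialComputingGuestHas prototype has no @param entry for Attr in its comment block and the parameter carries no IN modifier, unlike `IN OUT CPU_MP_DATA *CpuMpData` on the prototype just above it. Suggest `IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr` with a matching `@param[in] Attr` line, here and on the definition in MpLib.c.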
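Review bot: In patch 21/31, DxeMpLib.c hunks @@ -93,7 +93,7 @@, @@ -107,7 +107,7 @@ and @@ -124,7 +124,7 @@, GetWakeupBuffer() now calls `ConfidentialComputingGuestHas (CCAttrAmdSevEs)` three times where it previously read a boolean PCD, so the 64-bit PCD is fetched and decoded three times in one function. Reading it once into a local BOOLEAN at the top of the function would keep the three branches visibly tied to the same decision.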
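Review bot: In patch 21/31, MpLib.c hunk @@ -2922,3 +2922,57 @@, ConfidentialComputingGuestHas() selects the AMD path with the open-coded test `((CurrentAttr >> 8) & 0xff) == 1`, and AmdMemEncryptionAttrCheck() then applies `>=` to the full UINT64 value, so bits outside that one byte are never validated and the ordering SEV < SEV-ES < SEV-SNP is assumed rather than stated. Suggest a named macro for the vendor-group extraction, rejecting values outside the known AMD attribute range before the ordered comparison, and a comment that records the ordering assumption. Both comment blocks also lack @param entries for their arguments, and "The function check" should read "The function checks".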
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth, Ray Ni, Rahul Kumar, Eric Dong
Subject: [edk2-devel] [PATCH v7 22/31] UefiCpuPkg: add PcdGhcbHypervisorFeatures
Date: Mon, 13 Sep 2021 13:19:32 -0500
Message-ID: <20210913181941.23405-23-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
UtDOuZj5d6kKqSNcys2eo9ZlxpSDpndtY/k= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1631557220642100005 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 Version 2 of the GHCB specification added a new VMGEXIT that the guest could use for querying the hypervisor features. One of the immediate users for it will be an AP creation code. When SEV-SNP is enabled, the guest can use the newly added AP_CREATE VMGEXIT to create the APs. The MpInitLib will check the hypervisor feature, and if AP_CREATE is available, it will use it. See GHCB spec version 2 for more details on the VMGEXIT. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Signed-off-by: Brijesh Singh --- UefiCpuPkg/UefiCpuPkg.dec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 9dbaa407c399..c979a0a90a0e 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec 
@@ -400,5 +400,10 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt Memory encryption attribute gUefiCpuPkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x6= 0000017 =20 + ## This dynamic PCD contains the hypervisor features value obtained thro= ugh the GHCB HYPERVISOR + # features VMGEXIT defined in the version 2 of GHCB spec. + # @Prompt GHCB Hypervisor Features + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures|0x0|UINT64|0x60000018 + [UserExtensions.TianoCore."ExtraFiles"] UefiCpuPkgExtra.uni --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80602): https://edk2.groups.io/g/devel/message/80602 Mute This Topic: https://groups.io/mt/85582712/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:34:51 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+80603+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80603+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1631557221435859.3716728993243; Mon, 13 Sep 2021 11:20:21 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id aTqqYY1788612xBb5iML7PW7; Mon, 13 Sep 2021 11:20:21 -0700 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.43]) by mx.groups.io with SMTP id smtpd.web09.834.1631557217859046702 for ; Mon, 13 Sep 2021 11:20:20 -0700 ARC-Seal: i=1; a=rsa-sha256; 
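Review bot: In patch 22/31, UefiCpuPkg.dec hunk @@ -400,5 +400,10 @@, the comment for PcdGhcbHypervisorFeatures does not say what the default of 0x0 means (no features advertised versus never queried) or which module is expected to set it. Suggest stating that the value stays 0 unless platform code has performed the query, and pointing readers to the bit definitions in the GHCB specification. The wording "the GHCB HYPERVISOR features VMGEXIT defined in the version 2 of GHCB spec" would read better as "the GHCB Hypervisor Features VMGEXIT defined in version 2 of the GHCB spec", and the default is written `0x0` here but `0` on the PcdConfidentialComputingGuestAttr line just above.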
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 23/31] OvmfPkg/PlatformPei: set the Hypervisor Features PCD
Date: Mon, 13 Sep 2021 13:19:33 -0500
Message-ID: <20210913181941.23405-24-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
vyG5lR1GhsvmVwAQ+Ymto0uMVajwUYiRqRc= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1631557222950100013 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 Version 2 of the GHCB specification added the support to query the hypervisor feature bitmap. The feature bitmap provide information such as whether to use the AP create VmgExit or use the AP jump table approach to create the APs. The MpInitLib will use the PcdGhcbHypervisorFeatures to determine which method to use for creating the AP. Query the hypervisor feature and set the PCD accordingly. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/PlatformPei.inf | 3 ++ OvmfPkg/PlatformPei/AmdSev.c | 56 +++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 233b9494f64b..d048b692f155 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -62,6 +62,7 @@ [LibraryClasses] MtrrLib MemEncryptSevLib PcdLib + VmgExitLib =20 [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase @@ -107,6 +108,8 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled gUefiCpuPkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures + =20 [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 5e2c891309d4..b71a4a7304f7 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -24,6 +24,12 @@ =20 #include "Platform.h" =20 +STATIC +UINT64 +GetHypervisorFeature ( + VOID + ); + /** Initialize SEV-SNP support if running as an SEV-SNP guest. =20 
@@ -36,11 +42,22 @@ AmdSevSnpInitialize ( { EFI_PEI_HOB_POINTERS Hob; EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob; + UINT64 HvFeatures; + EFI_STATUS PcdStatus; =20 if (!MemEncryptSevSnpIsEnabled ()) { return; } =20 + // + // Query the hypervisor feature using the VmgExit and set the value in t= he + // hypervisor features PCD. + // + HvFeatures =3D GetHypervisorFeature (); + PcdStatus =3D PcdSet64S (PcdGhcbHypervisorFeatures, HvFeatures); + ASSERT_RETURN_ERROR (PcdStatus); + + // // Iterate through the system RAM and validate it. // 
@@ -91,6 +108,45 @@ SevEsProtocolFailure ( CpuDeadLoop (); } =20 +/** + Get the hypervisor features bitmap + +**/ +STATIC +UINT64 +GetHypervisorFeature ( + VOID + ) +{ + UINT64 Status; + GHCB *Ghcb; + MSR_SEV_ES_GHCB_REGISTER Msr; + BOOLEAN InterruptState; + UINT64 Features; + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + Ghcb =3D Msr.Ghcb; + + // + // Initialize the GHCB + // + VmgInit (Ghcb, &InterruptState); + + // + // Query the Hypervisor Features. + // + Status =3D VmgExit (Ghcb, SVM_EXIT_HYPERVISOR_FEATURES, 0, 0); + if ((Status !=3D 0)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + Features =3D Ghcb->SaveArea.SwExitInfo2; + + VmgDone (Ghcb, InterruptState); + + return Features; +} + /** =20 This function can be used to register the GHCB GPA. --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80603): https://edk2.groups.io/g/devel/message/80603 Mute This Topic: https://groups.io/mt/85582713/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:34:51 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+80604+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+80604+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1631557222262744.6380543538266; Mon, 13 Sep 2021 11:20:22 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 4FFkYY1788612xKzFFcFvQas; Mon, 13 
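Review bot: In patch 23/31, PlatformPei.inf hunk @@ -107,6 +108,8 @@, the line after the new PcdGhcbHypervisorFeatures entry is an added blank line, which leaves two blank lines before [FixedPcd]. Please drop the extra one.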
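Review bot: In patch 23/31, AmdSev.c hunk @@ -36,11 +42,22 @@, PcdStatus is declared as EFI_STATUS but is checked with ASSERT_RETURN_ERROR; declaring it RETURN_STATUS would match the macro used on it. The only handling of a failed PcdSet64S is that assertion, so it is worth a comment on what the consumer sees if the PCD keeps its default. Because the query sits after the `if (!MemEncryptSevSnpIsEnabled ())` early return, the PCD is populated only for SEV-SNP guests, which the commit message should say. The hunk also adds two consecutive blank lines before the "Iterate through the system RAM" comment.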
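Review bot: In patch 23/31, AmdSev.c hunk @@ -91,6 +108,45 @@, GetHypervisorFeature() issues SVM_EXIT_HYPERVISOR_FEATURES with no visible check that GHCB protocol version 2 was negotiated, and the series raises the protocol max version only in the following patch (24/31). Suggest gating the call on the negotiated version or reordering the two patches so each one is correct on its own. The result is taken from `Ghcb->SaveArea.SwExitInfo2` as is and later decides how APs are started; since that field is written by the hypervisor, a comment noting that the bitmap is untrusted input would help later readers. Smaller points: the comment block has no @return line, `if ((Status != 0))` has redundant parentheses, and defining the function above AmdSevSnpInitialize() would avoid the forward declaration added at @@ -24,6 +24,12 @@.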
Sep 2021 11:20:21 -0700 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.43]) by mx.groups.io with SMTP id smtpd.web09.834.1631557217859046702 for ; Mon, 13 Sep 2021 11:20:21 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jqGQoLDepQ8EqTEv+49iBDt/C2cZK7P4CdAFLUPU4s7my94VfZP17/UZYGavPkZUC8ZPWvPkESg2Voc5S9UQpROp1hwbtCBTbqlb6PNzY7zcUmoJbB6zSWemKymzSIvt3v8Nid6hRaU/sNOYYAr1Ait1GgHo+1ZQFVeIZ9jkD5nfv1RXT2XAmlY05HsAq3fPPlYkIguvwn3/tO9zvWECcbHsrA5XJvtvWtPISl2pFhIcZV2f8w7aXs4NL0xH/Giixv22YFuqmtshZonp3uxhqiwX7OwNZRmcYTmwvmrZHf4LS82I+eZbEQ5LuWfMzE2CmxV9kvEVh3vVuqox9zD9+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=czcPNoM6Z1LT/73DatLxs0FY7D/Y66fNTkgRIOn/iZE=; b=jZARxJbTOp3g5CnTXhMg98RPOFHHhajESUtObXXG7WEl6OhyAVJ9SyFrrR0u0LAyhWYHRaimz0zOKHcwwemiqpkrJ7eyIH9HvVNw9hFx3WqSqAfxFRj+Xh3Jb0XW76Se7kkzJcl2buLPBbW1k38i3gbgGPw99W1qcUopYQWkBFT0KNJiRHC2KnQI4Uv5GBL3GvYSlSkVAsXiJHkUgGQ0StISbBOPEjcyS9mFyxRqyGRyZQ9V0TvxcEqOOp/cNdTw404MLzegrM1oUue2rqio3ptBAI//xus9ebpkq3MdiTwAscCRYFuLcx1d4HJYw7UO9N1cCzQhNFs30Orm1OtiiA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) by SN6PR12MB2830.namprd12.prod.outlook.com (2603:10b6:805:e0::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.14; Mon, 13 Sep 2021 18:20:18 +0000 X-Received: from SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3]) by SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3%6]) with mapi id 15.20.4500.019; Mon, 13 Sep 2021 18:20:18 +0000 
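Review bot: In GetHypervisorFeature, the value returned from Ghcb->SaveArea.SwExitInfo2 is supplied by the hypervisor, yet the function header says only "Get the hypervisor features bitmap" and has no @return line telling callers how to treat it. Please add an @return description and state that callers must check for the feature bits they require before depending on them, since nothing in this function validates the bitmap. The doubled parentheses in "if ((Status != 0))" can also be reduced to one pair.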
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth, Ray Ni, Rahul Kumar, Eric Dong
Subject: [edk2-devel] [PATCH v7 24/31] MdePkg/GHCB: increase the GHCB protocol max version
Date: Mon, 13 Sep 2021 13:19:34 -0500
Message-ID: <20210913181941.23405-25-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Now that OvmfPkg supports version 2 of the GHCB specification, bump the protocol version.

Cc: Michael Roth
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Eric Dong
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- MdePkg/Include/Register/Amd/Ghcb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdePkg/Include/Register/Amd/Ghcb.h b/MdePkg/Include/Register/A= md/Ghcb.h index 8c5f46e4bb53..071aae0c9e09 100644 --- a/MdePkg/Include/Register/Amd/Ghcb.h +++ b/MdePkg/Include/Register/Amd/Ghcb.h
@@ -24,7 +24,7 @@ #define VC_EXCEPTION 29 =20 #define GHCB_VERSION_MIN 1 -#define GHCB_VERSION_MAX 1 +#define GHCB_VERSION_MAX 2 =20 #define GHCB_STANDARD_USAGE 0 =20 --=20 2.17.1
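Review bot: GHCB_VERSION_MAX is defined in a shared MdePkg header, but the commit message justifies raising it to 2 only by OvmfPkg's support for version 2. Please say in the commit message whether the other users of this macro were checked, so that no code path negotiates version 2 without implementing it.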
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth, Eric Dong, Ray Ni, Rahul Kumar
Subject: [edk2-devel] [PATCH v7 25/31] UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled
Date: Mon, 13 Sep 2021 13:19:35 -0500
Message-ID: <20210913181941.23405-26-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

An SEV-SNP guest requires that the physical address of the GHCB must be registered with the hypervisor before using it. See the GHCB specification section 2.3.2 for more details.

Cc: Michael Roth
Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Signed-off-by: Brijesh Singh
--- UefiCpuPkg/Library/MpInitLib/MpLib.h | 2 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 2 + UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 + UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 53 +++++++++++++++++++ 4 files changed, 58 insertions(+) diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpIn= itLib/MpLib.h index 388ebef7b0dc..56d6d703d8b0 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -219,6 +219,7 @@ typedef struct { // BOOLEAN Enable5LevelPaging; BOOLEAN SevEsIsEnabled; + BOOLEAN SevSnpIsEnabled; UINTN GhcbBase; } MP_CPU_EXCHANGE_INFO; =20 @@ -288,6 +289,7 @@ struct _CPU_MP_DATA { BOOLEAN WakeUpByInitSipiSipi; =20 BOOLEAN SevEsIsEnabled; + BOOLEAN SevSnpIsEnabled; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA *NewCpuMpData; diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpIn= itLib/MpLib.c index bfef1237f452..365c0ff24ebe 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
@@ -1040,6 +1040,7 @@ FillExchangeInfoData ( DEBUG ((DEBUG_INFO, "%a: 5-Level Paging =3D %d\n", gEfiCallerBaseName, E= xchangeInfo->Enable5LevelPaging)); =20 ExchangeInfo->SevEsIsEnabled =3D CpuMpData->SevEsIsEnabled; + ExchangeInfo->SevSnpIsEnabled =3D CpuMpData->SevSnpIsEnabled; ExchangeInfo->GhcbBase =3D (UINTN) CpuMpData->GhcbBase; =20 // @@ -2033,6 +2034,7 @@ MpInitLibInitialize ( CpuMpData->CpuInfoInHob =3D (UINT64) (UINTN) (CpuMpData->CpuData + M= axLogicalProcessorNumber); InitializeSpinLock(&CpuMpData->MpLock); CpuMpData->SevEsIsEnabled =3D ConfidentialComputingGuestHas (CCAttrAmdSe= vEs); + CpuMpData->SevSnpIsEnabled =3D ConfidentialComputingGuestHas (CCAttrAmdS= evSnp); CpuMpData->SevEsAPBuffer =3D (UINTN) -1; CpuMpData->GhcbBase =3D PcdGet64 (PcdGhcbBase); =20 diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/Mp= InitLib/MpEqu.inc index 2e9368a374a4..01668638f245 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -92,6 +92,7 @@ struc MP_CPU_EXCHANGE_INFO .ModeHighSegment: CTYPE_UINT16 1 .Enable5LevelPaging: CTYPE_BOOLEAN 1 .SevEsIsEnabled: CTYPE_BOOLEAN 1 + .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 endstruc =20 diff --git a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm b/UefiCpuPkg/Lib= rary/MpInitLib/X64/MpFuncs.nasm index 50df802d1fca..018ebe74bf5f 100644 --- a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm +++ b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm 
@@ -194,6 +194,59 @@ LongModeStart: mov rdx, rax shr rdx, 32 mov rcx, 0xc0010130 + + ; + ; If its an SEV-SNP guest then register the GHCB GPA + ; +RegisterGhcbGpa: + ; + ; Register GHCB GPA when SEV-SNP is enabled + ; + lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)] + cmp byte [edi], 1 ; SevSnpIsEnabled + jne RegisterGhcbGpaDone + + ; Save the rdi and rsi to used for later comparison + push rdi + push rsi + mov edi, eax + mov esi, edx + or eax, 18 ; Ghcb registration request + wrmsr + rep vmmcall + rdmsr + mov r12, rax + and r12, 0fffh + cmp r12, 19 ; Ghcb registration response + jne GhcbGpaRegisterFailure + + ; Verify that GPA is not changed + and eax, 0fffff000h + cmp edi, eax + jne GhcbGpaRegisterFailure + cmp esi, edx + jne GhcbGpaRegisterFailure + pop rsi + pop rdi + jmp RegisterGhcbGpaDone + + ; + ; Request the guest termination + ; +GhcbGpaRegisterFailure: + xor edx, edx + mov eax, 256 ; GHCB terminate + wrmsr + rep vmmcall + + ; We should not return from the above terminate request, but if we do + ; then enter into the hlt loop. +DoHltLoop: + cli + hlt + jmp DoHltLoop + +RegisterGhcbGpaDone: wrmsr jmp CProcedureInvoke =20 --=20 2.17.1
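Review bot: In the MpEqu.inc hunk of patch 25, the new ".SevSnpIsEnabled CTYPE_BOOLEAN 1" entry has no colon after the label, unlike ".SevEsIsEnabled:" and ".GhcbBase:" on the adjacent lines. Add the colon so the struc entry matches its neighbours and does not depend on how the assembler treats a colon-less label.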
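Review bot: In the MpFuncs.nasm hunk of patch 25, the success path reaches the shared "wrmsr" at RegisterGhcbGpaDone with eax holding the masked registration response rather than the value computed before the exchange, and nothing in the code says why that is safe. It is correct only because the preceding "cmp edi, eax" and "cmp esi, edx" checks proved the response equal to the original GPA; a short comment at RegisterGhcbGpaDone, or restoring eax and edx from edi and esi before the pops, would make that dependency explicit. The literals 18, 19 and 256 would also read better as named equ constants for the registration request, registration response and terminate codes, and the two comment blocks around the RegisterGhcbGpa label repeat each other ("If its" should be "If it's").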
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Michael Roth, Eric Dong, Ray Ni, Rahul Kumar, Brijesh Singh
Subject: [edk2-devel] [PATCH v7 26/31] UefiCpuPkg/MpInitLib: use BSP to do extended topology check
Date: Mon, 13 Sep 2021 13:19:36 -0500
Message-ID: <20210913181941.23405-27-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

From: Michael Roth

During AP bringup, just after switching to long mode, APs will do some cpuid calls to verify that the extended topology leaf (0xB) is available so they can fetch their x2 APIC IDs from it. In the case of SEV-ES, these cpuid instructions must be handled by direct use of the GHCB MSR protocol to fetch the values from the hypervisor, since a #VC handler is not yet available due to the AP's stack not being set up yet.

For SEV-SNP, rather than relying on the GHCB MSR protocol, it is expected that these values would be obtained from the SEV-SNP CPUID table instead. The actual x2 APIC ID (and 8-bit APIC IDs) would still be fetched from hypervisor using the GHCB MSR protocol however, so introducing support for the SEV-SNP CPUID table in that part of the AP bring-up code would only be to handle the checks/validation of the extended topology leaf.

Rather than introducing all the added complexity needed to handle these checks via the CPUID table, instead let the BSP do the check in advance, since it can make use of the #VC handler to avoid the need to scan the SNP CPUID table directly, and add a flag in ExchangeInfo to communicate the result of this check to APs.

Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Suggested-by: Brijesh Singh
Signed-off-by: Michael Roth
Signed-off-by: Brijesh Singh
--- UefiCpuPkg/Library/MpInitLib/MpLib.h | 1 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 11 ++++++++ UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 + UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 27 +++++++++++++++++++ 4 files changed, 40 insertions(+) diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpIn= itLib/MpLib.h index 56d6d703d8b0..94bd71408384 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
@@ -221,6 +221,7 @@ typedef struct { BOOLEAN SevEsIsEnabled; BOOLEAN SevSnpIsEnabled; UINTN GhcbBase; + BOOLEAN ExtTopoAvail; } MP_CPU_EXCHANGE_INFO; =20 #pragma pack() diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpIn= itLib/MpLib.c index 365c0ff24ebe..12fe3ecb27a7 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -1004,6 +1004,7 @@ FillExchangeInfoData ( UINTN Size; IA32_SEGMENT_DESCRIPTOR *Selector; IA32_CR4 Cr4; + UINT32 StdRangeMax; =20 ExchangeInfo =3D CpuMpData->MpCpuExchangeInfo; ExchangeInfo->StackStart =3D CpuMpData->Buffer; @@ -1043,6 +1044,16 @@ FillExchangeInfoData ( ExchangeInfo->SevSnpIsEnabled =3D CpuMpData->SevSnpIsEnabled; ExchangeInfo->GhcbBase =3D (UINTN) CpuMpData->GhcbBase; =20 + if (ExchangeInfo->SevSnpIsEnabled) { + AsmCpuid (CPUID_SIGNATURE, &StdRangeMax, NULL, NULL, NULL); + if (StdRangeMax >=3D CPUID_EXTENDED_TOPOLOGY) { + CPUID_EXTENDED_TOPOLOGY_EBX ExtTopoEbx; + + AsmCpuid (CPUID_EXTENDED_TOPOLOGY, NULL, &ExtTopoEbx.Uint32, NULL, N= ULL); + ExchangeInfo->ExtTopoAvail =3D !!ExtTopoEbx.Bits.LogicalProcessors; + } + } + // // Get the BSP's data of GDT and IDT // diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/Mp= InitLib/MpEqu.inc index 01668638f245..aba53f57201c 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -94,6 +94,7 @@ struc MP_CPU_EXCHANGE_INFO .SevEsIsEnabled: CTYPE_BOOLEAN 1 .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 + .ExtTopoAvail: CTYPE_BOOLEAN 1 endstruc =20 MP_CPU_EXCHANGE_INFO_OFFSET equ (SwitchToRealProcEnd - RendezvousFunnelPro= cStart) diff --git a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm b/UefiCpuPkg/Lib= rary/MpInitLib/X64/MpFuncs.nasm index 018ebe74bf5f..91ffe4567a41 100644 --- a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm +++ b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm 
@@ -266,6 +266,32 @@ GetApicId: or rax, rdx mov rdi, rax ; RDI now holds the original GHCB GPA =20 + ; + ; For SEV-SNP, the recommended handling for getting the x2APIC ID + ; would be to use the SNP CPUID table to fetch CPUID.00H:EAX and + ; CPUID:0BH:EBX[15:0] instead of the GHCB MSR protocol vmgexits + ; below. + ; + ; To avoid the unecessary ugliness to accomplish that here, the BSP + ; has performed these checks in advance (where #VC handler handles + ; the CPUID table lookups automatically) and cached them in a flag + ; so those checks can be skipped here. + ; + mov eax, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)] + cmp al, 1 + jne CheckExtTopoAvail + + ; + ; Even with SEV-SNP, the actual x2APIC ID in CPUID.0BH:EDX + ; fetched from the hypervisor the same way SEV-ES does it. + ; + mov eax, [esi + MP_CPU_EXCHANGE_INFO_FIELD (ExtTopoAvail)] + cmp al, 1 + je GetApicIdSevEs + ; The 8-bit APIC ID fallback is also the same as with SEV-ES + jmp NoX2ApicSevEs + +CheckExtTopoAvail: mov rdx, 0 ; CPUID function 0 mov rax, 0 ; RAX register requested or rax, 4 
@@ -284,6 +310,7 @@ GetApicId: test edx, 0ffffh jz NoX2ApicSevEs ; CPUID.0BH:EBX[15:0] is zero =20 +GetApicIdSevEs: mov rdx, 0bh ; CPUID function 0x0b mov rax, 0c0000000h ; RDX register requested or rax, 4 --=20 2.17.1
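Review bot: In the FillExchangeInfoData hunk of MpLib.c, ExchangeInfo->ExtTopoAvail is assigned only inside the nested `StdRangeMax >= CPUID_EXTENDED_TOPOLOGY` branch, so with SEV-SNP enabled and leaf 0xB out of range the flag keeps whatever the exchange area held before. The AP path in MpFuncs.nasm branches on this flag, so set `ExchangeInfo->ExtTopoAvail = FALSE;` ahead of the `if (ExchangeInfo->SevSnpIsEnabled)` block instead of relying on the buffer having been zeroed. ExtTopoEbx is also declared inside the inner block while StdRangeMax sits with the other locals at the top of the function; declaring both at the top would keep the function consistent.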
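Review bot: In the first GetApicId hunk of MpFuncs.nasm, both new loads read a one-byte BOOLEAN with a 32-bit `mov eax, [esi + MP_CPU_EXCHANGE_INFO_FIELD (...)]` and then test only `al`; for ExtTopoAvail, which this patch adds as the last member of MP_CPU_EXCHANGE_INFO, that load reads three bytes past the field. A byte-sized access (`mov al, byte [...]` or `cmp byte [...], 1`) would match the CTYPE_BOOLEAN declaration in MpEqu.inc. In the added comments, "unecessary" should be "unnecessary", "CPUID:0BH:EBX[15:0]" should use the same "CPUID.0BH" form as the other references, and "the actual x2APIC ID in CPUID.0BH:EDX fetched from the hypervisor" is missing "is".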
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 27/31] OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
Date: Mon, 13 Sep 2021 13:19:37 -0500
Message-ID: <20210913181941.23405-28-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The MemEncryptSev{Set,Clear}PageEncMask() functions are used to set or clear the memory encryption attribute in the page table. When SEV-SNP is active, we also need to change the page state in the RMP table so that it is in sync with the memory encryption attribute change.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- .../X64/PeiDxeVirtualMemory.c | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c= b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index f146f6d61cc5..56db1e4b6ecf 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -17,6 +17,7 @@ #include =20 #include "VirtualMemory.h" +#include "SnpPageStateChange.h" =20 STATIC BOOLEAN mAddressEncMaskChecked =3D FALSE; STATIC UINT64 mAddressEncMask; @@ -695,10 +696,12 @@ SetMemoryEncDec ( PAGE_MAP_AND_DIRECTORY_POINTER *PageDirectoryPointerEntry; PAGE_TABLE_1G_ENTRY *PageDirectory1GEntry; PAGE_TABLE_ENTRY *PageDirectory2MEntry; + PHYSICAL_ADDRESS OrigPhysicalAddress; PAGE_TABLE_4K_ENTRY *PageTableEntry; UINT64 PgTableMask; UINT64 AddressEncMask; BOOLEAN IsWpEnabled; + UINTN OrigLength; RETURN_STATUS Status; =20 // 
@@ -751,6 +754,22 @@ SetMemoryEncDec ( =20 Status =3D EFI_SUCCESS; =20 + // + // To maintain the security gurantees we must set the page to shared in = the RMP + // table before clearing the memory encryption mask from the current pag= e table. + // + // The InternalSetPageState() is used for setting the page state in the = RMP table. + // + if ((Mode =3D=3D ClearCBit) && MemEncryptSevSnpIsEnabled ()) { + InternalSetPageState (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), Sev= SnpPageShared, FALSE); + } + + // + // Save the specified length and physical address (we need it later). + // + OrigLength =3D Length; + OrigPhysicalAddress =3D PhysicalAddress; + while (Length !=3D 0) { // 
@@ -923,6 +942,21 @@ SetMemoryEncDec ( // CpuFlushTlb(); =20 + // + // SEV-SNP requires that all the private pages (i.e pages mapped encrypt= ed) must be + // added in the RMP table before the access. + // + // The InternalSetPageState() is used for setting the page state in the = RMP table. + // + if ((Mode =3D=3D SetCBit) && MemEncryptSevSnpIsEnabled ()) { + InternalSetPageState ( + OrigPhysicalAddress, + EFI_SIZE_TO_PAGES (OrigLength), + SevSnpPagePrivate, + FALSE + ); + } + Done: // // Restore page table write protection, if any. --=20 2.17.1
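Review bot: In the SetMemoryEncDec hunk that follows `Status = EFI_SUCCESS;`, the ClearCBit path calls InternalSetPageState (..., SevSnpPageShared, FALSE) before the `while (Length != 0)` walk has touched any page-table entry, and nothing in the patch undoes it if the walk later leaves through the Done label with an error Status. That would leave the range shared in the RMP while its C-bit is still set in the page table; either say in the comment that this outcome is accepted, or restore the private state on the error path. The comment also has a typo: "gurantees" should be "guarantees".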
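Review bot: In the hunk after CpuFlushTlb(), the InternalSetPageState() call ends in a bare `FALSE`, as does the ClearCBit call earlier in the patch, and neither comment says what that argument selects. A short comment naming the parameter at each call, and one call layout for both (the ClearCBit call is a single long line, this one is split per argument), would make the pair easier to audit. In the comment, "i.e" should be "i.e.".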
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 28/31] OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
Date: Mon, 13 Sep 2021 13:19:38 -0500
Message-ID: <20210913181941.23405-29-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
The SetMemoryEncDec() is used by the higher level routines to set or clear the page encryption mask for system RAM and Mmio address. When SEV-SNP is active, in addition to set/clear page mask it also updates the RMP table. The RMP table updates are required for the system RAM address and not the Mmio address.

Add a new parameter in SetMemoryEncDec() to tell whether the specified address is Mmio. If it's Mmio then skip the page state change in the RMP table.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- .../X64/PeiDxeVirtualMemory.c | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c= b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index 56db1e4b6ecf..0bb86d768017 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -673,6 +673,7 @@ InternalMemEncryptSevCreateIdentityMap1G ( @param[in] Mode Set or Clear mode @param[in] CacheFlush Flush the caches before applying the encryption mask + @param[in] Mmio The physical address specified is Mm= io =20 @retval RETURN_SUCCESS The attributes were cleared for the memory region. @@ -688,7 +689,8 @@ SetMemoryEncDec ( IN PHYSICAL_ADDRESS PhysicalAddress, IN UINTN Length, IN MAP_RANGE_MODE Mode, - IN BOOLEAN CacheFlush + IN BOOLEAN CacheFlush, + IN BOOLEAN Mmio ) { PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; 
@@ -711,14 +713,15 @@ SetMemoryEncDec ( =20 DEBUG (( DEBUG_VERBOSE, - "%a:%a: Cr3Base=3D0x%Lx Physical=3D0x%Lx Length=3D0x%Lx Mode=3D%a Cach= eFlush=3D%u\n", + "%a:%a: Cr3Base=3D0x%Lx Physical=3D0x%Lx Length=3D0x%Lx Mode=3D%a Cach= eFlush=3D%u Mmio=3D%u\n", gEfiCallerBaseName, __FUNCTION__, Cr3BaseAddress, PhysicalAddress, (UINT64)Length, (Mode =3D=3D SetCBit) ? "Encrypt" : "Decrypt", - (UINT32)CacheFlush + (UINT32)CacheFlush, + (UINT32)Mmio )); =20 // @@ -760,7 +763,7 @@ SetMemoryEncDec ( // // The InternalSetPageState() is used for setting the page state in the = RMP table. // - if ((Mode =3D=3D ClearCBit) && MemEncryptSevSnpIsEnabled ()) { + if (!Mmio && (Mode =3D=3D ClearCBit) && MemEncryptSevSnpIsEnabled ()) { InternalSetPageState (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), Sev= SnpPageShared, FALSE); } =20 @@ -998,7 +1001,8 @@ InternalMemEncryptSevSetMemoryDecrypted ( PhysicalAddress, Length, ClearCBit, - TRUE + TRUE, + FALSE ); } =20 @@ -1031,7 +1035,8 @@ InternalMemEncryptSevSetMemoryEncrypted ( PhysicalAddress, Length, SetCBit, - TRUE + TRUE, + FALSE ); } =20 
@@ -1064,6 +1069,7 @@ InternalMemEncryptSevClearMmioPageEncMask ( PhysicalAddress, Length, ClearCBit, - FALSE + FALSE, + TRUE ); } --=20 2.17.1
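Review bot: The `!Mmio` test is added only to the ClearCBit condition in the hunk that changes `if ((Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ())`; the SetCBit block that calls InternalSetPageState (..., SevSnpPagePrivate, FALSE) after CpuFlushTlb() is not touched by this patch, so a SetCBit call with Mmio set to TRUE would still change the RMP state for an MMIO range. The only caller passing TRUE here is InternalMemEncryptSevClearMmioPageEncMask with ClearCBit, so no current path reaches it, but the commit message describes the skip without that restriction. Add `!Mmio &&` to the SetCBit condition as well, or ASSERT that Mmio is only used with ClearCBit.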
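Review bot: In the three call-site hunks (InternalMemEncryptSevSetMemoryDecrypted, InternalMemEncryptSevSetMemoryEncrypted, InternalMemEncryptSevClearMmioPageEncMask), SetMemoryEncDec() now ends in two adjacent BOOLEAN arguments that read `TRUE, FALSE` or `FALSE, TRUE`, with nothing at the call to show which is CacheFlush and which is Mmio, and a transposed pair would still compile. A trailing comment on each argument naming the parameter would make the intent checkable at the call site.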
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 29/31] OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
Date: Mon, 13 Sep 2021 13:19:39 -0500
Message-ID: <20210913181941.23405-30-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
When SEV-SNP is active, the CPUID and Secrets memory range contains the information that is used during the VM boot. The content needs to persist across the kexec boot. Mark the memory range as Reserved in the EFI map so that the guest OS or firmware does not use the range as system RAM.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Signed-off-by: Brijesh Singh
--- OvmfPkg/PlatformPei/PlatformPei.inf | 4 ++++ OvmfPkg/PlatformPei/Platform.h | 5 +++++ OvmfPkg/PlatformPei/AmdSev.c | 31 +++++++++++++++++++++++++++++ OvmfPkg/PlatformPei/MemDetect.c | 2 ++ 4 files changed, 42 insertions(+)
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index d048b692f155..0a89e1a0760e 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -112,6 +112,8 @@ [Pcd] =20 =20 [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory @@ -122,6 +124,8 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h index 8b1d270c2b0b..4169019b4c07 100644 --- a/OvmfPkg/PlatformPei/Platform.h +++ b/OvmfPkg/PlatformPei/Platform.h @@ -102,6 +102,11 @@ AmdSevInitialize ( VOID ); =20 +VOID +SevInitializeRam ( + VOID + ); + extern EFI_BOOT_MODE mBootMode; =20 extern BOOLEAN mS3Supported; 
diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index b71a4a7304f7..133382407bc5 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -414,3 +414,34 @@ AmdSevInitialize ( ASSERT_RETURN_ERROR (PcdStatus); =20 } + +/** + The function performs SEV specific region initialization. + + **/ +VOID +SevInitializeRam ( + VOID + ) +{ + if (MemEncryptSevSnpIsEnabled ()) { + // + // If SEV-SNP is enabled, reserve the Secrets and CPUID memory area. + // + // This memory range is given to the PSP by the hypervisor to populate + // the information used during the SNP VM boots, and it need to persist + // across the kexec boots. Mark it as EfiReservedMemoryType so that + // the guest firmware and OS does not use it as a system memory. + // + BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpSecretsBase), + (UINT64)(UINTN) PcdGet32 (PcdOvmfSnpSecretsSize), + EfiReservedMemoryType + ); + BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfCpuidBase), + (UINT64)(UINTN) PcdGet32 (PcdOvmfCpuidSize), + EfiReservedMemoryType + ); + } +} diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetec= t.c index 2c2c4641ec8a..96487b810014 100644 --- a/OvmfPkg/PlatformPei/MemDetect.c +++ b/OvmfPkg/PlatformPei/MemDetect.c 
@@ -817,6 +817,8 @@ InitializeRamRegions ( { QemuInitializeRam (); =20 + SevInitializeRam (); + if (mS3Supported && mBootMode !=3D BOOT_ON_S3_RESUME) { // // This is the memory range that will be used for PEI on S3 resume --=20 2.17.1
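Review bot: In the OvmfPkg/PlatformPei/AmdSev.c hunk, SevInitializeRam () passes PcdOvmfSnpSecretsBase/Size and PcdOvmfCpuidBase/Size straight to BuildMemoryAllocationHob () with no check that each size is non-zero and that base and size are page aligned. If a platform build leaves either range undefined, the reservation would be empty or misplaced and the guest OS could still treat the Secrets or CPUID page as ordinary RAM across kexec. Suggest an ASSERT on both ranges before the two calls. Since PlatformPei.inf lists these four PCDs under [FixedPcd], FixedPcdGet32 () would also state the intent more clearly than PcdGet32 ().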
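Review bot: In the OvmfPkg/PlatformPei/MemDetect.c hunk, SevInitializeRam () is called unconditionally at the top of InitializeRamRegions (), ahead of the check against BOOT_ON_S3_RESUME, so the two reservation HOBs are also built on the S3 resume path. If that is intended, say so in a comment at the call site; if not, guard the call on the boot mode. The name also suggests RAM initialization while the function only reserves two ranges, and its header comment in AmdSev.c ("SEV specific region initialization") does not say which regions are reserved or why.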
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [edk2-devel] [PATCH v7 30/31] OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table
Date: Mon, 13 Sep 2021 13:19:40 -0500
Message-ID: <20210913181941.23405-31-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Now that both the secrets and cpuid pages are reserved in the HOB, extract the location details through fixed PCD and make it available to the guest OS through the configuration table.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Signed-off-by: Brijesh Singh
--- OvmfPkg/OvmfPkg.dec | 1 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 ++++ .../Guid/ConfidentialComputingSevSnpBlob.h | 33 +++++++++++++++++++ OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 +++++++++++++ 4 files changed, 64 insertions(+) create mode 100644 OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index e30cb6eafcb8..c2fbd26ed925 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -124,6 +124,7 @@ [Guids] gQemuKernelLoaderFsMediaGuid =3D {0x1428f772, 0xb64a, 0x441e, {= 0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} gGrubFileGuid =3D {0xb5ae312c, 0xbc8a, 0x43b1, {= 0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} gConfidentialComputingSecretGuid =3D {0xadf956ad, 0xe98c, 0x484c, {= 0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} + gConfidentialComputingSevSnpBlobGuid =3D {0x067b1f5f, 0xcf26, 0x44c5, {= 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42}} =20 [Ppis] # PPI whose presence in the PPI database signals that the TPM base addre= ss diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.= inf index 0676fcc5b6a4..9acf860cf25e 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf 
@@ -42,6 +42,13 @@ [FeaturePcd] =20 [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize + +[Guids] + gConfidentialComputingSevSnpBlobGuid =20 [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId diff --git a/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h b/OvmfP= kg/Include/Guid/ConfidentialComputingSevSnpBlob.h new file mode 100644 index 000000000000..c98e7a1dcccd --- /dev/null +++ b/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h @@ -0,0 +1,33 @@ + /** @file + UEFI Configuration Table for exposing the SEV-SNP launch blob. + + Copyright (c) 2021, Advanced Micro Devices Inc. All right reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + **/ + +#ifndef CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB_H_ +#define CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB_H_ + +#include + +#define CONFIDENTIAL_COMPUTING_SNP_BLOB_GUID \ + { 0x067b1f5f, \ + 0xcf26, \ + 0x44c5, \ + { 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42 }, \ + } + +typedef struct { + UINT32 Header; + UINT16 Version; + UINT16 Reserved1; + UINT64 SecretsPhysicalAddress; + UINT32 SecretsSize; + UINT64 CpuidPhysicalAddress; + UINT32 CpuidLSize; +} CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION; + +extern EFI_GUID gConfidentialComputingSevSnpBlobGuid; + +#endif diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c index c66c4e9b9272..6e1ba35e02b8 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c 
@@ -17,8 +17,20 @@ #include #include #include +#include +#include #include =20 +STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable =3D { + SIGNATURE_32('A','M','D','E'), + 1, + 0, + (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfSnpSecretsBase), + FixedPcdGet32 (PcdOvmfSnpSecretsSize), + (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfCpuidBase), + FixedPcdGet32 (PcdOvmfCpuidSize), +}; + EFI_STATUS EFIAPI AmdSevDxeEntryPoint ( 
@@ -130,5 +142,16 @@ AmdSevDxeEntryPoint ( } } =20 + // + // If its SEV-SNP active guest then install the CONFIDENTIAL_COMPUTING_S= EV_SNP_BLOB. + // It contains the location for both the Secrets and CPUID page. + // + if (MemEncryptSevSnpIsEnabled ()) { + return gBS->InstallConfigurationTable ( + &gConfidentialComputingSevSnpBlobGuid, + &mSnpBootDxeTable + ); + } + return EFI_SUCCESS; } --=20 2.17.1
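Review bot: In the new OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h, CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION places "UINT32 SecretsSize" directly before "UINT64 CpuidPhysicalAddress" with no packing pragma and no explicit padding field, so the offset of CpuidPhysicalAddress and the total structure size depend on the compiler's natural alignment. The guest OS reads this structure, which makes the layout an ABI: either wrap it in a pack(1) pragma or add explicit reserved UINT32 fields after SecretsSize and after the last size field, and document the layout in the file header. "CpuidLSize" also looks like a typo for CpuidSize, and the copyright line reads "All right reserved".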
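Review bot: In the OvmfPkg/AmdSevDxe/AmdSevDxe.c hunks, the table passed to gBS->InstallConfigurationTable () is the module-level STATIC mSnpBootDxeTable, so the pointer published to the guest OS refers to this driver's own image data. Please confirm that memory is still intact when the OS walks the configuration table; if the image is loaded as boot services memory, allocate the table from a memory type that survives ExitBootServices () and copy the values in. The early "return gBS->InstallConfigurationTable (...)" also makes the entry point fail when the install fails, which deserves a word in the comment. The comment text "If its SEV-SNP active guest" could be fixed at the same time.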
From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Michael Roth, Eric Dong, Ray Ni, Rahul Kumar, Brijesh Singh
Subject: [edk2-devel] [PATCH v7 31/31] UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
Date: Mon, 13 Sep 2021 13:19:41 -0500
Message-ID: <20210913181941.23405-32-brijesh.singh@amd.com>
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>

From: Tom Lendacky

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Use the SEV-SNP AP Creation NAE event to create and launch APs under SEV-SNP. This capability will be advertised in the SEV Hypervisor Feature Support PCD (PcdSevEsHypervisorFeatures).

Cc: Michael Roth
Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Signed-off-by: Tom Lendacky
Signed-off-by: Brijesh Singh
--- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/MpLib.h | 44 +++ UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 12 +- UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c | 70 +++++ UefiCpuPkg/Library/MpInitLib/MpLib.c | 53 ++-- UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 261 ++++++++++++++++++ 7 files changed, 426 insertions(+), 20 deletions(-) create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Lib= rary/MpInitLib/DxeMpInitLib.inf index 76e6aa83b3cb..684d94e8c029 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # =20 [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm =20 [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm =20 [Sources.common] 
@@ -72,6 +74,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## = CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## = SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds ## = CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## = CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## = SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## = CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## = CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Lib= rary/MpInitLib/PeiMpInitLib.inf index a146bab94317..1132606b3379 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # =20 [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm =20 [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm =20 [Sources.common] @@ -63,6 +65,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOME= TIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOME= TIMES_CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## CONS= UMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONS= UMES gUefiCpuPkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONS= UMES =20 diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpIn= itLib/MpLib.h index 94bd71408384..36d8c6eac9d0 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -15,6 +15,7 @@ =20 #include #include +#include #include #include #include @@ -147,6 +148,7 @@ typedef struct { UINT8 PlatformId; UINT64 MicrocodeEntryAddr; UINT32 MicrocodeRevision; + SEV_ES_SAVE_AREA *SevEsSaveArea; } CPU_AP_DATA; =20 // @@ -291,6 +293,7 @@ struct _CPU_MP_DATA { =20 BOOLEAN SevEsIsEnabled; BOOLEAN SevSnpIsEnabled; + BOOLEAN UseSevEsAPMethod; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA *NewCpuMpData; 
@@ -757,5 +760,46 @@ ConfidentialComputingGuestHas ( CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ); =20 +/** + Issue RMPADJUST to adjust the VMSA attribute of an SEV-SNP page. + + @param[in] PageAddress + @param[in] VmsaPage + + @return RMPADJUST return value +**/ +UINT32 +SevSnpRmpAdjust ( + IN EFI_PHYSICAL_ADDRESS PageAddress, + IN BOOLEAN VmsaPage + ); + +/** + Create an SEV-SNP AP save area (VMSA) for use in running the vCPU. + + @param[in] CpuMpData Pointer to CPU MP Data + @param[in] CpuData Pointer to CPU AP Data + @param[in] ApicId APIC ID of the vCPU +**/ +VOID +SevSnpCreateSaveArea ( + IN CPU_MP_DATA *CpuMpData, + IN CPU_AP_DATA *CpuData, + UINT32 ApicId + ); + +/** + Create SEV-SNP APs. + + @param[in] CpuMpData Pointer to CPU MP Data + @param[in] ProcessorNumber The handle number of specified processor + (-1 for all APs) +**/ +VOID +SevSnpCreateAP ( + IN CPU_MP_DATA *CpuMpData, + IN INTN ProcessorNumber + ); + #endif =20 diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c b/UefiCpuPkg/Library/M= pInitLib/DxeMpLib.c index 657a73dca05e..7a3ef0015a31 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c @@ -93,7 +93,13 @@ GetWakeupBuffer ( EFI_PHYSICAL_ADDRESS StartAddress; EFI_MEMORY_TYPE MemoryType; =20 - if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs) && + !ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) { + // + // An SEV-ES-only guest requires the memory to be reserved. SEV-SNP, whi= ch + // is also considered SEV-ES, uses a different AP startup method, though, + // which does not have the same requirement. + // MemoryType =3D EfiReservedMemoryType; } else { MemoryType =3D EfiBootServicesData; 
@@ -373,7 +379,7 @@ RelocateApLoop ( MpInitLibWhoAmI (&ProcessorNumber); CpuMpData =3D GetCpuMpData (); MwaitSupport =3D IsMwaitSupport (); - if (CpuMpData->SevEsIsEnabled) { + if (CpuMpData->UseSevEsAPMethod) { StackStart =3D CpuMpData->SevEsAPResetStackStart; } else { StackStart =3D mReservedTopOfApStack; @@ -422,7 +428,7 @@ MpInitChangeApLoopCallback ( CpuPause (); } =20 - if (CpuMpData->SevEsIsEnabled && (CpuMpData->WakeupBuffer !=3D (UINTN) -= 1)) { + if (CpuMpData->UseSevEsAPMethod && (CpuMpData->WakeupBuffer !=3D (UINTN)= -1)) { // // There are APs present. Re-use reserved memory area below 1MB from // WakeupBuffer as the area to be used for transitioning to 16-bit mode diff --git a/UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c b/UefiCpuPkg/Librar= y/MpInitLib/Ia32/AmdSev.c new file mode 100644 index 000000000000..a4702e298d98 --- /dev/null +++ b/UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c @@ -0,0 +1,70 @@ +/** @file + + AMD SEV helper function. + + Copyright (c) 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "MpLib.h" + +/** + Create an SEV-SNP AP save area (VMSA) for use in running the vCPU. + + @param[in] CpuMpData Pointer to CPU MP Data + @param[in] CpuData Pointer to CPU AP Data + @param[in] ApicId APIC ID of the vCPU +**/ +VOID +SevSnpCreateSaveArea ( + IN CPU_MP_DATA *CpuMpData, + IN CPU_AP_DATA *CpuData, + UINT32 ApicId + ) +{ + // + // SEV-SNP is not support on 32-bit build. + // + ASSERT (FALSE); +} + +/** + Create SEV-SNP APs. + + @param[in] CpuMpData Pointer to CPU MP Data + @param[in] ProcessorNumber The handle number of specified processor + (-1 for all APs) +**/ +VOID +SevSnpCreateAP ( + IN CPU_MP_DATA *CpuMpData, + IN INTN ProcessorNumber + ) +{ + // + // SEV-SNP is not support on 32-bit build. + // + ASSERT (FALSE); +} + +/** + Issue RMPADJUST to adjust the VMSA attribute of an SEV-SNP page. + + @param[in] PageAddress + @param[in] VmsaPage + + @return RMPADJUST return value +**/ +UINT32 +SevSnpRmpAdjust ( + IN EFI_PHYSICAL_ADDRESS PageAddress, + IN BOOLEAN VmsaPage + ) +{ + // + // RMPADJUST is not supported in 32-bit mode + // + return RETURN_UNSUPPORTED; +} diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpIn= itLib/MpLib.c index 12fe3ecb27a7..8ecc2d283364 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -295,10 +295,11 @@ GetApLoopMode ( ApLoopMode =3D ApInHltLoop; } =20 - if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs) && + !ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) { // - // For SEV-ES, force AP in Hlt-loop mode in order to use the GHCB - // protocol for starting APs + // For SEV-ES (SEV-SNP is also considered SEV-ES), force AP in Hlt-l= oop + // mode in order to use the GHCB protocol for starting APs // ApLoopMode =3D ApInHltLoop; } 
@@ -869,7 +870,7 @@ ApWakeupFunction ( // to allow the APs to issue an AP_RESET_HOLD before the BSP possibly // performs another INIT-SIPI-SIPI sequence. // - if (!CpuMpData->SevEsIsEnabled) { + if (!CpuMpData->UseSevEsAPMethod) { InterlockedDecrement ((UINT32 *) &CpuMpData->MpCpuExchangeInfo->Nu= mApsExecuting); } } @@ -883,7 +884,7 @@ ApWakeupFunction ( // while (TRUE) { DisableInterrupts (); - if (CpuMpData->SevEsIsEnabled) { + if (CpuMpData->UseSevEsAPMethod) { MSR_SEV_ES_GHCB_REGISTER Msr; GHCB *Ghcb; UINT64 Status; @@ -1207,9 +1208,12 @@ AllocateResetVector ( ); // // The AP reset stack is only used by SEV-ES guests. Do not allocate it - // if SEV-ES is not enabled. + // if SEV-ES is not enabled. An SEV-SNP guest is also considered + // an SEV-ES guest, but uses a different method of AP startup, elimina= ting + // the need for the allocation. // - if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs) && + !ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) { // // Stack location is based on ProcessorNumber, so use the total numb= er // of processors for calculating the total stack area. @@ -1259,7 +1263,7 @@ FreeResetVector ( // perform the restore as this will overwrite memory which has data // needed by SEV-ES. // - if (!CpuMpData->SevEsIsEnabled) { + if (!CpuMpData->UseSevEsAPMethod) { RestoreWakeupBuffer (CpuMpData); } } @@ -1276,7 +1280,7 @@ AllocateSevEsAPMemory ( { if (CpuMpData->SevEsAPBuffer =3D=3D (UINTN) -1) { CpuMpData->SevEsAPBuffer =3D - CpuMpData->SevEsIsEnabled ? GetSevEsAPMemory () : 0; + CpuMpData->UseSevEsAPMethod ? GetSevEsAPMemory () : 0; } } =20 @@ -1360,7 +1364,7 @@ WakeUpAP ( ResetVectorRequired =3D FALSE; =20 if (CpuMpData->WakeUpByInitSipiSipi || - CpuMpData->InitFlag !=3D ApInitDone) { + CpuMpData->InitFlag !=3D ApInitDone) { ResetVectorRequired =3D TRUE; AllocateResetVector (CpuMpData); AllocateSevEsAPMemory (CpuMpData); 
@@ -1401,7 +1405,7 @@ WakeUpAP ( } if (ResetVectorRequired) { // - // For SEV-ES, the initial AP boot address will be defined by + // For SEV-ES and SEV-SNP, the initial AP boot address will be defin= ed by // PcdSevEsWorkAreaBase. The Segment/Rip must be the jump address // from the original INIT-SIPI-SIPI. // @@ -1411,8 +1415,14 @@ WakeUpAP ( =20 // // Wakeup all APs + // Must use the INIT-SIPI-SIPI method for initial configuration in + // order to obtain the APIC ID. // - SendInitSipiSipiAllExcludingSelf ((UINT32) ExchangeInfo->BufferStart= ); + if (CpuMpData->SevSnpIsEnabled && CpuMpData->InitFlag !=3D ApInitCon= fig) { + SevSnpCreateAP (CpuMpData, -1); + } else { + SendInitSipiSipiAllExcludingSelf ((UINT32) ExchangeInfo->BufferSta= rt); + } } if (CpuMpData->InitFlag =3D=3D ApInitConfig) { if (PcdGet32 (PcdCpuBootLogicalProcessorNumber) > 0) { @@ -1502,7 +1512,7 @@ WakeUpAP ( CpuInfoInHob =3D (CPU_INFO_IN_HOB *) (UINTN) CpuMpData->CpuInfoInHob; =20 // - // For SEV-ES, the initial AP boot address will be defined by + // For SEV-ES and SEV-SNP, the initial AP boot address will be defin= ed by // PcdSevEsWorkAreaBase. The Segment/Rip must be the jump address // from the original INIT-SIPI-SIPI. // @@ -1510,10 +1520,14 @@ WakeUpAP ( SetSevEsJumpTable (ExchangeInfo->BufferStart); } =20 - SendInitSipiSipi ( - CpuInfoInHob[ProcessorNumber].ApicId, - (UINT32) ExchangeInfo->BufferStart - ); + if (CpuMpData->SevSnpIsEnabled && CpuMpData->InitFlag !=3D ApInitCon= fig) { + SevSnpCreateAP (CpuMpData, (INTN) ProcessorNumber); + } else { + SendInitSipiSipi ( + CpuInfoInHob[ProcessorNumber].ApicId, + (UINT32) ExchangeInfo->BufferStart + ); + } } // // Wait specified AP waken up 
@@ -2048,6 +2062,11 @@ MpInitLibInitialize ( CpuMpData->SevSnpIsEnabled =3D ConfidentialComputingGuestHas (CCAttrAmdS= evSnp); CpuMpData->SevEsAPBuffer =3D (UINTN) -1; CpuMpData->GhcbBase =3D PcdGet64 (PcdGhcbBase); + CpuMpData->UseSevEsAPMethod =3D CpuMpData->SevEsIsEnabled && !CpuMpData-= >SevSnpIsEnabled; + + if (CpuMpData->SevSnpIsEnabled) { + ASSERT ((PcdGet64 (PcdGhcbHypervisorFeatures) & GHCB_HV_FEATURES_SNP_A= P_CREATE) =3D=3D GHCB_HV_FEATURES_SNP_AP_CREATE); + } =20 // // Make sure no memory usage outside of the allocated buffer. diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c b/UefiCpuPkg/Library= /MpInitLib/X64/AmdSev.c new file mode 100644 index 000000000000..303271abdaad --- /dev/null +++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c @@ -0,0 +1,261 @@ +/** @file + + AMD SEV helper function. + + Copyright (c) 2021, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "MpLib.h" +#include +#include +#include + +/** + Create an SEV-SNP AP save area (VMSA) for use in running the vCPU. + + @param[in] CpuMpData Pointer to CPU MP Data + @param[in] CpuData Pointer to CPU AP Data + @param[in] ApicId APIC ID of the vCPU +**/ +VOID +SevSnpCreateSaveArea ( + IN CPU_MP_DATA *CpuMpData, + IN CPU_AP_DATA *CpuData, + UINT32 ApicId + ) +{ + SEV_ES_SAVE_AREA *SaveArea; + IA32_CR0 ApCr0; + IA32_CR0 ResetCr0; + IA32_CR4 ApCr4; + IA32_CR4 ResetCr4; + UINTN StartIp; + UINT8 SipiVector; + UINT32 RmpAdjustStatus; + UINT64 VmgExitStatus; + MSR_SEV_ES_GHCB_REGISTER Msr; + GHCB *Ghcb; + BOOLEAN InterruptState; + UINT64 ExitInfo1; + UINT64 ExitInfo2; + + // + // Allocate a single page for the SEV-ES Save Area and initialize it. + // + SaveArea =3D AllocateReservedPages (1); + if (!SaveArea) { + return; + } + ZeroMem (SaveArea, EFI_PAGE_SIZE); + + // + // Propogate the CR0.NW and CR0.CD setting to the AP + // + ResetCr0.UintN =3D 0x00000010; + ApCr0.UintN =3D CpuData->VolatileRegisters.Cr0; + if (ApCr0.Bits.NW) { + ResetCr0.Bits.NW =3D 1; + } + if (ApCr0.Bits.CD) { + ResetCr0.Bits.CD =3D 1; + } + + // + // Propagate the CR4.MCE setting to the AP + // + ResetCr4.UintN =3D 0; + ApCr4.UintN =3D CpuData->VolatileRegisters.Cr4; + if (ApCr4.Bits.MCE) { + ResetCr4.Bits.MCE =3D 1; + } + + // + // Convert the start IP into a SIPI Vector + // + StartIp =3D CpuMpData->MpCpuExchangeInfo->BufferStart; + SipiVector =3D (UINT8) (StartIp >> 12); + + // + // Set the CS:RIP value based on the start IP + // + SaveArea->Cs.Base =3D SipiVector << 12; + SaveArea->Cs.Selector =3D SipiVector << 8; + SaveArea->Cs.Limit =3D 0xFFFF; + SaveArea->Cs.Attributes.Bits.Present =3D 1; + SaveArea->Cs.Attributes.Bits.Sbit =3D 1; + SaveArea->Cs.Attributes.Bits.Type =3D SEV_ES_RESET_CODE_SEGMENT_TYPE; + SaveArea->Rip =3D StartIp & 0xFFF; + + // + // Set the remaining values as defined in APM for INIT + // + SaveArea->Ds.Limit 
=3D 0xFFFF; + SaveArea->Ds.Attributes.Bits.Present =3D 1; + SaveArea->Ds.Attributes.Bits.Sbit =3D 1; + SaveArea->Ds.Attributes.Bits.Type =3D SEV_ES_RESET_DATA_SEGMENT_TYPE; + SaveArea->Es =3D SaveArea->Ds; + SaveArea->Fs =3D SaveArea->Ds; + SaveArea->Gs =3D SaveArea->Ds; + SaveArea->Ss =3D SaveArea->Ds; + + SaveArea->Gdtr.Limit =3D 0xFFFF; + SaveArea->Ldtr.Limit =3D 0xFFFF; + SaveArea->Ldtr.Attributes.Bits.Present =3D 1; + SaveArea->Ldtr.Attributes.Bits.Type =3D SEV_ES_RESET_LDT_TYPE; + SaveArea->Idtr.Limit =3D 0xFFFF; + SaveArea->Tr.Limit =3D 0xFFFF; + SaveArea->Ldtr.Attributes.Bits.Present =3D 1; + SaveArea->Ldtr.Attributes.Bits.Type =3D SEV_ES_RESET_TSS_TYPE; + + SaveArea->Efer =3D 0x1000; + SaveArea->Cr4 =3D ResetCr4.UintN; + SaveArea->Cr0 =3D ResetCr0.UintN; + SaveArea->Dr7 =3D 0x0400; + SaveArea->Dr6 =3D 0xFFFF0FF0; + SaveArea->Rflags =3D 0x0002; + SaveArea->GPat =3D 0x0007040600070406ULL; + SaveArea->XCr0 =3D 0x0001; + SaveArea->Mxcsr =3D 0x1F80; + SaveArea->X87Ftw =3D 0x5555; + SaveArea->X87Fcw =3D 0x0040; + + // + // Set the SEV-SNP specific fields for the save area: + // VMPL - always VMPL0 + // SEV_FEATURES - equivalent to the SEV_STATUS MSR right shifted 2 bits + // + SaveArea->Vmpl =3D 0; + SaveArea->SevFeatures =3D AsmReadMsr64 (MSR_SEV_STATUS) >> 2; + + // + // To turn the page into a recognized VMSA page, issue RMPADJUST: + // Target VMPL but numerically higher than current VMPL + // Target PermissionMask is not used + // + RmpAdjustStatus =3D SevSnpRmpAdjust ( + (EFI_PHYSICAL_ADDRESS) (UINTN) SaveArea, + TRUE + ); + ASSERT (RmpAdjustStatus =3D=3D 0); + + ExitInfo1 =3D (UINT64) ApicId << 32; + ExitInfo1 |=3D SVM_VMGEXIT_SNP_AP_CREATE; + ExitInfo2 =3D (UINT64) (UINTN) SaveArea; + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + Ghcb =3D Msr.Ghcb; + + VmgInit (Ghcb, &InterruptState); + Ghcb->SaveArea.Rax =3D SaveArea->SevFeatures; + VmgSetOffsetValid (Ghcb, GhcbRax); + VmgExitStatus =3D VmgExit ( + Ghcb, + SVM_EXIT_SNP_AP_CREATION, + 
ExitInfo1, + ExitInfo2 + ); + VmgDone (Ghcb, InterruptState); + + ASSERT (VmgExitStatus =3D=3D 0); + if (VmgExitStatus !=3D 0) { + RmpAdjustStatus =3D SevSnpRmpAdjust ( + (EFI_PHYSICAL_ADDRESS) (UINTN) SaveArea, + FALSE + ); + if (RmpAdjustStatus =3D=3D 0) { + FreePages (SaveArea, 1); + } else { + DEBUG ((DEBUG_INFO, "SEV-SNP: RMPADJUST failed, leaking VMSA page\n"= )); + } + + SaveArea =3D NULL; + } + + if (CpuData->SevEsSaveArea) { + RmpAdjustStatus =3D SevSnpRmpAdjust ( + (EFI_PHYSICAL_ADDRESS) (UINTN) CpuData->SevEsSaveA= rea, + FALSE + ); + if (RmpAdjustStatus =3D=3D 0) { + FreePages (CpuData->SevEsSaveArea, 1); + } else { + DEBUG ((DEBUG_INFO, "SEV-SNP: RMPADJUST failed, leaking VMSA page\n"= )); + } + } + + CpuData->SevEsSaveArea =3D SaveArea; +} + +/** + Create SEV-SNP APs. + + @param[in] CpuMpData Pointer to CPU MP Data + @param[in] ProcessorNumber The handle number of specified processor + (-1 for all APs) +**/ +VOID +SevSnpCreateAP ( + IN CPU_MP_DATA *CpuMpData, + IN INTN ProcessorNumber + ) +{ + CPU_INFO_IN_HOB *CpuInfoInHob; + CPU_AP_DATA *CpuData; + UINTN Index; + UINT32 ApicId; + + ASSERT (CpuMpData->MpCpuExchangeInfo->BufferStart < 0x100000); + + CpuInfoInHob =3D (CPU_INFO_IN_HOB *) (UINTN) CpuMpData->CpuInfoInHob; + + if (ProcessorNumber < 0) { + for (Index =3D 0; Index < CpuMpData->CpuCount; Index++) { + if (Index !=3D CpuMpData->BspNumber) { + CpuData =3D &CpuMpData->CpuData[Index]; + ApicId =3D CpuInfoInHob[Index].ApicId, + SevSnpCreateSaveArea (CpuMpData, CpuData, ApicId); + } + } + } else { + Index =3D (UINTN) ProcessorNumber; + CpuData =3D &CpuMpData->CpuData[Index]; + ApicId =3D CpuInfoInHob[ProcessorNumber].ApicId, + SevSnpCreateSaveArea (CpuMpData, CpuData, ApicId); + } +} + +/** + Issue RMPADJUST to adjust the VMSA attribute of an SEV-SNP page. 
+ + @param[in] PageAddress + @param[in] VmsaPage + + @return RMPADJUST return value +**/ +UINT32 +SevSnpRmpAdjust ( + IN EFI_PHYSICAL_ADDRESS PageAddress, + IN BOOLEAN VmsaPage + ) +{ + UINT64 Rdx; + + // + // The RMPADJUST instruction is used to set or clear the VMSA bit for a + // page. The VMSA change is only made when running at VMPL0 and is ignor= ed + // otherwise. If too low a target VMPL is specified, the instruction can + // succeed without changing the VMSA bit when not running at VMPL0. Usin= g a + // target VMPL level of 1, RMPADJUST will return a FAIL_PERMISSION error= if + // not running at VMPL0, thus ensuring that the VMSA bit is set appropri= ately + // when no error is returned. + // + Rdx =3D 1; + if (VmsaPage) { + Rdx |=3D RMPADJUST_VMSA_PAGE_BIT; + } + + return AsmRmpAdjust ((UINT64) PageAddress, 0, Rdx); +} --=20 2.17.1
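Review bot: In the new UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c, SevSnpCreateSaveArea() and SevSnpCreateAP() consist of `ASSERT (FALSE)` only, so in a build with ASSERTs disabled they return as if the AP had been started and the caller in WakeUpAP() goes on to wait for it. If these stubs can never be reached on IA32, say so in the comment; otherwise give them a failure path that does not depend on ASSERT. The comment "SEV-SNP is not support on 32-bit build" should read "supported", and the `@param[in] PageAddress` and `@param[in] VmsaPage` entries of SevSnpRmpAdjust() have no descriptions (the X64 copy has the same gap).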
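Review bot: In the GetApLoopMode() hunk of MpLib.c, the updated comment and the new condition disagree. The comment says "For SEV-ES (SEV-SNP is also considered SEV-ES), force AP in Hlt-loop mode", but the added `!ConfidentialComputingGuestHas (CCAttrAmdSevSnp)` excludes SEV-SNP guests from exactly that branch. Either reword the comment to state that SEV-SNP guests are deliberately left with the ApLoopMode chosen above and why that is safe, or drop the exclusion if SNP guests are meant to be forced into Hlt-loop as well.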
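Review bot: In the MpInitLibInitialize() hunk of MpLib.c, hypervisor support for AP creation is verified only by `ASSERT ((PcdGet64 (PcdGhcbHypervisorFeatures) & GHCB_HV_FEATURES_SNP_AP_CREATE) == GHCB_HV_FEATURES_SNP_AP_CREATE)`. With ASSERTs compiled out, an SEV-SNP guest continues and WakeUpAP() later calls SevSnpCreateAP() even though the feature bit was not advertised. Please make this an unconditional check with a defined failure path, for example a DEBUG_ERROR message followed by CpuDeadLoop (), so that the behaviour does not depend on the build type.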
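Review bot: In the new UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c, SevSnpCreateSaveArea() never sets the TR attributes. Directly after `SaveArea->Tr.Limit = 0xFFFF;` the next two lines assign `SaveArea->Ldtr.Attributes.Bits.Present = 1;` and `SaveArea->Ldtr.Attributes.Bits.Type = SEV_ES_RESET_TSS_TYPE;`, which overwrites the LDTR type set to SEV_ES_RESET_LDT_TYPE three lines earlier and leaves Tr.Attributes at the zero written by ZeroMem(). These look like they were meant to be `SaveArea->Tr.Attributes.Bits.Present` and `SaveArea->Tr.Attributes.Bits.Type`. In the same function the RMPADJUST result is checked only with `ASSERT (RmpAdjustStatus == 0)`, so with ASSERTs disabled the code still issues the SVM_VMGEXIT_SNP_AP_CREATE request for a page that was not turned into a VMSA; returning (and freeing the page) on a non-zero status would match the cleanup already done for a failed VmgExit(). Smaller points: "Propogate" should be "Propagate", and in SevSnpCreateAP() both `ApicId = CpuInfoInHob[...].ApicId,` statements end in a comma instead of a semicolon, which only works because of the comma operator.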