From: "Brijesh Singh via groups.io"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth, Jiewen Yao
Subject: [edk2-devel] [PATCH v8 10/32] OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
Date: Mon, 20 Sep 2021 13:45:42 -0500
Message-ID: <20210920184604.31590-11-brijesh.singh@amd.com>
In-Reply-To: <20210920184604.31590-1-brijesh.singh@amd.com>
References: <20210920184604.31590-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- OvmfPkg/Sec/AmdSev.c | 118 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 7f74e8bfe88e..9dd42b195785 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c
@@ -48,6 +48,103 @@ SevEsProtocolFailure ( CpuDeadLoop (); } =20 +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + // + // Read the SEV_STATUS MSR to determine whether SEV-SNP is active. + // + Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + return TRUE; + } + + return FALSE; +} + +/** + Register the GHCB GPA + +*/ +STATIC +VOID +SevSnpGhcbRegister ( + UINTN Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber =3D Address >> EFI_PAGE_SHIFT; + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber =3D GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber !=3D GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } +} + +/** + Verify that Hypervisor supports the SNP feature. 
+ + */ +STATIC +BOOLEAN +HypervisorSnpFeatureCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to query the hypervisor capabilities + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbHypervisorFeatures.Function =3D GHCB_HYPERVISOR_FEATURES_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + if ((Msr.GhcbHypervisorFeatures.Function !=3D GHCB_HYPERVISOR_FEATURES_R= ESPONSE) || + (!(Msr.GhcbHypervisorFeatures.Features & GHCB_HV_FEATURES_SNP))) { + return FALSE; + } + + return TRUE; +} + /** Validate the SEV-ES/GHCB protocol level. =20 @@ -88,6 +185,27 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } =20 + // + // We cannot use the MemEncryptSevSnpIsEnabled () because the + // ProcessLibraryConstructorList () is not called yet. + // + if (SevSnpIsEnabled ()) { + // + // Check if hypervisor supports the SNP feature + // + if (!HypervisorSnpFeatureCheck ()) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + // + // Unlike the SEV-ES guest, the SNP requires that GHCB GPA must be + // registered with the Hypervisor before the use. This can be done + // using the new VMGEXIT defined in the GHCB v2. Register the GPA + // before it is used. + // + SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } + // // SEV-ES protocol checking succeeded, set the initial GHCB address // --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#80894): https://edk2.groups.io/g/devel/message/80894 Mute This Topic: https://groups.io/mt/85749024/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
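Review bot: In the first hunk (@@ -48,6 +48,103 @@), SevSnpGhcbRegister computes GuestFrameNumber as Address >> EFI_PAGE_SHIFT, which silently discards any offset within the page, and its header comment has no @param for Address and does not mention that a mismatched response ends in SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL) rather than a return to the caller. Please state in the comment that Address must be page aligned (or check it before the shift), add the @param line, and close the block with "**/" as SevSnpIsEnabled does. HypervisorSnpFeatureCheck has the same comment problems: no @retval lines for its TRUE/FALSE results and a " */" terminator. Minor style point: SevSnpIsEnabled could return the Msr.Bits.SevSnpBit test directly instead of the if / return TRUE / return FALSE sequence.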
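Review bot: In the second hunk (@@ -88,6 +185,27 @@, SevEsProtocolCheck), a failed HypervisorSnpFeatureCheck () terminates with GHCB_TERMINATE_GHCB_PROTOCOL, the same reason code the context line directly above passes to SevEsProtocolFailure, so the host cannot distinguish "hypervisor does not advertise GHCB_HV_FEATURES_SNP" from the earlier protocol check failing. Consider a separate termination reason if one is defined, or at least a comment explaining why the code is shared. The comment above the SevSnpGhcbRegister call also says registration uses "the new VMGEXIT defined in the GHCB v2", while the helper added earlier in this patch describes itself as using the GHCB MSR Protocol; aligning the two descriptions (and changing "before the use" to "before use") would avoid confusion about which mechanism is in play this early in SEC.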