From: "Brijesh Singh via groups.io"
To:
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Michael D Kinney, Liming Gao, Zhiguang Liu, Ray Ni, Rahul Kumar, Eric Dong, Brijesh Singh, Michael Roth, Jiewen Yao
Subject: [edk2-devel] [PATCH v13 10/32] OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
Date: Fri, 12 Nov 2021 11:39:37 -0600
Message-ID: <20211112173959.2505972-11-brijesh.singh@amd.com>
In-Reply-To: <20211112173959.2505972-1-brijesh.singh@amd.com>
References: <20211112173959.2505972-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The SEV-SNP guest requires that the GHCB GPA be registered before use.
See the GHCB specification section 2.3.2 for more details.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Acked-by: Gerd Hoffmann
Signed-off-by: Brijesh Singh
---
 OvmfPkg/Sec/AmdSev.c | 117 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
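The exchange the commit message refers to, as an added example that is not OVMF code and not part of this patch: a C model of the two GHCB MSR protocol requests the new SecMain code issues (the hypervisor feature query and the GHCB GPA registration) together with the acceptance checks the guest must apply to each reply, including the refused-registration case. The hypervisor handler, its memory-limit policy and the sample addresses are constructed; the numeric function codes and the SNP feature bit are assumed from the GHCB specification rather than taken from the page, which only names them.

```c
#include <stdbool.h>
#include <stdint.h>

/* GHCB MSR layout: bits 11:0 = GHCBInfo (function code), bits 63:12 = GHCBData. */
#define GHCB_INFO_MASK                        0xFFFULL
/* Function codes and the SNP feature bit as defined in the GHCB specification
 * (assumption: the patch uses the names but does not quote the values). */
#define GHCB_INFO_GHCB_GPA_REGISTER_REQUEST   0x012ULL
#define GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE  0x013ULL
#define GHCB_HYPERVISOR_FEATURES_REQUEST      0x080ULL
#define GHCB_HYPERVISOR_FEATURES_RESPONSE     0x081ULL
#define GHCB_HV_FEATURES_SNP                  0x1ULL

/* Constructed hypervisor stand-in for the VMGEXIT that the guest's AsmVmgExit ()
 * triggers: it advertises hv_features and accepts a GHCB GPA only if the page lies
 * below mem_limit, otherwise it replies with an all-ones GPA (the refusal value the
 * GHCB specification defines for this request). */
static uint64_t hv_msr_vmgexit(uint64_t msr_in, uint64_t hv_features, uint64_t mem_limit) {
    uint64_t info = msr_in & GHCB_INFO_MASK;
    uint64_t data = msr_in & ~GHCB_INFO_MASK;
    switch (info) {
    case GHCB_HYPERVISOR_FEATURES_REQUEST:
        return (hv_features << 12) | GHCB_HYPERVISOR_FEATURES_RESPONSE;
    case GHCB_INFO_GHCB_GPA_REGISTER_REQUEST:
        if (data >= mem_limit) data = ~GHCB_INFO_MASK;
        return data | GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE;
    default:
        return 0;  /* unknown request: the guest must reject this reply */
    }
}

/* Guest side, mirroring HypervisorSnpFeatureCheck: require both the matching
 * response code and the SNP bit in GHCBData. */
bool hypervisor_supports_snp(uint64_t hv_features, uint64_t mem_limit) {
    uint64_t rsp = hv_msr_vmgexit(GHCB_HYPERVISOR_FEATURES_REQUEST, hv_features, mem_limit);
    if ((rsp & GHCB_INFO_MASK) != GHCB_HYPERVISOR_FEATURES_RESPONSE) return false;
    return ((rsp >> 12) & GHCB_HV_FEATURES_SNP) != 0;
}

/* Guest side, mirroring SevSnpGhcbRegister: send the page-aligned GHCB GPA and accept
 * only a reply that echoes exactly that page. false means the guest must terminate
 * instead of touching an unregistered GHCB. */
bool register_ghcb_gpa(uint64_t ghcb_addr, uint64_t hv_features, uint64_t mem_limit) {
    uint64_t gpa = ghcb_addr & ~GHCB_INFO_MASK;  /* same as Address & ~EFI_PAGE_MASK */
    uint64_t rsp = hv_msr_vmgexit(gpa | GHCB_INFO_GHCB_GPA_REGISTER_REQUEST,
                                  hv_features, mem_limit);
    if ((rsp & GHCB_INFO_MASK) != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) return false;
    return (rsp & ~GHCB_INFO_MASK) == gpa;
}
```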
diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 7f74e8bfe88e..58f054ea4418 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c 
@@ -48,6 +48,102 @@ SevEsProtocolFailure ( CpuDeadLoop (); } =20 +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + // + // Read the SEV_STATUS MSR to determine whether SEV-SNP is active. + // + Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + return TRUE; + } + + return FALSE; +} + +/** + Register the GHCB GPA + +*/ +STATIC +VOID +SevSnpGhcbRegister ( + EFI_PHYSICAL_ADDRESS Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D Address & ~EFI_PAGE_MASK; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + ((Msr.GhcbPhysicalAddress & ~EFI_PAGE_MASK) !=3D Address)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } +} + +/** + Verify that Hypervisor supports the SNP feature. 
+ + */ +STATIC +BOOLEAN +HypervisorSnpFeatureCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + UINT64 Features; + + // + // Use the GHCB MSR Protocol to query the hypervisor capabilities + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbHypervisorFeatures.Function =3D GHCB_HYPERVISOR_FEATURES_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + Features =3D RShiftU64 (Msr.GhcbPhysicalAddress, 12); + + if ((Msr.GhcbHypervisorFeatures.Function !=3D GHCB_HYPERVISOR_FEATURES_R= ESPONSE) || + (!(Features & GHCB_HV_FEATURES_SNP))) { + return FALSE; + } + + return TRUE; +} + /** Validate the SEV-ES/GHCB protocol level. =20 @@ -88,6 +184,27 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } =20 + // + // We cannot use the MemEncryptSevSnpIsEnabled () because the + // ProcessLibraryConstructorList () is not called yet. + // + if (SevSnpIsEnabled ()) { + // + // Check if hypervisor supports the SNP feature + // + if (!HypervisorSnpFeatureCheck ()) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + // + // Unlike the SEV-ES guest, the SNP requires that GHCB GPA must be + // registered with the Hypervisor before the use. This can be done + // using the new VMGEXIT defined in the GHCB v2. Register the GPA + // before it is used. + // + SevSnpGhcbRegister ((EFI_PHYSICAL_ADDRESS) (UINTN) FixedPcdGet32 (PcdO= vmfSecGhcbBase)); + } + // // SEV-ES protocol checking succeeded, set the initial GHCB address // --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83714): https://edk2.groups.io/g/devel/message/83714 Mute This Topic: https://groups.io/mt/87011883/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
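Review bot: In the first hunk, SevSnpGhcbRegister compares the page-masked response against the unmasked input, `(Msr.GhcbPhysicalAddress & ~EFI_PAGE_MASK) != Address`, so the function can only ever succeed for a page-aligned Address; either ASSERT the alignment on entry or compare against the masked value that was actually sent, `Address & ~EFI_PAGE_MASK`. While here, the doc comments are incomplete (SevSnpGhcbRegister has no `@param Address` line and HypervisorSnpFeatureCheck has no `@retval` lines), and `RShiftU64 (Msr.GhcbPhysicalAddress, 12)` hard-codes the GHCBData bit position; a named constant for the 12-bit GHCBInfo width would make the MSR layout explicit.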
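Review bot: In the second hunk, the `!HypervisorSnpFeatureCheck ()` path terminates with GHCB_TERMINATE_GHCB_PROTOCOL, the same reason code the protocol-level check immediately above already uses, so a host-side record of the termination cannot tell a missing SNP feature from an unsupported GHCB version; if no distinct reason code is available, a comment stating that the two failures are deliberately folded together would help triage. Also worth a comment: the feature query and the GPA registration run before the "set the initial GHCB address" step, which is correct because both use only the MSR protocol and never touch the GHCB page, but that ordering dependency is currently implicit.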