From nobody Thu May 9 23:49:16 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+86830+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1645455580206447.50402052978745; Mon, 21 Feb 2022 06:59:40 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id ZhDxYY1788612xG92dv3HVvf; Mon, 21 Feb 2022 06:59:39 -0800 X-Received: from NAM12-BN8-obe.outbound.protection.outlook.com (NAM12-BN8-obe.outbound.protection.outlook.com [40.107.237.62]) by mx.groups.io with SMTP id smtpd.web09.11498.1645455578818405399 for ; Mon, 21 Feb 2022 06:59:39 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=f1OCWOuuryl/B7Qa+kk47dbEEB0tC1smlG5HkFHrjxq9Bp62WB4JJpYX0FD7cVELuNvhpiAnFuRElNVbrm752an3Cn1if3/2oUlhgkY+3uNKs9Bpn12EVVVBv/z/ulpOYGzIBki5v+ItJ3qxNoFQw1xt3RoGdl5DHNuhimRQeJZ3ncXG4qHoQ37CITg8SSNrV5IKx6JGXxJB11JZrRyU1WVtZU1ToCNqj6q0bGcdju6uMWcj7j62PkwAELf4YW/lnFmEfshxk9pEV15svN5+4f+f5/+WKfBGy1j6NVYZSeTdLfFANsgR1SgxuDs2GQj9tLsnCwxjVgpQGzs44alpIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IFIhqNfVwHRdvJfgatRdkzbvRfOl2PBYEFhqcZIjkt0=; b=kYVfjsj0JXS0UOQPPnHHR2ZI6LijdNfEoxYhgsgip7JbHUr7aX1SLGRLRFICEySU5Nb2DIwsiB6ge00CHSOjUxjsxwKwuASm46O5TTyU+Aq+v2amzThoUyod5YOkKd+HZYndNznuDTeNUzVbGv1WmfGCkPwhHUHyeHjUuwzTZEuncB4VJWVvmIemhB1mBQKnC0fKv6NNrwXce1Ts4CljC2+Sh1Yt+Lw9sQYOIoPTd+s4801jYpCDvLB7GpEeAZqhGYcRT/MvN8gW/tFUsT1BYsf+X33y1ATdtobGTFlodxa4GrR9697ChQW72avbvsr+v19nG8LmIxsT/sj9Gmei7Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none X-Received: from DM5PR21CA0044.namprd21.prod.outlook.com (2603:10b6:3:ed::30) by CH0PR12MB5060.namprd12.prod.outlook.com (2603:10b6:610:e3::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4995.16; Mon, 21 Feb 2022 14:59:36 +0000 X-Received: from DM6NAM11FT059.eop-nam11.prod.protection.outlook.com (2603:10b6:3:ed:cafe::90) by DM5PR21CA0044.outlook.office365.com (2603:10b6:3:ed::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.6 via Frontend Transport; Mon, 21 Feb 2022 14:59:36 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+86830+1787277+3901457@groups.io; helo=mail02.groups.io; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; X-Received: from SATLEXMB04.amd.com (165.204.84.17) by DM6NAM11FT059.mail.protection.outlook.com (10.13.172.92) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.4995.15 via Frontend Transport; Mon, 21 Feb 2022 14:59:36 +0000 X-Received: from sbrijesh-desktop.amd.com (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.18; Mon, 21 Feb 2022 08:59:35 -0600 From: "Brijesh Singh via groups.io" To: CC: James Bottomley , Min Xu , "Jiewen Yao" , Tom Lendacky , "Jordan Justen" , Ard Biesheuvel , Erdem Aktas , "Michael Roth" , Gerd Hoffmann , , Brijesh Singh Subject: [edk2-devel] [PATCH v2 1/2] OvmfPkg/ResetVector: cache the SEV status MSR value in workarea Date: Mon, 21 Feb 2022 08:59:13 -0600 Message-ID: <20220221145914.1972322-2-brijesh.singh@amd.com> In-Reply-To: <20220221145914.1972322-1-brijesh.singh@amd.com> References: <20220221145914.1972322-1-brijesh.singh@amd.com> MIME-Version: 1.0 X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: b91878a2-2f1c-4260-809f-08d9f54ac717 X-MS-TrafficTypeDiagnostic: CH0PR12MB5060:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Message-Info: gE0fVOu3HxSo3Mwmq0PCN0nx7tMLNIHYc+mO5eujWiZfLfzQv7cjOvhfDFVhRfeljV6arsJlTIP5tATIf3QVS6ibagMnyFFVsb/29lqagQxaYD/4/nAn6nAKdvS7b5qofN3C/TV97hIIxAwTCMez+Mu4STjFkCEP/tTocajIKIapkY+MaFQJgmsH37ieBZvWy9o7OlkvlnR53LnsmI0jDCFm/XsyQtq7KyiRlXqBG4HfqEwtbCKlykaJ7Dc48LJ4N8oRXhvGJB0K1hxmgPeT0N8VhfIbvXV/Y/CaX1GFEuFCYOviC5REae7fhrN3xIoMqw5y9+Z4ATeEdbQaSdWZ2DLagJpLUtZu3wImpp6PupfxnXN3pndnLQ3/IbgiqhfD4kULRIizYl3jJKKUZQkMgIMmacXCZ3Y6Xsizi+AQ0t0I/faM6VFCuQJcjSl9BUkKm0+aXcq0wBlO1brIANOTqyb4wtz7e+nGMPXJUUBsywMsxAJEpQ3/oxy89vZ1CpmeczsiP5hsyrihQN6o5PWFDOYbDOPoYQ8fgtnEQnwE+w/cgCvfEJJ/eSIq0VObT4xFMXWXlRGXKNhP/5ISuRj+gtOpwNRzKx+dDWJB7is+aua6Ril5OMWd2xSasWeiJP3sxiuGSFrQSmmWbxIdvivWXm+CUSb0NUjKmzJOjexS3FPDLSbLVM9jyO3RHptJ2yFjhejd2iaIfRq4ruCtQHIoT4OMOQ7/+Memi5oJa+MaeMELzS266cwpyUJrjLD+NHfGLXFbQUdI7RIn1Fvh+JhCK2crbWvyo9m61dBXvwwD/TE= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Feb 2022 14:59:36.5133 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: b91878a2-2f1c-4260-809f-08d9f54ac717 X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: DM6NAM11FT059.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR12MB5060 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,brijesh.singh@amd.com X-Gm-Message-State: p4UsX6rXXMtVu6FtCzvD6sF0x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1645455579; bh=BNu+NRpige9zAoNfywgHEK6v5XQ1x8LFoTmtZRzztIg=; h=CC:Content-Type:Date:From:Reply-To:Subject:To; b=J8hU9mIgPH7snedOgbQUYYv7xs5RwvNOpxfiUmQBjfk4NQATmy4SuTxQsrLYXfVraTM 0LaePWlwuuvKE1Fhu9gq5fPCHBzzAexEC4oUEl2agxn7Hh+aqtktGRqdzRVL6lrgqsSvi 0wvvWGW1F8AOQKyiTZwe5uV9W5FF3kUSrj0= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1645455582223100004 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3582 In order to probe the SEV feature the BaseMemEncryptLib and Reset vector reads the SEV_STATUS MSR. Cache the value on the first read in the workarea. In the next patches the value saved in the workarea will be used by the BaseMemEncryptLib. This not only eliminates the extra MSR reads it also helps cleaning up the code in BaseMemEncryptLib. Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh Acked-by: Jiewen Yao --- OvmfPkg/Include/WorkArea.h | 12 +++++-- OvmfPkg/Sec/AmdSev.c | 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 38 +++++++++++++-------- OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 3 +- OvmfPkg/ResetVector/ResetVector.nasmb | 3 ++ 5 files changed, 39 insertions(+), 19 deletions(-) diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h index ce60d97aa886..d982e026def7 100644 --- a/OvmfPkg/Include/WorkArea.h +++ b/OvmfPkg/Include/WorkArea.h @@ -46,12 +46,20 @@ typedef struct _CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER= { // any changes must stay in sync with its usage. // typedef struct _SEC_SEV_ES_WORK_AREA { - UINT8 SevEsEnabled; - UINT8 Reserved1[7]; + // + // Hold the SevStatus MSR value read by OvmfPkg/ResetVector/Ia32/AmdSev.c + // + UINT64 SevStatusMsrValue; =20 UINT64 RandomData; =20 UINT64 EncryptionMask; + + // + // Indicator that the VC handler is called. It is used during the SevFea= ture + // detection in OvmfPkg/ResetVector/Ia32/AmdSev.c + // + UINT8 ReceivedVc; } SEC_SEV_ES_WORK_AREA; =20 // diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 499d0c27d8fa..d8fd35650d7d 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -278,7 +278,7 @@ SevEsIsEnabled ( =20 SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAre= aBase); =20 - return (SevEsWorkArea->SevEsEnabled !=3D 0); + return ((SevEsWorkArea->SevStatusMsrValue & BIT1) !=3D 0); } =20 /** diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index 1f827da3b929..864d68385342 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -157,8 +157,9 @@ SevClearPageEncMaskForGhcbPage: jnz SevClearPageEncMaskForGhcbPageExit =20 ; Check if SEV-ES is enabled - cmp byte[SEV_ES_WORK_AREA], 1 - jnz SevClearPageEncMaskForGhcbPageExit + mov ecx, 1 + bt [SEV_ES_WORK_AREA_STATUS_MSR], ecx + jnc SevClearPageEncMaskForGhcbPageExit =20 ; ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted. @@ -219,12 +220,16 @@ GetSevCBitMaskAbove31Exit: ; If SEV is disabled then EAX will be zero. ; CheckSevFeatures: - ; Set the first byte of the workarea to zero to communicate to the SEC - ; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID - ; instruction will trigger a #VC exception where the first byte of the - ; workarea will be set to one or, if CPUID is not being intercepted, - ; the MSR check below will set the first byte of the workarea to one. - mov byte[SEV_ES_WORK_AREA], 0 + ; + ; Clear the workarea, if SEV is enabled then later part of routine + ; will populate the workarea fields. + ; + mov ecx, SEV_ES_WORK_AREA_SIZE + mov eax, SEV_ES_WORK_AREA +ClearSevEsWorkArea: + mov byte [eax], 0 + inc eax + loop ClearSevEsWorkArea =20 ; ; Set up exception handlers to check for SEV-ES @@ -265,6 +270,10 @@ CheckSevFeatures: ; Set the work area header to indicate that the SEV is enabled mov byte[WORK_AREA_GUEST_TYPE], 1 =20 + ; Save the SevStatus MSR value in the workarea + mov [SEV_ES_WORK_AREA_STATUS_MSR], eax + mov [SEV_ES_WORK_AREA_STATUS_MSR + 4], edx + ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest @@ -280,10 +289,6 @@ CheckSevFeatures: bt eax, 1 jnc GetSevEncBit =20 - ; Set the first byte of the workarea to one to communicate to the SEC - ; phase that SEV-ES is enabled. - mov byte[SEV_ES_WORK_AREA], 1 - GetSevEncBit: ; Get pte bit position to enable memory encryption ; CPUID Fn8000_001F[EBX] - Bits 5:0 @@ -313,7 +318,10 @@ NoSev: ; ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred. ; - cmp byte[SEV_ES_WORK_AREA], 0 + ; If SEV-ES is enabled, the CPUID instruction will trigger a #VC excep= tion + ; where the RECEIVED_VC offset in the workarea will be set to one. + ; + cmp byte[SEV_ES_WORK_AREA_RECEIVED_VC], 0 jz NoSevPass =20 ; @@ -407,9 +415,9 @@ SevEsIdtVmmComm: ; If we're here, then we are an SEV-ES guest and this ; was triggered by a CPUID instruction ; - ; Set the first byte of the workarea to one to communicate that + ; Set the recievedVc field in the workarea to communicate that ; a #VC was taken. - mov byte[SEV_ES_WORK_AREA], 1 + mov byte[SEV_ES_WORK_AREA_RECEIVED_VC], 1 =20 pop ecx ; Error code cmp ecx, 0x72 ; Be sure it was CPUID diff --git a/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm b/OvmfPkg/ResetVec= tor/Ia32/Flat32ToFlat64.asm index eb3546668ef8..c5c683ebed3e 100644 --- a/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm +++ b/OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm @@ -42,7 +42,8 @@ Transition32FlatTo64Flat: ; xor ebx, ebx =20 - cmp byte[SEV_ES_WORK_AREA], 0 + mov ecx, 1 + bt [SEV_ES_WORK_AREA_STATUS_MSR], ecx jz EnablePaging =20 ; diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index cc364748b592..9421f4818907 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -100,8 +100,11 @@ %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) + %define SEV_ES_WORK_AREA_SIZE 25 + %define SEV_ES_WORK_AREA_STATUS_MSR (FixedPcdGet32 (PcdSevEsWorkAreaBase= )) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) + %define SEV_ES_WORK_AREA_RECEIVED_VC (FixedPcdGet32 (PcdSevEsWorkAreaBas= e) + 24) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86830): https://edk2.groups.io/g/devel/message/86830 Mute This Topic: https://groups.io/mt/89295065/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 9 23:49:16 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+86831+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1645455579777856.6038430864469; Mon, 21 Feb 2022 06:59:39 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id 3uBxYY1788612x0xBiyrAzFf; Mon, 21 Feb 2022 06:59:40 -0800 X-Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.107.94.61]) by mx.groups.io with SMTP id smtpd.web09.11499.1645455580071351595 for ; Mon, 21 Feb 2022 06:59:40 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=T1qJU92q/f361iSf5Or3kQtRZIjRYVCxrYkKyybxaOY0MuWhWbRPE2gSe4Wq/XwEEevn+kZvwHRtJfDP5yIaDoXexPgBJy2MMIxL+thg9vNB5ZEMZa04oBfcWlCj1ZVpKMbnrM9Do6Qy7JWJEWvY6chKXPD7F1V8s3ei15yxwVUxFyIqBulmJY8r8fPstn4tLX21kTrZoFJD+JaAfAO6ofh6gQtvdcnGJGIlu4epk89pQjgP3dGE3mmp9z6L6u4ETMvdVlaDTqICvHUpBLHX1/KR3k8Yo2ddUJN0vA/wpM2xmV0WnC4IGLFP/65neByo72IOCLZFZU+j58fCKSAB6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HEJ/LWeunTEKbItAK+UvlNBf9idPAB0VkrJfFGXN+Kk=; b=I4sg1pUTHBMkiy6HWcRV5ES/xkesqQxgXqlkPmZxWWB652wy25fqXoOzBBSvL9O1iDPOV45QM0ch9ENGkjuMgBA2FI5Un/2z7ThChYUlOQmfjYyI4ujnpJ+r+UHmyJr4D4gyHU9Uo+jnZThiGfYGnqXVVOh74VWtn9cOMiMtJ683mxQKRCFk8y/GTlela2yqxdYVWL+Nre6bZt+f4xL9jg2MpKgCwKpa0BlwJY90oQw+kYbTY5YjH9CizTX4Vsabl0wuSzo9h617O+LhsU7YFBV/8pYUGgamyyRPlb7Ks0mVQzhgedk4vnxKaVALGR4Zp8Z/Nbl6NjDsXMexPuQQZA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none X-Received: from DM5PR07CA0104.namprd07.prod.outlook.com (2603:10b6:4:ae::33) by SJ0PR12MB5504.namprd12.prod.outlook.com (2603:10b6:a03:3ad::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4995.16; Mon, 21 Feb 2022 14:59:37 +0000 X-Received: from DM6NAM11FT063.eop-nam11.prod.protection.outlook.com (2603:10b6:4:ae:cafe::fe) by DM5PR07CA0104.outlook.office365.com (2603:10b6:4:ae::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4995.14 via Frontend Transport; Mon, 21 Feb 2022 14:59:37 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17) smtp.mailfrom=amd.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amd.com; Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+86831+1787277+3901457@groups.io; helo=mail02.groups.io; Received-SPF: Pass (protection.outlook.com: domain of amd.com designates 165.204.84.17 as permitted sender) receiver=protection.outlook.com; client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; X-Received: from SATLEXMB04.amd.com (165.204.84.17) by DM6NAM11FT063.mail.protection.outlook.com (10.13.172.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.20.4995.15 via Frontend Transport; Mon, 21 Feb 2022 14:59:37 +0000 X-Received: from sbrijesh-desktop.amd.com (10.180.168.240) by SATLEXMB04.amd.com (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.18; Mon, 21 Feb 2022 08:59:35 -0600 From: "Brijesh Singh via groups.io" To: CC: James Bottomley , Min Xu , "Jiewen Yao" , Tom Lendacky , "Jordan Justen" , Ard Biesheuvel , Erdem Aktas , "Michael Roth" , Gerd Hoffmann , , Brijesh Singh Subject: [edk2-devel] [PATCH v2 2/2] OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea Date: Mon, 21 Feb 2022 08:59:14 -0600 Message-ID: <20220221145914.1972322-3-brijesh.singh@amd.com> In-Reply-To: <20220221145914.1972322-1-brijesh.singh@amd.com> References: <20220221145914.1972322-1-brijesh.singh@amd.com> MIME-Version: 1.0 X-Originating-IP: [10.180.168.240] X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com (10.181.40.145) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: e9c951e1-488d-476e-28c3-08d9f54ac7a1 X-MS-TrafficTypeDiagnostic: SJ0PR12MB5504:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Message-Info: 9qODMR/BHTeHguyHwiJT0Yv689mXyJpWqbiQ5JQLCuFOsZwRIiVXcngE9BQ9KYqAbagFpuwW3yAtxHRK75lpsL66yjx/BvRA8HwnpdSYR+UQnnd2ErGW1TCyJ3sYy5jJXLhLRZtTntAxwJjELbHo4wHQdKRSoWtI3E8sBIexHtWs5RcAcmsHH/VfZscVb1WXi+uUCZdJdMTYa2Tyi4JlyOF5z24uLskrCxmMGkCDpr/XxfBf5UPyMUD4Zwub7gt7cLQs6Dd5jJeye/zm0E7DQv0luG/7a+1Ha+QgzQ3KBm73qCqGBOUJkZPUxX3mbKPVDXEwucTbryD7CfJfIQ4IzYAakiWX8gMdkRc8rsVLdVL/ckP4GUSZkRs1t6gNW95qXHoxou4umQtfxvfo3E9cNpgYIiDhZl393l+rRdLu5GKIG2BmOd8gfG6VZoDYQnYp/zvL1+xJggo8SqEwCS2YUKqRp5xrtbDtcApfiG31ODtqo6+w/T9ZLdeIJ02Cc78TTc6kBWaQOMiVE0ldJf8MUjav4KbB29+WBIJhsQkTa17GyWHEIwlOFO+TO8Ak1+6dbTzO37fcyfJ8LOyxs41kGcgdPGEGm3pjjwqinvNONGabdNEva2BuSgyolSlPD+RR2Kv6Cg0jOo9CKsYGpotGjUqNZItUWaQtZTdEKpdVk0uL8LTZH8RunR+hyHugnq7EdTmhFdadh8F61X9FSLDizROIHdzOn+azeectancEu6k0xwKOt7m53wx18gcAGSOI7uLR0unv2cJFXOuIhI4B/2Q0irD/K07PN5GcJ5pZ/uM= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Feb 2022 14:59:37.4154 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: e9c951e1-488d-476e-28c3-08d9f54ac7a1 X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com] X-MS-Exchange-CrossTenant-AuthSource: DM6NAM11FT063.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR12MB5504 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,brijesh.singh@amd.com X-Gm-Message-State: qfDDGbb0a6Coi2B92KK91YQdx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1645455580; bh=LKgYn8KHN18NaA2oo2NjcqTCZUYL+ymFFt0b/zB0HpU=; h=CC:Content-Type:Date:From:Reply-To:Subject:To; b=fT7fzVU4jGARNyCRz5FrXqjXqiv3B15xy2kw/2oWFrK7MVJemJiY7JZvhjY1v3ZNRUK mlb75d1nBc3GCBETs3cUlSn4Tpv6X5EwmMKX4ztE1ULcr7bd2fcG9L5e6qiy7w376Pk6D J56zJGdMKBs9xqJDyD8JLL+kaBPo66BL/vM= X-ZohoMail-DKIM: fail (Signature date is -1 seconds in the future.) X-ZM-MESSAGEID: 1645455595884100001 Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3582 Improve the MemEncryptSev{Es,Snp}IsEnabled() to use the SEV_STATUS MSR value saved in the workarea. Since workarea is valid until the PEI phase, so, for the Dxe phase use the PcdConfidentialComputingGuestAttr to determine which SEV technology is enabled. Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh Acked-by: Jiewen Yao --- .../DxeMemEncryptSevLib.inf | 1 + .../PeiMemEncryptSevLib.inf | 1 + .../SecMemEncryptSevLib.inf | 1 + .../DxeMemEncryptSevLibInternal.c | 145 ++++++++---------- .../PeiMemEncryptSevLibInternal.c | 139 ++++++----------- .../SecMemEncryptSevLibInternal.c | 80 +++++----- 6 files changed, 155 insertions(+), 212 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f613bb314f5f..35b7d519d938 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -58,3 +58,4 @@ [FeaturePcd] =20 [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 50c83859d7e7..714da3323765 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -58,6 +58,7 @@ [FeaturePcd] =20 [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b= /OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 939af0a91ea4..284e5acc1177 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -52,3 +52,4 @@ [LibraryClasses] =20 [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 15fcd5529587..4aba0075b9e2 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -16,83 +16,84 @@ #include #include #include +#include =20 -STATIC BOOLEAN mSevStatus =3D FALSE; -STATIC BOOLEAN mSevEsStatus =3D FALSE; -STATIC BOOLEAN mSevSnpStatus =3D FALSE; -STATIC BOOLEAN mSevStatusChecked =3D FALSE; - +STATIC UINT64 mCurrentAttr =3D 0; +STATIC BOOLEAN mCurrentAttrRead =3D FALSE; STATIC UINT64 mSevEncryptionMask =3D 0; STATIC BOOLEAN mSevEncryptionMaskSaved =3D FALSE; =20 /** - Reads and sets the status of SEV features. + The function check if the specified Attr is set. =20 - **/ + @param[in] CurrentAttr The current attribute. + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is set. + @retval FALSE The specified Attr is not set. + +**/ +STATIC +BOOLEAN +AmdMemEncryptionAttrCheck ( + IN UINT64 CurrentAttr, + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ) +{ + switch (Attr) { + case CCAttrAmdSev: + // + // SEV is automatically enabled if SEV-ES or SEV-SNP is active. + // + return CurrentAttr >=3D CCAttrAmdSev; + case CCAttrAmdSevEs: + // + // SEV-ES is automatically enabled if SEV-SNP is active. + // + return CurrentAttr >=3D CCAttrAmdSevEs; + case CCAttrAmdSevSnp: + return CurrentAttr =3D=3D CCAttrAmdSevSnp; + default: + return FALSE; + } +} + +/** + Check if the specified confidential computing attribute is active. + + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. + +**/ STATIC -VOID +BOOLEAN EFIAPI -InternalMemEncryptSevStatus ( - VOID +ConfidentialComputingGuestHas ( + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { - UINT32 RegEax; - MSR_SEV_STATUS_REGISTER Msr; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - UINT64 EncryptionMask; - - ReadSevMsr =3D FALSE; - - EncryptionMask =3D PcdGet64 (PcdPteMemoryEncryptionAddressOrMask); - if (EncryptionMask !=3D 0) { - // - // The MSR has been read before, so it is safe to read it again and av= oid - // having to validate the CPUID information. - // - ReadSevMsr =3D TRUE; - } else { - // - // Check if memory encryption leaf exist - // - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); - if (RegEax >=3D CPUID_MEMORY_ENCRYPTION_INFO) { - // - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NUL= L); - - if (Eax.Bits.SevBit) { - ReadSevMsr =3D TRUE; - } - } + // + // Get the current CC attribute. + // + // We avoid reading the PCD on every check because this routine could be= indirectly + // called during the virtual pointer conversion. And its not safe to acc= ess the + // PCDs during the virtual pointer conversion. + // + if (!mCurrentAttrRead) { + mCurrentAttr =3D PcdGet64 (PcdConfidentialComputingGuestAttr); + mCurrentAttrRead =3D TRUE; } =20 - if (ReadSevMsr) { - // - // Check MSR_0xC0010131 Bit 0 (Sev Enabled) - // - Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); - if (Msr.Bits.SevBit) { - mSevStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) - // - if (Msr.Bits.SevEsBit) { - mSevEsStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) - // - if (Msr.Bits.SevSnpBit) { - mSevSnpStatus =3D TRUE; - } + // + // If attr is for the AMD group then call AMD specific checks. + // + if (((RShiftU64 (mCurrentAttr, 8)) & 0xff) =3D=3D 1) { + return AmdMemEncryptionAttrCheck (mCurrentAttr, Attr); } =20 - mSevStatusChecked =3D TRUE; + return (mCurrentAttr =3D=3D Attr); } =20 /** @@ -107,11 +108,7 @@ MemEncryptSevSnpIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } - - return mSevSnpStatus; + return ConfidentialComputingGuestHas (CCAttrAmdSevSnp); } =20 /** @@ -126,11 +123,7 @@ MemEncryptSevEsIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } - - return mSevEsStatus; + return ConfidentialComputingGuestHas (CCAttrAmdSevEs); } =20 /** @@ -145,11 +138,7 @@ MemEncryptSevIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } - - return mSevStatus; + return ConfidentialComputingGuestHas (CCAttrAmdSev); } =20 /** diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index d68ff08c3ea6..3f8f91a5da12 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -17,82 +17,51 @@ #include #include =20 -STATIC BOOLEAN mSevStatus =3D FALSE; -STATIC BOOLEAN mSevEsStatus =3D FALSE; -STATIC BOOLEAN mSevSnpStatus =3D FALSE; -STATIC BOOLEAN mSevStatusChecked =3D FALSE; +/** + Read the workarea to determine whether SEV is enabled. If enabled, + then return the SevEsWorkArea pointer. + + **/ +STATIC +SEC_SEV_ES_WORK_AREA * +EFIAPI +GetSevEsWorkArea ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + WorkArea =3D (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + + // + // If its not SEV guest then SevEsWorkArea is not valid. + // + if ((WorkArea =3D=3D NULL) || (WorkArea->Header.GuestType !=3D GUEST_TYP= E_AMD_SEV)) { + return NULL; + } =20 -STATIC UINT64 mSevEncryptionMask =3D 0; -STATIC BOOLEAN mSevEncryptionMaskSaved =3D FALSE; + return (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase); +} =20 /** - Reads and sets the status of SEV features. + Read the SEV Status MSR value from the workarea =20 **/ STATIC -VOID +UINT32 EFIAPI InternalMemEncryptSevStatus ( VOID ) { - UINT32 RegEax; - MSR_SEV_STATUS_REGISTER Msr; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - ReadSevMsr =3D FALSE; - - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAre= aBase); - if ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->EncryptionMask !=3D 0))= { - // - // The MSR has been read before, so it is safe to read it again and av= oid - // having to validate the CPUID information. - // - ReadSevMsr =3D TRUE; - } else { - // - // Check if memory encryption leaf exist - // - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); - if (RegEax >=3D CPUID_MEMORY_ENCRYPTION_INFO) { - // - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NUL= L); - - if (Eax.Bits.SevBit) { - ReadSevMsr =3D TRUE; - } - } - } - - if (ReadSevMsr) { - // - // Check MSR_0xC0010131 Bit 0 (Sev Enabled) - // - Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); - if (Msr.Bits.SevBit) { - mSevStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) - // - if (Msr.Bits.SevEsBit) { - mSevEsStatus =3D TRUE; - } - - // - // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) - // - if (Msr.Bits.SevSnpBit) { - mSevSnpStatus =3D TRUE; - } + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - mSevStatusChecked =3D TRUE; + return (UINT32)(UINTN)SevEsWorkArea->SevStatusMsrValue; } =20 /** @@ -107,11 +76,11 @@ MemEncryptSevSnpIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } + MSR_SEV_STATUS_REGISTER Msr; =20 - return mSevSnpStatus; + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; } =20 /** @@ -126,11 +95,11 @@ MemEncryptSevEsIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } + MSR_SEV_STATUS_REGISTER Msr; =20 - return mSevEsStatus; + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevEsBit ? TRUE : FALSE; } =20 /** @@ -145,11 +114,11 @@ MemEncryptSevIsEnabled ( VOID ) { - if (!mSevStatusChecked) { - InternalMemEncryptSevStatus (); - } + MSR_SEV_STATUS_REGISTER Msr; =20 - return mSevStatus; + Msr.Uint32 =3D InternalMemEncryptSevStatus (); + + return Msr.Bits.SevBit ? TRUE : FALSE; } =20 /** @@ -163,24 +132,12 @@ MemEncryptSevGetEncryptionMask ( VOID ) { - if (!mSevEncryptionMaskSaved) { - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkA= reaBase); - if (SevEsWorkArea !=3D NULL) { - mSevEncryptionMask =3D SevEsWorkArea->EncryptionMask; - } else { - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; - - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NUL= L); - mSevEncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); - } - - mSevEncryptionMaskSaved =3D TRUE; + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - return mSevEncryptionMask; + return SevEsWorkArea->EncryptionMask; } diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibIntern= al.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 5d912b2a4a5e..80aceba01bcf 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -18,7 +18,33 @@ #include =20 /** - Reads and sets the status of SEV features. + Read the workarea to determine whether SEV is enabled. If enabled, + then return the SevEsWorkArea pointer. + + **/ +STATIC +SEC_SEV_ES_WORK_AREA * +EFIAPI +GetSevEsWorkArea ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + WorkArea =3D (OVMF_WORK_AREA *)FixedPcdGet32 (PcdOvmfWorkAreaBase); + + // + // If its not SEV guest then SevEsWorkArea is not valid. + // + if ((WorkArea =3D=3D NULL) || (WorkArea->Header.GuestType !=3D GUEST_TYP= E_AMD_SEV)) { + return NULL; + } + + return (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase); +} + +/** + Read the SEV Status MSR value from the workarea =20 **/ STATIC @@ -28,38 +54,14 @@ InternalMemEncryptSevStatus ( VOID ) { - UINT32 RegEax; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - ReadSevMsr =3D FALSE; - - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAre= aBase); - if ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->EncryptionMask !=3D 0))= { - // - // The MSR has been read before, so it is safe to read it again and av= oid - // having to validate the CPUID information. - // - ReadSevMsr =3D TRUE; - } else { - // - // Check if memory encryption leaf exist - // - AsmCpuid (CPUID_EXTENDED_FUNCTION, &RegEax, NULL, NULL, NULL); - if (RegEax >=3D CPUID_MEMORY_ENCRYPTION_INFO) { - // - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, &Eax.Uint32, NULL, NULL, NUL= L); - - if (Eax.Bits.SevBit) { - ReadSevMsr =3D TRUE; - } - } + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - return ReadSevMsr ? AsmReadMsr32 (MSR_SEV_STATUS) : 0; + return (UINT32)(UINTN)SevEsWorkArea->SevStatusMsrValue; } =20 /** @@ -130,22 +132,14 @@ MemEncryptSevGetEncryptionMask ( VOID ) { - CPUID_MEMORY_ENCRYPTION_INFO_EBX Ebx; - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; - UINT64 EncryptionMask; + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAre= aBase); - if (SevEsWorkArea !=3D NULL) { - EncryptionMask =3D SevEsWorkArea->EncryptionMask; - } else { - // - // CPUID Fn8000_001F[EBX] Bit 0:5 (memory encryption bit position) - // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, NULL, &Ebx.Uint32, NULL, NULL); - EncryptionMask =3D LShiftU64 (1, Ebx.Bits.PtePosBits); + SevEsWorkArea =3D GetSevEsWorkArea (); + if (SevEsWorkArea =3D=3D NULL) { + return 0; } =20 - return EncryptionMask; + return SevEsWorkArea->EncryptionMask; } =20 /** --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86831): https://edk2.groups.io/g/devel/message/86831 Mute This Topic: https://groups.io/mt/89295066/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-