Series comparison

These three patches build on the lazy-accept patch series

"Introduce Lazy-accept for Tdx guest"

by adding SEV-SNP support for the MemoryAccept protocol, and
importantly making eager memory acceptance the default behavior.

For unaccepted memory to be enabled, we must know that the booted image
supports the unaccepted memory type. We add a trivial protocol that sets
a dynamic Pcd to true when called in order for the booted image to
signal its support for unaccepted memory. This does not need to be an
OsIndications bit because it does not need to be persisted.

We use the Pcd to disable a new ExitBootServices notification that
accepts all unaccepted memory, removes the unaccepted memory entries in
the memory space map, and then add the same memory ranges back as
conventional memory.

All images that support unaccepted memory must now locate and call this
new ENABLE_UNACCEPTED_MEMORY_PROTOCOL.

Cc: Ard Biescheuvel <ardb@kernel.org>
Cc: "Min M. Xu" <min.m.xu@intel.org>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Tom Lendacky <Thomas.Lendacky@amd.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Erdem Aktas <erdemaktas@google.com>

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>

Dionna Glaze (3):
  OvmfPkg: Realize EfiMemoryAcceptProtocol in AmdSevDxe
  DxeMain accepts all memory at EBS if needed
  MdeModulePkg: add EnableUnacceptedMemoryProtocol

-- 
2.37.3.998.g577e59143f-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94134): https://edk2.groups.io/g/devel/message/94134
Mute This Topic: https://groups.io/mt/93857638/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

From: Sophia Wolf <phiawolf@google.com>

When a guest OS does not support unaccepted memory, the unaccepted
memory must be accepted before returning a memory map to the caller.

EfiMemoryAcceptProtocol is defined in MdePkg and is implementated /
Installed in AmdSevDxe for AMD SEV-SNP memory acceptance.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>

Signed-off-by: Sophia Wolf <phiawolf@google.com>
---
 OvmfPkg/AmdSevDxe/AmdSevDxe.c | 27 ++++++++++++++
 OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 3 ++
 OvmfPkg/Include/Library/MemEncryptSevLib.h | 14 ++++++++
 .../Ia32/MemEncryptSevLib.c | 17 +++++++++
 .../X64/DxeSnpSystemRamValidate.c | 35 +++++++++++++++++++
 .../X64/PeiSnpSystemRamValidate.c | 17 +++++++++
 .../X64/SecSnpSystemRamValidate.c | 18 ++++++++++
 7 files changed, 131 insertions(+)

diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
@@ -XXX,XX +XXX,XX @@
 #include <Library/UefiBootServicesTableLib.h>
 #include <Guid/ConfidentialComputingSevSnpBlob.h>
 #include <Library/PcdLib.h>
+#include <Protocol/MemoryAccept.h>
 
 STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = {
 SIGNATURE_32 ('A', 'M', 'D', 'E'),
@@ -XXX,XX +XXX,XX @@ STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = {
 FixedPcdGet32 (PcdOvmfCpuidSize),
 };
 
+EFI_HANDLE mAmdSevDxeHandle = NULL;
+
+EFI_STATUS
+EFIAPI
+AmdSevMemoryAccept (
+ IN EFI_MEMORY_ACCEPT_PROTOCOL *This,
+ IN EFI_PHYSICAL_ADDRESS StartAddress,
+ IN UINTN Size
+)
+{
+ MemEncryptSnpAcceptPages (StartAddress, Size / SIZE_4KB);
+
+ return EFI_SUCCESS;
+}
+
+EFI_MEMORY_ACCEPT_PROTOCOL mMemoryAcceptProtocol = {
+ AmdSevMemoryAccept
+};
+
 EFI_STATUS
 EFIAPI
 AmdSevDxeEntryPoint (
@@ -XXX,XX +XXX,XX @@ AmdSevDxeEntryPoint (
 }
 }
 
+ Status = gBS->InstallProtocolInterface (&mAmdSevDxeHandle,
+ &gEfiMemoryAcceptProtocolGuid, EFI_NATIVE_INTERFACE,
+ &mMemoryAcceptProtocol);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Install EfiMemoryAcceptProtocol failed.\n"));
+ }
+
 //
 // If its SEV-SNP active guest then install the CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB.
 // It contains the location for both the Secrets and CPUID page.
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
@@ -XXX,XX +XXX,XX @@
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase
 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize
 
+[Protocols]
+ gEfiMemoryAcceptProtocolGuid
+
 [Guids]
 gConfidentialComputingSevSnpBlobGuid
 
diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
+++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
@@ -XXX,XX +XXX,XX @@ MemEncryptSevSnpPreValidateSystemRam (
 IN UINTN NumPages
 );
 
+/**
+ Accept pages system RAM when SEV-SNP is enabled in the guest VM.
+
+ @param[in] BaseAddress Base address
+ @param[in] NumPages Number of pages starting from the base address
+
+**/
+VOID
+EFIAPI
+MemEncryptSnpAcceptPages (
+ IN PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN NumPages
+ );
+
 #endif // _MEM_ENCRYPT_SEV_LIB_H_
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/Ia32/MemEncryptSevLib.c
@@ -XXX,XX +XXX,XX @@ MemEncryptSevSnpPreValidateSystemRam (
 {
 ASSERT (FALSE);
 }
+
+/**
+ Accept pages system RAM when SEV-SNP is enabled in the guest VM.
+
+ @param[in] BaseAddress Base address
+ @param[in] NumPages Number of pages starting from the base address
+
+**/
+VOID
+EFIAPI
+MemEncryptSnpAcceptPages (
+ IN PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN NumPages
+ )
+{
+ ASSERT (FALSE);
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c
@@ -XXX,XX +XXX,XX @@
 #include <Library/MemEncryptSevLib.h>
 
 #include "SnpPageStateChange.h"
+#include "VirtualMemory.h"
 
 /**
 Pre-validate the system RAM when SEV-SNP is enabled in the guest VM.
@@ -XXX,XX +XXX,XX @@ MemEncryptSevSnpPreValidateSystemRam (
 //
 ASSERT (FALSE);
 }
+
+/**
+ Accept pages system RAM when SEV-SNP is enabled in the guest VM.
+
+ @param[in] BaseAddress Base address
+ @param[in] NumPages Number of pages starting from the base address
+
+**/
+VOID
+EFIAPI
+MemEncryptSnpAcceptPages (
+ IN PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN NumPages
+ )
+{
+ EFI_STATUS Status;
+
+ if (!MemEncryptSevSnpIsEnabled ()) {
+ return;
+ }
+ if (BaseAddress >= SIZE_4GB) {
+ Status = InternalMemEncryptSevCreateIdentityMap1G (
+ 0,
+ BaseAddress,
+ EFI_PAGES_TO_SIZE (NumPages)
+ );
+ if (EFI_ERROR (Status)) {
+ ASSERT (FALSE);
+ CpuDeadLoop ();
+ }
+ }
+
+ InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE);
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c
@@ -XXX,XX +XXX,XX @@ MemEncryptSevSnpPreValidateSystemRam (
 BaseAddress = EndAddress;
 }
 }
+
+/**
+ Accept pages system RAM when SEV-SNP is enabled in the guest VM.
+
+ @param[in] BaseAddress Base address
+ @param[in] NumPages Number of pages starting from the base address
+
+**/
+VOID
+EFIAPI
+MemEncryptSnpAcceptPages (
+ IN PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN NumPages
+ )
+{
+ ASSERT (FALSE);
+}
diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
+++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c
@@ -XXX,XX +XXX,XX @@
 
 #include <Uefi/UefiBaseType.h>
 #include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
 #include <Library/MemEncryptSevLib.h>
 
 #include "SnpPageStateChange.h"
@@ -XXX,XX +XXX,XX @@ MemEncryptSevSnpPreValidateSystemRam (
 
 InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE);
 }
+
+/**
+ Accept pages system RAM when SEV-SNP is enabled in the guest VM.
+
+ @param[in] BaseAddress Base address
+ @param[in] NumPages Number of pages starting from the base address
+
+**/
+VOID
+EFIAPI
+MemEncryptSnpAcceptPages (
+ IN PHYSICAL_ADDRESS BaseAddress,
+ IN UINTN NumPages
+ )
+{
+ ASSERT(FALSE);
+}
-- 
2.37.3.998.g577e59143f-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94135): https://edk2.groups.io/g/devel/message/94135
Mute This Topic: https://groups.io/mt/93857642/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

With the addition of the EfiUnacceptedMemory memory type, it is possible
the EFI-enlightened guests do not themselves support the new memory
type. This commit adds a dynamic Pcd that can be set to enable
unaccepted memory support before ExitBootServices is called.

The expected usage is to set the new Pcd with a protocol that is usable
by bootloaders and directly-booted OSes when they can determine that the
OS does indeed support unaccepted memory.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Ard Biesheuvel <ardb@kernel.org>

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 MdeModulePkg/Core/Dxe/DxeMain.h | 10 +++
 MdeModulePkg/Core/Dxe/DxeMain.inf | 2 +
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 14 +++-
 MdeModulePkg/Core/Dxe/Mem/Page.c | 87 +++++++++++++++++++++++++
 MdeModulePkg/MdeModulePkg.dec | 6 ++
 MdeModulePkg/MdeModulePkg.uni | 6 ++
 OvmfPkg/AmdSev/AmdSevX64.dsc | 1 +
 OvmfPkg/Bhyve/BhyveX64.dsc | 2 +
 OvmfPkg/CloudHv/CloudHvX64.dsc | 2 +
 OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +
 OvmfPkg/OvmfPkgIa32X64.dsc | 2 +
 OvmfPkg/OvmfPkgX64.dsc | 2 +
 OvmfPkg/OvmfXen.dsc | 2 +
 13 files changed, 137 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Dxe/DxeMain.h b/MdeModulePkg/Core/Dxe/DxeMain.h
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain.h
+++ b/MdeModulePkg/Core/Dxe/DxeMain.h
@@ -XXX,XX +XXX,XX @@ CoreInitializeMemoryProtection (
 VOID
 );
 
+/**
+ Accept and convert unaccepted memory to conventional memory if unaccepted
+ memory is not enabled and there is an implementation of MemoryAcceptProtocol
+ installed.
+ **/
+EFI_STATUS
+CoreResolveUnacceptedMemory (
+ VOID
+ );
+
 /**
 Install MemoryAttributesTable on memory allocation.
 
diff --git a/MdeModulePkg/Core/Dxe/DxeMain.inf b/MdeModulePkg/Core/Dxe/DxeMain.inf
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain.inf
+++ b/MdeModulePkg/Core/Dxe/DxeMain.inf
@@ -XXX,XX +XXX,XX @@
 gEfiHiiPackageListProtocolGuid ## SOMETIMES_PRODUCES
 gEfiSmmBase2ProtocolGuid ## SOMETIMES_CONSUMES
 gEdkiiPeCoffImageEmulatorProtocolGuid ## SOMETIMES_CONSUMES
+ gEfiMemoryAcceptProtocolGuid ## SOMETIMES_CONSUMES
 
 # Arch Protocols
 gEfiBdsArchProtocolGuid ## CONSUMES
@@ -XXX,XX +XXX,XX @@
 gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask ## CONSUMES
 gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES
 gEfiMdeModulePkgTokenSpaceGuid.PcdFwVolDxeMaxEncapsulationDepth ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory ## CONSUMES
 
 # [Hob]
 # RESOURCE_DESCRIPTOR ## CONSUMES
diff --git a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
+++ b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
@@ -XXX,XX +XXX,XX @@ CoreExitBootServices (
 //
 gTimer->SetTimerPeriod (gTimer, 0);
 
+ //
+ // Accept all memory if unaccepted memory isn't enabled.
+ //
+ Status = CoreResolveUnacceptedMemory();
+ if (EFI_ERROR (Status)) {
+ //
+ // Notify other drivers that ExitBootServices failed
+ //
+ CoreNotifySignalList (&gEventExitBootServicesFailedGuid);
+ return Status;
+ }
+
 //
 // Terminate memory services if the MapKey matches
 //
 Status = CoreTerminateMemoryMap (MapKey);
 if (EFI_ERROR (Status)) {
 //
- // Notify other drivers that ExitBootServices fail
+ // Notify other drivers that ExitBootServices failed
 //
 CoreNotifySignalList (&gEventExitBootServicesFailedGuid);
 return Status;
diff --git a/MdeModulePkg/Core/Dxe/Mem/Page.c b/MdeModulePkg/Core/Dxe/Mem/Page.c
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/Mem/Page.c
+++ b/MdeModulePkg/Core/Dxe/Mem/Page.c
@@ -XXX,XX +XXX,XX @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "DxeMain.h"
 #include "Imem.h"
 #include "HeapGuard.h"
+#include <Library/PcdLib.h>
+#include <Protocol/MemoryAccept.h>
 
 //
 // Entry for tracking the memory regions for each memory type to coalesce similar memory types
@@ -XXX,XX +XXX,XX @@ CoreFreePoolPages (
 CoreConvertPages (Memory, NumberOfPages, EfiConventionalMemory);
 }
 
+EFI_EVENT gExitBootServiceEvent = NULL;
+
+STATIC
+EFI_STATUS
+AcceptAllUnacceptedMemory (
+ IN EFI_MEMORY_ACCEPT_PROTOCOL *AcceptMemory
+ )
+{
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
+ UINTN NumEntries;
+ UINTN Index;
+ EFI_STATUS Status;
+
+ /*
+ * Get a copy of the memory space map to iterate over while
+ * changing the map.
+ */
+ Status = CoreGetMemorySpaceMap (&NumEntries, &AllDescMap);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ for (Index = 0; Index < NumEntries; Index++) {
+ CONST EFI_GCD_MEMORY_SPACE_DESCRIPTOR *Desc;
+
+ Desc = &AllDescMap[Index];
+ if (Desc->GcdMemoryType != EfiGcdMemoryTypeUnaccepted) {
+ continue;
+ }
+
+ Status = AcceptMemory->AcceptMemory (
+ AcceptMemory,
+ Desc->BaseAddress,
+ Desc->Length
+ );
+ if (EFI_ERROR(Status)) {
+ goto done;
+ }
+
+ Status = CoreRemoveMemorySpace(Desc->BaseAddress, Desc->Length);
+ if (EFI_ERROR(Status)) {
+ goto done;
+ }
+
+ Status = CoreAddMemorySpace (
+ EfiGcdMemoryTypeSystemMemory,
+ Desc->BaseAddress,
+ Desc->Length,
+ EFI_MEMORY_CPU_CRYPTO | EFI_MEMORY_XP | EFI_MEMORY_RO | EFI_MEMORY_RP
+ );
+ if (EFI_ERROR(Status)) {
+ goto done;
+ }
+ }
+
+done:
+ FreePool (AllDescMap);
+ return Status;
+}
+
+EFI_STATUS
+CoreResolveUnacceptedMemory (
+ VOID
+ )
+{
+ EFI_MEMORY_ACCEPT_PROTOCOL *AcceptMemory;
+ EFI_STATUS Status;
+
+ // No need to accept anything. Unaccepted memory is enabled.
+ if (PcdGetBool(PcdEnableUnacceptedMemory)) {
+ return EFI_SUCCESS;
+ }
+
+ Status = gBS->LocateProtocol (&gEfiMemoryAcceptProtocolGuid, NULL,
+ (VOID **)&AcceptMemory);
+ if (Status == EFI_NOT_FOUND) {
+ return EFI_SUCCESS;
+ }
+ if (Status != EFI_SUCCESS) {
+ DEBUG ((DEBUG_ERROR, "Error locating MemoryAcceptProtocol: %d\n", Status));
+ return Status;
+ }
+
+ return AcceptAllUnacceptedMemory(AcceptMemory);
+}
+
 /**
 Make sure the memory map is following all the construction rules,
 it is the last time to check memory map error before exit boot services.
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -XXX,XX +XXX,XX @@
 # @Prompt The shared bit mask when Intel Tdx is enabled.
 gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0|UINT64|0x10000025
 
+ ## Indicates if the memory map may include unaccepted memory after ExitBootServices(). 
+ # TRUE - The memory map may include unaccepted memory after ExitBootServices(). 
+ # FALSE - The memory map may not include unaccepted memory after ExitBootServices(). 
+ # @Prompt Support unaccepted memory type.
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE|BOOLEAN|0x10000026
+
 [PcdsPatchableInModule]
 ## Specify memory size with page number for PEI code when
 # Loading Module at Fixed Address feature is enabled.
diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/MdeModulePkg.uni
+++ b/MdeModulePkg/MdeModulePkg.uni
@@ -XXX,XX +XXX,XX @@
 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdPcieResizableBarSupport_HELP #language en-US "Indicates if the PCIe Resizable BAR Capability Supported. \n"
 "TRUE - PCIe Resizable BAR Capability is supported. \n"
 "FALSE - PCIe Resizable BAR Capability is not supported. "
+
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdEnableUnacceptedMemory_PROMPT #language en-US "Support unaccepted memory type"
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdEnableUnacceptedMemory_HELP #language en-US "Indicates if the memory map may include unaccepted memory "
+ "after ExitBootServices(). \n"
+ "TRUE - The memory map may include unaccepted memory after ExitBootServices(). \n"
+ "FALSE - The memory map may not include unaccepted memory after ExitBootServices(). \n"
diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -XXX,XX +XXX,XX @@
 
 # Set ConfidentialComputing defaults
 gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
 
 !include OvmfPkg/OvmfTpmPcds.dsc.inc
 
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -XXX,XX +XXX,XX @@
 # Set Tdx shared bit mask
 gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
 # MdeModulePkg resolution sets up the system display resolution
diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
+++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
@@ -XXX,XX +XXX,XX @@
 # Set Tdx shared bit mask
 gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
 # Set SEV-ES defaults
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -XXX,XX +XXX,XX @@
 # Set Tdx shared bit mask
 gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
 # Set SEV-ES defaults
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -XXX,XX +XXX,XX @@
 gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
 # Set SEV-ES defaults
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -XXX,XX +XXX,XX @@
 # Set Tdx shared bit mask
 gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
 # Set SEV-ES defaults
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0
 gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -XXX,XX +XXX,XX @@
 # Set Tdx shared bit mask
 gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask|0x0
 
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory|FALSE
+
 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00
 
 ################################################################################
-- 
2.37.3.998.g577e59143f-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94137): https://edk2.groups.io/g/devel/message/94137
Mute This Topic: https://groups.io/mt/93857645/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Add a simple protocol that enables the use of the unaccepted memory
type. Must be called before ExitBootServices to be effective.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Ard Biesheuvel <ardb@kernel.org>

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 MdeModulePkg/Core/Dxe/DxeMain.h | 22 ++++++++++++++++
 MdeModulePkg/Core/Dxe/DxeMain.inf | 3 ++-
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 5 ++++
 MdeModulePkg/Core/Dxe/Mem/Page.c | 35 +++++++++++++++++++++++++
 MdeModulePkg/MdeModulePkg.dec | 3 +++
 5 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/Dxe/DxeMain.h b/MdeModulePkg/Core/Dxe/DxeMain.h
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain.h
+++ b/MdeModulePkg/Core/Dxe/DxeMain.h
@@ -XXX,XX +XXX,XX @@ CoreResolveUnacceptedMemory (
   VOID
   );
 
+
+typedef struct _ENABLE_UNACCEPTED_MEMORY_PROTOCOL
+    ENABLE_UNACCEPTED_MEMORY_PROTOCOL;
+
+typedef EFI_STATUS (EFIAPI *ENABLE_UNACCEPTED_MEMORY)(
+  IN ENABLE_UNACCEPTED_MEMORY_PROTOCOL *
+  );
+
+struct _ENABLE_UNACCEPTED_MEMORY_PROTOCOL {
+  ENABLE_UNACCEPTED_MEMORY Enable;
+};
+
+extern EFI_GUID gEnableUnacceptedMemoryProtocolGuid;
+
+/**
+   Implement the protocol for enabling unaccepted memory.
+ **/
+VOID
+InstallEnableUnacceptedMemoryProtocol (
+  VOID
+  );
+
 /**
   Install MemoryAttributesTable on memory allocation.
 
diff --git a/MdeModulePkg/Core/Dxe/DxeMain.inf b/MdeModulePkg/Core/Dxe/DxeMain.inf
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain.inf
+++ b/MdeModulePkg/Core/Dxe/DxeMain.inf
@@ -XXX,XX +XXX,XX @@
   gEfiMemoryAttributesTableGuid                 ## SOMETIMES_PRODUCES   ## SystemTable
   gEfiEndOfDxeEventGroupGuid                    ## SOMETIMES_CONSUMES   ## Event
   gEfiHobMemoryAllocStackGuid                   ## SOMETIMES_CONSUMES   ## SystemTable
+  gEnableUnacceptedMemoryProtocolGuid           ## PRODUCES             ## GUID # Install protocol
 
 [Ppis]
   gEfiVectorHandoffInfoPpiGuid                  ## UNDEFINED # HOB
@@ -XXX,XX +XXX,XX @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask                   ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard                           ## CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdFwVolDxeMaxEncapsulationDepth           ## CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory                  ## CONSUMES
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableUnacceptedMemory                  ## CONSUMES ## SOMETIMES_PRODUCES
 
 # [Hob]
 # RESOURCE_DESCRIPTOR   ## CONSUMES
diff --git a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
+++ b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
@@ -XXX,XX +XXX,XX @@ DxeMain (
   Status = CoreInstallConfigurationTable (&gEfiMemoryTypeInformationGuid, &gMemoryTypeInformation);
   ASSERT_EFI_ERROR (Status);
 
+  //
+  // Install unaccepted memory configuration protocol
+  //
+  InstallEnableUnacceptedMemoryProtocol();
+
   //
   // If Loading modules At fixed address feature is enabled, install Load moduels at fixed address
   // Configuration Table so that user could easily to retrieve the top address to load Dxe and PEI
diff --git a/MdeModulePkg/Core/Dxe/Mem/Page.c b/MdeModulePkg/Core/Dxe/Mem/Page.c
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/Mem/Page.c
+++ b/MdeModulePkg/Core/Dxe/Mem/Page.c
@@ -XXX,XX +XXX,XX @@ EFI_MEMORY_TYPE_INFORMATION  gMemoryTypeInformation[EfiMaxMemoryType + 1] = {
 //
 GLOBAL_REMOVE_IF_UNREFERENCED   BOOLEAN  gLoadFixedAddressCodeMemoryReady = FALSE;
 
+EFI_STATUS EFIAPI CoreEnableUnacceptedMemory(IN ENABLE_UNACCEPTED_MEMORY_PROTOCOL *);
+
+struct {
+  ENABLE_UNACCEPTED_MEMORY enable;
+} mEnableUnacceptedMemoryProtocol = {
+  CoreEnableUnacceptedMemory,
+};
+
 /**
   Enter critical section by gaining lock on gMemoryLock.
 
@@ -XXX,XX +XXX,XX @@ CoreResolveUnacceptedMemory (
   return AcceptAllUnacceptedMemory(AcceptMemory);
 }
 
+EFI_STATUS
+EFIAPI
+CoreEnableUnacceptedMemory (
+  IN ENABLE_UNACCEPTED_MEMORY_PROTOCOL *This
+  )
+{
+  return PcdSetBoolS(PcdEnableUnacceptedMemory, TRUE);
+}
+
+VOID
+InstallEnableUnacceptedMemoryProtocol (
+  VOID
+  )
+{
+  EFI_HANDLE  Handle;
+  EFI_STATUS  Status;
+
+  Handle = NULL;
+  Status = CoreInstallMultipleProtocolInterfaces (
+             &Handle,
+             &gEnableUnacceptedMemoryProtocolGuid,
+             &mEnableUnacceptedMemoryProtocol,
+             NULL
+             );
+  ASSERT_EFI_ERROR (Status);
+}
+
 /**
   Make sure the memory map is following all the construction rules,
   it is the last time to check memory map error before exit boot services.
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -XXX,XX +XXX,XX @@
   gEdkiiPerformanceMeasurementProtocolGuid      = { 0xc85d06be, 0x5f75, 0x48ce, { 0xa8, 0x0f, 0x12, 0x36, 0xba, 0x3b, 0x87, 0xb1 } }
   gEdkiiSmmPerformanceMeasurementProtocolGuid   = { 0xd56b6d73, 0x1a7b, 0x4015, { 0x9b, 0xb4, 0x7b, 0x07, 0x17, 0x29, 0xed, 0x24 } }
 
+  ## Bootloader protocol Guid for enabling unaccepted memory support.
+  gEnableUnacceptedMemoryProtocolGuid = { 0xc5a010fe, 0x38a7, 0x4531, { 0x8a, 0x4a, 0x05, 0x00, 0xd2, 0xfd, 0x16, 0x49 } }
+
   ## Guid is defined for CRC32 encapsulation scheme.
   #  Include/Guid/Crc32GuidedSectionExtraction.h
   gEfiCrc32GuidedSectionExtractionGuid = { 0xFC1BCDB0, 0x7D31, 0x49aa, {0x93, 0x6A, 0xA4, 0x60, 0x0D, 0x9D, 0xD0, 0x83 } }
-- 
2.37.3.998.g577e59143f-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94141): https://edk2.groups.io/g/devel/message/94141
Mute This Topic: https://groups.io/mt/93857649/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

These seven patches build on the lazy-accept patch series

"Introduce Lazy-accept for Tdx guest"

by adding SEV-SNP support for the MemoryAccept protocol, and
importantly making eager memory acceptance the default behavior.

We add a new protocol, ExitBootServicesCallbackProtocol, with a single
interface: TerminateMemoryMapPrehook(). We invoke all prehooks in
CoreExitBootServices after disabling the timer and before
TerminateMemoryMap. This gives hooks the chance to change the memory
map and cause ExitBootServices to fail with EFI_INVALID_PARAMETER.
The failure is specified to require the caller to update their view
of the MemoryMap and call ExitBootServices again.

To make use of this new protocol, we add a new driver that is meant to
carry behavior that is needed for all confidential compute technologies,
not just specific platforms, CocoDxe. In CocoDxe we implement the
default safe behavior to accept all unaccepted memory and invalidate
the MemoryMap on ExitBootServices.

To allow the OS loader to prevent the eager acceptance, add another
protocol, up for standardization, AcceptAllUnacceptedMemoryProtocol.
This protocol has one interface, Disable(). The OS loader can inform the
UEFI that it supports the unaccepted memory type and accepts the
responsibility to accept it.

All images that support unaccepted memory must now locate and call this
new BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL and call the Disable
function.

Changes since v4:
 - Commit message wording
 - Replaced direct change to DxeMain with a more generic callback
   protocol.
 - Implemented the direct change as an instance of the callback protocol
   from a new CocoDxe driver.
 - Replaced "enable" protocol with a "disable" protocol, since the name
   was confusing. The AcceptAllUnacceptedMemory protocol directly names
   the behavior that is disabling.

Changes since v3:
 - "DxeMain accepts all memory" patch split into 3 to make each patch
   affect only one package at a time.

Changes since v2:
 - Removed the redundant memory accept interface and added the accept
   behavior to the DXE implementation of
   MemEncryptSevSnpPreValidateSystemRam.
 - Fixed missing #include in >=4GB patch.

Changes since v1:
 - Added a patch to classify SEV-SNP memory above 4GB unaccepted.
 - Fixed style problems in EfiMemoryAcceptProtocol implementation.

Cc: Ard Biescheuvel <ardb@kernel.org>
Cc: "Min M. Xu" <min.m.xu@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Tom Lendacky <Thomas.Lendacky@amd.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Andrew Fish <afish@apple.com>
Cc: "Michael D. Kinney" <michael.d.kinney@intel.com>

Dionna Glaze (7):
  OvmfPkg: Realize EfiMemoryAcceptProtocol in AmdSevDxe
  MdePkg: Introduce ExitBootServicesCallbackProtocol
  MdeModulePkg: Invoke all ExitBootServicesCallback instances at
    ExitBootServices
  OvmfPkg: Introduce CocoDxe driver
  MdePkg: Introduce the AcceptAllUnacceptedMemory protocol
  OvmfPkg: Implement AcceptAllUnacceptedMemory in CocoDxe
  OvmfPkg/PlatformPei: SEV-SNP make >=4GB unaccepted

MdeModulePkg/Core/Dxe/DxeMain.inf                                  |   1 +
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c                            |  62 +++++++
 MdePkg/Include/Protocol/AcceptAllUnacceptedMemory.h                |  40 +++++
 MdePkg/Include/Protocol/ExitBootServicesCallback.h                 |  38 +++++
 MdePkg/MdePkg.dec                                                  |   6 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                                       |   1 +
 OvmfPkg/AmdSev/AmdSevX64.fdf                                       |   1 +
 OvmfPkg/AmdSevDxe/AmdSevDxe.c                                      |  57 ++++++-
 OvmfPkg/AmdSevDxe/AmdSevDxe.inf                                    |   3 +
 OvmfPkg/CocoDxe/CocoDxe.c                                          | 174 ++++++++++++++++++++
 OvmfPkg/CocoDxe/CocoDxe.inf                                        |  44 +++++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                                   |   1 +
 OvmfPkg/IntelTdx/IntelTdxX64.fdf                                   |   1 +
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c |  24 ++-
 OvmfPkg/OvmfPkgIa32X64.dsc                                         |   1 +
 OvmfPkg/OvmfPkgIa32X64.fdf                                         |   1 +
 OvmfPkg/OvmfPkgX64.dsc                                             |   1 +
 OvmfPkg/OvmfPkgX64.fdf                                             |   1 +
 OvmfPkg/PlatformPei/AmdSev.c                                       |   5 +
 19 files changed, 454 insertions(+), 8 deletions(-)
 create mode 100644 MdePkg/Include/Protocol/AcceptAllUnacceptedMemory.h
 create mode 100644 MdePkg/Include/Protocol/ExitBootServicesCallback.h
 create mode 100644 OvmfPkg/CocoDxe/CocoDxe.c
 create mode 100644 OvmfPkg/CocoDxe/CocoDxe.inf

-- 
2.38.0.rc1.362.ged0d419d3c-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94600): https://edk2.groups.io/g/devel/message/94600
Mute This Topic: https://groups.io/mt/94028457/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

From: Sophia Wolf <phiawolf@google.com>

When a guest OS does not support unaccepted memory, the unaccepted
memory must be accepted before returning a memory map to the caller.

EfiMemoryAcceptProtocol is defined in MdePkg and is implemented /
Installed in AmdSevDxe for AMD SEV-SNP memory acceptance.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 OvmfPkg/AmdSevDxe/AmdSevDxe.c | 57 ++++++++++++++++++--
 OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 3 ++
 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c | 24 +++++++--
 3 files changed, 76 insertions(+), 8 deletions(-)

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94601): https://edk2.groups.io/g/devel/message/94601
Mute This Topic: https://groups.io/mt/94028458/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

This introduces a callback after the time that the timer is disabled and before
the MemoryMap is finalized.

This callback is useful to make final changes to the memory map due to protocols
initiated (or not initiated) by the OS loader.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: "Min M. Xu" <min.m.xu@intel.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Andrew Fish <afish@apple.com>
Cc: "Michael D. Kinney" <michael.d.kinney@intel.com>

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 MdePkg/Include/Protocol/ExitBootServicesCallback.h | 38 ++++++++++++++++++++
 MdePkg/MdePkg.dec | 3 ++
 2 files changed, 41 insertions(+)

diff --git a/MdePkg/Include/Protocol/ExitBootServicesCallback.h b/MdePkg/Include/Protocol/ExitBootServicesCallback.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/MdePkg/Include/Protocol/ExitBootServicesCallback.h
@@ -XXX,XX +XXX,XX @@
+/** @file
+ The file provides the protocol that allows callbacks in ExitBootServices
+ immediately before TerminateMemoryMap.
+
+ Copyright (c) 2022, Google LLC. All rights reserved. 
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#ifndef EXIT_BOOT_SERVICES_CALLBACK_H_
+#define EXIT_BOOT_SERVICES_CALLBACK_H_
+
+/* This protocol is internal to EDK2 only */
+
+#define EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL_GUID {0xf5684799, 0x9a33, 0x40f7, {0xa1, 0x5c, 0x10, 0x8e, 0x0e, 0x6b, 0x45, 0x25}}
+
+typedef struct _EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL
+ EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL;
+
+/**
+ @param This A pointer to a EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_TERMINATE_MEMORY_MAP_PREHOOK)(
+ IN EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL *This
+ );
+
+///
+/// The EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL allows callbacks in
+/// ExitBootServices immediately before TerminateMemoryMap.
+///
+struct _EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL {
+ EDKII_TERMINATE_MEMORY_MAP_PREHOOK TerminateMemoryMapPrehook;
+ BOOLEAN Disabled;
+};
+
+extern EFI_GUID gEdkiiExitBootServicesCallbackProtocolGuid;
+
+#endif
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index XXXXXXX..XXXXXXX 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -XXX,XX +XXX,XX @@
 gEfiPeiDelayedDispatchPpiGuid = { 0x869c711d, 0x649c, 0x44fe, { 0x8b, 0x9e, 0x2c, 0xbb, 0x29, 0x11, 0xc3, 0xe6 }}
 
 [Protocols]
+ ## Include/Protocol/ExitBootServicesCallback.h
+ gEdkiiExitBootServicesCallbackProtocolGuid = { 0xf5684799, 0x9a33, 0x40f7, {0xa1, 0x5c, 0x10, 0x8e, 0x0e, 0x6b, 0x45, 0x25 }}
+
 ## Include/Protocol/MemoryAccept.h
 gEfiMemoryAcceptProtocolGuid = { 0x38c74800, 0x5590, 0x4db4, { 0xa0, 0xf3, 0x67, 0x5d, 0x9b, 0x8e, 0x80, 0x26 }}
 
-- 
2.38.0.rc1.362.ged0d419d3c-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94602): https://edk2.groups.io/g/devel/message/94602
Mute This Topic: https://groups.io/mt/94028459/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

The protocol's intent is to allow drivers to install callbacks that can
modify the memory map at ExitBootServices time, so that any changes will
lead to the EFI_INVALID_PARAMETER error. This error is specified to require
the EBS caller to call GetMemoryMap again if it already had.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: "Min M. Xu" <min.m.xu@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: "Michael D. Kinney" <michael.d.kinney@intel.com>

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 MdeModulePkg/Core/Dxe/DxeMain.inf | 1 +
 MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c | 62 ++++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/MdeModulePkg/Core/Dxe/DxeMain.inf b/MdeModulePkg/Core/Dxe/DxeMain.inf
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain.inf
+++ b/MdeModulePkg/Core/Dxe/DxeMain.inf
@@ -XXX,XX +XXX,XX @@
 gEfiHiiPackageListProtocolGuid ## SOMETIMES_PRODUCES
 gEfiSmmBase2ProtocolGuid ## SOMETIMES_CONSUMES
 gEdkiiPeCoffImageEmulatorProtocolGuid ## SOMETIMES_CONSUMES
+ gEdkiiExitBootServicesCallbackProtocolGuid ## CONSUMES
 
 # Arch Protocols
 gEfiBdsArchProtocolGuid ## CONSUMES
diff --git a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
index XXXXXXX..XXXXXXX 100644
--- a/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
+++ b/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c
@@ -XXX,XX +XXX,XX @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 
+#include <Protocol/ExitBootServicesCallback.h>
 #include "DxeMain.h"
 
 //
@@ -XXX,XX +XXX,XX @@ CalculateEfiHdrCrc (
 Hdr->CRC32 = Crc;
 }
 
+/**
+ Invokes TerminateMemoryMapPrehook from every instance of the
+ EdkiiExitBootServicesProtocol.
+**/
+STATIC
+EFI_STATUS
+InvokeTerminateMemoryMapPrehooks (
+ VOID
+ )
+{
+ UINTN NoHandles;
+ UINTN Index;
+ EFI_HANDLE *HandleBuffer;
+ EFI_STATUS Status;
+ EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL *Callback;
+
+ Status = gBS->LocateHandleBuffer (
+ ByProtocol,
+ &gEdkiiExitBootServicesCallbackProtocolGuid,
+ NULL,
+ &NoHandles,
+ &HandleBuffer
+ );
+ if (EFI_ERROR (Status) && NoHandles == 0) {
+ return Status;
+ }
+
+ for (Index = 0; Index < NoHandles; Index++) {
+ Status = gBS->HandleProtocol (
+ HandleBuffer[Index],
+ &gEdkiiExitBootServicesCallbackProtocolGuid,
+ (VOID **)&Callback
+ );
+ if (EFI_ERROR (Status)) {
+ continue;
+ }
+
+ Status = Callback->TerminateMemoryMapPrehook(Callback);
+ if (EFI_ERROR (Status) || Status == EFI_WARN_STALE_DATA) {
+ goto done;
+ }
+ }
+
+done:
+ FreePool(HandleBuffer);
+ return Status;
+}
+
 /**
 Terminates all boot services.
 
@@ -XXX,XX +XXX,XX @@ CoreExitBootServices (
 //
 gTimer->SetTimerPeriod (gTimer, 0);
 
+ //
+ // Invoke all protocols installed for ExitBootServices prior to
+ // CoreTerminateMemoryMap.
+ //
+ Status = InvokeTerminateMemoryMapPrehooks();
+ if (EFI_ERROR (Status)) {
+ //
+ // Notify other drivers that ExitBootServices failed
+ //
+ CoreNotifySignalList (&gEventExitBootServicesFailedGuid);
+ return Status;
+ }
+
 //
 // Terminate memory services if the MapKey matches
 //
-- 
2.38.0.rc1.362.ged0d419d3c-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94603): https://edk2.groups.io/g/devel/message/94603
Mute This Topic: https://groups.io/mt/94028462/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

This driver is meant as a join point for all Confidential Compute
technologies to put shared behavior that doesn't belong anywhere else.

The first behavior added here is to accept all unaccepted memory at
ExitBootServices if the protocol is not disabled. This allows safe
upgrades for OS loaders to affirm their support for the unaccepted
memory type.

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -XXX,XX +XXX,XX @@
 <LibraryClasses>
 PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf
 }
+ OvmfPkg/CocoDxe/CocoDxe.inf
 OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 #
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -XXX,XX +XXX,XX @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF OvmfPkg/PlatformDxe/Platform.inf
 INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+INF OvmfPkg/CocoDxe/CocoDxe.inf
 INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 
diff --git a/OvmfPkg/CocoDxe/CocoDxe.c b/OvmfPkg/CocoDxe/CocoDxe.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/OvmfPkg/CocoDxe/CocoDxe.c
@@ -XXX,XX +XXX,XX @@
+/** @file
+
+ Confidential Compute Dxe driver. This driver installs protocols that are
+ generic over confidential compute techonology.
+
+ Copyright (c) 2022, Google LLC. All rights reserved. 
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/DxeServicesTableLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/MemEncryptSevLib.h>
+#include <Library/MemEncryptTdxLib.h>
+#include <Protocol/ExitBootServicesCallback.h>
+#include <Protocol/MemoryAccept.h>
+
+STATIC EFI_HANDLE mCocoDxeHandle = NULL;
+
+STATIC
+EFI_STATUS
+AcceptAllUnacceptedMemory (
+ IN EFI_MEMORY_ACCEPT_PROTOCOL *AcceptMemory
+ )
+{
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
+ UINTN NumEntries;
+ UINTN Index;
+ EFI_STATUS Status;
+ BOOLEAN AcceptedAny;
+
+ DEBUG ((DEBUG_INFO, "Accepting all memory\n"));
+ AcceptedAny = FALSE;
+ /*
+ * Get a copy of the memory space map to iterate over while
+ * changing the map.
+ */
+ Status = gDS->GetMemorySpaceMap (&NumEntries, &AllDescMap);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ for (Index = 0; Index < NumEntries; Index++) {
+ CONST EFI_GCD_MEMORY_SPACE_DESCRIPTOR *Desc;
+
+ Desc = &AllDescMap[Index];
+ if (Desc->GcdMemoryType != EfiGcdMemoryTypeUnaccepted) {
+ continue;
+ }
+
+ Status = AcceptMemory->AcceptMemory (
+ AcceptMemory,
+ Desc->BaseAddress,
+ Desc->Length
+ );
+ if (EFI_ERROR(Status)) {
+ goto done;
+ }
+
+ Status = gDS->RemoveMemorySpace(Desc->BaseAddress, Desc->Length);
+ if (EFI_ERROR(Status)) {
+ goto done;
+ }
+
+ Status = gDS->AddMemorySpace (
+ EfiGcdMemoryTypeSystemMemory,
+ Desc->BaseAddress,
+ Desc->Length,
+ EFI_MEMORY_CPU_CRYPTO | EFI_MEMORY_XP | EFI_MEMORY_RO | EFI_MEMORY_RP
+ );
+ if (EFI_ERROR(Status)) {
+ goto done;
+ }
+
+ AcceptedAny = TRUE;
+ }
+
+ // If any memory is accepted, cause ExitBootServices to fail with
+ // EFI_INVALID_PARAMETER in order to force the caller to refresh
+ // their view of the MemoryMap.
+ if (AcceptedAny) {
+ Status = EFI_INVALID_PARAMETER;
+ }
+
+done:
+ gBS->FreePool (AllDescMap);
+ return Status;
+}
+
+EFI_STATUS
+EFIAPI
+ResolveUnacceptedMemory (
+ IN EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL *This
+ )
+{
+ EFI_MEMORY_ACCEPT_PROTOCOL *AcceptMemory;
+ EFI_STATUS Status;
+
+ if (This->Disabled) {
+ return EFI_SUCCESS;
+ }
+
+ Status = gBS->LocateProtocol (&gEfiMemoryAcceptProtocolGuid, NULL,
+ (VOID **)&AcceptMemory);
+ if (Status == EFI_NOT_FOUND) {
+ return EFI_SUCCESS;
+ }
+ ASSERT_EFI_ERROR (Status);
+
+ return AcceptAllUnacceptedMemory(AcceptMemory);
+}
+
+STATIC EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL mExitBootServicesCallbackProcotol = {
+ ResolveUnacceptedMemory,
+ FALSE,
+};
+
+EFI_STATUS
+EFIAPI
+CocoDxeEntryPoint (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+
+ //
+ // Do nothing when confidential compute technologies that require memory
+ // acceptance are not enabled.
+ //
+ if (!MemEncryptSevSnpIsEnabled () &&
+ !MemEncryptTdxIsEnabled ()) {
+ return EFI_UNSUPPORTED;
+ }
+
+ Status = gBS->InstallProtocolInterface (&mCocoDxeHandle,
+ &gEdkiiExitBootServicesCallbackProtocolGuid,
+ EFI_NATIVE_INTERFACE,
+ &mExitBootServicesCallbackProcotol
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Install EdkiiExitBootServicesCallbackProtocol failed.\n"));
+ }
+
+ return EFI_SUCCESS;
+}
diff --git a/OvmfPkg/CocoDxe/CocoDxe.inf b/OvmfPkg/CocoDxe/CocoDxe.inf
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/OvmfPkg/CocoDxe/CocoDxe.inf
@@ -XXX,XX +XXX,XX @@
+#/** @file
+#
+# Driver installs shared protocols needed for confidential compute
+# technologies.
+#
+# Copyright (c) 2022, Google LLC. All rights reserved. 
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+#**/
+
+[Defines]
+ INF_VERSION = 1.25
+ BASE_NAME = CocoDxe
+ FILE_GUID = 08162f1e-5147-4d3e-b5a9-fa48c9808419
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = CocoDxeEntryPoint
+
+[Sources]
+ CocoDxe.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ DxeServicesTableLib
+ MemEncryptSevLib
+ MemEncryptTdxLib
+ MemoryAllocationLib
+ UefiDriverEntryPoint
+
+[Depex]
+ TRUE
+
+[Protocols]
+ gEdkiiExitBootServicesCallbackProtocolGuid
+ gEfiMemoryAcceptProtocolGuid
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
@@ -XXX,XX +XXX,XX @@
 OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 OvmfPkg/TdxDxe/TdxDxe.inf
+ OvmfPkg/CocoDxe/CocoDxe.inf
 
 #
 # Variable driver stack (non-SMM)
diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
@@ -XXX,XX +XXX,XX @@ INF ShellPkg/Application/Shell/Shell.inf
 INF MdeModulePkg/Logo/LogoDxe.inf
 
 INF OvmfPkg/TdxDxe/TdxDxe.inf
+INF OvmfPkg/CocoDxe/CocoDxe.inf
 
 #
 # Usb Support
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -XXX,XX +XXX,XX @@
 <LibraryClasses>
 PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf
 }
+ OvmfPkg/CocoDxe/CocoDxe.inf
 OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -XXX,XX +XXX,XX @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF OvmfPkg/PlatformDxe/Platform.inf
 INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+INF OvmfPkg/CocoDxe/CocoDxe.inf
 INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -XXX,XX +XXX,XX @@
 OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 OvmfPkg/TdxDxe/TdxDxe.inf
+ OvmfPkg/CocoDxe/CocoDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
 OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -XXX,XX +XXX,XX @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF OvmfPkg/PlatformDxe/Platform.inf
 INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+INF OvmfPkg/CocoDxe/CocoDxe.inf
 INF OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
-- 
2.38.0.rc1.362.ged0d419d3c-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94604): https://edk2.groups.io/g/devel/message/94604
Mute This Topic: https://groups.io/mt/94028463/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

The default behavior for unaccepted memory is to accept all memory
when ExitBootServices is called. An OS loader can use this protocol to
Disable this behavior to assume responsibility for memory acceptance and
to affirm that the OS can handle the unaccepted memory type.

This is a candidate for standardization.

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 MdePkg/Include/Protocol/AcceptAllUnacceptedMemory.h | 40 ++++++++++++++++++++
 MdePkg/MdePkg.dec | 5 ++-
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/MdePkg/Include/Protocol/AcceptAllUnacceptedMemory.h b/MdePkg/Include/Protocol/AcceptAllUnacceptedMemory.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/MdePkg/Include/Protocol/AcceptAllUnacceptedMemory.h
@@ -XXX,XX +XXX,XX @@
+/** @file
+ The file provides the protocol that disables the behavior that all memory
+ gets accepted at ExitBootServices(). This protocol is only meant to be called
+ by the OS loader, and not EDK2 itself.
+
+ Copyright (c) 2022, Google LLC. All rights reserved. 
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#ifndef _ACCEPT_ALL_UNACCEPTED_MEMORY_H_
+#define _ACCEPT_ALL_UNACCEPTED_MEMORY_H_
+
+#define BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL_GUID \
+ {0xc5a010fe, \
+ 0x38a7, \
+ 0x4531, \
+ {0x8a, 0x4a, 0x05, 0x00, 0xd2, 0xfd, 0x16, 0x49}}
+
+typedef struct _BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL
+ BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL;
+
+/**
+ @param This A pointer to a BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *BZ3987_DISABLE_ACCEPT_ALL_UNACCEPTED_MEMORY)(
+ IN BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL *This
+ );
+
+///
+/// The BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL allows the OS loader to
+/// indicate to EDK2 that ExitBootServices should not accept all memory.
+///
+struct _BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL {
+ BZ3987_DISABLE_ACCEPT_ALL_UNACCEPTED_MEMORY Disable;
+};
+
+extern EFI_GUID gBz3987AcceptAllUnacceptedMemoryProtocolGuid;
+
+#endif
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index XXXXXXX..XXXXXXX 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -XXX,XX +XXX,XX @@
 gEfiPeiDelayedDispatchPpiGuid = { 0x869c711d, 0x649c, 0x44fe, { 0x8b, 0x9e, 0x2c, 0xbb, 0x29, 0x11, 0xc3, 0xe6 }}
 
 [Protocols]
+ ## Include/Protocol/AcceptAllUnacceptedMemory.h
+ gBz3987AcceptAllUnacceptedMemoryProtocolGuid = { 0xc5a010fe, 0x38a7, 0x4531, {0x8a, 0x4a, 0x05, 0x00, 0xd2, 0xfd, 0x16, 0x49 }}
+
 ## Include/Protocol/ExitBootServicesCallback.h
- gEdkiiExitBootServicesCallbackProtocolGuid = { 0xf5684799, 0x9a33, 0x40f7, {0xa1, 0x5c, 0x10, 0x8e, 0x0e, 0x6b, 0x45, 0x25 }}
+ gEdkiiExitBootServicesCallbackProtocolGuid = { 0xf5684799, 0x9a33, 0x40f7, {0xa1, 0x5c, 0x10, 0x8e, 0x0e, 0x6b, 0x45, 0x25 }}
 
 ## Include/Protocol/MemoryAccept.h
 gEfiMemoryAcceptProtocolGuid = { 0x38c74800, 0x5590, 0x4db4, { 0xa0, 0xf3, 0x67, 0x5d, 0x9b, 0x8e, 0x80, 0x26 }}
-- 
2.38.0.rc1.362.ged0d419d3c-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94605): https://edk2.groups.io/g/devel/message/94605
Mute This Topic: https://groups.io/mt/94028465/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

This protocol implementation disables the accept-all-memory behavior
of the ExitBootServicesCallback instance thise driver adds.

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 OvmfPkg/CocoDxe/CocoDxe.c | 25 ++++++++++++++++++++
 OvmfPkg/CocoDxe/CocoDxe.inf | 1 +
 2 files changed, 26 insertions(+)

diff --git a/OvmfPkg/CocoDxe/CocoDxe.c b/OvmfPkg/CocoDxe/CocoDxe.c
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/CocoDxe/CocoDxe.c
+++ b/OvmfPkg/CocoDxe/CocoDxe.c
@@ -XXX,XX +XXX,XX @@
 #include <Library/UefiBootServicesTableLib.h>
 #include <Library/MemEncryptSevLib.h>
 #include <Library/MemEncryptTdxLib.h>
+#include <Protocol/AcceptAllUnacceptedMemory.h>
 #include <Protocol/ExitBootServicesCallback.h>
 #include <Protocol/MemoryAccept.h>
 
@@ -XXX,XX +XXX,XX @@ STATIC EDKII_EXIT_BOOT_SERVICES_CALLBACK_PROTOCOL mExitBootServicesCallbackProco
 FALSE,
 };
 
+STATIC
+EFI_STATUS
+EFIAPI
+DisableAcceptAllUnacceptedMemory (
+ IN BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL *This
+ )
+{
+ mExitBootServicesCallbackProcotol.Disabled = TRUE;
+ return EFI_SUCCESS;
+}
+
+STATIC
+BZ3987_ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL
+mAcceptAllUnacceptedMemoryProtocol = {DisableAcceptAllUnacceptedMemory};
+
 EFI_STATUS
 EFIAPI
 CocoDxeEntryPoint (
@@ -XXX,XX +XXX,XX @@ CocoDxeEntryPoint (
 DEBUG ((DEBUG_ERROR, "Install EdkiiExitBootServicesCallbackProtocol failed.\n"));
 }
 
+ Status = gBS->InstallProtocolInterface (&mCocoDxeHandle,
+ &gBz3987AcceptAllUnacceptedMemoryProtocolGuid,
+ EFI_NATIVE_INTERFACE,
+ &mAcceptAllUnacceptedMemoryProtocol
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Install Bz3987AcceptAllUnacceptedMemoryProtocol failed.\n"));
+ }
+
 return EFI_SUCCESS;
 }
diff --git a/OvmfPkg/CocoDxe/CocoDxe.inf b/OvmfPkg/CocoDxe/CocoDxe.inf
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/CocoDxe/CocoDxe.inf
+++ b/OvmfPkg/CocoDxe/CocoDxe.inf
@@ -XXX,XX +XXX,XX @@
 TRUE
 
 [Protocols]
+ gBz3987AcceptAllUnacceptedMemoryProtocolGuid
 gEdkiiExitBootServicesCallbackProtocolGuid
 gEfiMemoryAcceptProtocolGuid
-- 
2.38.0.rc1.362.ged0d419d3c-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94606): https://edk2.groups.io/g/devel/message/94606
Mute This Topic: https://groups.io/mt/94028466/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Instead of eagerly accepting all memory in PEI, only accept memory under
the 4GB address. This allows a loaded image to use the
ACCEPT_ALL_UNACCEPTED_MEMORY_PROTOCOL to disable the accept behavior and
indicate that it can interpret the memory type accordingly.

This classification is safe since ExitBootServices will accept and
reclassify the memory as conventional if the disable protocol is not
used.

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
---
 OvmfPkg/PlatformPei/AmdSev.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index XXXXXXX..XXXXXXX 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -XXX,XX +XXX,XX @@
 #include <Library/MemEncryptSevLib.h>
 #include <Library/MemoryAllocationLib.h>
 #include <Library/PcdLib.h>
+#include <Pi/PrePiHob.h>
 #include <PiPei.h>
 #include <Register/Amd/Msr.h>
 #include <Register/Intel/SmramSaveStateMap.h>
@@ -XXX,XX +XXX,XX @@ AmdSevSnpInitialize (
 for (Hob.Raw = GetHobList (); !END_OF_HOB_LIST (Hob); Hob.Raw = GET_NEXT_HOB (Hob)) {
 if ((Hob.Raw != NULL) && (GET_HOB_TYPE (Hob) == EFI_HOB_TYPE_RESOURCE_DESCRIPTOR)) {
 ResourceHob = Hob.ResourceDescriptor;
+ if (ResourceHob->PhysicalStart >= SIZE_4GB) {
+ ResourceHob->ResourceType = EFI_RESOURCE_MEMORY_UNACCEPTED;
+ continue;
+ }
 
 if (ResourceHob->ResourceType == EFI_RESOURCE_SYSTEM_MEMORY) {
 MemEncryptSevSnpPreValidateSystemRam (
-- 
2.38.0.rc1.362.ged0d419d3c-goog

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#94607): https://edk2.groups.io/g/devel/message/94607
Mute This Topic: https://groups.io/mt/94028467/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-