From: "Ni, Ray" To: devel@edk2.groups.io Cc: Michael D Kinney , Liming Gao , Zhiguang Liu Subject: [edk2-devel] [PATCH 1/6] MdePkg: Add TME-MK related CPUID and MSR definitions Date: Wed, 22 Mar 2023 07:56:45 +0800 Message-Id: <20230321235650.675-2-ray.ni@intel.com> In-Reply-To: <20230321235650.675-1-ray.ni@intel.com> References: <20230321235650.675-1-ray.ni@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,ray.ni@intel.com X-Gm-Message-State: Dvtd6mtlbtFHJcu3aTiSzzO4x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1679443024; bh=BGvCha8X15X/QpjX1XCEX4eCTdJshv8ZLpw7iNiiA9g=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=Q7NqtPvtysKIIu8SYZl/hoH3CXBKYH+XxE6SOjCtRC9ma/tZjvrNIj1+EIK/Xb3eS1N RH7+mdfBhZroIH9xZJfUqwmnHbXDIc+O5IO9XbqSUnHE9yRA3uA6Kq8YWzCseE8eQ8uuT 4ELetJP5A2ma+zrGbpgsgNrh+98tdhrdXD4= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1679443024951100002 Content-Type: text/plain; charset="utf-8" TME (Total Memory Encryption) is the capability to encrypt the entirety of physical memory of a system. TME-MK (Total Memory Encryption-Multi-Key) builds on TME and adds support for multiple encryption keys. The patch adds some necessary CPUID/MSR definitions for TME-MK. Signed-off-by: Ray Ni Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Reviewed-by: Michael D Kinney --- .../Include/Register/Intel/ArchitecturalMsr.h | 106 +++++++++++++++++- MdePkg/Include/Register/Intel/Cpuid.h | 9 +- 2 files changed, 112 insertions(+), 3 deletions(-) diff --git a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h b/MdePkg/Incl= ude/Register/Intel/ArchitecturalMsr.h index 071a8c689c..76d80660da 100644 --- a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h 
+++ b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h @@ -6,7 +6,7 @@ returned is a single 32-bit or 64-bit value, then a data structure is not provided for that MSR. =20 - Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.
+ Copyright (c) 2016 - 2023, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Specification Reference: 
@@ -5679,6 +5679,110 @@ typedef union { **/ #define MSR_IA32_X2APIC_SELF_IPI 0x0000083F =20 +/** + Memory Encryption Activation MSR. If CPUID.07H:ECX.[13] =3D 1. + + @param ECX MSR_IA32_TME_ACTIVATE (0x00000982) + @param EAX Lower 32-bits of MSR value. + Described by the type MSR_IA32_TME_ACTIVATE_REGISTER. + @param EDX Upper 32-bits of MSR value. + Described by the type MSR_IA32_TME_ACTIVATE_REGISTER. + + Example usage + @code + MSR_IA32_TME_ACTIVATE_REGISTER Msr; + + Msr.Uint64 =3D AsmReadMsr64 (MSR_IA32_TME_ACTIVATE); + AsmWriteMsr64 (MSR_IA32_TME_ACTIVATE, Msr.Uint64); + @endcode + @note MSR_IA32_TME_ACTIVATE is defined as IA32_TME_ACTIVATE in SDM. +**/ +#define MSR_IA32_TME_ACTIVATE 0x00000982 + +/** + MSR information returned for MSR index #MSR_IA32_TME_ACTIVATE +**/ +typedef union { + /// + /// Individual bit fields + /// + struct { + /// + /// [Bit 0] Lock R/O: Will be set upon successful WRMSR (or first SMI); + /// written value ignored.. + /// + UINT32 Lock : 1; + /// + /// [Bit 1] Hardware Encryption Enable: This bit also enables MKTME; M= KTME + /// cannot be enabled without enabling encryption hardware. + /// + UINT32 TmeEnable : 1; + /// + /// [Bit 2] Key Select: + /// 0: Create a new TME key (expected cold/warm boot). + /// 1: Restore the TME key from storage (Expected when resume from sta= ndby). + /// + UINT32 KeySelect : 1; + /// + /// [Bit 3] Save TME Key for Standby: Save key into storage to be used= when + /// resume from standby. + /// Note: This may not be supported in all processors. + /// + UINT32 SaveKeyForStandby : 1; + /// + /// [Bit 7:4] TME Policy/Encryption Algorithm: Only algorithms enumera= ted in + /// IA32_TME_CAPABILITY are allowed. + /// For example: + /// 0000 =E2=80=93 AES-XTS-128. + /// 0001 =E2=80=93 AES-XTS-128 with integrity. + /// 0010 =E2=80=93 AES-XTS-256. + /// Other values are invalid. 
+ /// + UINT32 TmePolicy : 4; + UINT32 Reserved : 23; + /// + /// [Bit 31] TME Encryption Bypass Enable: When encryption hardware is= enabled: + /// * Total Memory Encryption is enabled using a CPU generated ephemer= al key + /// based on a hardware random number generator when this bit is set= to 0. + /// * Total Memory Encryption is bypassed (no encryption/decryption fo= r KeyID0) + /// when this bit is set to 1. + /// Software must inspect Hardware Encryption Enable (bit 1) and TME e= ncryption + /// bypass Enable (bit 31) to determine if TME encryption is enabled. + /// + UINT32 TmeBypassMode : 1; + /// + /// [Bit 35:32] MK_TME_KEYID_BITS: Reserved if MKTME is not enumerated= , otherwise: + /// The number of key identifier bits to allocate to MKTME usage. + /// Similar to enumeration, this is an encoded value. + /// Writing a value greater than MK_TME_MAX_KEYID_BITS will result in = #GP. + /// Writing a non-zero value to this field will #GP if bit 1 of EAX (H= ardware + /// Encryption Enable) is not also set to =E2=80=981, as encryption ha= rdware must be + /// enabled to use MKTME. + /// Example: To support 255 keys, this field would be set to a value o= f 8. + /// + UINT32 MkTmeKeyidBits : 4; + UINT32 Reserved2 : 12; + /// + /// [Bit 63:48] MK_TME_CRYPTO_ALGS: Reserved if MKTME is not enumerate= d, otherwise: + /// Bit 48: AES-XTS 128. + /// Bit 49: AES-XTS 128 with integrity. + /// Bit 50: AES-XTS 256. + /// Bit 63:51: Reserved (#GP) + /// Bitmask for BIOS to set which encryption algorithms are allowed fo= r MKTME, would + /// be later enforced by the key loading ISA ('1=3D allowed) + /// + UINT32 MkTmeCryptoAlgs : 16; + } Bits; + /// + /// All bit fields as a 32-bit value + /// + UINT32 Uint32; + /// + /// All bit fields as a 64-bit value + /// + UINT64 Uint64; +} MSR_IA32_TME_ACTIVATE_REGISTER; + /** Silicon Debug Feature Control (R/W). If CPUID.01H:ECX.[11] =3D 1. =20 
diff --git a/MdePkg/Include/Register/Intel/Cpuid.h b/MdePkg/Include/Registe= r/Intel/Cpuid.h index 350bf60252..1fb880c85c 100644 --- a/MdePkg/Include/Register/Intel/Cpuid.h +++ b/MdePkg/Include/Register/Intel/Cpuid.h @@ -6,7 +6,7 @@ If a register returned is a single 32-bit value, then a data structure is not provided for that register. =20 - Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.
+ Copyright (c) 2015 - 2023, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 @par Specification Reference: @@ -1490,7 +1490,12 @@ typedef union { /// RDPKRU/WRPKRU instructions). /// UINT32 OSPKE : 1; - UINT32 Reserved5 : 9; + UINT32 Reserved8 : 8; + /// + /// [Bit 13] If 1, the following MSRs are supported: IA32_TME_CAPABILI= TY, IA32_TME_ACTIVATE, + /// IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE. + /// + UINT32 TME_EN : 1; /// /// [Bits 14] AVX512_VPOPCNTDQ. (Intel Xeon Phi only.). /// --=20 2.39.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101519): https://edk2.groups.io/g/devel/message/101519 Mute This Topic: https://groups.io/mt/97767966/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/3901457/1787277/102458076= /xyzzy [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
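Review bot: in the ArchitecturalMsr.h hunk that adds MSR_IA32_TME_ACTIVATE, the @code example reads the MSR and writes it straight back (`Msr.Uint64 = AsmReadMsr64 (MSR_IA32_TME_ACTIVATE);` followed by `AsmWriteMsr64 (MSR_IA32_TME_ACTIVATE, Msr.Uint64);`), while the Lock description a few lines below says bit 0 "Will be set upon successful WRMSR (or first SMI); written value ignored", so a caller who copies the example verbatim locks whatever activation state the register currently holds. Suggest the example set the intended fields between the read and the write (for instance `Msr.Bits.TmeEnable = 1;`), or at least carry a line noting that a successful write sets Lock, and that the bit 31 text ("Software must inspect Hardware Encryption Enable (bit 1) and TME encryption bypass Enable (bit 31) to determine if TME encryption is enabled") be reflected in the example as well, since a reader checking only TmeEnable would misjudge whether memory is actually encrypted. Smaller documentation nits in the same hunk: the double period in "written value ignored..", the 23-bit `Reserved` field (bits 30:8) is the only field without a `[Bit ...]` comment, the quote in "('1= allowed)" is unbalanced, and the en dash and curly quote in the TmePolicy and MK_TME_KEYID_BITS descriptions (they arrive as =E2=80=93 and =E2=80=98 in the mail) would be safer as the plain ASCII hyphen and apostrophe used elsewhere in the hunk.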
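Review bot: in the Cpuid.h hunk, the new bit 13 comment states that when it is set "the following MSRs are supported: IA32_TME_CAPABILITY, IA32_TME_ACTIVATE, IA32_TME_EXCLUDE_MASK, and IA32_TME_EXCLUDE_BASE", and the MSR_IA32_TME_ACTIVATE_REGISTER fields added in ArchitecturalMsr.h can only be validated against IA32_TME_CAPABILITY ("Only algorithms enumerated in IA32_TME_CAPABILITY are allowed", "Writing a value greater than MK_TME_MAX_KEYID_BITS will result in #GP"), yet this patch defines only MSR_IA32_TME_ACTIVATE. Suggest either adding the remaining three MSR definitions here or stating in the commit message which later patch in the series carries them, since the message only says it "adds some necessary CPUID/MSR definitions". Also, replacing `UINT32 Reserved5 : 9;` with `UINT32 Reserved8 : 8;` renames a field in a public MdePkg header; the widths still add up (8 + 1 replaces the 9-bit field), but unless the numbering has to change, keeping the name `Reserved5` with the reduced width avoids a gratuitous rename. Finally, the bit 13 comment should name the field ("[Bit 13] TME_EN.") the way the neighbouring "[Bits 14] AVX512_VPOPCNTDQ." entry does, so the documentation stays greppable by field name.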