From nobody Fri Dec 19 19:20:29 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+57861+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1587577399992261.60134206203566; Wed, 22 Apr 2020 10:43:19 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id hMWzYY1788612xXp4BJCW60d; Wed, 22 Apr 2020 10:43:19 -0700 X-Received: from NAM11-BN8-obe.outbound.protection.outlook.com (NAM11-BN8-obe.outbound.protection.outlook.com [40.107.236.55]) by mx.groups.io with SMTP id smtpd.web12.504.1587577397852627360 for ; Wed, 22 Apr 2020 10:43:18 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gEMY47UnPBWB3B9qLxD5qrAsSz5k4udXTTaun31+n4PV6hSQITd22M6Zpnb/cpiAoLvwYkNEVmIIJ2chh5Hqi1opk1H+OvRgO/v88DVeRq/wf00qmXYV5vDIWndUGlRRgRQx9BJjQT34oByCSvB+0qHfkf1PlRAMXot2fuexZe5/eoYk8W5rdTRHhfE72r/JRgUJRZY3QedfvVSgVo7OD5MSnXSX0vGjw1rqQyCUa2iJKfmyU5K+G/UiMsgjCn/UYXDQ9tgeLgGA18EfGhNI3XLs40uHz9zaUQHNg2SjVsf1jvoPb4LFVHaCXGvimV/ZQE8Y7AzMN0/40yH+IIHzAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HElzz4T+Wx6ggjMyUjKddBUmiMMN1AqTecIhbCNxNbw=; b=LXv2xKRXwUnkeISM8h9TZ+dU4iQzWL3Hp0nGY0imEhklr75PdXfo+gUrCVteEbYf7cjOKg57bgHyjOgqOxmF6kqi9ZqB1j6+yTFaEe8Mi82pnH4bB+fChsDTrXgaOUSObpnt/avhdkx3kf65g9YgDj/5voq571RKeDmdvKWvlxnwSInrSyUd/no75Z30eyn2r7JPpA4CO7FQsU1XeK6I9XCKTaiHPZeSecGS7hk6tGULS+otuBgI9X3m9IDP8RAl4OMhmg0ujQ/hdCPJkxbnwhFOTpJslbB8IQ7p4nPAGcUzMJxiKzpsOTU36uBhZWgd+73TFnyXIljSJwLXybzVMA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none X-Received: from DM6PR12MB3163.namprd12.prod.outlook.com (2603:10b6:5:15e::26) by DM6PR12MB3673.namprd12.prod.outlook.com (2603:10b6:5:1c5::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.29; Wed, 22 Apr 2020 17:43:16 +0000 X-Received: from DM6PR12MB3163.namprd12.prod.outlook.com ([fe80::9ae:cb95:c925:d5bf]) by DM6PR12MB3163.namprd12.prod.outlook.com ([fe80::9ae:cb95:c925:d5bf%4]) with mapi id 15.20.2921.030; Wed, 22 Apr 2020 17:43:16 +0000 From: "Lendacky, Thomas" To: devel@edk2.groups.io Cc: Jordan Justen , Laszlo Ersek , Ard Biesheuvel , Michael D Kinney , Liming Gao , Eric Dong , Ray Ni , Brijesh Singh Subject: [edk2-devel] [PATCH v7 30/43] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase Date: Wed, 22 Apr 2020 12:41:45 -0500 Message-Id: In-Reply-To: References: X-ClientProxiedBy: DM5PR04CA0060.namprd04.prod.outlook.com (2603:10b6:3:ef::22) To DM6PR12MB3163.namprd12.prod.outlook.com (2603:10b6:5:15e::26) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 X-Received: from tlendack-t1.amd.com (165.204.77.1) by DM5PR04CA0060.namprd04.prod.outlook.com (2603:10b6:3:ef::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Wed, 22 Apr 2020 17:42:45 +0000 X-Originating-IP: [165.204.77.1] X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: bcdc4360-fbb2-4f7c-efcf-08d7e6e4916a X-MS-TrafficTypeDiagnostic: DM6PR12MB3673:|DM6PR12MB3673: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:10000; Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+57861+1787277+3901457@groups.io; helo=web01.groups.io; Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam-Message-Info: DfflVnYkTxJCzSUPgYUpY2OqLcrzRoBX4D23uXSCHk1AbzD31Bm5xZJNjoEGHd2Cgn9l+IzyMSM95bD8ypwgwfS4ZMqTUVxEqeRXBfs0sB2qeYNI7xEI/Go6TzzWOivOjApken2vhAU6AeIyN5z9mQ32d1JcTuko5oeg1/b4OXCjp4LGCHSv1ulFnt3MIkSWtXKeKRaTLAbLNvoZrVAg1j+uuJmcpMpzuUAcQ/G6wPQ5mPiJ5TAdogUZWiG7A/bYPI7LjMBe94ZJ/aT/I60WMsM47bb/FO3W4SzXe3hd9qmi9P2QERT4zxD5JWGTGt8DOnIy6bP1jywpFSuuqLViSHaQCO78JxV072xKcdUEVMMST0YVBu+0DvEs9eGHSRJzE1Uo/9f9jc+5Ss0Hj+mfLHUGtnQ+l8VaDzIBPqGO8Og15KHvqCIX1Lua4ohLMXiR3a5mK8Cr6oZutJLd/g5EAefym3tG/AgtIQ/7zmogi4Bti2JQpSa3EQDmG7w55Cvz8sfeDaw6Bqh1cA+JjNLG/scHq+Deap+HHpuKtFLB2dtvMCQ1E2bAkCH3rpSN1kA05wNOBSBlGkSes5TB1ZOX5w== X-MS-Exchange-AntiSpam-MessageData: pe/3oTI+ALkP44sS3geIRTKXV0TXD015u3RQn0Aa7DvFxQx76gE0T+DVHeSey4ctsfoQTAq3QbxdBoc5ntp4WyypLrTYRV2KOEf2shfAw32VVOn84L4F3e3hogy1pgMejQuGeyp7tEh2l8+53UKwSA== X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: bcdc4360-fbb2-4f7c-efcf-08d7e6e4916a X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Apr 2020 17:42:46.4420 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: WJs/DtwEg4dRciRg66uOhWC6LKiY0VIRKKJsn6fVlBJDNzeU/qI4Oa2T3TXlL+oHneUa3FubIueYZkJ6Js19lw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB3673 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,thomas.lendacky@amd.com X-Gm-Message-State: UMu6VeDrz2pLTGwe8r34R1yUx1787277AA= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1587577399; bh=jZ6+2ON84VvSK2iqaXi+IfzDMJMSnYFLBTes/rcNczs=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=DZQV1kkXZ3VD8aF2hBTKLpQ4VxWiUzGZYAp7ID9vxt0RfXBahMzreQ18YbsCt9UOqXn Kmnv6dYobAjCUkCU0kBVSta05n59wjK+1ScTt5exteGj5WjFlXBDT+VS1llZEgjSru/HH N7K4YQaZmar+L5TwDjEPKiGLBxga5h7vpQ4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2198 Allocate memory for the GHCB pages and the per-CPU variable pages during SEV initialization for use during Pei and Dxe phases. The GHCB page(s) must be shared pages, so clear the encryption mask from the current page table entries. Upon successful allocation, set the GHCB PCDs (PcdGhcbBase and PcdGhcbSize). The per-CPU variable page needs to be unique per AP. Using the page after the GHCB ensures that it is unique per AP. Only the GHCB page is marked as shared, keeping the per-CPU variable page encyrpted. The same logic is used in DXE using CreateIdentityMappingPageTables() before switching to the DXE pagetables. The GHCB pages (one per vCPU) will be used by the PEI and DXE #VC exception handlers. The #VC exception handler will fill in the necessary fields of the GHCB and exit to the hypervisor using the VMGEXIT instruction. The hypervisor then accesses the GHCB associated with the vCPU in order to perform the requested function. Cc: Jordan Justen Cc: Laszlo Ersek Cc: Ard Biesheuvel Reviewed-by: Laszlo Ersek Signed-off-by: Tom Lendacky --- OvmfPkg/OvmfPkgIa32.dsc | 2 ++ OvmfPkg/OvmfPkgIa32X64.dsc | 2 ++ OvmfPkg/OvmfPkgX64.dsc | 2 ++ OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++ OvmfPkg/PlatformPei/AmdSev.c | 45 ++++++++++++++++++++++++++++- 5 files changed, 52 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 95423942101f..dfe8f0210b92 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -587,6 +587,8 @@ [PcdsDynamicDefault] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 =20 # Set SEV-ES defaults + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0 gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0 =20 !if $(SMM_REQUIRE) =3D=3D TRUE diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 37bbf2073494..b0ee4413581a 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -598,6 +598,8 @@ [PcdsDynamicDefault] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 =20 # Set SEV-ES defaults + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0 gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0 =20 !if $(SMM_REQUIRE) =3D=3D TRUE diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 5248e6fd92a8..39eceb422f42 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -597,6 +597,8 @@ [PcdsDynamicDefault] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0 =20 # Set SEV-ES defaults + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase|0 + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize|0 gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|0 =20 !if $(SMM_REQUIRE) =3D=3D TRUE diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index c5b92ab4afd8..fcab78e3d20c 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -100,6 +100,8 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiS3Enable gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase + gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbSize gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 4dc5340caa7a..4fd4534cabea 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -10,12 +10,15 @@ // The package level header files this module uses // #include +#include #include #include #include +#include #include #include #include +#include #include #include =20 @@ -32,7 +35,10 @@ AmdSevEsInitialize ( VOID ) { - RETURN_STATUS PcdStatus; + VOID *GhcbBase; + PHYSICAL_ADDRESS GhcbBasePa; + UINTN GhcbPageCount, PageCount; + RETURN_STATUS PcdStatus, DecryptStatus; =20 if (!MemEncryptSevEsIsEnabled ()) { return; @@ -40,6 +46,43 @@ AmdSevEsInitialize ( =20 PcdStatus =3D PcdSetBoolS (PcdSevEsIsEnabled, TRUE); ASSERT_RETURN_ERROR (PcdStatus); + + // + // Allocate GHCB and per-CPU variable pages. + // + GhcbPageCount =3D mMaxCpuCount * 2; + GhcbBase =3D AllocatePages (GhcbPageCount); + ASSERT (GhcbBase !=3D NULL); + + GhcbBasePa =3D (PHYSICAL_ADDRESS)(UINTN) GhcbBase; + + // + // Each vCPU gets two consecutive pages, the first is the GHCB and the + // second is the per-CPU variable page. Loop through the allocation and + // only clear the encryption mask for the GHCB pages. + // + for (PageCount =3D 0; PageCount < GhcbPageCount; PageCount +=3D 2) { + DecryptStatus =3D MemEncryptSevClearPageEncMask ( + 0, + GhcbBasePa + EFI_PAGES_TO_SIZE (PageCount), + 1, + TRUE + ); + ASSERT_RETURN_ERROR (DecryptStatus); + } + + ZeroMem (GhcbBase, EFI_PAGES_TO_SIZE (GhcbPageCount)); + + PcdStatus =3D PcdSet64S (PcdGhcbBase, GhcbBasePa); + ASSERT_RETURN_ERROR (PcdStatus); + PcdStatus =3D PcdSet64S (PcdGhcbSize, EFI_PAGES_TO_SIZE (GhcbPageCount)); + ASSERT_RETURN_ERROR (PcdStatus); + + DEBUG ((DEBUG_INFO, + "SEV-ES is enabled, %lu GHCB pages allocated starting at 0x%p\n", + (UINT64)GhcbPageCount, GhcbBase)); + + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); } =20 /** --=20 2.17.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#57861): https://edk2.groups.io/g/devel/message/57861 Mute This Topic: https://groups.io/mt/73201940/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-