From nobody Sun Feb 8 22:01:10 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+87679+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+87679+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1647564391; cv=none; d=zohomail.com; s=zohoarc; b=EEQuSduz8CBdoKBdYIA8Czwa4t4xbbqI9wzB+tu80DipYS1P8NpUI2xEepI0eSYhsfcbJe25IKY2KPGD5UHijK9Yw+ENZA9j59XRD1+LulTJhaVURNMFcpM67cwCs39IjauVLRfGZiOK0hqkLsD+93obSo+C8hMrqstiINjBdNI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1647564391; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=3fDVHTAztcJY+50jAwEJ0uQsI6U+OK6AErq4AuBlIuM=; b=IRQ1CYk0OV/GtMNF7ul8pYf+qeKZ8sIcW7eS+r8lGk63t5ZTHBy/AtRvtmX7v6LsPQedF5Qg2EqQRncESzzyZdNI+tYBPaeA5ixB9Pl9+l97l0WMZPdcZrSzkyXZiBqigVEftqBov33MRhah5WfHwj2p3bAXCZzlnSOIchz96H8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+87679+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1647564391044571.4002121520854; Thu, 17 Mar 2022 17:46:31 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 84FqYY1788612xvea1G6avM0; Thu, 17 Mar 2022 17:46:30 -0700 X-Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mx.groups.io with SMTP id smtpd.web09.4305.1647564386903029587 for ; Thu, 17 Mar 2022 17:46:30 -0700 X-IronPort-AV: E=McAfee;i="6200,9189,10289"; a="281817792" X-IronPort-AV: E=Sophos;i="5.90,190,1643702400"; d="scan'208";a="281817792" X-Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Mar 2022 17:46:29 -0700 X-IronPort-AV: E=Sophos;i="5.90,190,1643702400"; d="scan'208";a="541602523" X-Received: from mxu9-mobl1.ccr.corp.intel.com ([10.249.172.84]) by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Mar 2022 17:46:26 -0700 From: "Min Xu" To: devel@edk2.groups.io Cc: Min Xu , Michael D Kinney , Liming Gao , Zhiguang Liu , Brijesh Singh , Erdem Aktas , James Bottomley , Jiewen Yao , Tom Lendacky , Gerd Hoffmann Subject: [edk2-devel] [PATCH V9 03/47] MdePkg: Introduce basic Tdx functions in BaseLib Date: Fri, 18 Mar 2022 08:45:21 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,min.m.xu@intel.com X-Gm-Message-State: BZ7o0jqt7NtHFyuKkUL4cAZGx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1647564390; bh=FvVEOBCgZmF3p4iMDqIe2rAq1wRKTrbrBh9cruYDZO0=; h=Cc:Date:From:Reply-To:Subject:To; b=g8x6JaqpkGjRSuiQ1PJMZ8o+38DL/1+pX0WCz4nPeIfcZzmEyiuWPuG65XFJ3u6Sv70 U9rda0E0y1SxSnKplZNF/Q1a3F7J+fu9e9j/aNuum4uyM6jT6VbagJw79HYQ4SMc9I7X+ Wc++I8jAuKjeM/Yw5/Z6jRHBEDelnQEODg8= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1647564391331100013 Content-Type: text/plain; charset="utf-8" RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3429 Introduce basic Tdx functions in BaseLib: - TdCall () - TdVmCall () - TdIsEnabled () Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Tom Lendacky Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Reviewed-by: Liming Gao Signed-off-by: Min Xu --- MdePkg/Include/Library/BaseLib.h | 66 +++++++++++ MdePkg/Library/BaseLib/BaseLib.inf | 4 + MdePkg/Library/BaseLib/IntelTdxNull.c | 83 +++++++++++++ MdePkg/Library/BaseLib/X64/TdCall.nasm | 85 +++++++++++++ MdePkg/Library/BaseLib/X64/TdProbe.c | 63 ++++++++++ MdePkg/Library/BaseLib/X64/TdVmcall.nasm | 145 +++++++++++++++++++++++ 6 files changed, 446 insertions(+) create mode 100644 MdePkg/Library/BaseLib/IntelTdxNull.c create mode 100644 MdePkg/Library/BaseLib/X64/TdCall.nasm create mode 100644 MdePkg/Library/BaseLib/X64/TdProbe.c create mode 100644 MdePkg/Library/BaseLib/X64/TdVmcall.nasm diff --git a/MdePkg/Include/Library/BaseLib.h b/MdePkg/Include/Library/Base= Lib.h index 6aa0d972186e..9d58a7c4ad13 100644 --- a/MdePkg/Include/Library/BaseLib.h +++ b/MdePkg/Include/Library/BaseLib.h @@ -4759,6 +4759,72 @@ SpeculationBarrier ( VOID ); =20 +#if defined (MDE_CPU_X64) || defined (MDE_CPU_IA32) + +/** + The TDCALL instruction causes a VM exit to the Intel TDX module. It is + used to call guest-side Intel TDX functions, either local or a TD exit + to the host VMM, as selected by Leaf. + + @param[in] Leaf Leaf number of TDCALL instruction + @param[in] Arg1 Arg1 + @param[in] Arg2 Arg2 + @param[in] Arg3 Arg3 + @param[in,out] Results Returned result of the Leaf function + + @return 0 A successful call + @return Other See individual leaf functions +**/ +UINTN +EFIAPI +TdCall ( + IN UINT64 Leaf, + IN UINT64 Arg1, + IN UINT64 Arg2, + IN UINT64 Arg3, + IN OUT VOID *Results + ); + +/** + TDVMALL is a leaf function 0 for TDCALL. It helps invoke services from t= he + host VMM to pass/receive information. + + @param[in] Leaf Number of sub-functions + @param[in] Arg1 Arg1 + @param[in] Arg2 Arg2 + @param[in] Arg3 Arg3 + @param[in] Arg4 Arg4 + @param[in,out] Results Returned result of the sub-function + + @return 0 A successful call + @return Other See individual sub-functions + +**/ +UINTN +EFIAPI +TdVmCall ( + IN UINT64 Leaf, + IN UINT64 Arg1, + IN UINT64 Arg2, + IN UINT64 Arg3, + IN UINT64 Arg4, + IN OUT VOID *Results + ); + +/** + Probe if TD is enabled. + + @return TRUE TD is enabled. + @return FALSE TD is not enabled. +**/ +BOOLEAN +EFIAPI +TdIsEnabled ( + VOID + ); + +#endif + #if defined (MDE_CPU_X64) // // The page size for the PVALIDATE instruction diff --git a/MdePkg/Library/BaseLib/BaseLib.inf b/MdePkg/Library/BaseLib/Ba= seLib.inf index cebda3b210c1..16b7ac391705 100644 --- a/MdePkg/Library/BaseLib/BaseLib.inf +++ b/MdePkg/Library/BaseLib/BaseLib.inf @@ -210,6 +210,7 @@ X86RdRand.c X86PatchInstruction.c X86SpeculationBarrier.c + IntelTdxNull.c =20 [Sources.X64] X64/Thunk16.nasm @@ -293,6 +294,9 @@ X64/ReadCr0.nasm| MSFT X64/ReadEflags.nasm| MSFT =20 + X64/TdCall.nasm + X64/TdVmcall.nasm + X64/TdProbe.c =20 X64/Non-existing.c Math64.c diff --git a/MdePkg/Library/BaseLib/IntelTdxNull.c b/MdePkg/Library/BaseLib= /IntelTdxNull.c new file mode 100644 index 000000000000..ec95470bd43e --- /dev/null +++ b/MdePkg/Library/BaseLib/IntelTdxNull.c @@ -0,0 +1,83 @@ +/** @file + + Null stub of TdxLib + + Copyright (c) 2021, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +/** + The TDCALL instruction causes a VM exit to the Intel TDX module. It is + used to call guest-side Intel TDX functions, either local or a TD exit + to the host VMM, as selected by Leaf. + Leaf functions are described at + + @param[in] Leaf Leaf number of TDCALL instruction + @param[in] Arg1 Arg1 + @param[in] Arg2 Arg2 + @param[in] Arg3 Arg3 + @param[in,out] Results Returned result of the Leaf function + + @return EFI_SUCCESS + @return Other See individual leaf functions +**/ +UINTN +EFIAPI +TdCall ( + IN UINT64 Leaf, + IN UINT64 Arg1, + IN UINT64 Arg2, + IN UINT64 Arg3, + IN OUT VOID *Results + ) +{ + return EFI_UNSUPPORTED; +} + +/** + TDVMALL is a leaf function 0 for TDCALL. It helps invoke services from t= he + host VMM to pass/receive information. + + @param[in] Leaf Number of sub-functions + @param[in] Arg1 Arg1 + @param[in] Arg2 Arg2 + @param[in] Arg3 Arg3 + @param[in] Arg4 Arg4 + @param[in,out] Results Returned result of the sub-function + + @return EFI_SUCCESS + @return Other See individual sub-functions + +**/ +UINTN +EFIAPI +TdVmCall ( + IN UINT64 Leaf, + IN UINT64 Arg1, + IN UINT64 Arg2, + IN UINT64 Arg3, + IN UINT64 Arg4, + IN OUT VOID *Results + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Probe if TD is enabled. + + @return TRUE TD is enabled. + @return FALSE TD is not enabled. +**/ +BOOLEAN +EFIAPI +TdIsEnabled ( + ) +{ + return FALSE; +} diff --git a/MdePkg/Library/BaseLib/X64/TdCall.nasm b/MdePkg/Library/BaseLi= b/X64/TdCall.nasm new file mode 100644 index 000000000000..e8a094b0eb3f --- /dev/null +++ b/MdePkg/Library/BaseLib/X64/TdCall.nasm @@ -0,0 +1,85 @@ +;-------------------------------------------------------------------------= ----- +;* +;* Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.
+;* SPDX-License-Identifier: BSD-2-Clause-Patent +;* +;* +;-------------------------------------------------------------------------= ----- + +DEFAULT REL +SECTION .text + +%macro tdcall 0 + db 0x66,0x0f,0x01,0xcc +%endmacro + +%macro tdcall_push_regs 0 + push rbp + mov rbp, rsp + push r15 + push r14 + push r13 + push r12 + push rbx + push rsi + push rdi +%endmacro + +%macro tdcall_pop_regs 0 + pop rdi + pop rsi + pop rbx + pop r12 + pop r13 + pop r14 + pop r15 + pop rbp +%endmacro + +%define number_of_regs_pushed 8 +%define number_of_parameters 4 + +; +; Keep these in sync for push_regs/pop_regs, code below +; uses them to find 5th or greater parameters +; +%define first_variable_on_stack_offset \ + ((number_of_regs_pushed * 8) + (number_of_parameters * 8) + 8) +%define second_variable_on_stack_offset \ + ((first_variable_on_stack_offset) + 8) + +; TdCall ( +; UINT64 Leaf, // Rcx +; UINT64 P1, // Rdx +; UINT64 P2, // R8 +; UINT64 P3, // R9 +; UINT64 Results, // rsp + 0x28 +; ) +global ASM_PFX(TdCall) +ASM_PFX(TdCall): + tdcall_push_regs + + mov rax, rcx + mov rcx, rdx + mov rdx, r8 + mov r8, r9 + + tdcall + + ; exit if tdcall reports failure. + test rax, rax + jnz .exit + + ; test if caller wanted results + mov r12, [rsp + first_variable_on_stack_offset ] + test r12, r12 + jz .exit + mov [r12 + 0 ], rcx + mov [r12 + 8 ], rdx + mov [r12 + 16], r8 + mov [r12 + 24], r9 + mov [r12 + 32], r10 + mov [r12 + 40], r11 +.exit: + tdcall_pop_regs + ret diff --git a/MdePkg/Library/BaseLib/X64/TdProbe.c b/MdePkg/Library/BaseLib/= X64/TdProbe.c new file mode 100644 index 000000000000..b893c0a004d5 --- /dev/null +++ b/MdePkg/Library/BaseLib/X64/TdProbe.c @@ -0,0 +1,63 @@ +/** @file + + Copyright (c) 2020-2021, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +/** + Probe if TD is enabled. + + @return TRUE TD is enabled. + @return FALSE TD is not enabled. +**/ +BOOLEAN +EFIAPI +TdIsEnabled ( + ) +{ + UINT32 Eax; + UINT32 Ebx; + UINT32 Ecx; + UINT32 Edx; + UINT32 LargestEax; + BOOLEAN TdEnabled; + CPUID_VERSION_INFO_ECX CpuIdVersionInfoEcx; + + TdEnabled =3D FALSE; + + do { + AsmCpuid (CPUID_SIGNATURE, &LargestEax, &Ebx, &Ecx, &Edx); + + if ( (Ebx !=3D CPUID_SIGNATURE_GENUINE_INTEL_EBX) + || (Edx !=3D CPUID_SIGNATURE_GENUINE_INTEL_EDX) + || (Ecx !=3D CPUID_SIGNATURE_GENUINE_INTEL_ECX)) + { + break; + } + + AsmCpuid (CPUID_VERSION_INFO, NULL, NULL, &CpuIdVersionInfoEcx.Uint32,= NULL); + if (CpuIdVersionInfoEcx.Bits.ParaVirtualized =3D=3D 0) { + break; + } + + if (LargestEax < CPUID_GUESTTD_RUNTIME_ENVIRONMENT) { + break; + } + + AsmCpuidEx (CPUID_GUESTTD_RUNTIME_ENVIRONMENT, 0, &Eax, &Ebx, &Ecx, &E= dx); + if ( (Ebx !=3D CPUID_GUESTTD_SIGNATURE_GENUINE_INTEL_EBX) + || (Edx !=3D CPUID_GUESTTD_SIGNATURE_GENUINE_INTEL_EDX) + || (Ecx !=3D CPUID_GUESTTD_SIGNATURE_GENUINE_INTEL_ECX)) + { + break; + } + + TdEnabled =3D TRUE; + } while (FALSE); + + return TdEnabled; +} diff --git a/MdePkg/Library/BaseLib/X64/TdVmcall.nasm b/MdePkg/Library/Base= Lib/X64/TdVmcall.nasm new file mode 100644 index 000000000000..5ecc10b17193 --- /dev/null +++ b/MdePkg/Library/BaseLib/X64/TdVmcall.nasm @@ -0,0 +1,145 @@ +;-------------------------------------------------------------------------= ----- +;* +;* Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.
+;* SPDX-License-Identifier: BSD-2-Clause-Patent +;* +;* +;-------------------------------------------------------------------------= ----- + +DEFAULT REL +SECTION .text + +%define TDVMCALL_EXPOSE_REGS_MASK 0xffec +%define TDVMCALL 0x0 + +%macro tdcall 0 + db 0x66,0x0f,0x01,0xcc +%endmacro + +%macro tdcall_push_regs 0 + push rbp + mov rbp, rsp + push r15 + push r14 + push r13 + push r12 + push rbx + push rsi + push rdi +%endmacro + +%macro tdcall_pop_regs 0 + pop rdi + pop rsi + pop rbx + pop r12 + pop r13 + pop r14 + pop r15 + pop rbp +%endmacro + +%define number_of_regs_pushed 8 +%define number_of_parameters 4 + +; +; Keep these in sync for push_regs/pop_regs, code below +; uses them to find 5th or greater parameters +; +%define first_variable_on_stack_offset \ + ((number_of_regs_pushed * 8) + (number_of_parameters * 8) + 8) +%define second_variable_on_stack_offset \ + ((first_variable_on_stack_offset) + 8) + +%macro tdcall_regs_preamble 2 + mov rax, %1 + + xor rcx, rcx + mov ecx, %2 + + ; R10 =3D 0 (standard TDVMCALL) + + xor r10d, r10d + + ; Zero out unused (for standard TDVMCALL) registers to avoid leaking + ; secrets to the VMM. + + xor ebx, ebx + xor esi, esi + xor edi, edi + + xor edx, edx + xor ebp, ebp + xor r8d, r8d + xor r9d, r9d +%endmacro + +%macro tdcall_regs_postamble 0 + xor ebx, ebx + xor esi, esi + xor edi, edi + + xor ecx, ecx + xor edx, edx + xor r8d, r8d + xor r9d, r9d + xor r10d, r10d + xor r11d, r11d +%endmacro + +;-------------------------------------------------------------------------= ----- +; 0 =3D> RAX =3D TDCALL leaf +; M =3D> RCX =3D TDVMCALL register behavior +; 1 =3D> R10 =3D standard vs. vendor +; RDI =3D> R11 =3D TDVMCALL function / nr +; RSI =3D R12 =3D p1 +; RDX =3D> R13 =3D p2 +; RCX =3D> R14 =3D p3 +; R8 =3D> R15 =3D p4 + +; UINT64 +; EFIAPI +; TdVmCall ( +; UINT64 Leaf, // Rcx +; UINT64 P1, // Rdx +; UINT64 P2, // R8 +; UINT64 P3, // R9 +; UINT64 P4, // rsp + 0x28 +; UINT64 *Val // rsp + 0x30 +; ) +global ASM_PFX(TdVmCall) +ASM_PFX(TdVmCall): + tdcall_push_regs + + mov r11, rcx + mov r12, rdx + mov r13, r8 + mov r14, r9 + mov r15, [rsp + first_variable_on_stack_offset ] + + tdcall_regs_preamble TDVMCALL, TDVMCALL_EXPOSE_REGS_MASK + + tdcall + + ; ignore return dataif TDCALL reports failure. + test rax, rax + jnz .no_return_data + + ; Propagate TDVMCALL success/failure to return value. + mov rax, r10 + + ; Retrieve the Val pointer. + mov r9, [rsp + second_variable_on_stack_offset ] + test r9, r9 + jz .no_return_data + + ; On success, propagate TDVMCALL output value to output param + test rax, rax + jnz .no_return_data + mov [r9], r11 +.no_return_data: + tdcall_regs_postamble + + tdcall_pop_regs + + ret --=20 2.29.2.windows.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#87679): https://edk2.groups.io/g/devel/message/87679 Mute This Topic: https://groups.io/mt/89858997/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-