[edk2-devel] [PATCH 00/23] Enable Intel TDX in OvmfPkg (SEC/PEI)

Min Xu posted 23 patches 2 years, 8 months ago
Failed in applying to current master
[edk2-devel] [PATCH 00/23] Enable Intel TDX in OvmfPkg (SEC/PEI)
Posted by Min Xu 2 years, 8 months ago
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3249

Intel's Trust Domain Extensions (Intel TDX) refers to an Intel technology
that extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory
Encryption (MKTME) with a new kind of virtual machine guest called a
Trust Domain (TD). A TD is designed to run in a CPU mode that protects the
confidentiality of TD memory contents and the TD's CPU state from other
software, including the hosting Virtual-Machine Monitor (VMM), unless
explicitly shared by the TD itself.

The patch-sets to support Intel TDX in OvmfPkg are split into several
waves. This is Wave-2, which enables Intel TDX in the SEC/PEI phases of
OvmfPkgX64. (This is because Intel TDX is only available on X64.)

Note:
As mentioned above, the whole TDX Virtual Firmware upstream to EDK2 is
split into several waves. Wave-1 is focused on the changes in
OvmfPkg/ResetVector. It is still in review. (Hope we can finish it soon.)
Wave-2 is focused on the changes in the SEC/PEI phases. To make the review
more efficient, we send Wave-2 before the review of Wave-1 is finished.
Wave-2 has few dependencies on Wave-1 except some PCD definitions,
so reviewers can skip Patch 01-03. Once Wave-1 is done, Wave-2 will be
rebased on the latest code base. Thanks for your understanding.

Patch 01-03 are the patches of Wave-1 (ResetVector phase). They can be
skipped.

Patch 04 - 18 are changes in the SEC phase. Some libraries in these patches
also work in both SEC and PEI.

Patch 19 - 23 are changes for PEI phase.

Patch 04:
Tdx.h is added in the patch which includes the Intel Trust Domain
Extension definitions.
Detailed information can be found in below document:
https://software.intel.com/content/dam/develop/external/us/en/
documents/tdx-module-1eas-v0.85.039.pdf

Patch 05:
It provides *TdxIsEnabled* to determine Td or Non-Td by a new CPUID
leaf (0x21).

Patch 06:
TdxLib is provided in this patch to wrap the functions which perform the
related Tdx operations.

Patch 07:
TDVF chooses para-virtualized I/O, which uses the TDG.VP.VMCALL function
to invoke the functions provided by the host VMM to perform I/O.
BaseIoLibIntrinsicSev.inf is updated to support I/O in a Tdx guest.
Some null stubs are also added in BaseIoLibIntrinsic.inf to prevent
breaking the build process.

Patch 08:
In this patch BaseXApicX2ApicLib is updated to support Intel TDX. The
major change is the access to MSRs, because some MSRs should be accessed via
explicit requests from the host VMM using TDCALL (TDG.VP.VMCALL).

Patch 09 - 12:
These patches add VmTdExitLib library and add base support to handle #VE
exceptions under the help of VmTdExitLib.

Patch 13:
This patch enables Tdx support in MpInitLib.

Patch 14:
In this patch the BSP initializes the temporary stack and then jumps to
SecMain, just as legacy Ovmf does.
APs spin in a modified mailbox loop using the initial mailbox structure.
They wait for a command and check whether the command is for them. If so,
they execute the command.

Patch 15:
IntelTdx.h is added to define the definitions used by TDX in OvmfPkg.

Patch 16:
In Tdx the BSP may issue commands to APs for some task, for example, to
accept pages in parallel. The BSP also needs to wait until all the APs have
done the task. TdxMailboxLib wraps these common functions for the BSP.

Patch 17:
In this patch EFI_RESOURCE_ATTRIBUTE_ENCRYPTED is added, which indicates
the attribute of encrypted physical memory.

Patch 18:
Now we're ready to update SecMain.c to support Intel TDX. The major
change of this patch is to accept the private memory described in the
Td hoblist. Then TDVF follows the standard OVMF flow and jumps to the PEI
phase.

Patch 19:
This patch checks Tdx in QemuFwCfgPei to avoid DMA operations. This is
mainly because DMA in a TDX guest requires using a bounce buffer (which
needs dynamically allocated memory, and allocating a page-sized buffer can
be a challenge in the PEI phase).

Patch 20:
A new function - AllocatePagesWithMemoryType - is added in
PeiMemoryAllocationLib. This is because when doing RelocateMailbox,
the memory for ACPI NVS needs to be allocated.

Patch 21:
PcdUse1GPageTable is set to FALSE by default in OvmfPkgX64.dsc, which gives
no chance to support 1G page tables. To support 1G page tables in TDX, this
PCD is set to TRUE in OvmfPkgX64.dsc.

Patch 22:
In TDX IA32_EFER is RO to the host VMM. It could not be changed. A new PCD -
PcdIa32EferChangeAllowed - is added in MdeModulePkg.dec and it will be
set to FALSE in a Tdx guest.

Patch 23:
Intel TDX has its own requirements in InitializePlatform (PlatformPei):
 - Publish the ram region
 - Relocate mailbox
 - Create PlatformInfoHob

[TDX]: https://software.intel.com/content/dam/develop/external/us/en/
documents/tdx-whitepaper-final9-17.pdf

[TDVF]: https://software.intel.com/content/dam/develop/external/us/en/
documents/tdx-virtual-firmware-design-guide-rev-1.pdf

Code is at https://github.com/mxu9/edk2/tree/tdvf_wave2

Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>

Min Xu (23):
  OvmfPkg: Add Tdx BFV/CFV PCDs and PcdOvmfImageSizeInKb
  OvmfPkg/Sec: Update the check logic in SevEsIsEnabled
  OvmfPkg/ResetVector: Enable Intel TDX in ResetVector of Ovmf
  MdePkg: Add Tdx.h
  MdePkg: Add TdxProbeLib to probe Intel Tdx
  MdePkg: Add TdxLib to wrap Tdx operations
  MdePkg: Update BaseIoLibIntrinsicSev to support Tdx
  UefiCpuPkg: Support TDX in BaseXApicX2ApicLib
  UefiCpuPkg: Add VmTdExitLibNull
  OvmfPkg: Prepare OvmfPkg to use the VmTdExitLib library
  OvmfPkg: Implement library support for VmTdExitLib in Ovmf
  UefiCpuPkg/CpuExceptionHandler: Add base support for the #VE exception
  UefiCpuPkg: Enable Tdx support in MpInitLib
  OvmfPkg: Update SecEntry.nasm to support Tdx
  OvmfPkg: Add IntelTdx.h in OvmfPkg/Include/IndustryStandard
  OvmfPkg: Add TdxMailboxLib
  MdePkg: Add EFI_RESOURCE_ATTRIBUTE_ENCRYPTED in PiHob.h
  OvmfPkg: Enable Tdx in SecMain.c
  OvmfPkg: Check Tdx in QemuFwCfgPei to avoid DMA operation
  MdePkg: Add AllocatePagesWithMemoryType support in
    PeiMemoryAllocationLib
  OvmfPkg: Add PcdUse1GPageTable support for TDX
  MdeModulePkg: EFER should not be changed in TDX
  OvmfPkg: Update PlatformPei to support TDX

 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf       |   1 +
 .../Core/DxeIplPeim/X64/VirtualMemory.c       |   6 +
 MdeModulePkg/MdeModulePkg.dec                 |   5 +
 MdePkg/Include/IndustryStandard/Tdx.h         | 200 +++++
 MdePkg/Include/Library/MemoryAllocationLib.h  |  21 +
 MdePkg/Include/Library/TdxLib.h               | 167 +++++
 MdePkg/Include/Library/TdxProbeLib.h          |  25 +
 MdePkg/Include/Pi/PiHob.h                     |   8 +
 .../BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf |   2 +
 .../BaseIoLibIntrinsicSev.inf                 |   6 +-
 MdePkg/Library/BaseIoLibIntrinsic/IoLib.c     |  97 ++-
 MdePkg/Library/BaseIoLibIntrinsic/IoLibGcc.c  |  49 +-
 .../BaseIoLibIntrinsic/IoLibInternalTdx.c     | 690 ++++++++++++++++++
 .../BaseIoLibIntrinsic/IoLibInternalTdxNull.c | 499 +++++++++++++
 MdePkg/Library/BaseIoLibIntrinsic/IoLibMsc.c  |  73 +-
 MdePkg/Library/BaseIoLibIntrinsic/IoLibTdx.h  | 411 +++++++++++
 .../BaseIoLibIntrinsic/X64/IoFifoSev.nasm     | 133 ++++
 .../MemoryAllocationLib.c                     |  27 +
 MdePkg/Library/TdxLib/AcceptPages.c           | 136 ++++
 MdePkg/Library/TdxLib/Rtmr.c                  | 118 +++
 MdePkg/Library/TdxLib/TdInfo.c                | 101 +++
 MdePkg/Library/TdxLib/TdxLib.inf              |  39 +
 MdePkg/Library/TdxLib/TdxLibNull.c            | 192 +++++
 MdePkg/Library/TdxLib/X64/Tdcall.nasm         | 120 +++
 MdePkg/Library/TdxLib/X64/Tdvmcall.nasm       | 206 ++++++
 MdePkg/Library/TdxProbeLib/InternalTdxProbe.h |  25 +
 MdePkg/Library/TdxProbeLib/TdProbeNull.c      |  25 +
 MdePkg/Library/TdxProbeLib/TdxProbeLib.c      |  35 +
 MdePkg/Library/TdxProbeLib/TdxProbeLib.inf    |  34 +
 MdePkg/Library/TdxProbeLib/X64/TdProbe.nasm   |  97 +++
 MdePkg/MdePkg.dec                             |   6 +
 MdePkg/MdePkg.dsc                             |   2 +
 OvmfPkg/Include/IndustryStandard/IntelTdx.h   |  77 ++
 OvmfPkg/Include/Library/TdxMailboxLib.h       |  75 ++
 OvmfPkg/Include/TdxCommondefs.inc             |  51 ++
 OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPei.c   |  15 +
 .../Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf  |   1 +
 OvmfPkg/Library/TdxMailboxLib/TdxMailbox.c    | 138 ++++
 .../Library/TdxMailboxLib/TdxMailboxLib.inf   |  52 ++
 .../Library/TdxMailboxLib/TdxMailboxNull.c    |  86 +++
 OvmfPkg/Library/VmTdExitLib/VmTdExitLib.inf   |  41 ++
 .../Library/VmTdExitLib/VmTdExitVeHandler.c   | 515 +++++++++++++
 OvmfPkg/OvmfPkg.dec                           |  27 +
 OvmfPkg/OvmfPkgDefines.fdf.inc                |  10 +
 OvmfPkg/OvmfPkgIa32.dsc                       |   4 +
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   4 +
 OvmfPkg/OvmfPkgX64.dsc                        |   8 +
 OvmfPkg/OvmfXen.dsc                           |   1 +
 OvmfPkg/PlatformPei/FeatureControl.c          |   9 +-
 OvmfPkg/PlatformPei/IntelTdx.c                | 268 +++++++
 OvmfPkg/PlatformPei/IntelTdxNull.c            |  35 +
 OvmfPkg/PlatformPei/MemDetect.c               |  20 +-
 OvmfPkg/PlatformPei/Platform.c                |   2 +
 OvmfPkg/PlatformPei/Platform.h                |  17 +
 OvmfPkg/PlatformPei/PlatformPei.inf           |  14 +
 OvmfPkg/PlatformPei/X64/ApRunLoop.nasm        |  83 +++
 OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm  |  39 +
 OvmfPkg/ResetVector/Ia32/AmdSev.asm           |   7 -
 OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm   |   9 +
 OvmfPkg/ResetVector/Ia32/IntelTdx.asm         | 265 +++++++
 OvmfPkg/ResetVector/Ia32/PageTables64.asm     | 113 ++-
 OvmfPkg/ResetVector/Main.asm                  | 121 +++
 OvmfPkg/ResetVector/ResetVector.inf           |  12 +-
 OvmfPkg/ResetVector/ResetVector.nasmb         |  48 +-
 OvmfPkg/ResetVector/X64/IntelTdxMetadata.asm  | 110 +++
 OvmfPkg/Sec/IntelTdx.c                        | 608 +++++++++++++++
 OvmfPkg/Sec/IntelTdx.h                        |  33 +
 OvmfPkg/Sec/SecMain.c                         |  45 +-
 OvmfPkg/Sec/SecMain.inf                       |   7 +
 OvmfPkg/Sec/X64/SecEntry.nasm                 | 313 ++++++++
 UefiCpuPkg/Include/Library/VmTdExitLib.h      |  47 ++
 .../BaseXApicX2ApicLib/BaseXApicX2ApicLib.c   | 172 ++++-
 .../BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf |   2 +
 .../DxeCpuExceptionHandlerLib.inf             |   1 +
 .../PeiCpuExceptionHandlerLib.inf             |   1 +
 .../PeiDxeSmmCpuException.c                   |  18 +
 .../SecPeiCpuException.c                      |  19 +
 .../SecPeiCpuExceptionHandlerLib.inf          |   1 +
 .../SmmCpuExceptionHandlerLib.inf             |   1 +
 .../Xcode5SecPeiCpuExceptionHandlerLib.inf    |   1 +
 UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf |   5 +
 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c       |  14 +-
 UefiCpuPkg/Library/MpInitLib/MpIntelTdx.h     | 107 +++
 UefiCpuPkg/Library/MpInitLib/MpLib.c          |  26 +
 UefiCpuPkg/Library/MpInitLib/MpLibTdx.c       | 142 ++++
 UefiCpuPkg/Library/MpInitLib/MpLibTdxNull.c   | 117 +++
 UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf |   5 +
 .../Library/MpInitLib/X64/IntelTdcall.nasm    | 120 +++
 .../Library/VmTdExitLibNull/VmTdExitLibNull.c |  37 +
 .../VmTdExitLibNull/VmTdExitLibNull.inf       |  34 +
 UefiCpuPkg/UefiCpuPkg.dec                     |   9 +
 UefiCpuPkg/UefiCpuPkg.dsc                     |   4 +
 92 files changed, 7610 insertions(+), 112 deletions(-)
 create mode 100644 MdePkg/Include/IndustryStandard/Tdx.h
 create mode 100644 MdePkg/Include/Library/TdxLib.h
 create mode 100644 MdePkg/Include/Library/TdxProbeLib.h
 create mode 100644 MdePkg/Library/BaseIoLibIntrinsic/IoLibInternalTdx.c
 create mode 100644 MdePkg/Library/BaseIoLibIntrinsic/IoLibInternalTdxNull.c
 create mode 100644 MdePkg/Library/BaseIoLibIntrinsic/IoLibTdx.h
 create mode 100644 MdePkg/Library/TdxLib/AcceptPages.c
 create mode 100644 MdePkg/Library/TdxLib/Rtmr.c
 create mode 100644 MdePkg/Library/TdxLib/TdInfo.c
 create mode 100644 MdePkg/Library/TdxLib/TdxLib.inf
 create mode 100644 MdePkg/Library/TdxLib/TdxLibNull.c
 create mode 100644 MdePkg/Library/TdxLib/X64/Tdcall.nasm
 create mode 100644 MdePkg/Library/TdxLib/X64/Tdvmcall.nasm
 create mode 100644 MdePkg/Library/TdxProbeLib/InternalTdxProbe.h
 create mode 100644 MdePkg/Library/TdxProbeLib/TdProbeNull.c
 create mode 100644 MdePkg/Library/TdxProbeLib/TdxProbeLib.c
 create mode 100644 MdePkg/Library/TdxProbeLib/TdxProbeLib.inf
 create mode 100644 MdePkg/Library/TdxProbeLib/X64/TdProbe.nasm
 create mode 100644 OvmfPkg/Include/IndustryStandard/IntelTdx.h
 create mode 100644 OvmfPkg/Include/Library/TdxMailboxLib.h
 create mode 100644 OvmfPkg/Include/TdxCommondefs.inc
 create mode 100644 OvmfPkg/Library/TdxMailboxLib/TdxMailbox.c
 create mode 100644 OvmfPkg/Library/TdxMailboxLib/TdxMailboxLib.inf
 create mode 100644 OvmfPkg/Library/TdxMailboxLib/TdxMailboxNull.c
 create mode 100644 OvmfPkg/Library/VmTdExitLib/VmTdExitLib.inf
 create mode 100644 OvmfPkg/Library/VmTdExitLib/VmTdExitVeHandler.c
 create mode 100644 OvmfPkg/PlatformPei/IntelTdx.c
 create mode 100644 OvmfPkg/PlatformPei/IntelTdxNull.c
 create mode 100644 OvmfPkg/PlatformPei/X64/ApRunLoop.nasm
 create mode 100644 OvmfPkg/ResetVector/Ia32/IntelTdx.asm
 create mode 100644 OvmfPkg/ResetVector/Main.asm
 create mode 100644 OvmfPkg/ResetVector/X64/IntelTdxMetadata.asm
 create mode 100644 OvmfPkg/Sec/IntelTdx.c
 create mode 100644 OvmfPkg/Sec/IntelTdx.h
 create mode 100644 UefiCpuPkg/Include/Library/VmTdExitLib.h
 create mode 100644 UefiCpuPkg/Library/MpInitLib/MpIntelTdx.h
 create mode 100644 UefiCpuPkg/Library/MpInitLib/MpLibTdx.c
 create mode 100644 UefiCpuPkg/Library/MpInitLib/MpLibTdxNull.c
 create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/IntelTdcall.nasm
 create mode 100644 UefiCpuPkg/Library/VmTdExitLibNull/VmTdExitLibNull.c
 create mode 100644 UefiCpuPkg/Library/VmTdExitLibNull/VmTdExitLibNull.inf

-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#79156): https://edk2.groups.io/g/devel/message/79156
Mute This Topic: https://groups.io/mt/84837888/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
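The CPUID-based TD probe described for Patch 05, as an added example that is not code from Min Xu's series or from edk2 (the names TdxSignaturePresent, TdxIsEnabledLive and PackSig are this example's own; it assumes a GCC/Clang toolchain for the <cpuid.h> intrinsics). The decision logic is kept in a pure function that takes the register values, so it can be exercised on any host; the live probe reads leaf 0x21 only after confirming that the maximum basic leaf reaches it, which is the same guard a firmware probe needs to avoid reading an unimplemented leaf.

```c
/* Added example: TDX guest probe modelled on the CPUID leaf 0x21 check
 * described for Patch 05 (TdxProbeLib). Not code from the edk2 series;
 * the function names here are this example's own. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf used to enumerate the TDX guest signature. */
#define TDX_CPUID_LEAF 0x21u

/* Pack four ASCII bytes the way CPUID returns a vendor string: the first
 * character sits in the low byte of the register. */
uint32_t PackSig(const char s[4]) {
  return (uint32_t)(unsigned char)s[0]
       | (uint32_t)(unsigned char)s[1] << 8
       | (uint32_t)(unsigned char)s[2] << 16
       | (uint32_t)(unsigned char)s[3] << 24;
}

/* Pure decision logic: given the maximum basic CPUID leaf and the registers
 * returned by CPUID(0x21, 0), report whether they carry the TDX signature
 * "IntelTDX    " spread over EBX, EDX and ECX (in that order). */
bool TdxSignaturePresent(uint32_t maxLeaf, uint32_t ebx, uint32_t ecx, uint32_t edx) {
  if (maxLeaf < TDX_CPUID_LEAF) {
    return false;  /* leaf 0x21 is not enumerated at all on this CPU */
  }
  return ebx == PackSig("Inte")
      && edx == PackSig("lTDX")
      && ecx == PackSig("    ");
}

/* Live probe of the CPU this program runs on. On non-x86 builds there is
 * no CPUID instruction, so the answer is always "not a TD". */
bool TdxIsEnabledLive(void) {
#if defined(__x86_64__) || defined(__i386__)
  unsigned int maxLeaf = __get_cpuid_max(0, NULL);  /* 0 if CPUID unsupported */
  unsigned int a = 0, b = 0, c = 0, d = 0;
  if (maxLeaf < TDX_CPUID_LEAF) {
    return false;
  }
  __cpuid_count(TDX_CPUID_LEAF, 0, a, b, c, d);
  return TdxSignaturePresent(maxLeaf, b, c, d);
#else
  return false;
#endif
}

int main(void) {
  printf("Running inside an Intel TD: %s\n", TdxIsEnabledLive() ? "yes" : "no");
  return 0;
}
```

A positive result from this probe only selects the firmware code path (TDCALL-based I/O and MSR access instead of direct instructions); it is not evidence a relying party should act on, because in an ordinary VM every CPUID leaf is under the VMM's control and a host can present any signature it likes. Trust that code really runs in a TD comes from TDX attestation (the TD report and quote), which the cover letter's RTMR discussion touches on, not from this check.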


Re: [edk2-devel] [PATCH 00/23] Enable Intel TDX in OvmfPkg (SEC/PEI)
Posted by Gerd Hoffmann 2 years, 7 months ago
  Hi,

> [TDX]: https://software.intel.com/content/dam/develop/external/us/en/
> documents/tdx-whitepaper-final9-17.pdf

So, coming back to this after reading through a bunch of docs and
patches with some high-level questions.  The whitepaper lists two
ovmf configs:

  (1) config-a, supporting normal/sev/tdx with basic features.
  (2) config-b, supporting normal/tdx with more features.

What of this is implemented by this patch series?
config-a?  completely?  parts of it?

The whitepaper also doesn't explain very well why we have two
configurations in the first place.  It describes *what* are the
differences but not *why* they are there.

Apparently some of the additional features supported by config-b
are either more difficult or impossible to implement in config-a.
Is that correct?  Is that explained in more detail somewhere?

thanks,
  Gerd



View/Reply Online (#80005): https://edk2.groups.io/g/devel/message/80005


Re: [edk2-devel] [PATCH 00/23] Enable Intel TDX in OvmfPkg (SEC/PEI)
Posted by Min Xu 2 years, 7 months ago
On August 31, 2021 6:46 PM, Gerd Hoffmann wrote:
>   Hi,
> 
> > [TDX]: https://software.intel.com/content/dam/develop/external/us/en/
> > documents/tdx-whitepaper-final9-17.pdf
> 
> So, coming back to this after reading through a bunch of docs and patches with
> some high-level questions.  The whitepaper lists two ovmf configs:
> 
>   (1) config-a, supporting normal/sev/tdx with basic features.
>   (2) config-b, supporting normal/tdx with more features.
> 
> What of this is implemented by this patch series?
> config-a?  completely?  parts of it?
Because the total patch-sets for TDVF upstreaming are too big and there are 2 configurations,
we split the upstreaming into the waves below.

            Config-A    Config-B    Phase
Wave-1      Y           Y           ResetVector
Wave-2      Y           N           SEC/PEI
Wave-3      Y           N           DXE
Wave-4      N           Y           SEC (PEI is skipped)
Wave-5      N           Y           DXE

So this patch-set is wave-2 and for Config-A (SEC/PEI).

> 
> The whitepaper also doesn't explain very well why we have two configurations
> in the first place.  It describes *what* are the differences but not *why* they are
> there.
The whitepaper describes the TDVF as a standalone image. It is *not* one image.
It can only run on a TD guest.
Then came the *One Image* requirement: TDVF should be able to run on a Legacy guest,
a Td guest, even a SEV guest with ONE image. Things become very complicated.
See the discussion in https://edk2.groups.io/g/devel/topic/83283616#76022
> 
> Apparently some of the additional features supported by config-b are either
> more difficult or impossible to implement in config-a.
> Is that correct?  Is that explained in more detail somewhere?
It's correct. Some additional features are not supported in Config-A, for example the TD
RTMR based measured boot.
There are design slides and recorded meetings at the link below:
https://edk2.groups.io/g/devel/files/Designs/2021/0611
If you have any questions, please let us know. We will try our best to answer/address your concerns.

Thanks!
Min


View/Reply Online (#80048): https://edk2.groups.io/g/devel/message/80048


Re: [edk2-devel] [PATCH 00/23] Enable Intel TDX in OvmfPkg (SEC/PEI)
Posted by Gerd Hoffmann 2 years, 7 months ago
  Hi,

> Because the total patch-sets for TDVF upstreaming is too big and there are 2 configurations.
> So we split the upstreaming into below waves.
>
>             Config-A    Config-B    Phase
> Wave-1      Y           Y           ResetVector
> Wave-2      Y           N           SEC/PEI
> Wave-3      Y           N           DXE
> Wave-4      N           Y           SEC (PEI is skipped)
> Wave-5      N           Y           DXE
> 
> So this patch-set is wave-2 and for Config-A (SEC/PEI).

Thanks (please add that info to the cover letter in the future).

> > Apparently some of the additional features supported by config-b are either
> > more difficult or impossible to implement in config-a.
> > Is that correct?  Is that explained in more detail somewhere?
> It's correct. Some additional features are not supported in Config-A. For example the TD
> RTMR based measured boot. 

Why is TD RTMR based measured boot not supported in Config-A?

I'm trying to understand why we need Config-B.  Having two variants
with completely different initialization code paths (with/without PEI)
doesn't look like a good plan to me.  I'd rather support everything in
Config-A if possible.

take care,
  Gerd



View/Reply Online (#80051): https://edk2.groups.io/g/devel/message/80051