Hi Tom,

On 04/30/21 19:01, Laszlo Ersek wrote:
> On 04/29/21 19:12, Lendacky, Thomas wrote:
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3345
>>
>> During PEI, the MMIO range for the TPM is marked as encrypted when running
>> as an SEV guest. While this isn't an issue for an SEV guest because of
>> the way the nested page fault is handled, it does result in an SEV-ES
>> guest terminating because of a mitigation check in the #VC handler to
>> prevent MMIO to an encrypted address. For an SEV-ES guest, this range
>> must be marked as unencrypted.
>>
>> Create a new x86 PEIM for TPM support that will map the TPM MMIO range as
>> unencrypted when SEV-ES is active. The gOvmfTpmMmioAccessiblePpiGuid PPI
>> will be unconditionally installed before exiting. The PEIM will exit with
>> the EFI_ABORTED status so that the PEIM does not stay resident. This new
>> PEIM will depend on the installation of the permanent PEI RAM, by
>> PlatformPei, so that in case page table splitting is required during the
>> clearing of the encryption bit, the new page table(s) will be allocated
>> from permanent PEI RAM.
>>
>> Update all OVMF Ia32 and X64 build packages to include this new PEIM.
>>
>> Cc: Laszlo Ersek <ler...@redhat.com>
>> Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org>
>> Cc: Jordan Justen <jordan.l.jus...@intel.com>
>> Cc: Brijesh Singh <brijesh.si...@amd.com>
>> Cc: Erdem Aktas <erdemak...@google.com>
>> Cc: James Bottomley <j...@linux.ibm.com>
>> Cc: Jiewen Yao <jiewen....@intel.com>
>> Cc: Min Xu <min.m...@intel.com>
>> Cc: Marc-André Lureau <marcandre.lur...@redhat.com>
>> Cc: Stefan Berger <stef...@linux.ibm.com>
>> Signed-off-by: Tom Lendacky <thomas.lenda...@amd.com>
>> ---
>>  OvmfPkg/AmdSev/AmdSevX64.dsc                              |  1 +
>>  OvmfPkg/OvmfPkgIa32.dsc                                   |  1 +
>>  OvmfPkg/OvmfPkgIa32X64.dsc                                |  1 +
>>  OvmfPkg/OvmfPkgX64.dsc                                    |  1 +
>>  OvmfPkg/AmdSev/AmdSevX64.fdf                              |  1 +
>>  OvmfPkg/OvmfPkgIa32.fdf                                   |  1 +
>>  OvmfPkg/OvmfPkgIa32X64.fdf                                |  1 +
>>  OvmfPkg/OvmfPkgX64.fdf                                    |  1 +
>>  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPei.inf | 40 +++++++++
>>  OvmfPkg/Tcg/TpmMmioSevDecryptPei/TpmMmioSevDecryptPeim.c  | 87 ++++++++++++++++++++
>>  10 files changed, 135 insertions(+)

[...]

> Reviewed-by: Laszlo Ersek <ler...@redhat.com>

I'm going to update the subject of this patch:

  OvmfPkg/TpmMmioSevDecryptPei: Mark TPM MMIO range as unencrypted for SEV-ES

(75 chars, which is the longest that PatchCheck.py accepts.)

Thanks!
Laszlo

View/Reply Online (#74670): https://edk2.groups.io/g/devel/message/74670
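The mechanism described in the quoted commit message, as a toy model added here for illustration (not code from the patch or from edk2): a 2 MiB encrypted mapping is split so the encryption bit can be cleared for the TPM MMIO pages only, and a check modelled on the #VC handler mitigation refuses MMIO to any page still marked encrypted. The C-bit position, the TPM base and size, the fixed pool standing in for permanent PEI RAM, and all function names are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this model, not values from the patch: C-bit at PTE bit 47,
 * TPM MMIO at 0xFED40000 for 5 pages, one 2 MiB leaf initially covering it. */
#define C_BIT       (1ULL << 47)
#define PTE_P       (1ULL << 0)
#define PTE_PS      (1ULL << 7)              /* entry is a 2 MiB leaf */
#define ADDR_MASK   0x00007FFFFFFFF000ULL    /* address bits below the C-bit */
#define REGION_BASE 0xFEC00000ULL
#define REGION_SIZE 0x200000ULL
#define TPM_BASE    0xFED40000ULL
#define TPM_SIZE    0x5000ULL

static uint64_t pde;            /* the single PDE covering REGION_BASE */
static uint64_t pool[2][512];   /* stands in for permanent PEI RAM */
static int pool_used;

static void map_region_encrypted(void) { pde = REGION_BASE | PTE_P | PTE_PS | C_BIT; pool_used = 0; }

/* Return the leaf entry that translates addr (the PDE, or a PTE after a split). */
static uint64_t *leaf(uint64_t addr) {
    if (pde & PTE_PS) return &pde;
    return &pool[(pde & ADDR_MASK) >> 12][(addr >> 12) & 511];
}

static int clear_c_bit(uint64_t base, uint64_t len) {
    if (base < REGION_BASE || base + len > REGION_BASE + REGION_SIZE) return -1;
    if ((pde & PTE_PS) && len < REGION_SIZE) {
        /* Split: 512 PTEs inherit the C-bit; the new table comes from the pool. */
        if (pool_used == 2) return -1;
        for (uint64_t i = 0; i < 512; i++)
            pool[pool_used][i] = (REGION_BASE + (i << 12)) | PTE_P | (pde & C_BIT);
        pde = ((uint64_t)pool_used++ << 12) | PTE_P;   /* model: pool index as address */
    }
    for (uint64_t a = base; a < base + len; a += 0x1000)
        *leaf(a) &= ~C_BIT;
    return 0;
}

/* Models the #VC handler mitigation: MMIO to an encrypted mapping is refused. */
static int vc_mmio_allowed(uint64_t addr) { return (*leaf(addr) & C_BIT) == 0; }

int main(void) {
    map_region_encrypted();
    int before = vc_mmio_allowed(TPM_BASE);
    clear_c_bit(TPM_BASE, TPM_SIZE);
    printf("TPM MMIO allowed: before=%d after=%d\n", before, vc_mmio_allowed(TPM_BASE));
    return 0;
}
```

Pages on either side of the TPM range keep the encryption bit after the split, which is why the split needs a page table allocation at all.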