When SEV is active, the flash memory range is mapped as unencrypted by AmdSevDxe. Mark the flash memory range with EfiGcdMemoryTypeMemoryMappedIo so that the OS maps this memory range as unencrypted.
Cc: Justen Jordan L <[email protected]>
Cc: Laszlo Ersek <[email protected]>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <[email protected]>
---
Hi Laszlo, I have tried marking flash memory range as MMIO for non SEV guest, and everything seems to be working fine but I was not sure if we will break something else in non SEV case. Because of this I have created a new routine which marks the range as MMIO only when SEV is active.
 .../FvbServicesRuntimeDxe.inf | 1 +
 .../FwBlockService.c | 69 +++++++++++++++++++++-
 2 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
index d7b4ec06c4e6..1af675852c86 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
@@ -58,6 +58,7 @@ [LibraryClasses]
   UefiBootServicesTableLib
   UefiDriverEntryPoint
   UefiRuntimeLib
+  MemEncryptSevLib
 
 [Guids]
   gEfiEventVirtualAddressChangeGuid # ALWAYS_CONSUMED
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
index 558b395dff4a..3aa21466556a 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockService.c
@@ -36,6 +36,7 @@
 #include <Library/DxeServicesTableLib.h>
 #include <Library/MemoryAllocationLib.h>
 #include <Library/UefiBootServicesTableLib.h>
+#include <Library/MemEncryptSevLib.h>
 #include "FwBlockService.h"
 #include "QemuFlash.h"
@@ -867,6 +868,64 @@ MarkMemoryRangeForRuntimeAccess (
 
 STATIC
 EFI_STATUS
+SevMarkMemoryRangeForRuntimeAccess (
+  EFI_PHYSICAL_ADDRESS BaseAddress,
+  UINTN Length
+  )
+{
+  EFI_STATUS Status;
+  EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor;
+
+  //
+  // Mark flash region as runtime memory
+  //
+  Status = gDS->RemoveMemorySpace (
+                  BaseAddress,
+                  Length
+                  );
+
+  Status = gDS->AddMemorySpace (
+                  EfiGcdMemoryTypeMemoryMappedIo,
+                  BaseAddress,
+                  Length,
+                  EFI_MEMORY_UC | EFI_MEMORY_RUNTIME
+                  );
+  ASSERT_EFI_ERROR (Status);
+
+  Status = gDS->AllocateMemorySpace (
+                  AllocateAddress,
+                  EfiGcdMemoryTypeMemoryMappedIo,
+                  0,
+                  EFI_SIZE_TO_PAGES (Length),
+                  &BaseAddress,
+                  gImageHandle,
+                  NULL
+                  );
+  ASSERT_EFI_ERROR (Status);
+
+  Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor);
+  ASSERT_EFI_ERROR (Status);
+
+  Status = gDS->SetMemorySpaceAttributes (
+                  BaseAddress,
+                  Length,
+                  GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
+                  );
+  ASSERT_EFI_ERROR (Status);
+
+  Status = MemEncryptSevClearPageEncMask (
+             0,
+             BaseAddress,
+             EFI_SIZE_TO_PAGES (Length),
+             FALSE
+             );
+  ASSERT_EFI_ERROR (Status);
+
+  return Status;
+}
+
+STATIC
+EFI_STATUS
 InitializeVariableFvHeader (
   VOID
   )
@@ -1091,7 +1150,15 @@ FvbInitialize (
   //
   InstallProtocolInterfaces (FvbDevice);
 
-  MarkMemoryRangeForRuntimeAccess (BaseAddress, Length);
+  //
+  // When SEV is enabled, mark the flash region as MMIO to hint the OS that
+  // the memory range need to be mapped as unencrypted.
+  //
+  if (MemEncryptSevIsEnabled()) {
+    SevMarkMemoryRangeForRuntimeAccess (BaseAddress, Length);
+  } else {
+    MarkMemoryRangeForRuntimeAccess (BaseAddress, Length);
+  }
 
   //
   // Set several PCD values to point to flash
-- 
2.7.4
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel
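Review bot: In SevMarkMemoryRangeForRuntimeAccess the Status returned by `gDS->RemoveMemorySpace (BaseAddress, Length)` is never checked and is overwritten by the following AddMemorySpace call, so a failed removal (the range not being in the GCD map as expected) is silently ignored and the first visible failure would be the later, misleading, AddMemorySpace assert; add `ASSERT_EFI_ERROR (Status);` directly after the RemoveMemorySpace call, as every other gDS call in the routine does. The only comment in the body, `// Mark flash region as runtime memory`, understates what the routine does — it re-registers the range as EfiGcdMemoryTypeMemoryMappedIo with EFI_MEMORY_UC | EFI_MEMORY_RUNTIME and then clears the SEV encryption mask on its pages via MemEncryptSevClearPageEncMask — so a function header comment stating that, and that the MMIO type is chosen so the OS maps the range unencrypted (per the commit message), would spare the next reader from re-deriving it. Much of the body appears to mirror the existing MarkMemoryRangeForRuntimeAccess, which is not visible in the hunk; if so, giving that routine a GCD-memory-type parameter would avoid carrying two copies of the same GCD sequence. The call-site hunk in FvbInitialize has the same concern in miniature (its enclosing function starts and ends outside the hunk); the new comment there could also note that the meaning of the `0` Cr3 argument and the `FALSE` flush argument to MemEncryptSevClearPageEncMask is documented at the callee, since neither is obvious at the call.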

