Re: [edk2-devel] [PATCH 2/2] OvmfPkg/ResetVector: Exclude SEV launch secrets page from pre-validation
On 3/30/22 14:31, Dov Murik wrote: On 30/03/2022 22:27, Brijesh Singh wrote: On 3/30/22 01:04, Dov Murik wrote: On 30/03/2022 8:20, Gerd Hoffmann wrote: Hi, Check if that page is defined; if it is, skip it in the metadata list. In such case, VMM should fill the page with the hashes content, or explicitly update it as a zero page (if kernel hashes are not used). Is it an option to just skip the page unconditionally? I think in the OvmfPkgX64 build the page is not used, so it probably doesn't matter whenever it is included or not, and it would make things a bit less confusing ... Brijesh, What would happen if we change this: %define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE) to: %define SNP_SEC_MEM_BASE_DESC_3 (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)) in OvmfPkg/ResetVector/ResetVector.nasmb ? It means that the page starting at MEMFD_BASE_ADDRESS+0x00F000 (that is, the page that follows the SNP CPUID page) will not be pre-validated by QEMU. Lets look at the OvmfPkgX64.fdf is ... 0x00E000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize 0x01|0x01 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize 0x02|0x0E gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize ... If you change SNP_SEC_MEM_BASE_DESC_3 to start from PcdOvmfPeiMemFvBase then who will validate the range for PcdOvmfSecPeiTempRamBase - PcdOvmfPeiMemFvBase ? The SEC phase (Sec/X64/SecEntry.nasm) uses the PcdOvmfSecPeiTempRamBase. If the memory is not validated prior to use then it will result in #VC (page-not-validated) and crash the guest BIOS boot. Gerd actually wants to change SNP_SEC_MEM_BASE_DESC_3 to start from PcdOvmfSecPeiTempRamBase, which is 0x01. Supposedly no one uses the single page at 0x00F000 . Yes, that should be alright as long as the SNP_SEC_MEM_BASE_DESC_3 start from PcdOvmfSecPeiTempRamBase. In PEI phase, we validate all the unvalidated range. So, as long as SEC phase is not using 800F000 - 801 we should be good. The PEI will validate that page. thanks -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#88270): https://edk2.groups.io/g/devel/message/88270 Mute This Topic: https://groups.io/mt/90092199/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 2/2] OvmfPkg/ResetVector: Exclude SEV launch secrets page from pre-validation
On 3/30/22 01:04, Dov Murik wrote: On 30/03/2022 8:20, Gerd Hoffmann wrote: Hi, Check if that page is defined; if it is, skip it in the metadata list. In such case, VMM should fill the page with the hashes content, or explicitly update it as a zero page (if kernel hashes are not used). Is it an option to just skip the page unconditionally? I think in the OvmfPkgX64 build the page is not used, so it probably doesn't matter whenever it is included or not, and it would make things a bit less confusing ... Brijesh, What would happen if we change this: %define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE) to: %define SNP_SEC_MEM_BASE_DESC_3 (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)) in OvmfPkg/ResetVector/ResetVector.nasmb ? It means that the page starting at MEMFD_BASE_ADDRESS+0x00F000 (that is, the page that follows the SNP CPUID page) will not be pre-validated by QEMU. Lets look at the OvmfPkgX64.fdf is ... 0x00E000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize 0x01|0x01 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize 0x02|0x0E gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize ... If you change SNP_SEC_MEM_BASE_DESC_3 to start from PcdOvmfPeiMemFvBase then who will validate the range for PcdOvmfSecPeiTempRamBase - PcdOvmfPeiMemFvBase ? The SEC phase (Sec/X64/SecEntry.nasm) uses the PcdOvmfSecPeiTempRamBase. If the memory is not validated prior to use then it will result in #VC (page-not-validated) and crash the guest BIOS boot. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#88268): https://edk2.groups.io/g/devel/message/88268 Mute This Topic: https://groups.io/mt/90092199/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: 回复: [edk2-devel] [PATCH 1/1] OvmfPkg/AmdSev: reserve snp pages
Hi Liming, The said PCD is applicable for the SNP. SNP is supported on x86 64-bit only, and most of the development is focused around Qemu/OVMF. In other words, the Bhyve, Xen, and CloudHV do not support the SNP yet. We can revisit it when those HV starts supporting the SNP. thanks Brijesh On 2/16/22 23:13, gaoliming wrote: Gerd and Brijesh: I see six FDF files include AmdSevDxe. But, only CloudHvX64 and OvmfPkgX64 adds reserve snp pages. So, I want to confirm whether others require reserve snp pages. AmdSev\AmdSevX64.fdf Bhyve\BhyveX64.fdf CloudHv\CloudHvX64.fdf OvmfPkgIa32X64.fdf OvmfPkgX64.fdf OvmfXen.fdf Thanks Liming -邮件原件- 发件人: devel@edk2.groups.io 代表 Brijesh Singh via groups.io 发送时间: 2022年2月17日 0:28 收件人: Gerd Hoffmann ; devel@edk2.groups.io 抄送: brijesh.si...@amd.com; Jordan Justen ; James Bottomley ; Pawel Polawski ; Erdem Aktas ; Ard Biesheuvel ; Tom Lendacky ; Min Xu ; Jiewen Yao 主题: Re: [edk2-devel] [PATCH 1/1] OvmfPkg/AmdSev: reserve snp pages On 2/16/22 01:00, Gerd Hoffmann wrote: The SNP patch series updated the OvmfPkgX64 build but forgot the AmdSev variant, resulting in a broken OvmfSevMetadata table. Fixes: cca9cd3dd6bf ("OvmfPkg: reserve CPUID page") Fixes: 707c71a01b9d ("OvmfPkg: reserve SNP secrets page") Signed-off-by: Gerd Hoffmann Thanks Gerd Reviewed-by: Brijesh Singh -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86833): https://edk2.groups.io/g/devel/message/86833 Mute This Topic: https://groups.io/mt/89203733/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 0/2] SEV BaseMemEncryptLib cleanup
This is the first of cleanup for SEV MemEncryptLib. The library uses the CPUID followed by the MSR read to determine whether SEV is enabled. Now that we have a workarea concept, the logic can be simplified to store the msr status in workarea and use that to build PCDs and then later simply use the PCDs instead of going through the CPUID and RDMSR. The complete branch is available at https://github.com/codomania/edk2/tree/sev-workarea-cleanup The series also fixes one of the issue raised in the bug https://bugzilla.tianocore.org/show_bug.cgi?id=3582 Changes since v1: * Cache the PCD reads so that we can avoid reading PCD while performing the virtual pointer conversion. Brijesh Singh (2): OvmfPkg/ResetVector: cache the SEV status MSR value in workarea OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea .../DxeMemEncryptSevLib.inf | 1 + .../PeiMemEncryptSevLib.inf | 1 + .../SecMemEncryptSevLib.inf | 1 + OvmfPkg/Include/WorkArea.h| 12 +- .../DxeMemEncryptSevLibInternal.c | 145 -- .../PeiMemEncryptSevLibInternal.c | 139 ++--- .../SecMemEncryptSevLibInternal.c | 80 +- OvmfPkg/Sec/AmdSev.c | 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 38 +++-- OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 3 +- OvmfPkg/ResetVector/ResetVector.nasmb | 3 + 11 files changed, 194 insertions(+), 231 deletions(-) -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86829): https://edk2.groups.io/g/devel/message/86829 Mute This Topic: https://groups.io/mt/89295063/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 1/2] OvmfPkg/ResetVector: cache the SEV status MSR value in workarea
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3582 In order to probe the SEV feature the BaseMemEncryptLib and Reset vector reads the SEV_STATUS MSR. Cache the value on the first read in the workarea. In the next patches the value saved in the workarea will be used by the BaseMemEncryptLib. This not only eliminates the extra MSR reads it also helps cleaning up the code in BaseMemEncryptLib. Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Include/WorkArea.h | 12 +-- OvmfPkg/Sec/AmdSev.c| 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 38 + OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 3 +- OvmfPkg/ResetVector/ResetVector.nasmb | 3 ++ 5 files changed, 39 insertions(+), 19 deletions(-) diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h index ce60d97aa886..d982e026def7 100644 --- a/OvmfPkg/Include/WorkArea.h +++ b/OvmfPkg/Include/WorkArea.h @@ -46,12 +46,20 @@ typedef struct _CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER { // any changes must stay in sync with its usage. // typedef struct _SEC_SEV_ES_WORK_AREA { - UINT8 SevEsEnabled; - UINT8 Reserved1[7]; + // + // Hold the SevStatus MSR value read by OvmfPkg/ResetVector/Ia32/AmdSev.c + // + UINT64SevStatusMsrValue; UINT64RandomData; UINT64EncryptionMask; + + // + // Indicator that the VC handler is called. It is used during the SevFeature + // detection in OvmfPkg/ResetVector/Ia32/AmdSev.c + // + UINT8 ReceivedVc; } SEC_SEV_ES_WORK_AREA; // diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 499d0c27d8fa..d8fd35650d7d 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -278,7 +278,7 @@ SevEsIsEnabled ( SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase); - return (SevEsWorkArea->SevEsEnabled != 0); + return ((SevEsWorkArea->SevStatusMsrValue & BIT1) != 0); } /** diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm index 1f827da3b929..864d68385342 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -157,8 +157,9 @@ SevClearPageEncMaskForGhcbPage: jnz SevClearPageEncMaskForGhcbPageExit ; Check if SEV-ES is enabled -cmp byte[SEV_ES_WORK_AREA], 1 -jnz SevClearPageEncMaskForGhcbPageExit +mov ecx, 1 +bt[SEV_ES_WORK_AREA_STATUS_MSR], ecx +jnc SevClearPageEncMaskForGhcbPageExit ; ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted. @@ -219,12 +220,16 @@ GetSevCBitMaskAbove31Exit: ; If SEV is disabled then EAX will be zero. ; CheckSevFeatures: -; Set the first byte of the workarea to zero to communicate to the SEC -; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID -; instruction will trigger a #VC exception where the first byte of the -; workarea will be set to one or, if CPUID is not being intercepted, -; the MSR check below will set the first byte of the workarea to one. -mov byte[SEV_ES_WORK_AREA], 0 +; +; Clear the workarea, if SEV is enabled then later part of routine +; will populate the workarea fields. +; +movecx, SEV_ES_WORK_AREA_SIZE +moveax, SEV_ES_WORK_AREA +ClearSevEsWorkArea: +movbyte [eax], 0 +inceax +loop ClearSevEsWorkArea ; ; Set up exception handlers to check for SEV-ES @@ -265,6 +270,10 @@ CheckSevFeatures: ; Set the work area header to indicate that the SEV is enabled mov byte[WORK_AREA_GUEST_TYPE], 1 +; Save the SevStatus MSR value in the workarea +mov [SEV_ES_WORK_AREA_STATUS_MSR], eax +mov [SEV_ES_WORK_AREA_STATUS_MSR + 4], edx + ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest @@ -280,10 +289,6 @@ CheckSevFeatures: bteax, 1 jnc GetSevEncBit -; Set the first byte of the workarea to one to communicate to the SEC -; phase that SEV-ES is enabled. -mov byte[SEV_ES_WORK_AREA], 1 - GetSevEncBit: ; Get pte bit position to enable memory encryption ; CPUID Fn8000_001F[EBX] - Bits 5:0 @@ -313,7 +318,10 @@ NoSev: ; ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred. ; -cmp byte[SEV_ES_WORK_AREA], 0 +; If SEV-ES is enabled, the CPUID instruction will trigger a #VC exception +; where the RECEIVED_VC offset in the workarea will be set to one. +; +cmp byte[SEV_ES_WORK_AREA_RECEIVED_VC], 0 jzNoSevPass ; @@ -407,9 +415,9 @@ SevEsIdtVmmComm: ; If we're here, then we are an SEV-ES guest and this ; was triggered by a CPUID i
[edk2-devel] [PATCH v2 2/2] OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3582 Improve the MemEncryptSev{Es,Snp}IsEnabled() to use the SEV_STATUS MSR value saved in the workarea. Since workarea is valid until the PEI phase, so, for the Dxe phase use the PcdConfidentialComputingGuestAttr to determine which SEV technology is enabled. Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../DxeMemEncryptSevLib.inf | 1 + .../PeiMemEncryptSevLib.inf | 1 + .../SecMemEncryptSevLib.inf | 1 + .../DxeMemEncryptSevLibInternal.c | 145 -- .../PeiMemEncryptSevLibInternal.c | 139 ++--- .../SecMemEncryptSevLibInternal.c | 80 +- 6 files changed, 155 insertions(+), 212 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f613bb314f5f..35b7d519d938 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -58,3 +58,4 @@ [FeaturePcd] [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 50c83859d7e7..714da3323765 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -58,6 +58,7 @@ [FeaturePcd] [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 939af0a91ea4..284e5acc1177 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -52,3 +52,4 @@ [LibraryClasses] [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 15fcd5529587..4aba0075b9e2 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -16,83 +16,84 @@ #include #include #include +#include -STATIC BOOLEAN mSevStatus= FALSE; -STATIC BOOLEAN mSevEsStatus = FALSE; -STATIC BOOLEAN mSevSnpStatus = FALSE; -STATIC BOOLEAN mSevStatusChecked = FALSE; - +STATIC UINT64 mCurrentAttr= 0; +STATIC BOOLEAN mCurrentAttrRead= FALSE; STATIC UINT64 mSevEncryptionMask = 0; STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; /** - Reads and sets the status of SEV features. + The function check if the specified Attr is set. - **/ + @param[in] CurrentAttr The current attribute. + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is set. + @retval FALSE The specified Attr is not set. + +**/ +STATIC +BOOLEAN +AmdMemEncryptionAttrCheck ( + IN UINT64 CurrentAttr, + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ) +{ + switch (Attr) { +case CCAttrAmdSev: + // + // SEV is automatically enabled if SEV-ES or SEV-SNP is active. + // + return CurrentAttr >= CCAttrAmdSev; +case CCAttrAmdSevEs: + // + // SEV-ES is automatically enabled if SEV-SNP is active. + // + return CurrentAttr >= CCAttrAmdSevEs; +case CCAttrAmdSevSnp: + return CurrentAttr == CCAttrAmdSevSnp; +default: + return FALSE; + } +} + +/** + Check if the specified confidential computing attribute is active. + + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. + +**/ STATIC -VOID +BOOLEAN EFIAPI -InternalMemEncryptSevStatus ( - VOID +ConfidentialComputingGuestHas ( + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { - UINT32RegEax; - MSR_SEV_STATUS_REGISTER Msr; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - UINT64EncryptionMask; - - ReadSevMsr = FALSE; - - EncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask); - if (EncryptionMask != 0) { -// -// The MSR has been read befo
Re: [edk2-devel] [PATCH 1/1] OvmfPkg/AmdSev: reserve snp pages
On 2/16/22 01:00, Gerd Hoffmann wrote: The SNP patch series updated the OvmfPkgX64 build but forgot the AmdSev variant, resulting in a broken OvmfSevMetadata table. Fixes: cca9cd3dd6bf ("OvmfPkg: reserve CPUID page") Fixes: 707c71a01b9d ("OvmfPkg: reserve SNP secrets page") Signed-off-by: Gerd Hoffmann Thanks Gerd Reviewed-by: Brijesh Singh -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86709): https://edk2.groups.io/g/devel/message/86709 Mute This Topic: https://groups.io/mt/89180886/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH 1/1] OvmfPkg/FvbServicesSmm: use the VmgExitLibNull
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3835 The commit ade62c18f4742301bbef474ac10518bde5972fba caused a boot failure when OVMF is build with SECURE_BOOT/SMM enabled. This happen because the above commit extended the BaseMemEncryptSevLib.inf to include VmgExitLib. The FvbServicesSmm uses the functions provided by the MemEncryptSevLib to clear the memory encryption mask from the page table. It created a dependency, as shown below OvmfPkg/FvbServicesSmm.inf ---> MemEncryptSevLib class ---> "OvmfPkg/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf" instance ---> VmgExitLib ---> "OvmfPkg/VmgExitLib"instance ---> LocalApicLib class ---> UefiCpuPkg/BaseXApicX2ApicLib/BaseXApicX2ApicLib.infinstance ---> TimerLib class ---> "OvmfPkg/AcpiTimerLib/DxeAcpiTimerLib.inf" instance ---> PciLib class ---> "OvmfPkg/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf" instance The LocalApicLib provides a constructor, execution of the constructor causes an exception. The SEV-ES and SEV-SNP do not support the SMM, so skip including the VmgExitLib chain. Use the module override to use the VmgExitLibNull to avoid the inclusion of unneeded LocalApicLib dependency chain in FvbServicesSmm. We ran similar issue for AmdSevDxe driver, see commit 19914edc5a0202cc7830f819ffac7e7b2368166a After the patch, the dependency look like this: OvmfPkg/FvbServicesSmm.inf ---> MemEncryptSevLib class ---> "OvmfPkg/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf" instance ---> VmgExitLib ---> "UefiCpuPkg/Library/VmgExitLibNull"instance Fixes: ade62c18f4742301bbef474ac10518bde5972fba Reported-by: Aaron Young Cc: Dann Frazier Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/CloudHv/CloudHvX64.dsc | 5 - OvmfPkg/OvmfPkgIa32.dsc| 5 - OvmfPkg/OvmfPkgIa32X64.dsc | 5 - OvmfPkg/OvmfPkgX64.dsc | 5 - 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index 8ac9227c5f50..3172100310b1 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -906,7 +906,10 @@ [Components] # # Variable driver stack (SMM) # - OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf + OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf { + +VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf + } MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf { diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 29eea82571c5..85abed24c1a7 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -956,7 +956,10 @@ [Components] # # Variable driver stack (SMM) # - OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf + OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf { + +VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf + } MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf { diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 56d3c49ab21a..a9c1daecc1a8 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -974,7 +974,10 @@ [Components.X64] # # Variable driver stack (SMM) # - OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf + OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf { + +VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf + } MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf { diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index f0924c0f9d0a..718399299f57 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -971,7 +971,10 @@ [Components] # # Variable driver stack (SMM) # - OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf + OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf { + +VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf + } MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmm.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf { -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86684): https://edk2.groups.io/g/devel/message/86684 Mute This Topic: https://groups.io/mt/89162799/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] OvmfPkg VmgExitLib fails to build with CLANG38 (clang 13.0.0)
On 2/2/22 6:16 PM, Rebecca Cran wrote: > On 2/2/22 14:16, Lendacky, Thomas via groups.io wrote: >> This looks like the same error that XCODE5 was complaining about. The >> patch was submitted by Brijesh, but some CI failure occurred. I'm not >> sure how that is possible from a one line patch like that, maybe it >> has something to do with the file in general, excluding the patch? > > No, the patch is wrong: Uncrustify wants the equals signs to line up. > > XssMsr.Uint64 = 0; > + Compacted = FALSE; > > > Should be: > > XssMsr.Uint64 = 0; > + Compacted = FALSE; > > I am a bit occupied with kernel work right now, so feel free to send the patch. Otherwise, I will get the patch out on Monday or Tuesday. -Brijesh -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86390): https://edk2.groups.io/g/devel/message/86390 Mute This Topic: https://groups.io/mt/88869092/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/2] SEV BaseMemEncryptLib cleanup
On 1/21/22 2:04 AM, Gerd Hoffmann via groups.io wrote: On Wed, Jan 19, 2022 at 05:03:30PM -0600, Brijesh Singh wrote: This is the first of cleanup for SEV MemEncryptLib. The library uses the CPUID followed by the MSR read to determine whether SEV is enabled. Now that we have a workarea concept, the logic can be simplified to store the msr status in workarea and use that to build PCDs and then later simply use the PCDs instead of going through the CPUID and RDMSR. The complete branch is available at https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcodomania%2Fedk2%2Ftree%2Fsev-workarea-cleanupdata=04%7C01%7Cbrijesh.singh%40amd.com%7C72f26427ada24f9fc2aa08d9dcb4bc74%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637783491097406747%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=DKsibiI3OYAJkR09fMPCUz0JGyh7ZrGJGj55VmO5%2FsQ%3Dreserved=0 Brijesh Singh (2): OvmfPkg/ResetVector: cache the SEV status MSR value in workarea OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea Looks good to me. Acked-by: Gerd Hoffmann I ran into a regression for non-SEV guest, let me work to fix and post v2. -Brijesh -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#86073): https://edk2.groups.io/g/devel/message/86073 Mute This Topic: https://groups.io/mt/88547250/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH 2/2] OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea
Improve the MemEncryptSev{Es,Snp}IsEnabled() to use the SEV_STATUS MSR value saved in the workarea. Since workarea is valid until the PEI phase, so, for the Dxe phase use the PcdConfidentialComputingGuestAttr to determine which SEV technology is enabled. Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../DxeMemEncryptSevLib.inf | 1 + .../PeiMemEncryptSevLib.inf | 1 + .../SecMemEncryptSevLib.inf | 1 + .../DxeMemEncryptSevLibInternal.c | 142 -- .../PeiMemEncryptSevLibInternal.c | 139 ++--- .../SecMemEncryptSevLibInternal.c | 80 +- 6 files changed, 150 insertions(+), 214 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f613bb314f5f..35b7d519d938 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -58,3 +58,4 @@ [FeaturePcd] [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 50c83859d7e7..714da3323765 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -58,6 +58,7 @@ [FeaturePcd] [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 939af0a91ea4..284e5acc1177 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -52,3 +52,4 @@ [LibraryClasses] [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 15fcd5529587..25768daf5467 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -16,83 +16,77 @@ #include #include #include - -STATIC BOOLEAN mSevStatus= FALSE; -STATIC BOOLEAN mSevEsStatus = FALSE; -STATIC BOOLEAN mSevSnpStatus = FALSE; -STATIC BOOLEAN mSevStatusChecked = FALSE; +#include STATIC UINT64 mSevEncryptionMask = 0; STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; /** - Reads and sets the status of SEV features. + The function check if the specified Attr is set. - **/ + @param[in] CurrentAttr The current attribute. + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is set. + @retval FALSE The specified Attr is not set. + +**/ +STATIC +BOOLEAN +AmdMemEncryptionAttrCheck ( + IN UINT64 CurrentAttr, + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ) +{ + switch (Attr) { +case CCAttrAmdSev: + // + // SEV is automatically enabled if SEV-ES or SEV-SNP is active. + // + return CurrentAttr >= CCAttrAmdSev; +case CCAttrAmdSevEs: + // + // SEV-ES is automatically enabled if SEV-SNP is active. + // + return CurrentAttr >= CCAttrAmdSevEs; +case CCAttrAmdSevSnp: + return CurrentAttr == CCAttrAmdSevSnp; +default: + return FALSE; + } +} + +/** + Check if the specified confidential computing attribute is active. + + @param[in] Attr The attribute to check. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. + +**/ STATIC -VOID +BOOLEAN EFIAPI -InternalMemEncryptSevStatus ( - VOID +ConfidentialComputingGuestHas ( + IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ) { - UINT32RegEax; - MSR_SEV_STATUS_REGISTER Msr; - CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - UINT64EncryptionMask; - - ReadSevMsr = FALSE; - - EncryptionMask = PcdGet64 (PcdPteMemoryEncryptionAddressOrMask); - if (EncryptionMask != 0) { -// -// The MSR has been read before, so it is safe to read it again and avoid -// having to validate the CPUID information. -// -ReadSevMsr = TRUE; - } else { -// -// Check if memory encryption leaf
[edk2-devel] [PATCH 1/2] OvmfPkg/ResetVector: cache the SEV status MSR value in workarea
In order to probe the SEV feature the BaseMemEncryptLib and Reset vector reads the SEV_STATUS MSR. Cache the value on the first read in the workarea. In the next patches the value saved in the workarea will be used by the BaseMemEncryptLib. This not only eliminates the extra MSR reads it also helps cleaning up the code in BaseMemEncryptLib. Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Include/WorkArea.h | 12 +-- OvmfPkg/Sec/AmdSev.c| 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 38 + OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 3 +- OvmfPkg/ResetVector/ResetVector.nasmb | 3 ++ 5 files changed, 39 insertions(+), 19 deletions(-) diff --git a/OvmfPkg/Include/WorkArea.h b/OvmfPkg/Include/WorkArea.h index ce60d97aa886..d982e026def7 100644 --- a/OvmfPkg/Include/WorkArea.h +++ b/OvmfPkg/Include/WorkArea.h @@ -46,12 +46,20 @@ typedef struct _CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER { // any changes must stay in sync with its usage. // typedef struct _SEC_SEV_ES_WORK_AREA { - UINT8 SevEsEnabled; - UINT8 Reserved1[7]; + // + // Hold the SevStatus MSR value read by OvmfPkg/ResetVector/Ia32/AmdSev.c + // + UINT64SevStatusMsrValue; UINT64RandomData; UINT64EncryptionMask; + + // + // Indicator that the VC handler is called. It is used during the SevFeature + // detection in OvmfPkg/ResetVector/Ia32/AmdSev.c + // + UINT8 ReceivedVc; } SEC_SEV_ES_WORK_AREA; // diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 499d0c27d8fa..d8fd35650d7d 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -278,7 +278,7 @@ SevEsIsEnabled ( SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *)FixedPcdGet32 (PcdSevEsWorkAreaBase); - return (SevEsWorkArea->SevEsEnabled != 0); + return ((SevEsWorkArea->SevStatusMsrValue & BIT1) != 0); } /** diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm index 1f827da3b929..864d68385342 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -157,8 +157,9 @@ SevClearPageEncMaskForGhcbPage: jnz SevClearPageEncMaskForGhcbPageExit ; Check if SEV-ES is enabled -cmp byte[SEV_ES_WORK_AREA], 1 -jnz SevClearPageEncMaskForGhcbPageExit +mov ecx, 1 +bt[SEV_ES_WORK_AREA_STATUS_MSR], ecx +jnc SevClearPageEncMaskForGhcbPageExit ; ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted. @@ -219,12 +220,16 @@ GetSevCBitMaskAbove31Exit: ; If SEV is disabled then EAX will be zero. ; CheckSevFeatures: -; Set the first byte of the workarea to zero to communicate to the SEC -; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID -; instruction will trigger a #VC exception where the first byte of the -; workarea will be set to one or, if CPUID is not being intercepted, -; the MSR check below will set the first byte of the workarea to one. -mov byte[SEV_ES_WORK_AREA], 0 +; +; Clear the workarea, if SEV is enabled then later part of routine +; will populate the workarea fields. +; +movecx, SEV_ES_WORK_AREA_SIZE +moveax, SEV_ES_WORK_AREA +ClearSevEsWorkArea: +movbyte [eax], 0 +inceax +loop ClearSevEsWorkArea ; ; Set up exception handlers to check for SEV-ES @@ -265,6 +270,10 @@ CheckSevFeatures: ; Set the work area header to indicate that the SEV is enabled mov byte[WORK_AREA_GUEST_TYPE], 1 +; Save the SevStatus MSR value in the workarea +mov [SEV_ES_WORK_AREA_STATUS_MSR], eax +mov [SEV_ES_WORK_AREA_STATUS_MSR + 4], edx + ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest @@ -280,10 +289,6 @@ CheckSevFeatures: bteax, 1 jnc GetSevEncBit -; Set the first byte of the workarea to one to communicate to the SEC -; phase that SEV-ES is enabled. -mov byte[SEV_ES_WORK_AREA], 1 - GetSevEncBit: ; Get pte bit position to enable memory encryption ; CPUID Fn8000_001F[EBX] - Bits 5:0 @@ -313,7 +318,10 @@ NoSev: ; ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred. ; -cmp byte[SEV_ES_WORK_AREA], 0 +; If SEV-ES is enabled, the CPUID instruction will trigger a #VC exception +; where the RECEIVED_VC offset in the workarea will be set to one. +; +cmp byte[SEV_ES_WORK_AREA_RECEIVED_VC], 0 jzNoSevPass ; @@ -407,9 +415,9 @@ SevEsIdtVmmComm: ; If we're here, then we are an SEV-ES guest and this ; was triggered by a CPUID instruction ; -; Set the first byte of the workarea to one to c
[edk2-devel] [PATCH 0/2] SEV BaseMemEncryptLib cleanup
This is the first of cleanup for SEV MemEncryptLib. The library uses the CPUID followed by the MSR read to determine whether SEV is enabled. Now that we have a workarea concept, the logic can be simplified to store the msr status in workarea and use that to build PCDs and then later simply use the PCDs instead of going through the CPUID and RDMSR. The complete branch is available at https://github.com/codomania/edk2/tree/sev-workarea-cleanup Brijesh Singh (2): OvmfPkg/ResetVector: cache the SEV status MSR value in workarea OvmfPkg/BaseMemEncryptLib: use the SEV_STATUS MSR value from workarea .../DxeMemEncryptSevLib.inf | 1 + .../PeiMemEncryptSevLib.inf | 1 + .../SecMemEncryptSevLib.inf | 1 + OvmfPkg/Include/WorkArea.h| 12 +- .../DxeMemEncryptSevLibInternal.c | 142 -- .../PeiMemEncryptSevLibInternal.c | 139 ++--- .../SecMemEncryptSevLibInternal.c | 80 +- OvmfPkg/Sec/AmdSev.c | 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 38 +++-- OvmfPkg/ResetVector/Ia32/Flat32ToFlat64.asm | 3 +- OvmfPkg/ResetVector/ResetVector.nasmb | 3 + 11 files changed, 189 insertions(+), 233 deletions(-) -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#85834): https://edk2.groups.io/g/devel/message/85834 Mute This Topic: https://groups.io/mt/88547250/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 1/1] OvmfPkg/VmgExitLib: Fix uninitialized variable warning
[AMD Official Use Only] I did ran uncrustify before submitting the patch. I am wondering if CI is reporting for some other issue in that file. I will look at it tomorrow. -Brijesh From: devel@edk2.groups.io on behalf of Rebecca Cran via groups.io Sent: Monday, December 13, 2021 8:41 PM To: devel@edk2.groups.io ; jiewen@intel.com ; Singh, Brijesh Cc: James Bottomley ; Xu, Min M ; Lendacky, Thomas ; Justen, Jordan L ; Ard Biesheuvel ; Aktas, Erdem ; Roth, Michael ; Gerd Hoffmann ; Rebecca Cran Subject: Re: [edk2-devel] [PATCH 1/1] OvmfPkg/VmgExitLib: Fix uninitialized variable warning The error is: ERROR - /home/vsts/work/1/s/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c ERROR - --->Test Failed: Uncrustify Coding Standard Test NO-TARGET returned 1 >From what I can see, there's no report of the actual error here, so you have >to setup Uncrustify locally to see what changes it wants to make. For instructions on setting up Uncrustify, see https://github.com/makubacki/tianocore.github.io/blob/add_uncrustify_instructions/EDK-II-Code-Formatting.md<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmakubacki%2Ftianocore.github.io%2Fblob%2Fadd_uncrustify_instructions%2FEDK-II-Code-Formatting.md=04%7C01%7Cbrijesh.singh%40amd.com%7C7ecf1a179d074ef3f37508d9beab5348%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637750465337231937%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000=Sl05dDDFzzZvpvzJp%2Bw5DWE81ocuy%2BYC4VfNxffyq5c%3D=0> . Given the change, I expect the indentation of the equals sign is wrong. -- Rebecca Cran On 12/13/21 7:34 PM, Yao, Jiewen wrote: Hey Brijesh CI fails - https://github.com/tianocore/edk2/pull/2301<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2%2Fpull%2F2301=04%7C01%7Cbrijesh.singh%40amd.com%7C7ecf1a179d074ef3f37508d9beab5348%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637750465337241935%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000=914Gty%2BcMcmasiuDAUXdQr78gmU71%2FqL5mVcsbfrrSQ%3D=0> Would you please take a look? Please remember to submit patch after you run CI next time. -Original Message- From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <mailto:devel@edk2.groups.io> On Behalf Of Yao, Jiewen Sent: Tuesday, December 14, 2021 10:11 AM To: Brijesh Singh <mailto:brijesh.si...@amd.com>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: James Bottomley <mailto:j...@linux.ibm.com>; Xu, Min M <mailto:min.m...@intel.com>; Tom Lendacky <mailto:thomas.lenda...@amd.com>; Justen, Jordan L <mailto:jordan.l.jus...@intel.com>; Ard Biesheuvel <mailto:ardb+tianoc...@kernel.org>; Aktas, Erdem <mailto:erdemak...@google.com>; Michael Roth <mailto:michael.r...@amd.com>; Gerd Hoffmann <mailto:kra...@redhat.com>; Rebecca Cran <mailto:rebe...@bsdio.com> Subject: Re: [edk2-devel] [PATCH 1/1] OvmfPkg/VmgExitLib: Fix uninitialized variable warning Reviewed-by: Jiewen Yao <mailto:jiewen@intel.com> -Original Message- From: Brijesh Singh <mailto:brijesh.si...@amd.com> Sent: Tuesday, December 14, 2021 3:39 AM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: James Bottomley <mailto:j...@linux.ibm.com>; Xu, Min M <mailto:min.m...@intel.com>; Yao, Jiewen <mailto:jiewen@intel.com>; Tom Lendacky <mailto:thomas.lenda...@amd.com>; Justen, Jordan L <mailto:jordan.l.jus...@intel.com>; Ard Biesheuvel <mailto:ardb+tianoc...@kernel.org>; Aktas, Erdem <mailto:erdemak...@google.com>; Michael Roth <mailto:michael.r...@amd.com>; Gerd Hoffmann <mailto:kra...@redhat.com>; Brijesh Singh <mailto:brijesh.si...@amd.com>; Rebecca Cran <mailto:rebe...@bsdio.com> Subject: [PATCH 1/1] OvmfPkg/VmgExitLib: Fix uninitialized variable warning The XCODE5 reported the below warning OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c:1895:12: note: uninitialized use occurs here Compacted ^ Initialize the 'Compacted' variable to fix the warning. Fixes: d2b998fbdca4 (OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values) Cc: James Bottomley <mailto:j...@linux.ibm.com> Cc: Min Xu <mailto:min.m...@intel.com> Cc: Jiewen Yao <mailto:jiewen@intel.com> Cc: Tom Lendacky <mailto:thomas.lenda...@amd.com> Cc: Jordan Justen <mailto:jordan.l.jus...@intel.com> Cc: Ard Biesheuvel <mailto:ardb+tianoc...@kernel.org> Cc: Erdem Aktas <mailto:erdemak...@google.com> Cc: Gerd Hoffmann <mailto:kra...@redhat.com> Cc: Rebecca Cran <mailto:rebe...@bsdio.com> Cc: Michael Roth <mailto:michael.r...@amd.com> Signed-off-by: Brijesh Singh <mailto:brijesh.si...@amd.com> --- OvmfPkg/Library
[edk2-devel] [PATCH 1/1] OvmfPkg/VmgExitLib: Fix uninitialized variable warning
The XCODE5 reported the below warning OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c:1895:12: note: uninitialized use occurs here Compacted ^ Initialize the 'Compacted' variable to fix the warning. Fixes: d2b998fbdca4 (OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values) Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Cc: Rebecca Cran Cc: Michael Roth Signed-off-by: Brijesh Singh --- OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 1 + 1 file changed, 1 insertion(+) diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c index a40a31f7c275..ff367411cc59 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c +++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c @@ -1872,6 +1872,7 @@ GetCpuidFw ( UINT32 XSaveSize; XssMsr.Uint64 = 0; +Compacted = FALSE; if (EcxIn == 1) { /* * The PPR and APM aren't clear on what size should be encoded in -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84756): https://edk2.groups.io/g/devel/message/84756 Mute This Topic: https://groups.io/mt/87705849/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] Building OvmfPkgX64.dsc with XCODE5 (Apple clang 12.0.5) fails in VmgExitLib
On 12/13/21 11:48 AM, Rebecca Cran wrote: I tried building OvmfPkg/OvmfPkgX64.dsc with XCODE5 (with Apple Clang 12.0.5 from XCode 13.1) and it failed with the following error: /Users/bcran/src/uefi/edk2/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c:1875:9: error: variable 'Compacted' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] if (EcxIn == 1) { ^~ /Users/bcran/src/uefi/edk2/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c:1895:12: note: uninitialized use occurs here Compacted ^ /Users/bcran/src/uefi/edk2/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c:1875:5: note: remove the 'if' if its condition is always true if (EcxIn == 1) { ^~~~ /Users/bcran/src/uefi/edk2/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c:1871:37: note: initialize the variable 'Compacted' to silence this warning BOOLEAN Compacted; ^ = '\0' Thanks for reporting, I will submit a patch sooner to resolve this warning. -Brijesh -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84755): https://edk2.groups.io/g/devel/message/84755 Mute This Topic: https://groups.io/mt/87703341/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 32/32] UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
From: Tom Lendacky BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Use the SEV-SNP AP Creation NAE event to create and launch APs under SEV-SNP. This capability will be advertised in the SEV Hypervisor Feature Support PCD (PcdSevEsHypervisorFeatures). Cc: Michael Roth Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Acked-by: Gerd Hoffmann Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/MpLib.h | 44 +++ UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 13 +- UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c| 70 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 59 ++-- UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 263 ++ 7 files changed, 433 insertions(+), 22 deletions(-) create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf index de705bc54bb4..e1cd0b350008 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm [Sources.common] @@ -73,6 +75,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds ## CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf index b7e15ee023f0..5facf4db9499 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm [Sources.common] @@ -64,6 +66,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index be67cd88ec46..7d84a56fbc51 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -15,6 +15,7 @@ #include #include +#include #include #include #include @@ -150,6 +151,7 @@ typedef struct { UINT8 PlatformId; UINT64MicrocodeEntryAddr; UINT32MicrocodeRevision; + SEV_ES_SAVE_AREA *SevEsSaveArea; } CPU_AP_DATA; // @@ -294,6 +296,7 @@ struct _CPU_MP_DATA { BOOLEANSevEsIsEnabled; BOOLEANSevSnpIsEnabled; + BOOLEANUseSevEsAPMethod; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA*NewCpuMpData; @@ -799,4 +802,45 @@ FillExchangeInfoDataSevEs ( IN volatile MP_CPU_EXCHANGE_INFO *ExchangeInfo ); +/** + Issue RMPADJUST to adjust the VMSA attribute of an SEV-SNP page. + + @param[in] PageAddress + @param[in] VmsaPage + + @return RMPADJUST return value +**/ +UINT32 +SevSnpRmpAdjust ( + IN EFI_PHYSICAL_ADDRESS PageAddress, + IN BOOLEAN VmsaPage + ); + +/** + Create an SEV-SNP AP save area (VMSA) for use in running the vCPU. + + @param[in] CpuMpDataPointer to CPU MP Data + @param[in] CpuData Pointer to CPU AP Data + @param[in] ApicId APIC ID of the vCPU +**/ +VOID +SevSnpCreateSaveArea ( + IN CPU_MP_DATA *CpuMpData, + IN CPU_AP_DATA *CpuData, + UINT32 ApicId + ); + +/** + Create SEV-SNP APs. + + @param[in] CpuMpDataPointer to CPU MP Data + @param[in] ProcessorNumber The handle number of specified processor + (-1 for all APs) +**/ +VOID +SevSnpCreateAP ( + IN CPU_MP_DATA *CpuMpData, + IN INTN
[edk2-devel] [PATCH v14 21/32] OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The MpInitLib uses the ConfidentialComputingAttr PCD to determine whether AMD SEV is active so that it can use the VMGEXITs defined in the GHCB specification to create APs. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Suggested-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc| 3 +++ OvmfPkg/OvmfPkgIa32.dsc | 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++ OvmfPkg/OvmfPkgX64.dsc | 3 +++ OvmfPkg/PlatformPei/PlatformPei.inf | 1 + OvmfPkg/PlatformPei/AmdSev.c| 15 +++ 6 files changed, 28 insertions(+) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 2997929faa05..8f5876341e26 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -575,6 +575,9 @@ [PcdsDynamicDefault] gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + !if $(TPM_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} !endif diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 1dc069e42420..dbcfa5ab52ce 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -651,6 +651,9 @@ [PcdsDynamicDefault] gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + [PcdsDynamicHii] !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index a766457e6bc6..e4597e7f03da 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -659,6 +659,9 @@ [PcdsDynamicDefault] gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} !endif + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + [PcdsDynamicDefault.X64] # IPv4 and IPv6 PXE Boot support. gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 97b7cb40ff88..08837bf8ec97 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -662,6 +662,9 @@ [PcdsDynamicDefault] gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + [PcdsDynamicHii] !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 67eb7aa7166b..bada5ea14439 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -106,6 +106,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index a0f9178ed6e9..c60a153a059e 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "Platform.h" @@ -345,4 +346,18 @@ AmdSevInitialize ( // Check and perform SEV-ES initialization if required. // AmdSevEsInitialize (); + + // + // Set the Confidential computing attr PCD to communicate which SEV + // technology is active. + // + if (MemEncryptSevSnpIsEnabled ()) { +PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp); + } else if (MemEncryptSevEsIsEnabled ()) { +PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs); + } else { +PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev); + } + + ASSERT_RETURN_ERROR (PcdStatus); } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84570): https://edk2.groups.io/g/devel/message/84570 Mute This Topic: https://groups.io/mt/87605570/21656 Group Own
[edk2-devel] [PATCH v14 24/32] OvmfPkg/PlatformPei: set the Hypervisor Features PCD
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Version 2 of the GHCB specification added the support to query the hypervisor feature bitmap. The feature bitmap provide information such as whether to use the AP create VmgExit or use the AP jump table approach to create the APs. The MpInitLib will use the PcdGhcbHypervisorFeatures to determine which method to use for creating the AP. Query the hypervisor feature and set the PCD accordingly. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++ OvmfPkg/PlatformPei/AmdSev.c| 55 + 2 files changed, 57 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index bada5ea14439..3c05b550e4bd 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -62,6 +62,7 @@ [LibraryClasses] MtrrLib MemEncryptSevLib PcdLib + VmgExitLib [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase @@ -107,6 +108,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index c60a153a059e..9b71f7cf2fab 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -24,6 +24,12 @@ #include "Platform.h" +STATIC +UINT64 +GetHypervisorFeature ( + VOID + ); + /** Initialize SEV-SNP support if running as an SEV-SNP guest. @@ -36,11 +42,21 @@ AmdSevSnpInitialize ( { EFI_PEI_HOB_POINTERS Hob; EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob; + UINT64 HvFeatures; + EFI_STATUS PcdStatus; if (!MemEncryptSevSnpIsEnabled ()) { return; } + // + // Query the hypervisor feature using the VmgExit and set the value in the + // hypervisor features PCD. + // + HvFeatures = GetHypervisorFeature (); + PcdStatus = PcdSet64S (PcdGhcbHypervisorFeatures, HvFeatures); + ASSERT_RETURN_ERROR (PcdStatus); + // // Iterate through the system RAM and validate it. // @@ -91,6 +107,45 @@ SevEsProtocolFailure ( CpuDeadLoop (); } +/** + Get the hypervisor features bitmap + +**/ +STATIC +UINT64 +GetHypervisorFeature ( + VOID + ) +{ + UINT64Status; + GHCB *Ghcb; + MSR_SEV_ES_GHCB_REGISTER Msr; + BOOLEAN InterruptState; + UINT64Features; + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + Ghcb= Msr.Ghcb; + + // + // Initialize the GHCB + // + VmgInit (Ghcb, ); + + // + // Query the Hypervisor Features. + // + Status = VmgExit (Ghcb, SVM_EXIT_HYPERVISOR_FEATURES, 0, 0); + if ((Status != 0)) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + Features = Ghcb->SaveArea.SwExitInfo2; + + VmgDone (Ghcb, InterruptState); + + return Features; +} + /** This function can be used to register the GHCB GPA. -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84569): https://edk2.groups.io/g/devel/message/84569 Mute This Topic: https://groups.io/mt/87605567/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 31/32] OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Now that both the secrets and cpuid pages are reserved in the HOB, extract the location details through fixed PCD and make it available to the guest OS through the configuration table. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 1 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 .../Guid/ConfidentialComputingSevSnpBlob.h| 33 +++ OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 + 4 files changed, 64 insertions(+) create mode 100644 OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index c22b846cd663..769bef0ffa12 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -124,6 +124,7 @@ [Guids] gQemuKernelLoaderFsMediaGuid = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} gGrubFileGuid = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} gConfidentialComputingSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} + gConfidentialComputingSevSnpBlobGuid = {0x067b1f5f, 0xcf26, 0x44c5, {0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42}} [Ppis] # PPI whose presence in the PPI database signals that the TPM base address diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf index 0676fcc5b6a4..9acf860cf25e 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf @@ -42,6 +42,13 @@ [FeaturePcd] [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize + +[Guids] + gConfidentialComputingSevSnpBlobGuid [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId diff --git a/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h b/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h new file mode 100644 index ..b328310fd0c2 --- /dev/null +++ b/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h @@ -0,0 +1,33 @@ +/** @file + UEFI Configuration Table for exposing the SEV-SNP launch blob. + + Copyright (c) 2021, Advanced Micro Devices Inc. All right reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + **/ + +#ifndef CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB_H_ +#define CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB_H_ + +#include + +#define CONFIDENTIAL_COMPUTING_SNP_BLOB_GUID\ + { 0x067b1f5f, \ +0xcf26, \ +0x44c5, \ +{ 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42 }, \ + } + +typedef struct { + UINT32Header; + UINT16Version; + UINT16Reserved1; + UINT64SecretsPhysicalAddress; + UINT32SecretsSize; + UINT64CpuidPhysicalAddress; + UINT32CpuidLSize; +} CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION; + +extern EFI_GUID gConfidentialComputingSevSnpBlobGuid; + +#endif diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c index be26dde71f9d..662d3c4ccb0f 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c @@ -17,8 +17,20 @@ #include #include #include +#include +#include #include +STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = { + SIGNATURE_32 ('A','M', 'D', 'E'), + 1, + 0, + (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfSnpSecretsBase), + FixedPcdGet32 (PcdOvmfSnpSecretsSize), + (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfCpuidBase), + FixedPcdGet32 (PcdOvmfCpuidSize), +}; + EFI_STATUS EFIAPI AmdSevDxeEntryPoint ( @@ -135,5 +147,16 @@ AmdSevDxeEntryPoint ( } } + // + // If its SEV-SNP active guest then install the CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB. + // It contains the location for both the Secrets and CPUID page. + // + if (MemEncryptSevSnpIsEnabled ()) { +return gBS->InstallConfigurationTable ( + , + + ); + } + return EFI_SUCCESS; } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84568): https://edk2.groups.io/g/devel/message/84568 Mute This Topic: https://groups.io/mt/87605566/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 29/32] OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
The SetMemoryEncDec() is used by the higher level routines to set or clear the page encryption mask for system RAM and Mmio address. When SEV-SNP is active, in addition to set/clear page mask it also updates the RMP table. The RMP table updates are required for the system RAM address and not the Mmio address. Add a new parameter in SetMemoryEncDec() to tell whether the specified address is Mmio. If its Mmio then skip the page state change in the RMP table. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- .../X64/PeiDxeVirtualMemory.c | 20 --- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index 814f814035fa..b9c0a5b25ac0 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -671,6 +671,7 @@ InternalMemEncryptSevCreateIdentityMap1G ( @param[in] ModeSet or Clear mode @param[in] CacheFlush Flush the caches before applying the encryption mask + @param[in] MmioThe physical address specified is Mmio @retval RETURN_SUCCESS The attributes were cleared for the memory region. @@ -686,7 +687,8 @@ SetMemoryEncDec ( INPHYSICAL_ADDRESS PhysicalAddress, INUINTN Length, INMAP_RANGE_MODEMode, - INBOOLEAN CacheFlush + INBOOLEAN CacheFlush, + INBOOLEAN Mmio ) { PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; @@ -709,14 +711,15 @@ SetMemoryEncDec ( DEBUG (( DEBUG_VERBOSE, -"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx Mode=%a CacheFlush=%u\n", +"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx Mode=%a CacheFlush=%u Mmio=%u\n", gEfiCallerBaseName, __FUNCTION__, Cr3BaseAddress, PhysicalAddress, (UINT64)Length, (Mode == SetCBit) ? "Encrypt" : "Decrypt", -(UINT32)CacheFlush +(UINT32)CacheFlush, +(UINT32)Mmio )); // @@ -758,7 +761,7 @@ SetMemoryEncDec ( // // The InternalSetPageState() is used for setting the page state in the RMP table. // - if ((Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { + if (!Mmio && (Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { InternalSetPageState (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSnpPageShared, FALSE); } @@ -996,7 +999,8 @@ InternalMemEncryptSevSetMemoryDecrypted ( PhysicalAddress, Length, ClearCBit, - TRUE + TRUE, + FALSE ); } @@ -1029,7 +1033,8 @@ InternalMemEncryptSevSetMemoryEncrypted ( PhysicalAddress, Length, SetCBit, - TRUE + TRUE, + FALSE ); } @@ -1062,6 +1067,7 @@ InternalMemEncryptSevClearMmioPageEncMask ( PhysicalAddress, Length, ClearCBit, - FALSE + FALSE, + TRUE ); } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84566): https://edk2.groups.io/g/devel/message/84566 Mute This Topic: https://groups.io/mt/87605564/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 28/32] OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The MemEncryptSev{Set,Clear}PageEncMask() functions are used to set or clear the memory encryption attribute in the page table. When SEV-SNP is active, we also need to change the page state in the RMP table so that it is in sync with the memory encryption attribute change. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../X64/PeiDxeVirtualMemory.c | 34 +++ 1 file changed, 34 insertions(+) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index f1485722f7cf..814f814035fa 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -17,6 +17,7 @@ #include #include "VirtualMemory.h" +#include "SnpPageStateChange.h" STATIC BOOLEAN mAddressEncMaskChecked = FALSE; STATIC UINT64 mAddressEncMask; @@ -693,10 +694,12 @@ SetMemoryEncDec ( PAGE_MAP_AND_DIRECTORY_POINTER *PageDirectoryPointerEntry; PAGE_TABLE_1G_ENTRY *PageDirectory1GEntry; PAGE_TABLE_ENTRY*PageDirectory2MEntry; + PHYSICAL_ADDRESSOrigPhysicalAddress; PAGE_TABLE_4K_ENTRY *PageTableEntry; UINT64 PgTableMask; UINT64 AddressEncMask; BOOLEAN IsWpEnabled; + UINTN OrigLength; RETURN_STATUS Status; // @@ -749,6 +752,22 @@ SetMemoryEncDec ( Status = EFI_SUCCESS; + // + // To maintain the security gurantees we must set the page to shared in the RMP + // table before clearing the memory encryption mask from the current page table. + // + // The InternalSetPageState() is used for setting the page state in the RMP table. + // + if ((Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { +InternalSetPageState (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSnpPageShared, FALSE); + } + + // + // Save the specified length and physical address (we need it later). + // + OrigLength = Length; + OrigPhysicalAddress = PhysicalAddress; + while (Length != 0) { // // If Cr3BaseAddress is not specified then read the current CR3 @@ -922,6 +941,21 @@ SetMemoryEncDec ( // CpuFlushTlb (); + // + // SEV-SNP requires that all the private pages (i.e pages mapped encrypted) must be + // added in the RMP table before the access. + // + // The InternalSetPageState() is used for setting the page state in the RMP table. + // + if ((Mode == SetCBit) && MemEncryptSevSnpIsEnabled ()) { +InternalSetPageState ( + OrigPhysicalAddress, + EFI_SIZE_TO_PAGES (OrigLength), + SevSnpPagePrivate, + FALSE + ); + } + Done: // // Restore page table write protection, if any. -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84565): https://edk2.groups.io/g/devel/message/84565 Mute This Topic: https://groups.io/mt/87605563/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 30/32] OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
When SEV-SNP is active, the CPUID and Secrets memory range contains the information that is used during the VM boot. The content need to be persist across the kexec boot. Mark the memory range as Reserved in the EFI map so that guest OS or firmware does not use the range as a system RAM. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/PlatformPei.inf | 4 OvmfPkg/PlatformPei/Platform.h | 5 + OvmfPkg/PlatformPei/AmdSev.c| 31 + OvmfPkg/PlatformPei/MemDetect.c | 2 ++ 4 files changed, 42 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 3c05b550e4bd..1c56ba275835 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -111,6 +111,8 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory @@ -121,6 +123,8 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h index 357b3d4095c3..24e4da4e1d93 100644 --- a/OvmfPkg/PlatformPei/Platform.h +++ b/OvmfPkg/PlatformPei/Platform.h @@ -104,6 +104,11 @@ AmdSevInitialize ( extern EFI_BOOT_MODE mBootMode; +VOID +SevInitializeRam ( + VOID + ); + extern BOOLEAN mS3Supported; extern UINT8 mPhysMemAddressWidth; diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 9b71f7cf2fab..fb7e21ec140f 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -416,3 +416,34 @@ AmdSevInitialize ( ASSERT_RETURN_ERROR (PcdStatus); } + +/** + The function performs SEV specific region initialization. + + **/ +VOID +SevInitializeRam ( + VOID + ) +{ + if (MemEncryptSevSnpIsEnabled ()) { +// +// If SEV-SNP is enabled, reserve the Secrets and CPUID memory area. +// +// This memory range is given to the PSP by the hypervisor to populate +// the information used during the SNP VM boots, and it need to persist +// across the kexec boots. Mark it as EfiReservedMemoryType so that +// the guest firmware and OS does not use it as a system memory. +// +BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfSnpSecretsBase), + (UINT64)(UINTN)PcdGet32 (PcdOvmfSnpSecretsSize), + EfiReservedMemoryType + ); +BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN)PcdGet32 (PcdOvmfCpuidBase), + (UINT64)(UINTN)PcdGet32 (PcdOvmfCpuidSize), + EfiReservedMemoryType + ); + } +} diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c index 3f59a1ac79f6..738ed0c208ae 100644 --- a/OvmfPkg/PlatformPei/MemDetect.c +++ b/OvmfPkg/PlatformPei/MemDetect.c @@ -871,6 +871,8 @@ InitializeRamRegions ( { QemuInitializeRam (); + SevInitializeRam (); + if (mS3Supported && (mBootMode != BOOT_ON_S3_RESUME)) { // // This is the memory range that will be used for PEI on S3 resume -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84567): https://edk2.groups.io/g/devel/message/84567 Mute This Topic: https://groups.io/mt/87605565/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 27/32] UefiCpuPkg/MpInitLib: use BSP to do extended topology check
From: Michael Roth During AP bringup, just after switching to long mode, APs will do some cpuid calls to verify that the extended topology leaf (0xB) is available so they can fetch their x2 APIC IDs from it. In the case of SEV-ES, these cpuid instructions must be handled by direct use of the GHCB MSR protocol to fetch the values from the hypervisor, since a #VC handler is not yet available due to the AP's stack not being set up yet. For SEV-SNP, rather than relying on the GHCB MSR protocol, it is expected that these values would be obtained from the SEV-SNP CPUID table instead. The actual x2 APIC ID (and 8-bit APIC IDs) would still be fetched from hypervisor using the GHCB MSR protocol however, so introducing support for the SEV-SNP CPUID table in that part of the AP bring-up code would only be to handle the checks/validation of the extended topology leaf. Rather than introducing all the added complexity needed to handle these checks via the CPUID table, instead let the BSP do the check in advance, since it can make use of the #VC handler to avoid the need to scan the SNP CPUID table directly, and add a flag in ExchangeInfo to communicate the result of this check to APs. Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Ray Ni Suggested-by: Brijesh Singh Signed-off-by: Michael Roth Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/MpLib.h | 11 UefiCpuPkg/Library/MpInitLib/AmdSev.c| 21 +++ UefiCpuPkg/Library/MpInitLib/MpLib.c | 7 + UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 + UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 27 5 files changed, 67 insertions(+) diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index 56de3bfb1ccf..be67cd88ec46 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -224,6 +224,7 @@ typedef struct { BOOLEANSevEsIsEnabled; BOOLEANSevSnpIsEnabled; UINTN GhcbBase; + BOOLEANExtTopoAvail; } MP_CPU_EXCHANGE_INFO; #pragma pack() @@ -788,4 +789,14 @@ ConfidentialComputingGuestHas ( CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ); +/** + The function fills the exchange data for the AP. + + @param[in] ExchangeInfo The pointer to CPU Exchange Data structure +**/ +VOID +FillExchangeInfoDataSevEs ( + IN volatile MP_CPU_EXCHANGE_INFO *ExchangeInfo + ); + #endif diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c index 0e3c6e231077..b4a344ee6b33 100644 --- a/UefiCpuPkg/Library/MpInitLib/AmdSev.c +++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c @@ -243,3 +243,24 @@ SevEsPlaceApHlt ( MpInitLibSevEsAPReset (Ghcb, CpuMpData); } + +/** + The function fills the exchange data for the AP. + + @param[in] ExchangeInfo The pointer to CPU Exchange Data structure +**/ +VOID +FillExchangeInfoDataSevEs ( + IN volatile MP_CPU_EXCHANGE_INFO *ExchangeInfo + ) +{ + UINT32 StdRangeMax; + + AsmCpuid (CPUID_SIGNATURE, , NULL, NULL, NULL); + if (StdRangeMax >= CPUID_EXTENDED_TOPOLOGY) { +CPUID_EXTENDED_TOPOLOGY_EBX ExtTopoEbx; + +AsmCpuid (CPUID_EXTENDED_TOPOLOGY, NULL, , NULL, NULL); +ExchangeInfo->ExtTopoAvail = !!ExtTopoEbx.Bits.LogicalProcessors; + } +} diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c index 44a011ba75de..b73a6e9a0ffc 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -900,6 +900,13 @@ FillExchangeInfoData ( ExchangeInfo->SevSnpIsEnabled = CpuMpData->SevSnpIsEnabled; ExchangeInfo->GhcbBase= (UINTN)CpuMpData->GhcbBase; + // + // Populate SEV-ES specific exchange data. + // + if (ExchangeInfo->SevSnpIsEnabled) { +FillExchangeInfoDataSevEs (ExchangeInfo); + } + // // Get the BSP's data of GDT and IDT // diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc index 01668638f245..aba53f57201c 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -94,6 +94,7 @@ struc MP_CPU_EXCHANGE_INFO .SevEsIsEnabled: CTYPE_BOOLEAN 1 .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 + .ExtTopoAvail: CTYPE_BOOLEAN 1 endstruc MP_CPU_EXCHANGE_INFO_OFFSET equ (SwitchToRealProcEnd - RendezvousFunnelProcStart) diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm index 0034920b2f6b..8bb1161fa0f7 100644 --- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm +++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm @@ -118,6 +118,32 @@ SevEsGetApicId: or rax, rdx
[edk2-devel] [PATCH v14 25/32] MdePkg/GHCB: increase the GHCB protocol max version
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Now that OvmfPkg supports version 2 of the GHCB specification, bump the protocol version. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- MdePkg/Include/Register/Amd/Ghcb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdePkg/Include/Register/Amd/Ghcb.h b/MdePkg/Include/Register/Amd/Ghcb.h index e7626a2c138b..dab396f3ede8 100644 --- a/MdePkg/Include/Register/Amd/Ghcb.h +++ b/MdePkg/Include/Register/Amd/Ghcb.h @@ -24,7 +24,7 @@ #define VC_EXCEPTION 29 #define GHCB_VERSION_MIN 1 -#define GHCB_VERSION_MAX 1 +#define GHCB_VERSION_MAX 2 #define GHCB_STANDARD_USAGE 0 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84563): https://edk2.groups.io/g/devel/message/84563 Mute This Topic: https://groups.io/mt/87605560/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 26/32] UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 An SEV-SNP guest requires that the physical address of the GHCB must be registered with the hypervisor before using it. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Ray Ni Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/MpLib.h | 2 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 12 +++-- UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 + UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 54 4 files changed, 64 insertions(+), 5 deletions(-) diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index a84df60519ed..56de3bfb1ccf 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -222,6 +222,7 @@ typedef struct { // BOOLEANEnable5LevelPaging; BOOLEANSevEsIsEnabled; + BOOLEANSevSnpIsEnabled; UINTN GhcbBase; } MP_CPU_EXCHANGE_INFO; @@ -291,6 +292,7 @@ struct _CPU_MP_DATA { BOOLEANWakeUpByInitSipiSipi; BOOLEANSevEsIsEnabled; + BOOLEANSevSnpIsEnabled; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA*NewCpuMpData; diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c index 64fddb497e1e..44a011ba75de 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -896,8 +896,9 @@ FillExchangeInfoData ( ExchangeInfo->Enable5LevelPaging = (BOOLEAN)(Cr4.Bits.LA57 == 1); DEBUG ((DEBUG_INFO, "%a: 5-Level Paging = %d\n", gEfiCallerBaseName, ExchangeInfo->Enable5LevelPaging)); - ExchangeInfo->SevEsIsEnabled = CpuMpData->SevEsIsEnabled; - ExchangeInfo->GhcbBase = (UINTN)CpuMpData->GhcbBase; + ExchangeInfo->SevEsIsEnabled = CpuMpData->SevEsIsEnabled; + ExchangeInfo->SevSnpIsEnabled = CpuMpData->SevSnpIsEnabled; + ExchangeInfo->GhcbBase= (UINTN)CpuMpData->GhcbBase; // // Get the BSP's data of GDT and IDT @@ -1847,9 +1848,10 @@ MpInitLibInitialize ( CpuMpData->CpuData = (CPU_AP_DATA *)(CpuMpData + 1); CpuMpData->CpuInfoInHob = (UINT64)(UINTN)(CpuMpData->CpuData + MaxLogicalProcessorNumber); InitializeSpinLock (>MpLock); - CpuMpData->SevEsIsEnabled = ConfidentialComputingGuestHas (CCAttrAmdSevEs); - CpuMpData->SevEsAPBuffer = (UINTN)-1; - CpuMpData->GhcbBase = PcdGet64 (PcdGhcbBase); + CpuMpData->SevEsIsEnabled = ConfidentialComputingGuestHas (CCAttrAmdSevEs); + CpuMpData->SevSnpIsEnabled = ConfidentialComputingGuestHas (CCAttrAmdSevSnp); + CpuMpData->SevEsAPBuffer = (UINTN)-1; + CpuMpData->GhcbBase= PcdGet64 (PcdGhcbBase); // // Make sure no memory usage outside of the allocated buffer. diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc index 2e9368a374a4..01668638f245 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -92,6 +92,7 @@ struc MP_CPU_EXCHANGE_INFO .ModeHighSegment: CTYPE_UINT16 1 .Enable5LevelPaging: CTYPE_BOOLEAN 1 .SevEsIsEnabled: CTYPE_BOOLEAN 1 + .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 endstruc diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm index 0ccafe25eca4..0034920b2f6b 100644 --- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm +++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm @@ -15,6 +15,57 @@ %define SIZE_4KB0x1000 +RegisterGhcbGpa: +; +; Register GHCB GPA when SEV-SNP is enabled +; +leaedi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)] +cmpbyte [edi], 1; SevSnpIsEnabled +jneRegisterGhcbGpaDone + +; Save the rdi and rsi to used for later comparison +push rdi +push rsi +movedi, eax +movesi, edx +or eax, 18 ; Ghcb registration request +wrmsr +rep vmmcall +rdmsr +movr12, rax +andr12, 0fffh +cmpr12, 19 ; Ghcb registration response +jneGhcbGpaRegisterFailure + +; Verify that GPA is not changed +andeax, 0f000h +cmpedi, eax +jneGhcbGpaRegisterFailure +cmpesi, edx +jneGhcbGpaRegisterFailure +poprsi +poprdi +jmpRegisterGhcbGpaDone + +; +; Request the guest termination +; +GhcbGpaRegisterFailure: +xoredx, edx +
[edk2-devel] [PATCH v14 23/32] UefiCpuPkg: add PcdGhcbHypervisorFeatures
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Version 2 of the GHCB specification added a new VMGEXIT that the guest could use for querying the hypervisor features. One of the immediate users for it will be an AP creation code. When SEV-SNP is enabled, the guest can use the newly added AP_CREATE VMGEXIT to create the APs. The MpInitLib will check the hypervisor feature, and if AP_CREATE is available, it will use it. See GHCB spec version 2 for more details on the VMGEXIT. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- UefiCpuPkg/UefiCpuPkg.dec | 5 + 1 file changed, 5 insertions(+) diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 62acb291f309..7de66fde674c 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec @@ -396,5 +396,10 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt SEV-ES Status gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|FALSE|BOOLEAN|0x6016 + ## This dynamic PCD contains the hypervisor features value obtained through the GHCB HYPERVISOR + # features VMGEXIT defined in the version 2 of GHCB spec. + # @Prompt GHCB Hypervisor Features + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures|0x0|UINT64|0x6018 + [UserExtensions.TianoCore."ExtraFiles"] UefiCpuPkgExtra.uni -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84561): https://edk2.groups.io/g/devel/message/84561 Mute This Topic: https://groups.io/mt/87605558/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 22/32] UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Previous commit introduced a generic confidential computing PCD that can determine whether AMD SEV-ES is enabled. Update the MpInitLib to drop the PcdSevEsIsEnabled in favor of PcdConfidentialComputingAttr. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Ray Ni Suggested-by: Jiewen Yao Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 2 +- UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 2 +- UefiCpuPkg/Library/MpInitLib/MpLib.h | 13 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 6 +- UefiCpuPkg/Library/MpInitLib/MpLib.c | 73 ++- UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 4 +- 6 files changed, 90 insertions(+), 10 deletions(-) diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf index 6e510aa89120..de705bc54bb4 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -73,7 +73,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds ## CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf index 2cbd9b8b8acc..b7e15ee023f0 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -63,9 +63,9 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuMicrocodePatchRegionSize ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES [Ppis] gEdkiiPeiShadowMicrocodePpiGuid## SOMETIMES_CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index 16b4d76d019b..a84df60519ed 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -33,6 +33,7 @@ #include #include #include +#include #include #include @@ -773,4 +774,16 @@ SevEsPlaceApHlt ( CPU_MP_DATA *CpuMpData ); +/** + Check if the specified confidential computing attribute is active. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. +**/ +BOOLEAN +EFIAPI +ConfidentialComputingGuestHas ( + CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ); + #endif diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c index 9d9206d20915..02bc9c2bd2c4 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c @@ -93,7 +93,7 @@ GetWakeupBuffer ( EFI_PHYSICAL_ADDRESS StartAddress; EFI_MEMORY_TYPE MemoryType; - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { MemoryType = EfiReservedMemoryType; } else { MemoryType = EfiBootServicesData; @@ -107,7 +107,7 @@ GetWakeupBuffer ( // LagacyBios driver depends on CPU Arch protocol which guarantees below // allocation runs earlier than LegacyBios driver. // - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // SEV-ES Wakeup buffer should be under 0x88000 and under any previous one // @@ -125,7 +125,7 @@ GetWakeupBuffer ( ASSERT_EFI_ERROR (Status); if (EFI_ERROR (Status)) { StartAddress = (EFI_PHYSICAL_ADDRESS)-1; - } else if (PcdGetBool (PcdSevEsIsEnabled)) { + } else if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // Next SEV-ES wakeup buffer allocation must be below this allocation // diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c index 34555c069331..64fddb497e1e 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library
[edk2-devel] [PATCH v14 20/32] MdePkg: Define ConfidentialComputingGuestAttr
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 While initializing APs, the MpInitLib may need to know whether the guest is running with active AMD SEV or Intel TDX memory encryption. Add a new ConfidentialComputingGuestAttr PCD that can be used to query the memory encryption attribute. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Suggested-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- MdePkg/MdePkg.dec | 4 +++ .../Include/ConfidentialComputingGuestAttr.h | 25 +++ 2 files changed, 29 insertions(+) create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index 8b18415b107a..cd903c35d2ff 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -2396,5 +2396,9 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] # @Prompt FSB Clock. gEfiMdePkgTokenSpaceGuid.PcdFSBClock|2|UINT32|0x000c + ## This dynamic PCD indicates the memory encryption attribute of the guest. + # @Prompt Memory encryption attribute + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x002e + [UserExtensions.TianoCore."ExtraFiles"] MdePkgExtra.uni diff --git a/MdePkg/Include/ConfidentialComputingGuestAttr.h b/MdePkg/Include/ConfidentialComputingGuestAttr.h new file mode 100644 index ..6a1301801519 --- /dev/null +++ b/MdePkg/Include/ConfidentialComputingGuestAttr.h @@ -0,0 +1,25 @@ +/** @file +Definitions for Confidential Computing Attribute + +Copyright (c) 2021 AMD Inc. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ +#define CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ + +typedef enum { + /* The guest is running with memory encryption disabled. */ + CCAttrNotEncrypted = 0, + + /* The guest is running with AMD SEV memory encryption enabled. */ + CCAttrAmdSev= 0x100, + CCAttrAmdSevEs = 0x101, + CCAttrAmdSevSnp = 0x102, + + /* The guest is running with Intel TDX memory encryption enabled. */ + CCAttrIntelTdx = 0x200, +} CONFIDENTIAL_COMPUTING_GUEST_ATTR; + +#endif -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84559): https://edk2.groups.io/g/devel/message/84559 Mute This Topic: https://groups.io/mt/87605547/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 19/32] OvmfPkg/PlatformPei: validate the system RAM when SNP is active
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 When SEV-SNP is active, a memory region mapped encrypted in the page table must be validated before access. There are two approaches that can be taken to validate the system RAM detected during the PEI phase: 1) Validate on-demand OR 2) Validate before access On-demand = If memory is not validated before access, it will cause a #VC exception with the page-not-validated error code. The VC exception handler can perform the validation steps. The pages that have been validated will need to be tracked to avoid the double validation scenarios. The range of memory that has not been validated will need to be communicated to the OS through the recently introduced unaccepted memory type https://github.com/microsoft/mu_basecore/pull/66, so that OS can validate those ranges before using them. Validate before access == Since the PEI phase detects all the available system RAM, use the MemEncryptSevSnpValidateSystemRam() function to pre-validate the system RAM in the PEI phase. For now, choose option 2 due to the dependency and the complexity of the on-demand validation. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 42 1 file changed, 42 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index f66e0a7f4a10..a0f9178ed6e9 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -23,6 +23,40 @@ #include "Platform.h" +/** + Initialize SEV-SNP support if running as an SEV-SNP guest. + +**/ +STATIC +VOID +AmdSevSnpInitialize ( + VOID + ) +{ + EFI_PEI_HOB_POINTERS Hob; + EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob; + + if (!MemEncryptSevSnpIsEnabled ()) { +return; + } + + // + // Iterate through the system RAM and validate it. + // + for (Hob.Raw = GetHobList (); !END_OF_HOB_LIST (Hob); Hob.Raw = GET_NEXT_HOB (Hob)) { +if ((Hob.Raw != NULL) && (GET_HOB_TYPE (Hob) == EFI_HOB_TYPE_RESOURCE_DESCRIPTOR)) { + ResourceHob = Hob.ResourceDescriptor; + + if (ResourceHob->ResourceType == EFI_RESOURCE_SYSTEM_MEMORY) { +MemEncryptSevSnpPreValidateSystemRam ( + ResourceHob->PhysicalStart, + EFI_SIZE_TO_PAGES ((UINTN)ResourceHob->ResourceLength) + ); + } +} + } +} + /** Handle an SEV-SNP/GHCB protocol check failure. @@ -243,6 +277,14 @@ AmdSevInitialize ( return; } + // + // Check and perform SEV-SNP initialization if required. This need to be + // done before the GHCB page is made shared in the AmdSevEsInitialize(). This + // is because the system RAM must be validated before it is made shared. + // The AmdSevSnpInitialize() validates the system RAM. + // + AmdSevSnpInitialize (); + // // Set Memory Encryption Mask PCD // -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84558): https://edk2.groups.io/g/devel/message/84558 Mute This Topic: https://groups.io/mt/87605546/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 18/32] OvmfPkg/SecMain: validate the memory used for decompressing Fv
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The VMM launch sequence should have pre-validated all the data pages used in the Reset vector. The range does not cover the data pages used during the SEC phase (mainly PEI and DXE firmware volume decompression memory). When SEV-SNP is active, the memory must be pre-validated before the access. Add support to pre-validate the memory range from SnpSecPreValidatedStart to SnpSecPreValidatedEnd. This should be sufficent to enter into the PEI phase. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 4 .../PeiMemEncryptSevLib.inf | 2 ++ OvmfPkg/Sec/SecMain.inf | 3 +++ OvmfPkg/Sec/AmdSev.h | 23 +++ .../X64/PeiSnpSystemRamValidate.c | 5 OvmfPkg/Sec/AmdSev.c | 22 +- OvmfPkg/Sec/SecMain.c | 5 OvmfPkg/FvmainCompactScratchEnd.fdf.inc | 5 8 files changed, 68 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index bc14cf2ed403..c22b846cd663 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -364,6 +364,10 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x60 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x61 + ## The range of memory that is validated by the SEC phase. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart|0|UINT32|0x62 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd|0|UINT32|0x63 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 49d5bd1beff1..50c83859d7e7 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -60,3 +60,5 @@ [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 41dcdba1209a..95cf0025e100 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -52,6 +52,7 @@ [LibraryClasses] PeCoffExtraActionLib ExtractGuidedSectionLib LocalApicLib + MemEncryptSevLib CpuExceptionHandlerLib [Ppis] @@ -74,6 +75,8 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h index c0b1ca96183d..dffd2ceb9656 100644 --- a/OvmfPkg/Sec/AmdSev.h +++ b/OvmfPkg/Sec/AmdSev.h @@ -68,4 +68,27 @@ SevEsIsEnabled ( VOID ); +/** + Validate System RAM used for decompressing the PEI and DXE firmware volumes + when SEV-SNP is active. The PCDs SecValidatedStart and SecValidatedEnd are + set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc. + +**/ +VOID +SecValidateSystemRam ( + VOID + ); + +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +BOOLEAN +SevSnpIsEnabled ( + VOID + ); + #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index 0e3eba3c5121..497016544482 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -29,6 +29,11 @@ STATIC SNP_PRE_VALIDATED_RANGE mPreValidatedRange[] = { FixedPcdGet32 (PcdOvmfSecPageTablesBase), FixedPcdGet32 (PcdOvmfPeiMemFvBase), }, + // The below range is pre-validated by the Sec/SecMain.c + { +FixedPcdGet32 (PcdOvmfSecValidatedStart), +FixedPcdGet32 (PcdOvmfSecValidatedEnd) + }, }; STATIC diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index aa655fd9cbae..499d0c27d8fa 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -55,7 +55,6 @@ SevEsProtocolFailure ( @retval FALSE SEV-SNP is not enabled **/ -STATIC BOOLEAN SevSnpIsEnabled ( VOID @@ -281,3 +280,24 @@ SevEsIsEnabled ( return (SevEsWorkArea->SevEsEnabled != 0); } + +/** + Validate System
[edk2-devel] [PATCH v14 17/32] OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The initial page built during the SEC phase is used by the MemEncryptSevSnpValidateSystemRam() for the system RAM validation. The page validation process requires using the PVALIDATE instruction; the instruction accepts a virtual address of the memory region that needs to be validated. If hardware encounters a page table walk failure (due to page-not-present) then it raises #GP. The initial page table built in SEC phase address up to 4GB. Add an internal function to extend the page table to cover > 4GB. The function builds 1GB entries in the page table for access > 4GB. This will provide the support to call PVALIDATE instruction for the virtual address > 4GB in PEI phase. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 24 .../X64/PeiDxeVirtualMemory.c | 114 ++ .../X64/PeiSnpSystemRamValidate.c | 22 3 files changed, 160 insertions(+) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h index 93e3d08589d7..ffc7430b2243 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h @@ -144,4 +144,28 @@ InternalMemEncryptSevClearMmioPageEncMask ( IN UINTN Length ); +/** + Create 1GB identity mapping for the specified virtual address range. + + The function is preliminary used by the SEV-SNP page state change + APIs to build the page table required before issuing the PVALIDATE + instruction. The function must be removed after the EDK2 core is + enhanced to do the lazy validation. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] VirtualAddress Virtual address + @param[in] Length Length of virtual address range + + @retval RETURN_INVALID_PARAMETERNumber of pages is zero. + +**/ +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + INPHYSICAL_ADDRESS Cr3BaseAddress, + INPHYSICAL_ADDRESS PhysicalAddress, + INUINTN Length + ); + #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index bbc48ff6d879..f1485722f7cf 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -536,6 +536,120 @@ EnableReadOnlyPageWriteProtect ( AsmWriteCr0 (AsmReadCr0 () | BIT16); } +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + INPHYSICAL_ADDRESS Cr3BaseAddress, + INPHYSICAL_ADDRESS PhysicalAddress, + INUINTN Length + ) +{ + PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; + PAGE_TABLE_1G_ENTRY *PageDirectory1GEntry; + UINT64 PgTableMask; + UINT64 AddressEncMask; + BOOLEAN IsWpEnabled; + RETURN_STATUS Status; + + // + // Set PageMapLevel4Entry to suppress incorrect compiler/analyzer warnings. + // + PageMapLevel4Entry = NULL; + + DEBUG (( +DEBUG_VERBOSE, +"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx\n", +gEfiCallerBaseName, +__FUNCTION__, +Cr3BaseAddress, +PhysicalAddress, +(UINT64)Length +)); + + if (Length == 0) { +return RETURN_INVALID_PARAMETER; + } + + // + // Check if we have a valid memory encryption mask + // + AddressEncMask = InternalGetMemEncryptionAddressMask (); + if (!AddressEncMask) { +return RETURN_ACCESS_DENIED; + } + + PgTableMask = AddressEncMask | EFI_PAGE_MASK; + + // + // Make sure that the page table is changeable. + // + IsWpEnabled = IsReadOnlyPageWriteProtected (); + if (IsWpEnabled) { +DisableReadOnlyPageWriteProtect (); + } + + Status = EFI_SUCCESS; + + while (Length) { +// +// If Cr3BaseAddress is not specified then read the current CR3 +// +if (Cr3BaseAddress == 0) { + Cr3BaseAddress = AsmReadCr3 (); +} + +PageMapLevel4Entry = (VOID *)(Cr3BaseAddress & ~PgTableMask); +PageMapLevel4Entry += PML4_OFFSET (PhysicalAddress); +if (!PageMapLevel4Entry->Bits.Present) { + DEBUG (( +DEBUG_ERROR, +"%a:%a: bad PML4 for Physical=0x%Lx\n", +gEfiCallerBaseName, +__FUNCTION__, +PhysicalAddress +)); + Status = RETURN_NO_MAPPING; + goto Done; +} + +PageDirectory1GEntry = (VOID *)( + (PageMapLe
[edk2-devel] [PATCH v14 16/32] OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The MemEncryptSevSnpPreValidateSystemRam() is used for pre-validating the system RAM. As the boot progress, each phase validates a fixed region of the RAM. In the PEI phase, the PlatformPei detects all the available RAM and calls to pre-validate the detected system RAM. While validating the system RAM in PEI phase, we must skip previously validated system RAM to avoid the double validation. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../PeiMemEncryptSevLib.inf | 2 + .../X64/PeiSnpSystemRamValidate.c | 67 ++- 2 files changed, 68 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 0402e49a1028..49d5bd1beff1 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -58,3 +58,5 @@ [FeaturePcd] [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index bc891c2636d6..2d2136f8054c 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -14,6 +14,46 @@ #include "SnpPageStateChange.h" +typedef struct { + UINT64StartAddress; + UINT64EndAddress; +} SNP_PRE_VALIDATED_RANGE; + +STATIC SNP_PRE_VALIDATED_RANGE mPreValidatedRange[] = { + // The below address range was part of the SEV OVMF metadata, and range + // should be pre-validated by the Hypervisor. + { +FixedPcdGet32 (PcdOvmfSecPageTablesBase), +FixedPcdGet32 (PcdOvmfPeiMemFvBase), + }, +}; + +STATIC +BOOLEAN +DetectPreValidatedOverLap ( + INPHYSICAL_ADDRESS StartAddress, + INPHYSICAL_ADDRESS EndAddress, + OUT SNP_PRE_VALIDATED_RANGE *OverlapRange + ) +{ + UINTN i; + + // + // Check if the specified address range exist in pre-validated array. + // + for (i = 0; i < ARRAY_SIZE (mPreValidatedRange); i++) { +if ((mPreValidatedRange[i].StartAddress < EndAddress) && +(StartAddress < mPreValidatedRange[i].EndAddress)) +{ + OverlapRange->StartAddress = mPreValidatedRange[i].StartAddress; + OverlapRange->EndAddress = mPreValidatedRange[i].EndAddress; + return TRUE; +} + } + + return FALSE; +} + /** Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. @@ -28,9 +68,34 @@ MemEncryptSevSnpPreValidateSystemRam ( IN UINTN NumPages ) { + PHYSICAL_ADDRESS EndAddress; + SNP_PRE_VALIDATED_RANGE OverlapRange; + if (!MemEncryptSevSnpIsEnabled ()) { return; } - InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + EndAddress = BaseAddress + EFI_PAGES_TO_SIZE (NumPages); + + while (BaseAddress < EndAddress) { +// +// Check if the range overlaps with the pre-validated ranges. +// +if (DetectPreValidatedOverLap (BaseAddress, EndAddress, )) { + // Validate the non-overlap regions. + if (BaseAddress < OverlapRange.StartAddress) { +NumPages = EFI_SIZE_TO_PAGES (OverlapRange.StartAddress - BaseAddress); + +InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + } + + BaseAddress = OverlapRange.EndAddress; + continue; +} + +// Validate the remaining pages. +NumPages = EFI_SIZE_TO_PAGES (EndAddress - BaseAddress); +InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); +BaseAddress = EndAddress; + } } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84555): https://edk2.groups.io/g/devel/message/84555 Mute This Topic: https://groups.io/mt/87605542/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 13/32] OvmfPkg/AmdSevDxe: do not use extended PCI config space
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Commit 85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 added support to ensure that MMIO is only performed against the un-encrypted memory. If MMIO is performed against encrypted memory, a #GP is raised. The AmdSevDxe uses the functions provided by the MemEncryptSevLib to clear the memory encryption mask from the page table. If the MemEncryptSevLib is extended to include VmgExitLib then depedency chain will look like this: OvmfPkg/AmdSevDxe/AmdSevDxe.inf -> MemEncryptSevLibclass -> "OvmfPkg/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf" instance -> VmgExitLib class -> "OvmfPkg/VmgExitLib"instance -> LocalApicLibclass -> "UefiCpuPkg/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf" instance -> TimerLibclass -> "OvmfPkg/AcpiTimerLib/DxeAcpiTimerLib.inf" instance -> PciLib class -> "OvmfPkg/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf"instance -> PciExpressLib class -> "MdePkg/BasePciExpressLib/BasePciExpressLib.inf" instance The LocalApicLib provides a constructor that gets called before the AmdSevDxe can clear the memory encryption mask from the MMIO regions. When running under the Q35 machine type, the call chain looks like this: AcpiTimerLibConstructor () [AcpiTimerLib] PciRead32 () [DxePciLibI440FxQ35] PciExpressRead32 () [PciExpressLib] The PciExpressRead32 () reads the MMIO region. The MMIO regions are not yet mapped un-encrypted, so the check introduced in the commit 85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 raises a #GP. The AmdSevDxe driver does not require the access to the extended PCI config space. Accessing a normal PCI config space, via IO port should be sufficent. Use the module-scope override to make the AmdSevDxe use the BasePciLib instead of BasePciExpressLib so that PciRead32 () uses the IO ports instead of the extended config space. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Suggested-by: Laszlo Ersek Signed-off-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc | 5 - OvmfPkg/Bhyve/BhyveX64.dsc | 5 - OvmfPkg/OvmfPkgIa32X64.dsc | 5 - OvmfPkg/OvmfPkgX64.dsc | 5 - OvmfPkg/OvmfXen.dsc | 5 - 5 files changed, 20 insertions(+), 5 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 5ee54451169b..2997929faa05 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -816,7 +816,10 @@ [Components] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf # diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index d8fe607d1cf7..f45634996247 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -790,7 +790,10 @@ [Components] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 71227d1b709a..13d9a1f111bc 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -969,7 +969,10 @@ [Components.X64] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf !if $(SMM_REQUIRE) == TRUE diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 52f7598cf1c7..97b7cb40ff88 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -967,7 +967,10 @@ [Components] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf !if $(SMM_REQUIRE) == TRUE diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc index a31519e356b7..383cb03d2a14 100644 --- a/OvmfPkg/OvmfXen.dsc +++ b/OvmfPkg/OvmfXen.dsc @@ -729,7 +729,10 @@ [Components] } OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf # -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this
[edk2-devel] [PATCH v14 15/32] OvmfPkg/MemEncryptSevLib: add function to check the VMPL0
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Virtual Machine Privilege Level (VMPL) feature in the SEV-SNP architecture allows a guest VM to divide its address space into four levels. The level can be used to provide the hardware isolated abstraction layers with a VM. The VMPL0 is the highest privilege, and VMPL3 is the least privilege. Certain operations must be done by the VMPL0 software, such as: * Validate or invalidate memory range (PVALIDATE instruction) * Allocate VMSA page (RMPADJUST instruction when VMSA=1) The initial SEV-SNP support assumes that the guest is running on VMPL0. Let's add function in the MemEncryptSevLib that can be used for checking whether guest is booted under the VMPL0. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../X64/SnpPageStateChange.h | 5 ++ .../X64/SecSnpSystemRamValidate.c | 46 +++ .../X64/SnpPageStateChangeInternal.c | 1 - 3 files changed, 51 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h index b396f0ffbd75..43319cc9ed17 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h @@ -27,4 +27,9 @@ InternalSetPageState ( IN BOOLEAN UseLargeEntry ); +VOID +SnpPageStateFailureTerminate ( + VOID + ); + #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c index bc891c2636d6..7797febb8ac6 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c @@ -14,6 +14,43 @@ #include "SnpPageStateChange.h" +// +// The variable used for the VMPL check. +// +STATIC UINT8 gVmpl0Data[4096]; + +/** + The function checks whether SEV-SNP guest is booted under VMPL0. + + @retval TRUE The guest is booted under VMPL0 + @retval FALSE The guest is not booted under VMPL0 + **/ +STATIC +BOOLEAN +SevSnpIsVmpl0 ( + VOID + ) +{ + UINT64 Rdx; + EFI_STATUS Status; + + // + // There is no straightforward way to query the current VMPL level. + // The simplest method is to use the RMPADJUST instruction to change + // a page permission to a VMPL level-1, and if the guest kernel is + // launched at a level <= 1, then RMPADJUST instruction will return + // an error. + // + Rdx = 1; + + Status = AsmRmpAdjust ((UINT64)gVmpl0Data, 0, Rdx); + if (EFI_ERROR (Status)) { +return FALSE; + } + + return TRUE; +} + /** Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. @@ -32,5 +69,14 @@ MemEncryptSevSnpPreValidateSystemRam ( return; } + // + // The page state change uses the PVALIDATE instruction. The instruction + // can be run on VMPL-0 only. If its not VMPL-0 guest then terminate + // the boot. + // + if (!SevSnpIsVmpl0 ()) { +SnpPageStateFailureTerminate (); + } + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); } diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c index 9c552ef5c7b1..d11aafae8472 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c @@ -42,7 +42,6 @@ MemoryStateToGhcbOp ( return Cmd; } -STATIC VOID SnpPageStateFailureTerminate ( VOID -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84554): https://edk2.groups.io/g/devel/message/84554 Mute This Topic: https://groups.io/mt/87605541/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 14/32] OvmfPkg/MemEncryptSevLib: add support to validate system RAM
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Many of the integrity guarantees of SEV-SNP are enforced through the Reverse Map Table (RMP). Each RMP entry contains the GPA at which a particular page of DRAM should be mapped. The guest can request the hypervisor to add pages in the RMP table via the Page State Change VMGEXIT defined in the GHCB specification section 2.5.1 and 4.1.6. Inside each RMP entry is a Validated flag; this flag is automatically cleared to 0 by the CPU hardware when a new RMP entry is created for a guest. Each VM page can be either validated or invalidated, as indicated by the Validated flag in the RMP entry. Memory access to a private page that is not validated generates a #VC. A VM can use the PVALIDATE instruction to validate the private page before using it. During the guest creation, the boot ROM memory is pre-validated by the AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called during the SEC and PEI phase to validate the detected system RAM. One of the fields in the Page State Change NAE is the RMP page size. The page size input parameter indicates that either a 4KB or 2MB page should be used while adding the RMP entry. During the validation, when possible, the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A hypervisor backing the memory may choose to use the different page size in the RMP entry. In those cases, the PVALIDATE instruction should return SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512-pages constituting a 2MB region. Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if instruction changed the RMP entry and to 1 if the instruction did not change the RMP entry. The rFlags.CF will be 1 only when a memory region is already validated. We should not double validate a memory as it could lead to a security compromise. If double validation is detected, terminate the boot. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc| 1 + .../DxeMemEncryptSevLib.inf | 3 + .../PeiMemEncryptSevLib.inf | 3 + .../SecMemEncryptSevLib.inf | 3 + OvmfPkg/Include/Library/MemEncryptSevLib.h| 14 + .../X64/SnpPageStateChange.h | 30 ++ .../Ia32/MemEncryptSevLib.c | 17 + .../X64/DxeSnpSystemRamValidate.c | 40 +++ .../X64/PeiSnpSystemRamValidate.c | 36 +++ .../X64/SecSnpSystemRamValidate.c | 36 +++ .../X64/SnpPageStateChangeInternal.c | 301 ++ 12 files changed, 485 insertions(+) create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 6a5be97c059d..1dc069e42420 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -266,6 +266,7 @@ [LibraryClasses.common.SEC] !else CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf !endif + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 13d9a1f111bc..a766457e6bc6 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -270,6 +270,7 @@ [LibraryClasses.common.SEC] !else CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf !endif + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f2e162d68076..f613bb314f5f 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -34,8 +34,10 @@ [Sources] PeiDxeMemEncryptSevLibInternal.c [Sources.X64] + X64/DxeSnpSystemRamValidate.c X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/SnpPageStateChangeInternal.c X64/VirtualMemory.c X64/VirtualMemory.h @@ -49,6 +51,7 @@ [LibraryClasses] DebugLib MemoryAllocationLib PcdLib + VmgExitLib [FeaturePcd
[edk2-devel] [PATCH v14 12/32] OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 88 1 file changed, 88 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 3991edfd1e82..f66e0a7f4a10 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -19,9 +19,90 @@ #include #include #include +#include #include "Platform.h" +/** + Handle an SEV-SNP/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-SNP guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +STATIC +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbTerminate.Function = GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet = GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode= ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + + This function can be used to register the GHCB GPA. + + @param[in] Address The physical address to be registered. + +**/ +STATIC +VOID +GhcbRegister ( + IN EFI_PHYSICAL_ADDRESS Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress = Address & ~EFI_PAGE_MASK; + Msr.GhcbGpaRegister.Function = GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) || + ((Msr.GhcbPhysicalAddress & ~EFI_PAGE_MASK) != Address)) + { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** Initialize SEV-ES support if running as an SEV-ES guest. @@ -115,6 +196,13 @@ AmdSevEsInitialize ( GhcbBackupBase )); + // + // SEV-SNP guest requires that GHCB GPA must be registered before using it. + // + if (MemEncryptSevSnpIsEnabled ()) { +GhcbRegister (GhcbBasePa); + } + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); // -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84552): https://edk2.groups.io/g/devel/message/84552 Mute This Topic: https://groups.io/mt/87605536/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 11/32] OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values
From: Michael Roth SEV-SNP firmware allows a special guest page to be populated with guest CPUID values so that they can be validated against supported host features before being loaded into encrypted guest memory to be used instead of hypervisor-provided values [1]. Add handling for this in the CPUID #VC handler and use it whenever SEV-SNP is enabled. To do so, existing CPUID handling via VmgExit is moved to a helper, GetCpuidHyp(), and a new helper that uses the CPUID page to do the lookup, GetCpuidFw(), is used instead when SNP is enabled. For cases where SNP CPUID lookups still rely on fetching specific CPUID fields from hypervisor, GetCpuidHyp() is used there as well. [1]: SEV SNP Firmware ABI Specification, Rev. 0.8, 8.13.2.6 Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Michael Roth Signed-off-by: Brijesh Singh --- OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 + OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 499 +- 3 files changed, 481 insertions(+), 23 deletions(-) diff --git a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf b/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf index e6f6ea7972fd..78207fa0f9c9 100644 --- a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf @@ -42,4 +42,6 @@ [LibraryClasses] [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf index c66c68726cdb..7963670e7d30 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf @@ -38,3 +38,6 @@ [LibraryClasses] LocalApicLib MemEncryptSevLib +[Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c index 81a93968c85e..a40a31f7c275 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c +++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c @@ -17,6 +17,7 @@ #include #include "VmgExitVcHandler.h" +// #include // // Instruction execution mode definition @@ -130,6 +131,31 @@ UINT64 SEV_ES_INSTRUCTION_DATA *InstructionData ); +// +// SEV-SNP Cpuid table entry/function +// +typedef PACKED struct { + UINT32EaxIn; + UINT32EcxIn; + UINT64Unused; + UINT64Unused2; + UINT32Eax; + UINT32Ebx; + UINT32Ecx; + UINT32Edx; + UINT64Reserved; +} SEV_SNP_CPUID_FUNCTION; + +// +// SEV-SNP Cpuid page format +// +typedef PACKED struct { + UINT32Count; + UINT32Reserved1; + UINT64Reserved2; + SEV_SNP_CPUID_FUNCTIONfunction[0]; +} SEV_SNP_CPUID_INFO; + /** Return a pointer to the contents of the specified register. @@ -1514,10 +1540,402 @@ InvdExit ( return VmgExit (Ghcb, SVM_EXIT_INVD, 0, 0); } +/** + Fetch CPUID leaf/function via hypervisor/VMGEXIT. + + @param[in, out] Ghcb Pointer to the Guest-Hypervisor Communication + Block + @param[in] EaxInEAX input for cpuid instruction + @param[in] EcxInECX input for cpuid instruction + @param[in] Xcr0In XCR0 at time of cpuid instruction + @param[in, out] Eax Pointer to store leaf's EAX value + @param[in, out] Ebx Pointer to store leaf's EBX value + @param[in, out] Ecx Pointer to store leaf's ECX value + @param[in, out] Edx Pointer to store leaf's EDX value + @param[in, out] Status Pointer to store status from VMGEXIT (always 0 + unless return value indicates failure) + @param[in, out] Unsupported Pointer to store indication of unsupported + VMGEXIT (always false unless return value + indicates failure) + + @retval TRUE CPUID leaf fetch successfully. + @retval FALSEError occurred while fetching CPUID leaf. Callers + should Status and Unsupported and handle + accordingly if they indicate a more precise + error condition. + +**/ +STATIC +BOOLEAN +GetCpuidHyp ( + IN OUT GHCB *Ghcb, + IN UINT32 EaxIn, + IN UINT32 EcxIn, + IN UINT64 XCr0, + IN OUT UINT32 *Eax, + IN OUT UINT32 *Ebx, + IN OUT UINT32 *Ecx, + IN OUT UINT32 *Edx, + IN OUT UINT64 *Status, + IN OUT BOOLEAN *UnsupportedExit + ) +{ + *UnsupportedExit = FALSE; + Ghcb->SaveAre
[edk2-devel] [PATCH v14 10/32] OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/AmdSev.c | 119 +++ 1 file changed, 119 insertions(+) diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 0828d090feaf..aa655fd9cbae 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -48,6 +48,104 @@ SevEsProtocolFailure ( CpuDeadLoop (); } +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + // + // Read the SEV_STATUS MSR to determine whether SEV-SNP is active. + // + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { +return TRUE; + } + + return FALSE; +} + +/** + Register the GHCB GPA + +*/ +STATIC +VOID +SevSnpGhcbRegister ( + EFI_PHYSICAL_ADDRESS Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress = Address & ~EFI_PAGE_MASK; + Msr.GhcbGpaRegister.Function = GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) || + ((Msr.GhcbPhysicalAddress & ~EFI_PAGE_MASK) != Address)) + { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } +} + +/** + Verify that Hypervisor supports the SNP feature. + + */ +STATIC +BOOLEAN +HypervisorSnpFeatureCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + UINT64Features; + + // + // Use the GHCB MSR Protocol to query the hypervisor capabilities + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbHypervisorFeatures.Function = GHCB_HYPERVISOR_FEATURES_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + Features = RShiftU64 (Msr.GhcbPhysicalAddress, 12); + + if ((Msr.GhcbHypervisorFeatures.Function != GHCB_HYPERVISOR_FEATURES_RESPONSE) || + (!(Features & GHCB_HV_FEATURES_SNP))) + { +return FALSE; + } + + return TRUE; +} + /** Validate the SEV-ES/GHCB protocol level. @@ -89,6 +187,27 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } + // + // We cannot use the MemEncryptSevSnpIsEnabled () because the + // ProcessLibraryConstructorList () is not called yet. + // + if (SevSnpIsEnabled ()) { +// +// Check if hypervisor supports the SNP feature +// +if (!HypervisorSnpFeatureCheck ()) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); +} + +// +// Unlike the SEV-ES guest, the SNP requires that GHCB GPA must be +// registered with the Hypervisor before the use. This can be done +// using the new VMGEXIT defined in the GHCB v2. Register the GPA +// before it is used. +// +SevSnpGhcbRegister ((EFI_PHYSICAL_ADDRESS)(UINTN)FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } + // // SEV-ES protocol checking succeeded, set the initial GHCB address // -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84549): https://edk2.groups.io/g/devel/message/84549 Mute This Topic: https://groups.io/mt/87605531/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 09/32] OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Create a function that can be used to determine if VM is running as an SEV-SNP guest. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Include/Library/MemEncryptSevLib.h| 12 + .../DxeMemEncryptSevLibInternal.c | 27 +++ .../PeiMemEncryptSevLibInternal.c | 27 +++ .../SecMemEncryptSevLibInternal.c | 19 + 4 files changed, 85 insertions(+) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index e1ec161d2159..3c77d71df754 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -47,6 +47,18 @@ typedef enum { MemEncryptSevAddressRangeError, } MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE; +/** + Returns a boolean to indicate whether SEV-SNP is enabled + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ); + /** Returns a boolean to indicate whether SEV-ES is enabled. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 4fee7b2ab345..15fcd5529587 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ STATIC BOOLEAN mSevStatus= FALSE; STATIC BOOLEAN mSevEsStatus = FALSE; +STATIC BOOLEAN mSevSnpStatus = FALSE; STATIC BOOLEAN mSevStatusChecked = FALSE; STATIC UINT64 mSevEncryptionMask = 0; @@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus = TRUE; } + +// +// Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) +// +if (Msr.Bits.SevSnpBit) { + mSevSnpStatus = TRUE; +} } mSevStatusChecked = TRUE; } +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { +InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index c4aa74a0a2dd..d68ff08c3ea6 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ STATIC BOOLEAN mSevStatus= FALSE; STATIC BOOLEAN mSevEsStatus = FALSE; +STATIC BOOLEAN mSevSnpStatus = FALSE; STATIC BOOLEAN mSevStatusChecked = FALSE; STATIC UINT64 mSevEncryptionMask = 0; @@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus = TRUE; } + +// +// Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) +// +if (Msr.Bits.SevSnpBit) { + mSevSnpStatus = TRUE; +} } mSevStatusChecked = TRUE; } +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { +InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index b5b365641499..5d912b2a4a5e 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -62,6 +62,25 @@ InternalMemEncryptSevStatus ( return ReadSevMsr ? AsmReadMsr32 (MSR_SEV_STATUS) : 0; } +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 = InternalMemEncryptSevStatus (); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84548): https://edk2.groups.io/g/devel/message/84548 Mute This Topic: https://groups.io/mt/87605530/21656 Group
[edk2-devel] [PATCH v14 08/32] OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values
From: Michael Roth CPUID instructions are issued during early boot to do things like probe for SEV support. Currently these are handled by a minimal #VC handler that uses the MSR-based GHCB protocol to fetch the CPUID values from the hypervisor. When SEV-SNP is enabled, use the firmware-validated CPUID values from the CPUID page instead [1]. [1]: SEV SNP Firmware ABI Specification, Rev. 0.8, 8.13.2.6 Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Michael Roth Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 80 +++-- 1 file changed, 75 insertions(+), 5 deletions(-) diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm index 48d9178168b0..1f827da3b929 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -34,6 +34,18 @@ BITS32 %define GHCB_CPUID_REGISTER_SHIFT 30 %define CPUID_INSN_LEN 2 +; #VC handler offsets/sizes for accessing SNP CPUID page +; +%define SNP_CPUID_ENTRY_SZ 48 +%define SNP_CPUID_COUNT 0 +%define SNP_CPUID_ENTRY16 +%define SNP_CPUID_ENTRY_EAX_IN 0 +%define SNP_CPUID_ENTRY_ECX_IN 4 +%define SNP_CPUID_ENTRY_EAX24 +%define SNP_CPUID_ENTRY_EBX28 +%define SNP_CPUID_ENTRY_ECX32 +%define SNP_CPUID_ENTRY_EDX36 + %define SEV_GHCB_MSR0xc0010130 %define SEV_STATUS_MSR 0xc0010131 @@ -335,11 +347,61 @@ SevEsIdtNotCpuid: TerminateVmgExit TERM_VC_NOT_CPUID iret -; -; Total stack usage for the #VC handler is 44 bytes: -; - 12 bytes for the exception IRET (after popping error code) -; - 32 bytes for the local variables. -; +; Use the SNP CPUID page to handle the cpuid lookup +; +; Modified: EAX, EBX, ECX, EDX +; +; Relies on the stack setup/usage in #VC handler: +; +;On entry, +; [esp + VC_CPUID_FUNCTION] contains EAX input to cpuid instruction +; +;On return, stores corresponding results of CPUID lookup in: +; [esp + VC_CPUID_RESULT_EAX] +; [esp + VC_CPUID_RESULT_EBX] +; [esp + VC_CPUID_RESULT_ECX] +; [esp + VC_CPUID_RESULT_EDX] +; +SnpCpuidLookup: +mov eax, [esp + VC_CPUID_FUNCTION] +mov ebx, [CPUID_BASE + SNP_CPUID_COUNT] +mov ecx, CPUID_BASE + SNP_CPUID_ENTRY +; Zero these out now so we can simply return if lookup fails +mov dword[esp + VC_CPUID_RESULT_EAX], 0 +mov dword[esp + VC_CPUID_RESULT_EBX], 0 +mov dword[esp + VC_CPUID_RESULT_ECX], 0 +mov dword[esp + VC_CPUID_RESULT_EDX], 0 + +SnpCpuidCheckEntry: +cmp ebx, 0 +je VmmDoneSnpCpuid +cmp dword[ecx + SNP_CPUID_ENTRY_EAX_IN], eax +jne SnpCpuidCheckEntryNext +; As with SEV-ES handler we assume requested CPUID sub-leaf/index is 0 +cmp dword[ecx + SNP_CPUID_ENTRY_ECX_IN], 0 +je SnpCpuidEntryFound + +SnpCpuidCheckEntryNext: +dec ebx +add ecx, SNP_CPUID_ENTRY_SZ +jmp SnpCpuidCheckEntry + +SnpCpuidEntryFound: +mov eax, [ecx + SNP_CPUID_ENTRY_EAX] +mov [esp + VC_CPUID_RESULT_EAX], eax +mov eax, [ecx + SNP_CPUID_ENTRY_EBX] +mov [esp + VC_CPUID_RESULT_EBX], eax +mov eax, [ecx + SNP_CPUID_ENTRY_EDX] +mov [esp + VC_CPUID_RESULT_ECX], eax +mov eax, [ecx + SNP_CPUID_ENTRY_ECX] +mov [esp + VC_CPUID_RESULT_EDX], eax +jmp VmmDoneSnpCpuid + +; +; Total stack usage for the #VC handler is 44 bytes: +; - 12 bytes for the exception IRET (after popping error code) +; - 32 bytes for the local variables. +; SevEsIdtVmmComm: ; ; If we're here, then we are an SEV-ES guest and this @@ -367,6 +429,13 @@ SevEsIdtVmmComm: ; Save the CPUID function being requested mov [esp + VC_CPUID_FUNCTION], eax +; If SEV-SNP is enabled, use the CPUID page to handle the CPUID +; instruction. +mov ecx, SEV_STATUS_MSR +rdmsr +bt eax, 2 +jc SnpCpuidLookup + ; The GHCB CPUID protocol uses the following mapping to request ; a specific register: ; 0 => EAX, 1 => EBX, 2 => ECX, 3 => EDX @@ -424,6 +493,7 @@ VmmDone: mov ecx, SEV_GHCB_MSR wrmsr +VmmDoneSnpCpuid: mov eax, [esp + VC_CPUID_RESULT_EAX] mov ebx, [esp + VC_CPUID_RESULT_EBX] mov ecx, [esp + VC_CPUID_RESULT_ECX] -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84547): https://edk2.groups.io/g/devel/message/84547 Mute This Topic: https://groups.io/mt/87605529/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 07/32] OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 An SEV-SNP guest requires that private memory (aka pages mapped encrypted) must be validated before being accessed. The validation process consist of the following sequence: 1) Set the memory encryption attribute in the page table (aka C-bit). Note: If the processor is in non-PAE mode, then all the memory accesses are considered private. 2) Add the memory range as private in the RMP table. This can be performed using the Page State Change VMGEXIT defined in the GHCB specification. 3) Use the PVALIDATE instruction to set the Validated Bit in the RMP table. During the guest creation time, the VMM encrypts the OVMF_CODE.fd using the SEV-SNP firmware provided LAUNCH_UPDATE_DATA command. In addition to encrypting the content, the command also validates the memory region. This allows us to execute the code without going through the validation sequence. During execution, the reset vector need to access some data pages (such as page tables, SevESWorkarea, Sec stack). The data pages are accessed as private memory. The data pages are not part of the OVMF_CODE.fd, so they were not validated during the guest creation. There are two approaches we can take to validate the data pages before the access: a) Enhance the OVMF reset vector code to validate the pages as described above (go through step 2 - 3). OR b) Validate the pages during the guest creation time. The SEV firmware provides a command which can be used by the VMM to validate the pages without affecting the measurement of the launch. Approach #b seems much simpler; it does not require any changes to the OVMF reset vector code. Update the OVMF metadata with the list of regions that must be pre-validated by the VMM before the boot. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/ResetVector.inf | 1 + OvmfPkg/ResetVector/ResetVector.nasmb | 13 + OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 15 +++ 3 files changed, 29 insertions(+) diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index 1c5d84184ed7..a4154ca90c28 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -57,6 +57,7 @@ [Pcd] [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index fbaeab5f5168..cc364748b592 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -107,6 +107,19 @@ %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) + %define SNP_SEC_MEM_BASE_DESC_1 (FixedPcdGet32 (PcdOvmfSecPageTablesBase)) + %define SNP_SEC_MEM_SIZE_DESC_1 (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1) + ; + ; The PcdOvmfSecGhcbBase reserves two GHCB pages. The first page is used + ; as GHCB shared page and second is used for bookkeeping to support the + ; nested GHCB in SEC phase. The bookkeeping page is mapped private. The VMM + ; does not need to validate the shared page but it need to validate the + ; bookkeeping page. + ; + %define SNP_SEC_MEM_BASE_DESC_2 (GHCB_BASE + 0x1000) + %define SNP_SEC_MEM_SIZE_DESC_2 (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2) + %define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE) + %define SNP_SEC_MEM_SIZE_DESC_3 (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3) %include "X64/IntelTdxMetadata.asm" %include "Ia32/Flat32ToFlat64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm index 0cc12ad3473f..d03fc6d45175 100644 --- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -43,6 +43,16 @@ _DescriptorSev: DD OVMF_SEV_METADATA_VERSION ; Version DD (OvmfSevGuidedStructureEnd - _DescriptorSev - 16) / 12 ; Number of sections +; Region need to be pre-validated by the hypervisor +PreValidate1: + DD SNP_SEC_MEM_BASE_DESC_1 + DD SNP_SEC_MEM_SIZE_DESC_1 + DD OVMF_SECTION_TYPE_SNP_SEC_MEM +PreValidate2: + DD SNP_SEC_MEM_BASE_DESC_2 + DD SNP_SEC_MEM_SIZE_DESC_2 + DD OVMF_SECTION_TYPE_SNP_SEC_MEM + ; SEV-SNP Secrets page SevSnpSecrets: DD SEV_SNP_SECRETS_BASE @@ -55,5 +65,10 @@ CpuidSec: DD CPUID_SIZE DD OVMF_SECTION_TYPE_CPUID +; Region need
[edk2-devel] [PATCH v14 06/32] OvmfPkg: reserve CPUID page
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Platform features and capabilities are traditionally discovered via the CPUID instruction. Hypervisors typically trap and emulate the CPUID instruction for a variety of reasons. There are some cases where incorrect CPUID information can potentially lead to a security issue. The SEV-SNP firmware provides a feature to filter the CPUID results through the PSP. The filtered CPUID values are saved on a special page for the guest to consume. Reserve a page in MEMFD that will contain the results of filtered CPUID values. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 7 +++ OvmfPkg/OvmfPkgX64.fdf | 3 +++ OvmfPkg/ResetVector/ResetVector.inf | 2 ++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 16 5 files changed, 30 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index deb285fd62c5..bc14cf2ed403 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -357,6 +357,13 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x58 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x59 + ## The base address and size of a CPUID Area that contains the hypervisor + # provided CPUID results. In the case of SEV-SNP, the CPUID results are + # filtered by the SEV-SNP firmware. If this is set in the .fdf, the + # platform is responsible to reserve this area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x60 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x61 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 1313c7f016bf..e94b433e7b28 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -91,6 +91,9 @@ [FD.MEMFD] 0x00D000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize +0x00E000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize + 0x01|0x01 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index fcbc25d0ce3d..1c5d84184ed7 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -55,6 +55,8 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataSize [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index 4e685ef23684..fbaeab5f5168 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -105,6 +105,8 @@ %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) + %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) + %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) %include "X64/IntelTdxMetadata.asm" %include "Ia32/Flat32ToFlat64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm index 2bc7790bd808..0cc12ad3473f 100644 --- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -17,6 +17,16 @@ BITS 64 ; AMD SEV-SNP specific sections %define OVMF_SECTION_TYPE_SNP_SECRETS 0x2 +; +; The section contains the hypervisor pre-populated CPUID values. +; In the case of SEV-SNP, the CPUID values are filtered and measured by +; the SEV-SNP firmware. +; The CPUID format is documented in SEV-SNP firmware spec 0.9 section 7.1 +; (CPUID function structure). +; +%define OVMF_SECTION_TYPE_CPUID 0x3 + + ALIGN 16 TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0 @@ -39,5 +49,11 @@ SevSnpSecrets: DD SEV_SNP_SECRETS_SIZE DD OVMF_SECTION_TYPE_SNP_SECRETS +; CPUID values +CpuidSec: + DD CPUID_BASE + DD CPUID_SIZE + DD OVMF_SECTION_TYPE_CPUID + OvmfSevGuidedStructureEnd: ALIGN 16 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/
[edk2-devel] [PATCH v14 05/32] OvmfPkg: reserve SNP secrets page
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 During the SNP guest launch sequence, a special secrets page needs to be inserted by the VMM. The PSP will populate the page; it will contain the VM Platform Communication Key (VMPCKs) used by the guest to send and receive secure messages to the PSP. The purpose of the secrets page in the SEV-SNP is different from the one used in SEV guests. In SEV, the secrets page contains the guest owner's private data after the remote attestation. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 7 +++ OvmfPkg/OvmfPkgX64.fdf | 3 +++ OvmfPkg/ResetVector/ResetVector.inf | 2 ++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 9 + 5 files changed, 23 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 340d83f794d0..deb285fd62c5 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -350,6 +350,13 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataOffset|0|UINT32|0x56 gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataSize|0|UINT32|0x57 + ## The base address and size of the SEV-SNP Secrets Area that contains + # the VM platform communication key used to send and recieve the + # messages to the PSP. If this is set in the .fdf, the platform + # is responsible to reserve this area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x58 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x59 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index b6cc3cabdd69..1313c7f016bf 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -88,6 +88,9 @@ [FD.MEMFD] 0x00C000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize +0x00D000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize + 0x01|0x01 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index 320e5f2c6527..fcbc25d0ce3d 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -59,3 +59,5 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index d847794feadb..4e685ef23684 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -103,6 +103,8 @@ %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) + %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) + %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) %include "X64/IntelTdxMetadata.asm" %include "Ia32/Flat32ToFlat64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm index 9d8c3e8194a4..2bc7790bd808 100644 --- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -14,6 +14,9 @@ BITS 64 ; The section must be accepted or validated by the VMM before the boot %define OVMF_SECTION_TYPE_SNP_SEC_MEM 0x1 +; AMD SEV-SNP specific sections +%define OVMF_SECTION_TYPE_SNP_SECRETS 0x2 + ALIGN 16 TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0 @@ -30,5 +33,11 @@ _DescriptorSev: DD OVMF_SEV_METADATA_VERSION ; Version DD (OvmfSevGuidedStructureEnd - _DescriptorSev - 16) / 12 ; Number of sections +; SEV-SNP Secrets page +SevSnpSecrets: + DD SEV_SNP_SECRETS_BASE + DD SEV_SNP_SECRETS_SIZE + DD OVMF_SECTION_TYPE_SNP_SECRETS + OvmfSevGuidedStructureEnd: ALIGN 16 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84544): https://edk2.groups.io/g/devel/message/84544 Mute This Topic: https://groups.io/mt/87605525/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: http
[edk2-devel] [PATCH v14 04/32] OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The OvmfPkgX86 build reserves memory regions in MEMFD. The memory regions get accessed in the SEC phase. AMD SEV-SNP require that the guest's private memory be accepted or validated before access. Introduce a Guided metadata structure that describes the reserved memory regions. The VMM can locate the metadata structure by iterating through the reset vector guid and process the areas based on the platform specific requirements. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 14 OvmfPkg/ResetVector/ResetVector.nasmb| 1 + OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 34 3 files changed, 49 insertions(+) create mode 100644 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm index dee2e3f9de31..12f2cedd6767 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm @@ -64,6 +64,20 @@ tdxMetadataOffsetStart: DB 0x86, 0x5e, 0x46, 0x85, 0xa7, 0xbf, 0x8e, 0xc2 tdxMetadataOffsetEnd: +; +; SEV metadata descriptor +; +; Provide the start offset of the metadata blob within the OVMF binary. + +; GUID : dc886566-984a-4798-A75e-5585a7bf67cc +; +OvmfSevMetadataOffsetStart: + DD (fourGigabytes - OvmfSevMetadataGuid) + DW OvmfSevMetadataOffsetEnd - OvmfSevMetadataOffsetStart + DB 0x66, 0x65, 0x88, 0xdc, 0x4a, 0x98, 0x98, 0x47 + DB 0xA7, 0x5e, 0x55, 0x85, 0xa7, 0xbf, 0x67, 0xcc +OvmfSevMetadataOffsetEnd: + %endif ; SEV Hash Table Block diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index 87effedb9c60..d847794feadb 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -109,6 +109,7 @@ %include "Ia32/AmdSev.asm" %include "Ia32/PageTables64.asm" %include "Ia32/IntelTdx.asm" +%include "X64/OvmfSevMetadata.asm" %endif %include "Ia16/Real16ToFlat32.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm new file mode 100644 index ..9d8c3e8194a4 --- /dev/null +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -0,0 +1,34 @@ +;- +; @file +; OVMF metadata for the AMD SEV confidential computing guests +; +; Copyright (c) 2021, AMD Inc. All rights reserved. +; +; SPDX-License-Identifier: BSD-2-Clause-Patent +;- + +BITS 64 + +%define OVMF_SEV_METADATA_VERSION 1 + +; The section must be accepted or validated by the VMM before the boot +%define OVMF_SECTION_TYPE_SNP_SEC_MEM 0x1 + +ALIGN 16 + +TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0 + +OvmfSevGuidedStructureStart: +; +; OvmfSev metadata descriptor +; +OvmfSevMetadataGuid: + +_DescriptorSev: + DB 'A','S','E','V'; Signature + DD OvmfSevGuidedStructureEnd - _DescriptorSev ; Length + DD OVMF_SEV_METADATA_VERSION ; Version + DD (OvmfSevGuidedStructureEnd - _DescriptorSev - 16) / 12 ; Number of sections + +OvmfSevGuidedStructureEnd: + ALIGN 16 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84543): https://edk2.groups.io/g/devel/message/84543 Mute This Topic: https://groups.io/mt/87605524/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 03/32] OvmfPkg/ResetVector: move clearing GHCB in SecMain
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 In preparation for SEV-SNP support move clearing of the GHCB memory from the ResetVector/AmdSev.asm to SecMain/AmdSev.c. The GHCB page is not accessed until SevEsProtocolCheck() switch to full GHCB. So, the move does not make any changes in the code flow or logic. The move will simplify the SEV-SNP support. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/AmdSev.c| 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 6 -- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 27fd24fc137e..0828d090feaf 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -96,7 +96,7 @@ SevEsProtocolCheck ( AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); Ghcb = Msr.Ghcb; - SetMem (Ghcb, sizeof (*Ghcb), 0); + SetMem (Ghcb, FixedPcdGet32 (PcdOvmfSecGhcbSize), 0); // // Set the version to the maximum that can be supported diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm index 250ac8d8b180..48d9178168b0 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -177,12 +177,6 @@ pageTableEntries4kLoop: mov ecx, (GHCB_BASE & 0x1F_) >> 12 mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0 -mov ecx, GHCB_SIZE / 4 -xor eax, eax -clearGhcbMemoryLoop: -mov dword[ecx * 4 + GHCB_BASE - 4], eax -loopclearGhcbMemoryLoop - SevClearPageEncMaskForGhcbPageExit: OneTimeCallRet SevClearPageEncMaskForGhcbPage -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84542): https://edk2.groups.io/g/devel/message/84542 Mute This Topic: https://groups.io/mt/87605523/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v14 02/32] UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Move all the SEV specific function in AmdSev.c. No functional change intended. Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Reviewed-by: Ray Ni Acked-by: Gerd Hoffmann Suggested-by: Jiewen Yao Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 + UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 1 + UefiCpuPkg/Library/MpInitLib/MpLib.h | 37 ++- UefiCpuPkg/Library/MpInitLib/AmdSev.c | 245 ++ UefiCpuPkg/Library/MpInitLib/MpLib.c | 224 +--- UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 119 + UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 100 ++- 7 files changed, 421 insertions(+), 306 deletions(-) create mode 100644 UefiCpuPkg/Library/MpInitLib/AmdSev.c create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf index d34419c2a524..6e510aa89120 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -28,6 +28,7 @@ [Sources.X64] X64/MpFuncs.nasm [Sources.common] + AmdSev.c MpEqu.inc DxeMpLib.c MpLib.c diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf index 36fcb96b5852..2cbd9b8b8acc 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -28,6 +28,7 @@ [Sources.X64] X64/MpFuncs.nasm [Sources.common] + AmdSev.c MpEqu.inc PeiMpLib.c MpLib.c diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index a647772088d9..16b4d76d019b 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -34,6 +34,9 @@ #include #include +#include +#include + #include #define WAKEUP_AP_SIGNAL SIGNATURE_32 ('S', 'T', 'A', 'P') @@ -321,7 +324,7 @@ typedef struct { from long mode to real mode. **/ typedef -VOID + VOID (EFIAPI AP_RESET)( IN UINTNBufferStart, IN UINT16 Code16, @@ -346,7 +349,7 @@ extern EFI_GUID mCpuInitMpLibHobGuid; @param[in] PmCodeSegment Protected mode code segment value. **/ typedef -VOID + VOID (EFIAPI *ASM_RELOCATE_AP_LOOP)( IN BOOLEAN MwaitSupport, IN UINTN ApTargetCState, @@ -740,4 +743,34 @@ PlatformShadowMicrocode ( IN OUT CPU_MP_DATA *CpuMpData ); +/** + Allocate the SEV-ES AP jump table buffer. + + @param[in, out] CpuMpData The pointer to CPU MP Data structure. +**/ +VOID +AllocateSevEsAPMemory ( + IN OUT CPU_MP_DATA *CpuMpData + ); + +/** + Program the SEV-ES AP jump table buffer. + + @param[in] SipiVector The SIPI vector used for the AP Reset +**/ +VOID +SetSevEsJumpTable ( + IN UINTN SipiVector + ); + +/** + The function puts the AP in halt loop. + + @param[in] CpuMpData The pointer to CPU MP Data structure. +**/ +VOID +SevEsPlaceApHlt ( + CPU_MP_DATA *CpuMpData + ); + #endif diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c new file mode 100644 index ..0e3c6e231077 --- /dev/null +++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c @@ -0,0 +1,245 @@ +/** @file + CPU MP Initialize helper function for AMD SEV. + + Copyright (c) 2021, AMD Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "MpLib.h" +#include + +/** + Get Protected mode code segment with 16-bit default addressing + from current GDT table. + + @return Protected mode 16-bit code segment value. +**/ +STATIC +UINT16 +GetProtectedMode16CS ( + VOID + ) +{ + IA32_DESCRIPTOR GdtrDesc; + IA32_SEGMENT_DESCRIPTOR *GdtEntry; + UINTNGdtEntryCount; + UINT16 Index; + + Index = (UINT16)-1; + AsmReadGdtr (); + GdtEntryCount = (GdtrDesc.Limit + 1) / sizeof (IA32_SEGMENT_DESCRIPTOR); + GdtEntry = (IA32_SEGMENT_DESCRIPTOR *)GdtrDesc.Base; + for (Index = 0; Index < GdtEntryCount; Index++) { +if ((GdtEntry->Bits.L == 0) && +(GdtEntry->Bits.DB == 0) && +(GdtEntry->Bits.Type > 8)) +{ + break; +} + +GdtEntry++; + } + + ASSERT (Index != GdtEntryCount); + return Index * 8; +} + +/** + Get Protected mode code segment with 32-bit default addressing + from current GDT table. + + @return Protected mode 32-bit code segment value. +**/ +STATIC +UINT16 +GetProtectedMode32CS ( + VOID + ) +{ + IA32_DESCRIPTOR GdtrDesc; + IA32_SEGMENT_DESCRIPTOR *GdtEntry; + UINTNGdtEntryCount; + UINT16 Index; + + Index = (UINT16)-1; + AsmReadGdtr (
[edk2-devel] [PATCH v14 01/32] OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Move all the SEV specific function in AmdSev.c. No functional change intended. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/SecMain.inf | 2 + OvmfPkg/Sec/AmdSev.h| 71 + OvmfPkg/Sec/AmdSev.c| 164 OvmfPkg/Sec/SecMain.c | 156 +- 4 files changed, 239 insertions(+), 154 deletions(-) create mode 100644 OvmfPkg/Sec/AmdSev.h create mode 100644 OvmfPkg/Sec/AmdSev.c diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index ea4b9611f52d..41dcdba1209a 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -23,6 +23,8 @@ [Defines] [Sources] SecMain.c + AmdSev.c + AmdSev.h [Sources.IA32] Ia32/SecEntry.nasm diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h new file mode 100644 index ..c0b1ca96183d --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.h @@ -0,0 +1,71 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _AMD_SEV_SEC_INTERNAL_H__ +#define _AMD_SEV_SEC_INTERNAL_H__ + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ); + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor + and the guest intersect. If they don't intersect, request termination. + +**/ +VOID +SevEsProtocolCheck ( + VOID + ); + +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +BOOLEAN +IsSevGuest ( + VOID + ); + +/** + Determine if SEV-ES is active. + + During early booting, SEV-ES support code will set a flag to indicate that + SEV-ES is enabled. Return the value of this flag as an indicator that SEV-ES + is enabled. + + @retval TRUE SEV-ES is enabled + @retval FALSE SEV-ES is not enabled + +**/ +BOOLEAN +SevEsIsEnabled ( + VOID + ); + +#endif diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c new file mode 100644 index ..27fd24fc137e --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.c @@ -0,0 +1,164 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +#include "AmdSev.h" + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbTerminate.Function = GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet = GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode= ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor + and the guest intersect. If they don't intersect, request termination. + +**/ +VOID +SevEsProtocolCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + GHCB *Ghcb; + + // + // Use the GHCB MSR Protocol to obtain the GHCB SEV-ES Information for + // protocol checking + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbInfo.Function = GHCB_INFO_SEV_INFO_GET; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + if (Msr.GhcbInfo.Function != GHCB_INFO_SEV_INFO) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + if (Msr.GhcbProtocol.SevEsProtocolMin > Msr.GhcbProtocol.SevEsProtocolMax) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + if ((Msr.GhcbProtocol.SevEsProtocolMin > GHCB_VERSION_MAX) || + (Msr.GhcbProtocol.SevEsProtocolMax &l
[edk2-devel] [PATCH v14 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
the GhcbGpa library and call the VmgExit directly to register GHCB GPA. * Install the CC blob config table from AmdSevDxe instead of extending the AmdSev/SecretsDxe for it. * Add the separate PCDs for the SNP Secrets. Changes since v2: * Add support for the AP creation. * Use the module-scoping override to make AmdSevDxe use the IO port for PCI reads. * Use the reserved memory type for CPUID and Secrets page. * Changes since v1: * Drop the interval tree support to detect the pre-validated overlap region. * Use an array to keep track of pre-validated regions. * Add support to query the Hypervisor feature and verify that SNP feature is supported. * Introduce MemEncryptSevClearMmioPageEncMask() to clear the C-bit from MMIO ranges. * Pull the SevSecretDxe and SevSecretPei into OVMF package build. * Extend the SevSecretDxe to expose confidential computing blob location through EFI configuration table. Brijesh Singh (28): OvmfPkg/SecMain: move SEV specific routines in AmdSev.c UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c OvmfPkg/ResetVector: move clearing GHCB in SecMain OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use OvmfPkg: reserve SNP secrets page OvmfPkg: reserve CPUID page OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled() OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest OvmfPkg/AmdSevDxe: do not use extended PCI config space OvmfPkg/MemEncryptSevLib: add support to validate system RAM OvmfPkg/MemEncryptSevLib: add function to check the VMPL0 OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase OvmfPkg/SecMain: validate the memory used for decompressing Fv OvmfPkg/PlatformPei: validate the system RAM when SNP is active MdePkg: Define ConfidentialComputingGuestAttr OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status UefiCpuPkg: add PcdGhcbHypervisorFeatures OvmfPkg/PlatformPei: set the Hypervisor Features PCD MdePkg/GHCB: increase the GHCB protocol max version UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled OvmfPkg/MemEncryptSevLib: change the page state in the RMP table OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table Michael Roth (3): OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values UefiCpuPkg/MpInitLib: use BSP to do extended topology check Tom Lendacky (1): UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs MdePkg/MdePkg.dec | 4 + OvmfPkg/OvmfPkg.dec | 19 + UefiCpuPkg/UefiCpuPkg.dec | 5 + OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +- OvmfPkg/Bhyve/BhyveX64.dsc| 5 +- OvmfPkg/OvmfPkgIa32.dsc | 4 + OvmfPkg/OvmfPkgIa32X64.dsc| 9 +- OvmfPkg/OvmfPkgX64.dsc| 8 +- OvmfPkg/OvmfXen.dsc | 5 +- OvmfPkg/OvmfPkgX64.fdf| 6 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 + .../DxeMemEncryptSevLib.inf | 3 + .../PeiMemEncryptSevLib.inf | 7 + .../SecMemEncryptSevLib.inf | 3 + OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 + OvmfPkg/PlatformPei/PlatformPei.inf | 7 + OvmfPkg/ResetVector/ResetVector.inf | 5 + OvmfPkg/Sec/SecMain.inf | 5 + UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 6 +- UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 6 +- .../Include/ConfidentialComputingGuestAttr.h | 25 + MdePkg/Include/Register/Amd/Ghcb.h| 2 +- .../Guid/ConfidentialComputingSevSnpBlob.h| 33 ++ OvmfPkg/Include/Library/MemEncryptSevLib.h| 26 + .../X64/SnpPageStateChange.h | 35 ++ .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 24 + OvmfPkg/PlatformPei/Platform.h| 5 + OvmfPkg/Sec/AmdSev.h | 94 UefiCpuPkg/Library/MpInitLib/MpLib.h | 107 +++- OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 + .../DxeMemEncryptSevLibInternal.c | 27 + .../Ia32/MemEncryptSevLib.c | 17 + .../PeiMemEncryptSevLibInternal.c | 27 + .../SecMemEncryptSevLibInternal.c | 19 + .../X64/DxeSnpSystemRamValidate.c | 40 ++ .../X6
Re: [edk2-devel] EDK2 CI build error "Uncrustify Coding Standard"
On 12/8/21 8:39 AM, Brijesh Singh wrote: ... OvmfPkg Example: git ls-files OvmfPkg/*.c OvmfPkg/*.h :!BaseTools/* | .pytool\Plugin\UncrustifyCheck\mu-uncrustify-release_extdep\Windows-x86\uncrustify.exe -c .pytool\Plugin\UncrustifyCheck\uncrustify.cfg -F - --replace --no-backup --if-changed Thanks for the detail, I just did a pull and now I see the uncrustify cfg files. I followed your above command on my Ubuntu desktop and getting the below unknown symbol, is this a known issue ? brijesh@sbrijesh-desktop:~/workdir/snp-edk2$ git ls-files OvmfPkg/Sec/AmdSev.c | uncrustify -c .pytool/Plugin/UncrustifyCheck/uncrustify.cfg -F - --replace --no-backup --if-changed .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:73: unknown symbol 'nl_func_call_args_multi_line_ignore_closures' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:79: unknown symbol 'indent_func_call_edk2_style' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:120: unknown symbol 'sp_do_brace_open' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:134: unknown symbol 'sp_before_vardef_square' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:178: unknown symbol 'sp_brace_close_while' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:184: unknown symbol 'sp_before_square_asm_block' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:205: unknown symbol 'sp_while_paren_open' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:229: unknown symbol 'indent_func_def_param_paren_pos_threshold' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:270: unknown symbol 'align_edk2_style' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:323: unknown symbol 'cmt_align_doxygen_javadoc_tags' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:406: unknown symbol 'nl_before_whole_file_ifdef' Parsing: OvmfPkg/Sec/AmdSev.c as language C brijesh@sbrijesh-desktop:~/workdir/snp-edk2$ brijesh@sbrijesh-desktop:~/workdir/snp-edk2$ uncrustify --version Uncrustify-0.69.0_f I did submitted PR after above uncurstify run but the CI still didn't like it. Do we need to have specific version of uncrustify ? Reading through the "Add Uncrustify formatting overview" email it seems we need to use a edk2 forked version of uncrustify [1]. With this now I dont get any error. [1] https://dev.azure.com/projectmu/Uncrustify/_packaging?_a=package=mu_uncrustify=mu-uncrustify-release=73.0.3=NuGet thanks -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84517): https://edk2.groups.io/g/devel/message/84517 Mute This Topic: https://groups.io/mt/87573134/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] EDK2 CI build error "Uncrustify Coding Standard"
Hi Mike, On 12/7/21 3:02 PM, Kinney, Michael D wrote: Hi Brijesh, Yes. Your branch can be rebased on top of edk2/master after uncrustify changes. You have added new c/h files, so those files need to be run through uncrustify locally and your patch updated with those formatting changes. The following command updates every c/h file except BaseTools locally. git ls-files *.c *.h :!BaseTools/* | .pytool\Plugin\UncrustifyCheck\mu-uncrustify-release_extdep\Windows-x86\uncrustify.exe -c .pytool\Plugin\UncrustifyCheck\uncrustify.cfg -F - --replace --no-backup --if-changed If you know the package you are working on, the following one will work faster. git ls-files *.c *.h :!BaseTools/* | .pytool\Plugin\UncrustifyCheck\mu-uncrustify-release_extdep\Windows-x86\uncrustify.exe -c .pytool\Plugin\UncrustifyCheck\uncrustify.cfg -F - --replace --no-backup --if-changed OvmfPkg Example: git ls-files OvmfPkg/*.c OvmfPkg/*.h :!BaseTools/* | .pytool\Plugin\UncrustifyCheck\mu-uncrustify-release_extdep\Windows-x86\uncrustify.exe -c .pytool\Plugin\UncrustifyCheck\uncrustify.cfg -F - --replace --no-backup --if-changed Thanks for the detail, I just did a pull and now I see the uncrustify cfg files. I followed your above command on my Ubuntu desktop and getting the below unknown symbol, is this a known issue ? brijesh@sbrijesh-desktop:~/workdir/snp-edk2$ git ls-files OvmfPkg/Sec/AmdSev.c | uncrustify -c .pytool/Plugin/UncrustifyCheck/uncrustify.cfg -F - --replace --no-backup --if-changed .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:73: unknown symbol 'nl_func_call_args_multi_line_ignore_closures' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:79: unknown symbol 'indent_func_call_edk2_style' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:120: unknown symbol 'sp_do_brace_open' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:134: unknown symbol 'sp_before_vardef_square' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:178: unknown symbol 'sp_brace_close_while' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:184: unknown symbol 'sp_before_square_asm_block' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:205: unknown symbol 'sp_while_paren_open' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:229: unknown symbol 'indent_func_def_param_paren_pos_threshold' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:270: unknown symbol 'align_edk2_style' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:323: unknown symbol 'cmt_align_doxygen_javadoc_tags' .pytool/Plugin/UncrustifyCheck/uncrustify.cfg:406: unknown symbol 'nl_before_whole_file_ifdef' Parsing: OvmfPkg/Sec/AmdSev.c as language C brijesh@sbrijesh-desktop:~/workdir/snp-edk2$ brijesh@sbrijesh-desktop:~/workdir/snp-edk2$ uncrustify --version Uncrustify-0.69.0_f I did submitted PR after above uncurstify run but the CI still didn't like it. Do we need to have specific version of uncrustify ? -Brijesh You do have to use the .pytool stuart commands to setup your environment so uncrustify tool is installed automatically. This also allows you to run all the EDK II CI tests locally if you want to check and fix issues before submitting a PR. https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Fedk2%2Fblob%2Fmaster%2F.pytool%2FReadme.md%23running-ci-locallydata=04%7C01%7Cbrijesh.singh%40amd.com%7Cb303a189de3446c5c52108d9b9c4e760%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C63774507763478%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=OnGmCqMIEwmrZmn48M6MwErLyB60ORfN7CUceS%2BhPmI%3Dreserved=0 You can also use git filter-branch to uncrustify a more complex patch series. That is in the email thread and will be included in the Wiki. Best regards, Mike -Original Message- From: devel@edk2.groups.io On Behalf Of Michael Kubacki Sent: Tuesday, December 7, 2021 12:50 PM To: devel@edk2.groups.io; brijesh.si...@amd.com Subject: Re: [edk2-devel] EDK2 CI build error "Uncrustify Coding Standard" Hi Brijesh, A Tianocore wiki article is being prepared but the background and instructions for what to do were sent in this mail regarding the hard freeze being lifted - https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F84458data=04%7C01%7Cbrijesh.singh%40amd.com%7Cb303a189de3446c5c52108d9b9c4e760%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637745077635009974%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=LRtAPIFef6zlz6x0YNqpM9Hn5WIjFP1C0moMZFO9TWA%3Dreserved=0. Do you have questions after reading through that? Thanks, Michael On 12/7/2021 2:52 PM, Brijesh Singh via groups.io wrote: Hi All, I am rebasing the SNP series and encountering the error like below from the CI. I am not sure what I am missing. For testing purpose, I just tried one commit and CI Windows build complains about this. This is the same patch which passed all t
[edk2-devel] EDK2 CI build error "Uncrustify Coding Standard"
Hi All, I am rebasing the SNP series and encountering the error like below from the CI. I am not sure what I am missing. For testing purpose, I just tried one commit and CI Windows build complains about this. This is the same patch which passed all the CI. Any idea what I maybe missing ? WARNING - A file header template is not specified in the config file. WARNING - A function header template is not specified in the config file. ERROR - /home/vsts/work/1/s/OvmfPkg/Sec/AmdSev.c ERROR - /home/vsts/work/1/s/OvmfPkg/Sec/AmdSev.h ERROR - --->Test Failed: Uncrustify Coding Standard Test NO-TARGET returned 2 My patch does add the two files and they are listed in .inf. -Brijesh -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84461): https://edk2.groups.io/g/devel/message/84461 Mute This Topic: https://groups.io/mt/87573134/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v13 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
Hi Gerd and Jiewen, Now that all the patches are ack'ed by Ray, can we plan to merge this series ? -Brijesh On 11/12/21 11:39 AM, Brijesh Singh via groups.io wrote: --- Hi Ray, Thanks for your reviews and continuous support; I have updated a couple of patches to address your comment. As I said in my previous reply, I will working on a follow-up series to group some of those Sev specific variables in CpuData. I hope that is okay with you. thanks BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 SEV-SNP builds upon existing SEV and SEV-ES functionality while adding new hardware-based memory protections. SEV-SNP adds strong memory integrity protection to help prevent malicious hypervisor-based attacks like data replay, memory re-mapping and more in order to create an isolated memory encryption environment. This series provides the basic building blocks to support booting the SEV-SNP VMs, it does not cover all the security enhancement introduced by the SEV-SNP such as interrupt protection. Many of the integrity guarantees of SEV-SNP are enforced through a new structure called the Reverse Map Table (RMP). Adding a new page to SEV-SNP VM requires a 2-step process. First, the hypervisor assigns a page to the guest using the new RMPUPDATE instruction. This transitions the page to guest-invalid. Second, the guest validates the page using the new PVALIDATE instruction. The SEV-SNP VMs can use the new "Page State Change Request NAE" defined in the GHCB specification to ask hypervisor to add or remove page from the RMP table. Each page assigned to the SEV-SNP VM can either be validated or unvalidated, as indicated by the Validated flag in the page's RMP entry. There are two approaches that can be taken for the page validation: Pre-validation and Lazy Validation. Under pre-validation, the pages are validated prior to first use. And under lazy validation, pages are validated when first accessed. An access to a unvalidated page results in a #VC exception, at which time the exception handler may validate the page. Lazy validation requires careful tracking of the validated pages to avoid validating the same GPA more than once. The recently introduced "Unaccepted" memory type can be used to communicate the unvalidated memory ranges to the Guest OS. At this time we only support the pre-validation. OVMF detects all the available system RAM in the PEI phase. When SEV-SNP is enabled, the memory is validated before it is made available to the EDK2 core. Now that series contains all the basic support required to launch SEV-SNP guest. We are still missing the Interrupt security feature provided by the SNP. The feature will be added after the base support is accepted. Additional resources - SEV-SNP whitepaper https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36) The complete source is available at https://github.com/AMDESE/ovmf/tree/snp-v13 GHCB spec: https://developer.amd.com/wp-content/resources/56421.pdf SEV-SNP firmware specification: https://www.amd.com/system/files/TechDocs/56860.pdf Change since v12: * MpLib: Add comment to clarify that SEV-SNP enabled implicitly means SEV and SEV-ES are active. * MpLib: Move the extended topology initialization in AmdSev.c Change since v11: * rebase to the latest * fix the UefiCpuPkg PCD definition patch header. Change since v10: * fix 'unresolved external symbol __allshl' link error when building I32 for VS2017. Changes since v9: * Move CCAttrs Pcd define in MdePkg * Add comment to indicate that allocating the identity map PT is temporary until we get lazy validation Changes since v8: * drop the generic metadata and make it specific to SEV. Changes since v7: * Move SEV specific changes in MpLib in AmdSev file * Update the GHCB register function to not restore the GHCB MSR because we were already in the MSR protocol mode. * Drop the SNP name from PcdSnpSecPreValidate. * Add new section for GHCB memory in the OVMF metadata. Change since v6: * Drop the SNP boot block GUID and switch to using the Metadata guided structure proposed by Min in TDX series. * Exclude the GHCB page from the pre-validated region. It simplifies the reset vector code where we do not need to unvalidate the GHCB page. * Now that GHCB page is not validated so move the VMPL check from reset vector code to the MemEncryptSevLib on the first page validation. * Introduce the ConfidentialComputingGuestAttr PCD to communicate which memory encryption is active so that MpInitLib can make use of it. * Drop the SEVES specific PCD as the information can be communicated via the Confidenti
[edk2-devel] [PATCH 1/1] OvmfPkg/MemEncryptSevLib: Check the guest type before EsWorkarea access
The commit 80e67af9afca added support for a generic workarea concept. The workarea header contains the information of the guest type. The header is populated by ResetVector code during the guest detection. Currently, the InternalMemEncryptSevStatus() reads the EsWorkArea to determine the C-bit position. The EsWorkArea PCD is valid only for the SEV guest type. Add a check of the guest type before accessing the EsWorkArea PCD. Fixes: 80e67af9afca ("OvmfPkg: introduce a common work area") Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Cc: Qi Zhou Signed-off-by: Brijesh Singh --- .../DxeMemEncryptSevLib.inf | 2 + .../PeiMemEncryptSevLib.inf | 2 + .../SecMemEncryptSevLib.inf | 2 + .../PeiMemEncryptSevLibInternal.c | 50 +++- .../SecMemEncryptSevLibInternal.c | 58 ++- 5 files changed, 110 insertions(+), 4 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f2e162d68076..03b66b986f1f 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -54,4 +54,6 @@ [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 03a78c32df28..16dd4d9d8b77 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -54,4 +54,6 @@ [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf index 279c38bfbc2c..a933cb33a9cb 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf @@ -48,4 +48,6 @@ [LibraryClasses] PcdLib [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index e2fd109d120f..db4249ec0d7d 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -24,6 +24,52 @@ STATIC BOOLEAN mSevStatusChecked = FALSE; STATIC UINT64 mSevEncryptionMask = 0; STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE; +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + + **/ +STATIC +BOOLEAN +IsSevGuest ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + // + // Ensure that the size of the Confidential Computing work area header + // is same as what is provided through a fixed PCD. + // + ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) == + sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); + + WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); + + return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV)); +} + +STATIC +SEC_SEV_ES_WORK_AREA * +GetSevEsWorkArea ( + VOID + ) +{ + // + // Before accessing the Es workarea lets verify that its SEV guest + // + if (!IsSevGuest()) { +return NULL; + } + + return (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); +} + /** Reads and sets the status of SEV features. @@ -43,7 +89,7 @@ InternalMemEncryptSevStatus ( ReadSevMsr = FALSE; - SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); + SevEsWorkArea = GetSevEsWorkArea (); if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) { // // The MSR has been read before, so it is safe to read it again and avoid @@ -139,7 +185,7 @@ MemEncryptSevGetEncryptionMask ( if (!mSevEncryptionMaskSaved) { SEC_SEV_ES_WORK_AREA *SevEsWorkArea; -SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); +SevEsWorkArea = GetSevEsWorkArea (); if (SevEsWorkArea != N
Re: [edk2-devel] [PATCH] OvmfPkg/MemEncryptSevLib: check CPUID when read msr during PEI phase
On 11/30/21 9:51 AM, Gerd Hoffmann wrote: > Hi, > >> What is missing in the original patch set is that now with the common work >> area we need to check the Guest Type before accessing the SevEs workarea >> type. I have a patch in my wip to cleanup the SEV feature detection check >> and patiently waiting for the SEV-SNP series to land so that I can submit >> other patches. > Can you prepare a version of the fix which does not depend on the snp > series and can be applied to edk2-stable202111? Ack. > thanks, > Gerd > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84166): https://edk2.groups.io/g/devel/message/84166 Mute This Topic: https://groups.io/mt/87301748/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] OvmfPkg/MemEncryptSevLib: check CPUID when read msr during PEI phase
On 11/29/21 1:04 PM, Tom Lendacky wrote: On 11/25/21 7:12 AM, qi zhou wrote: From 5b10265fa5c7b5ca728b4f18488089de6535ed28 Mon Sep 17 00:00:00 2001 From: Qi Zhou Date: Thu, 25 Nov 2021 20:25:55 +0800 Subject: [PATCH] OvmfPkg/MemEncryptSevLib: check CPUID when read msr during PEI phase Tested on Intel Platform, It is like 'SEV-ES work area' can be modified by os(Windows etc), and will not restored on reboot, the SevEsWorkArea->EncryptionMask may have a random value after reboot. then it may casue fail on reboot. The msr bits already cached by mSevStatusChecked, there is no need to try cache again in PEI phase. Signed-off-by: Qi Zhou --- .../PeiMemEncryptSevLibInternal.c | 55 +++ 1 file changed, 19 insertions(+), 36 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index e2fd109d12..0819f50669 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -38,49 +38,32 @@ InternalMemEncryptSevStatus ( UINT32 RegEax; MSR_SEV_STATUS_REGISTER Msr; CPUID_MEMORY_ENCRYPTION_INFO_EAX Eax; - BOOLEAN ReadSevMsr; - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; - ReadSevMsr = FALSE; - - SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); - if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) { - // - // The MSR has been read before, so it is safe to read it again and avoid - // having to validate the CPUID information. + // + // Check if memory encryption leaf exist + // + AsmCpuid (CPUID_EXTENDED_FUNCTION, , NULL, NULL, NULL); + if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) { What is missing in the original patch set is that now with the common work area we need to check the Guest Type before accessing the SevEs workarea type. I have a patch in my wip to cleanup the SEV feature detection check and patiently waiting for the SEV-SNP series to land so that I can submit other patches. You need something like IsSevGuest() before accessing the SevEs workarea, see how its done for the SEC. https://github.com/AMDESE/ovmf/blob/snp-v13/OvmfPkg/Sec/AmdSev.c#L234 In my WIP I am moving that to common BaseMemEncryptLib. thanks This now defeats the purpose of the workarea the already validated CPUID information. This CPUID information will now require validating. Wouldn't the best thing be to clear the workarea in the early boot code? Thanks, Tom // - ReadSevMsr = TRUE; - } else { + // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) // - // Check if memory encryption leaf exist - // - AsmCpuid (CPUID_EXTENDED_FUNCTION, , NULL, NULL, NULL); - if (RegEax >= CPUID_MEMORY_ENCRYPTION_INFO) { + AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, , NULL, NULL, NULL); + + if (Eax.Bits.SevBit) { // - // CPUID Fn8000_001F[EAX] Bit 1 (Sev supported) + // Check MSR_0xC0010131 Bit 0 (Sev Enabled) // - AsmCpuid (CPUID_MEMORY_ENCRYPTION_INFO, , NULL, NULL, NULL); - - if (Eax.Bits.SevBit) { - ReadSevMsr = TRUE; + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); + if (Msr.Bits.SevBit) { + mSevStatus = TRUE; } - } - } - - if (ReadSevMsr) { - // - // Check MSR_0xC0010131 Bit 0 (Sev Enabled) - // - Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); - if (Msr.Bits.SevBit) { - mSevStatus = TRUE; - } - // - // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) - // - if (Msr.Bits.SevEsBit) { - mSevEsStatus = TRUE; + // + // Check MSR_0xC0010131 Bit 1 (Sev-Es Enabled) + // + if (Msr.Bits.SevEsBit) { + mSevEsStatus = TRUE; + } } } -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#84135): https://edk2.groups.io/g/devel/message/84135 Mute This Topic: https://groups.io/mt/87301748/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v13 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
Hi Edk2 Maintainers, The SNP support development finished almost two months ago. I have addressed all the feedback from the Ovmf maintainer, and the patches are ready to be merged. We are waiting for UefiCpuPkg maintainers to ack the patches as it touches a few areas in the EDK2 core. As defined, I've been following the edk2 process; I have kept sending the gentle ping one after another every other week without results. As a contributor, I am not sure what I am missing. Can I ask ovmf maintainer to reach out directly to UefiCpuPkg maintainer to understand what is blocking? Other cleanups/optimization depends on this series; I would like to keep improving the code and make OVMF ready for the confidential computing use case and not be discouraged by the lack of responses. Thanks Brijesh On 11/26/21 9:21 AM, Brijesh Singh via groups.io wrote: Hi Ray, Can you please ack the remaining patches so that it can be merged? thanks On 11/12/21 11:39 AM, Brijesh Singh wrote: --- Hi Ray, Thanks for your reviews and continuous support; I have updated a couple of patches to address your comment. As I said in my previous reply, I will working on a follow-up series to group some of those Sev specific variables in CpuData. I hope that is okay with you. thanks BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3275data=04%7C01%7Cbrijesh.singh%40amd.com%7C12c8f5b9e6e74f316eb808d9b0f079b0%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637735371437948485%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=MaxkCh6bBq%2BxjR3c7YBaczFmSBNlp6CJfsM6UKEl%2BdE%3Dreserved=0 SEV-SNP builds upon existing SEV and SEV-ES functionality while adding new hardware-based memory protections. SEV-SNP adds strong memory integrity protection to help prevent malicious hypervisor-based attacks like data replay, memory re-mapping and more in order to create an isolated memory encryption environment. This series provides the basic building blocks to support booting the SEV-SNP VMs, it does not cover all the security enhancement introduced by the SEV-SNP such as interrupt protection. Many of the integrity guarantees of SEV-SNP are enforced through a new structure called the Reverse Map Table (RMP). Adding a new page to SEV-SNP VM requires a 2-step process. First, the hypervisor assigns a page to the guest using the new RMPUPDATE instruction. This transitions the page to guest-invalid. Second, the guest validates the page using the new PVALIDATE instruction. The SEV-SNP VMs can use the new "Page State Change Request NAE" defined in the GHCB specification to ask hypervisor to add or remove page from the RMP table. Each page assigned to the SEV-SNP VM can either be validated or unvalidated, as indicated by the Validated flag in the page's RMP entry. There are two approaches that can be taken for the page validation: Pre-validation and Lazy Validation. Under pre-validation, the pages are validated prior to first use. And under lazy validation, pages are validated when first accessed. An access to a unvalidated page results in a #VC exception, at which time the exception handler may validate the page. Lazy validation requires careful tracking of the validated pages to avoid validating the same GPA more than once. The recently introduced "Unaccepted" memory type can be used to communicate the unvalidated memory ranges to the Guest OS. At this time we only support the pre-validation. OVMF detects all the available system RAM in the PEI phase. When SEV-SNP is enabled, the memory is validated before it is made available to the EDK2 core. Now that series contains all the basic support required to launch SEV-SNP guest. We are still missing the Interrupt security feature provided by the SNP. The feature will be added after the base support is accepted. Additional resources - SEV-SNP whitepaper https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.amd.com%2Fsystem%2Ffiles%2FTechDocs%2FSEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdfdata=04%7C01%7Cbrijesh.singh%40amd.com%7C12c8f5b9e6e74f316eb808d9b0f079b0%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637735371437948485%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000sdata=IscTAPfML8wT7L37UY7xZWLU7sINgvcw3dTAn1ge0I8%3Dreserved=0 APM 2: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.amd.com%2Fsystem%2Ffiles%2FTechDocs%2F24593.pdfdata=04%7C01%7Cbrijesh.singh%40amd.com%7C12c8f5b9e6e74f316eb808d9b0f079b0%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637735371437948485%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVC
Re: [edk2-devel] [PATCH v13 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
Hi Ray, Can you please ack the remaining patches so that it can be merged? thanks On 11/12/21 11:39 AM, Brijesh Singh wrote: > --- > Hi Ray, > > Thanks for your reviews and continuous support; I have updated a couple of > patches > to address your comment. As I said in my previous reply, I will working on a > follow-up series to group some of those Sev specific variables in CpuData. > > I hope that is okay with you. > > thanks > > > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 > > SEV-SNP builds upon existing SEV and SEV-ES functionality while adding > new hardware-based memory protections. SEV-SNP adds strong memory integrity > protection to help prevent malicious hypervisor-based attacks like data > replay, memory re-mapping and more in order to create an isolated memory > encryption environment. > > This series provides the basic building blocks to support booting the SEV-SNP > VMs, it does not cover all the security enhancement introduced by the SEV-SNP > such as interrupt protection. > > Many of the integrity guarantees of SEV-SNP are enforced through a new > structure called the Reverse Map Table (RMP). Adding a new page to SEV-SNP > VM requires a 2-step process. First, the hypervisor assigns a page to the > guest using the new RMPUPDATE instruction. This transitions the page to > guest-invalid. Second, the guest validates the page using the new PVALIDATE > instruction. The SEV-SNP VMs can use the new "Page State Change Request NAE" > defined in the GHCB specification to ask hypervisor to add or remove page > from the RMP table. > > Each page assigned to the SEV-SNP VM can either be validated or unvalidated, > as indicated by the Validated flag in the page's RMP entry. There are two > approaches that can be taken for the page validation: Pre-validation and > Lazy Validation. > > Under pre-validation, the pages are validated prior to first use. And under > lazy validation, pages are validated when first accessed. An access to a > unvalidated page results in a #VC exception, at which time the exception > handler may validate the page. Lazy validation requires careful tracking of > the validated pages to avoid validating the same GPA more than once. The > recently introduced "Unaccepted" memory type can be used to communicate the > unvalidated memory ranges to the Guest OS. > > At this time we only support the pre-validation. OVMF detects all the > available > system RAM in the PEI phase. When SEV-SNP is enabled, the memory is validated > before it is made available to the EDK2 core. > > Now that series contains all the basic support required to launch SEV-SNP > guest. We are still missing the Interrupt security feature provided by the > SNP. The feature will be added after the base support is accepted. > > Additional resources > - > SEV-SNP whitepaper > https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf > > APM 2: https://www.amd.com/system/files/TechDocs/24593.pdf (section 15.36) > > The complete source is available at > https://github.com/AMDESE/ovmf/tree/snp-v13 > > GHCB spec: > https://developer.amd.com/wp-content/resources/56421.pdf > > SEV-SNP firmware specification: > https://www.amd.com/system/files/TechDocs/56860.pdf > > Change since v12: > * MpLib: Add comment to clarify that SEV-SNP enabled implicitly means SEV > and SEV-ES are active. > * MpLib: Move the extended topology initialization in AmdSev.c > > Change since v11: > * rebase to the latest > * fix the UefiCpuPkg PCD definition patch header. > > Change since v10: > * fix 'unresolved external symbol __allshl' link error when building I32 for > VS2017. > > Changes since v9: > * Move CCAttrs Pcd define in MdePkg > * Add comment to indicate that allocating the identity map PT is temporary > until we get lazy validation > > Changes since v8: > * drop the generic metadata and make it specific to SEV. > > Changes since v7: > * Move SEV specific changes in MpLib in AmdSev file > * Update the GHCB register function to not restore the GHCB MSR because >we were already in the MSR protocol mode. > * Drop the SNP name from PcdSnpSecPreValidate. > * Add new section for GHCB memory in the OVMF metadata. > > Change since v6: > * Drop the SNP boot block GUID and switch to using the Metadata guided > structure >proposed by Min in TDX series. > * Exclude the GHCB page from the pre-validated region. It simplifies the > reset >
Re: [edk2-devel] [PATCH] OvmfPkg/AmdSev/SecretPei: Mark SEV launch secret area as reserved
On 11/18/21 5:31 AM, Dov Murik wrote: Mark the SEV launch secret MEMFD area as reserved, which will allow the guest OS to use it during the lifetime of the OS, without creating copies of the sensitive content. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Cc: Tom Lendacky Cc: Tobin Feldman-Fitzthum Signed-off-by: Dov Murik --- OvmfPkg/AmdSev/SecretPei/SecretPei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/SecretPei/SecretPei.c b/OvmfPkg/AmdSev/SecretPei/SecretPei.c index db94c26b54d1..6bf1a55dea64 100644 --- a/OvmfPkg/AmdSev/SecretPei/SecretPei.c +++ b/OvmfPkg/AmdSev/SecretPei/SecretPei.c @@ -19,7 +19,7 @@ InitializeSecretPei ( BuildMemoryAllocationHob ( PcdGet32 (PcdSevLaunchSecretBase), ALIGN_VALUE (PcdGet32 (PcdSevLaunchSecretSize), EFI_PAGE_SIZE), -EfiBootServicesData +EfiReservedMemoryType ); return EFI_SUCCESS; Reviewed-by: Brijesh Singh thanks -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83913): https://edk2.groups.io/g/devel/message/83913 Mute This Topic: https://groups.io/mt/87140890/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 13/32] OvmfPkg/AmdSevDxe: do not use extended PCI config space
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Commit 85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 added support to ensure that MMIO is only performed against the un-encrypted memory. If MMIO is performed against encrypted memory, a #GP is raised. The AmdSevDxe uses the functions provided by the MemEncryptSevLib to clear the memory encryption mask from the page table. If the MemEncryptSevLib is extended to include VmgExitLib then depedency chain will look like this: OvmfPkg/AmdSevDxe/AmdSevDxe.inf -> MemEncryptSevLibclass -> "OvmfPkg/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf" instance -> VmgExitLib class -> "OvmfPkg/VmgExitLib"instance -> LocalApicLibclass -> "UefiCpuPkg/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf" instance -> TimerLibclass -> "OvmfPkg/AcpiTimerLib/DxeAcpiTimerLib.inf" instance -> PciLib class -> "OvmfPkg/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf"instance -> PciExpressLib class -> "MdePkg/BasePciExpressLib/BasePciExpressLib.inf" instance The LocalApicLib provides a constructor that gets called before the AmdSevDxe can clear the memory encryption mask from the MMIO regions. When running under the Q35 machine type, the call chain looks like this: AcpiTimerLibConstructor () [AcpiTimerLib] PciRead32 () [DxePciLibI440FxQ35] PciExpressRead32 () [PciExpressLib] The PciExpressRead32 () reads the MMIO region. The MMIO regions are not yet mapped un-encrypted, so the check introduced in the commit 85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 raises a #GP. The AmdSevDxe driver does not require the access to the extended PCI config space. Accessing a normal PCI config space, via IO port should be sufficent. Use the module-scope override to make the AmdSevDxe use the BasePciLib instead of BasePciExpressLib so that PciRead32 () uses the IO ports instead of the extended config space. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Suggested-by: Laszlo Ersek Signed-off-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc | 5 - OvmfPkg/Bhyve/BhyveX64.dsc | 5 - OvmfPkg/OvmfPkgIa32X64.dsc | 5 - OvmfPkg/OvmfPkgX64.dsc | 5 - OvmfPkg/OvmfXen.dsc | 5 - 5 files changed, 20 insertions(+), 5 deletions(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 5ee54451169b..2997929faa05 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -816,7 +816,10 @@ [Components] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf # diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index d8fe607d1cf7..f45634996247 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -790,7 +790,10 @@ [Components] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 71227d1b709a..13d9a1f111bc 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -969,7 +969,10 @@ [Components.X64] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf !if $(SMM_REQUIRE) == TRUE diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 52f7598cf1c7..97b7cb40ff88 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -967,7 +967,10 @@ [Components] !endif OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf !if $(SMM_REQUIRE) == TRUE diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc index a31519e356b7..383cb03d2a14 100644 --- a/OvmfPkg/OvmfXen.dsc +++ b/OvmfPkg/OvmfXen.dsc @@ -729,7 +729,10 @@ [Components] } OvmfPkg/PlatformDxe/Platform.inf - OvmfPkg/AmdSevDxe/AmdSevDxe.inf + OvmfPkg/AmdSevDxe/AmdSevDxe.inf { + +PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf + } OvmfPkg/IoMmuDxe/IoMmuDxe.inf # -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this
[edk2-devel] [PATCH v13 32/32] UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
From: Tom Lendacky BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Use the SEV-SNP AP Creation NAE event to create and launch APs under SEV-SNP. This capability will be advertised in the SEV Hypervisor Feature Support PCD (PcdSevEsHypervisorFeatures). Cc: Michael Roth Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Acked-by: Gerd Hoffmann Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/MpLib.h | 44 +++ UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 12 +- UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c| 70 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 51 ++-- UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 261 ++ 7 files changed, 425 insertions(+), 19 deletions(-) create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf index de705bc54bb4..e1cd0b350008 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm [Sources.common] @@ -73,6 +75,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds ## CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf index b7e15ee023f0..5facf4db9499 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm [Sources.common] @@ -64,6 +66,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index c5887ff6f647..2e4b5c0f6e87 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -15,6 +15,7 @@ #include #include +#include #include #include #include @@ -150,6 +151,7 @@ typedef struct { UINT8 PlatformId; UINT64 MicrocodeEntryAddr; UINT32 MicrocodeRevision; + SEV_ES_SAVE_AREA *SevEsSaveArea; } CPU_AP_DATA; // @@ -294,6 +296,7 @@ struct _CPU_MP_DATA { BOOLEANSevEsIsEnabled; BOOLEANSevSnpIsEnabled; + BOOLEANUseSevEsAPMethod; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA*NewCpuMpData; @@ -800,5 +803,46 @@ FillExchangeInfoDataSevEs ( IN volatile MP_CPU_EXCHANGE_INFO*ExchangeInfo ); +/** + Issue RMPADJUST to adjust the VMSA attribute of an SEV-SNP page. + + @param[in] PageAddress + @param[in] VmsaPage + + @return RMPADJUST return value +**/ +UINT32 +SevSnpRmpAdjust ( + IN EFI_PHYSICAL_ADDRESS PageAddress, + IN BOOLEAN VmsaPage + ); + +/** + Create an SEV-SNP AP save area (VMSA) for use in running the vCPU. + + @param[in] CpuMpDataPointer to CPU MP Data + @param[in] CpuData Pointer to CPU AP Data + @param[in] ApicId APIC ID of the vCPU +**/ +VOID +SevSnpCreateSaveArea ( + IN CPU_MP_DATA *CpuMpData, + IN CPU_AP_DATA *CpuData, + UINT32 ApicId + ); + +/** + Create SEV-SNP APs. + + @param[in] CpuMpDataPointer to CPU MP Data + @param[in] ProcessorNumber
[edk2-devel] [PATCH v13 25/32] MdePkg/GHCB: increase the GHCB protocol max version
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Now that OvmfPkg supports version 2 of the GHCB specification, bump the protocol version. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- MdePkg/Include/Register/Amd/Ghcb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdePkg/Include/Register/Amd/Ghcb.h b/MdePkg/Include/Register/Amd/Ghcb.h index 8c5f46e4bb53..071aae0c9e09 100644 --- a/MdePkg/Include/Register/Amd/Ghcb.h +++ b/MdePkg/Include/Register/Amd/Ghcb.h @@ -24,7 +24,7 @@ #define VC_EXCEPTION 29 #define GHCB_VERSION_MIN 1 -#define GHCB_VERSION_MAX 1 +#define GHCB_VERSION_MAX 2 #define GHCB_STANDARD_USAGE 0 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83729): https://edk2.groups.io/g/devel/message/83729 Mute This Topic: https://groups.io/mt/87011905/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 30/32] OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
When SEV-SNP is active, the CPUID and Secrets memory range contains the information that is used during the VM boot. The content need to be persist across the kexec boot. Mark the memory range as Reserved in the EFI map so that guest OS or firmware does not use the range as a system RAM. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/PlatformPei.inf | 4 OvmfPkg/PlatformPei/Platform.h | 5 + OvmfPkg/PlatformPei/AmdSev.c| 31 + OvmfPkg/PlatformPei/MemDetect.c | 2 ++ 4 files changed, 42 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 3c05b550e4bd..1c56ba275835 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -111,6 +111,8 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory @@ -121,6 +123,8 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h index 8b1d270c2b0b..4169019b4c07 100644 --- a/OvmfPkg/PlatformPei/Platform.h +++ b/OvmfPkg/PlatformPei/Platform.h @@ -102,6 +102,11 @@ AmdSevInitialize ( VOID ); +VOID +SevInitializeRam ( + VOID + ); + extern EFI_BOOT_MODE mBootMode; extern BOOLEAN mS3Supported; diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 7da6370113f0..e71c601aa716 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -410,3 +410,34 @@ AmdSevInitialize ( ASSERT_RETURN_ERROR (PcdStatus); } + +/** + The function performs SEV specific region initialization. + + **/ +VOID +SevInitializeRam ( + VOID + ) +{ + if (MemEncryptSevSnpIsEnabled ()) { +// +// If SEV-SNP is enabled, reserve the Secrets and CPUID memory area. +// +// This memory range is given to the PSP by the hypervisor to populate +// the information used during the SNP VM boots, and it need to persist +// across the kexec boots. Mark it as EfiReservedMemoryType so that +// the guest firmware and OS does not use it as a system memory. +// +BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpSecretsBase), + (UINT64)(UINTN) PcdGet32 (PcdOvmfSnpSecretsSize), + EfiReservedMemoryType + ); +BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfCpuidBase), + (UINT64)(UINTN) PcdGet32 (PcdOvmfCpuidSize), + EfiReservedMemoryType + ); + } +} diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c index d736b85e0d90..058bb394f0df 100644 --- a/OvmfPkg/PlatformPei/MemDetect.c +++ b/OvmfPkg/PlatformPei/MemDetect.c @@ -821,6 +821,8 @@ InitializeRamRegions ( { QemuInitializeRam (); + SevInitializeRam (); + if (mS3Supported && mBootMode != BOOT_ON_S3_RESUME) { // // This is the memory range that will be used for PEI on S3 resume -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83730): https://edk2.groups.io/g/devel/message/83730 Mute This Topic: https://groups.io/mt/87011909/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 31/32] OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Now that both the secrets and cpuid pages are reserved in the HOB, extract the location details through fixed PCD and make it available to the guest OS through the configuration table. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 1 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 .../Guid/ConfidentialComputingSevSnpBlob.h| 33 +++ OvmfPkg/AmdSevDxe/AmdSevDxe.c | 23 + 4 files changed, 64 insertions(+) create mode 100644 OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index c22b846cd663..769bef0ffa12 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -124,6 +124,7 @@ [Guids] gQemuKernelLoaderFsMediaGuid = {0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7}} gGrubFileGuid = {0xb5ae312c, 0xbc8a, 0x43b1, {0x9c, 0x62, 0xeb, 0xb8, 0x26, 0xdd, 0x5d, 0x07}} gConfidentialComputingSecretGuid = {0xadf956ad, 0xe98c, 0x484c, {0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47}} + gConfidentialComputingSevSnpBlobGuid = {0x067b1f5f, 0xcf26, 0x44c5, {0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42}} [Ppis] # PPI whose presence in the PPI database signals that the TPM base address diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf index 0676fcc5b6a4..9acf860cf25e 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf @@ -42,6 +42,13 @@ [FeaturePcd] [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize + +[Guids] + gConfidentialComputingSevSnpBlobGuid [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId diff --git a/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h b/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h new file mode 100644 index ..c98e7a1dcccd --- /dev/null +++ b/OvmfPkg/Include/Guid/ConfidentialComputingSevSnpBlob.h @@ -0,0 +1,33 @@ + /** @file + UEFI Configuration Table for exposing the SEV-SNP launch blob. + + Copyright (c) 2021, Advanced Micro Devices Inc. All right reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + **/ + +#ifndef CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB_H_ +#define CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB_H_ + +#include + +#define CONFIDENTIAL_COMPUTING_SNP_BLOB_GUID\ + { 0x067b1f5f, \ +0xcf26, \ +0x44c5, \ +{ 0x85, 0x54, 0x93, 0xd7, 0x77, 0x91, 0x2d, 0x42 }, \ + } + +typedef struct { + UINT32 Header; + UINT16 Version; + UINT16 Reserved1; + UINT64 SecretsPhysicalAddress; + UINT32 SecretsSize; + UINT64 CpuidPhysicalAddress; + UINT32 CpuidLSize; +} CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION; + +extern EFI_GUID gConfidentialComputingSevSnpBlobGuid; + +#endif diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c index c66c4e9b9272..6e1ba35e02b8 100644 --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c @@ -17,8 +17,20 @@ #include #include #include +#include +#include #include +STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = { + SIGNATURE_32('A','M','D','E'), + 1, + 0, + (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfSnpSecretsBase), + FixedPcdGet32 (PcdOvmfSnpSecretsSize), + (UINT64)(UINTN) FixedPcdGet32 (PcdOvmfCpuidBase), + FixedPcdGet32 (PcdOvmfCpuidSize), +}; + EFI_STATUS EFIAPI AmdSevDxeEntryPoint ( @@ -130,5 +142,16 @@ AmdSevDxeEntryPoint ( } } + // + // If its SEV-SNP active guest then install the CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB. + // It contains the location for both the Secrets and CPUID page. + // + if (MemEncryptSevSnpIsEnabled ()) { +return gBS->InstallConfigurationTable ( + , + + ); + } + return EFI_SUCCESS; } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83731): https://edk2.groups.io/g/devel/message/83731 Mute This Topic: https://groups.io/mt/87011910/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 24/32] OvmfPkg/PlatformPei: set the Hypervisor Features PCD
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Version 2 of the GHCB specification added the support to query the hypervisor feature bitmap. The feature bitmap provide information such as whether to use the AP create VmgExit or use the AP jump table approach to create the APs. The MpInitLib will use the PcdGhcbHypervisorFeatures to determine which method to use for creating the AP. Query the hypervisor feature and set the PCD accordingly. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++ OvmfPkg/PlatformPei/AmdSev.c| 56 + 2 files changed, 58 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index bada5ea14439..3c05b550e4bd 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -62,6 +62,7 @@ [LibraryClasses] MtrrLib MemEncryptSevLib PcdLib + VmgExitLib [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase @@ -107,6 +108,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index c447753075b1..7da6370113f0 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -24,6 +24,12 @@ #include "Platform.h" +STATIC +UINT64 +GetHypervisorFeature ( + VOID + ); + /** Initialize SEV-SNP support if running as an SEV-SNP guest. @@ -36,11 +42,22 @@ AmdSevSnpInitialize ( { EFI_PEI_HOB_POINTERS Hob; EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob; + UINT64HvFeatures; + EFI_STATUSPcdStatus; if (!MemEncryptSevSnpIsEnabled ()) { return; } + // + // Query the hypervisor feature using the VmgExit and set the value in the + // hypervisor features PCD. + // + HvFeatures = GetHypervisorFeature (); + PcdStatus = PcdSet64S (PcdGhcbHypervisorFeatures, HvFeatures); + ASSERT_RETURN_ERROR (PcdStatus); + + // // Iterate through the system RAM and validate it. // @@ -91,6 +108,45 @@ SevEsProtocolFailure ( CpuDeadLoop (); } +/** + Get the hypervisor features bitmap + +**/ +STATIC +UINT64 +GetHypervisorFeature ( + VOID + ) +{ + UINT64 Status; + GHCB*Ghcb; + MSR_SEV_ES_GHCB_REGISTERMsr; + BOOLEAN InterruptState; + UINT64 Features; + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + Ghcb = Msr.Ghcb; + + // + // Initialize the GHCB + // + VmgInit (Ghcb, ); + + // + // Query the Hypervisor Features. + // + Status = VmgExit (Ghcb, SVM_EXIT_HYPERVISOR_FEATURES, 0, 0); + if ((Status != 0)) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + Features = Ghcb->SaveArea.SwExitInfo2; + + VmgDone (Ghcb, InterruptState); + + return Features; +} + /** This function can be used to register the GHCB GPA. -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83725): https://edk2.groups.io/g/devel/message/83725 Mute This Topic: https://groups.io/mt/87011900/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 28/32] OvmfPkg/MemEncryptSevLib: change the page state in the RMP table
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The MemEncryptSev{Set,Clear}PageEncMask() functions are used to set or clear the memory encryption attribute in the page table. When SEV-SNP is active, we also need to change the page state in the RMP table so that it is in sync with the memory encryption attribute change. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../X64/PeiDxeVirtualMemory.c | 34 +++ 1 file changed, 34 insertions(+) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index f146f6d61cc5..56db1e4b6ecf 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -17,6 +17,7 @@ #include #include "VirtualMemory.h" +#include "SnpPageStateChange.h" STATIC BOOLEAN mAddressEncMaskChecked = FALSE; STATIC UINT64 mAddressEncMask; @@ -695,10 +696,12 @@ SetMemoryEncDec ( PAGE_MAP_AND_DIRECTORY_POINTER *PageDirectoryPointerEntry; PAGE_TABLE_1G_ENTRY*PageDirectory1GEntry; PAGE_TABLE_ENTRY *PageDirectory2MEntry; + PHYSICAL_ADDRESS OrigPhysicalAddress; PAGE_TABLE_4K_ENTRY*PageTableEntry; UINT64 PgTableMask; UINT64 AddressEncMask; BOOLEANIsWpEnabled; + UINTN OrigLength; RETURN_STATUS Status; // @@ -751,6 +754,22 @@ SetMemoryEncDec ( Status = EFI_SUCCESS; + // + // To maintain the security gurantees we must set the page to shared in the RMP + // table before clearing the memory encryption mask from the current page table. + // + // The InternalSetPageState() is used for setting the page state in the RMP table. + // + if ((Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { +InternalSetPageState (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSnpPageShared, FALSE); + } + + // + // Save the specified length and physical address (we need it later). + // + OrigLength = Length; + OrigPhysicalAddress = PhysicalAddress; + while (Length != 0) { // @@ -923,6 +942,21 @@ SetMemoryEncDec ( // CpuFlushTlb(); + // + // SEV-SNP requires that all the private pages (i.e pages mapped encrypted) must be + // added in the RMP table before the access. + // + // The InternalSetPageState() is used for setting the page state in the RMP table. + // + if ((Mode == SetCBit) && MemEncryptSevSnpIsEnabled ()) { +InternalSetPageState ( + OrigPhysicalAddress, + EFI_SIZE_TO_PAGES (OrigLength), + SevSnpPagePrivate, + FALSE + ); + } + Done: // // Restore page table write protection, if any. -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83727): https://edk2.groups.io/g/devel/message/83727 Mute This Topic: https://groups.io/mt/87011902/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 29/32] OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
The SetMemoryEncDec() is used by the higher level routines to set or clear the page encryption mask for system RAM and Mmio address. When SEV-SNP is active, in addition to set/clear page mask it also updates the RMP table. The RMP table updates are required for the system RAM address and not the Mmio address. Add a new parameter in SetMemoryEncDec() to tell whether the specified address is Mmio. If its Mmio then skip the page state change in the RMP table. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- .../X64/PeiDxeVirtualMemory.c | 20 --- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index 56db1e4b6ecf..0bb86d768017 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -673,6 +673,7 @@ InternalMemEncryptSevCreateIdentityMap1G ( @param[in] ModeSet or Clear mode @param[in] CacheFlush Flush the caches before applying the encryption mask + @param[in] MmioThe physical address specified is Mmio @retval RETURN_SUCCESS The attributes were cleared for the memory region. @@ -688,7 +689,8 @@ SetMemoryEncDec ( INPHYSICAL_ADDRESS PhysicalAddress, INUINTNLength, INMAP_RANGE_MODE Mode, - INBOOLEAN CacheFlush + INBOOLEAN CacheFlush, + INBOOLEAN Mmio ) { PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; @@ -711,14 +713,15 @@ SetMemoryEncDec ( DEBUG (( DEBUG_VERBOSE, -"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx Mode=%a CacheFlush=%u\n", +"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx Mode=%a CacheFlush=%u Mmio=%u\n", gEfiCallerBaseName, __FUNCTION__, Cr3BaseAddress, PhysicalAddress, (UINT64)Length, (Mode == SetCBit) ? "Encrypt" : "Decrypt", -(UINT32)CacheFlush +(UINT32)CacheFlush, +(UINT32)Mmio )); // @@ -760,7 +763,7 @@ SetMemoryEncDec ( // // The InternalSetPageState() is used for setting the page state in the RMP table. // - if ((Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { + if (!Mmio && (Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { InternalSetPageState (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSnpPageShared, FALSE); } @@ -998,7 +1001,8 @@ InternalMemEncryptSevSetMemoryDecrypted ( PhysicalAddress, Length, ClearCBit, - TRUE + TRUE, + FALSE ); } @@ -1031,7 +1035,8 @@ InternalMemEncryptSevSetMemoryEncrypted ( PhysicalAddress, Length, SetCBit, - TRUE + TRUE, + FALSE ); } @@ -1064,6 +1069,7 @@ InternalMemEncryptSevClearMmioPageEncMask ( PhysicalAddress, Length, ClearCBit, - FALSE + FALSE, + TRUE ); } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83728): https://edk2.groups.io/g/devel/message/83728 Mute This Topic: https://groups.io/mt/87011904/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 26/32] UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 An SEV-SNP guest requires that the physical address of the GHCB must be registered with the hypervisor before using it. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/MpLib.h | 2 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 2 + UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 + UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 54 4 files changed, 59 insertions(+) diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index 2107f3f705a2..45bc1de23e3c 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -222,6 +222,7 @@ typedef struct { // BOOLEAN Enable5LevelPaging; BOOLEAN SevEsIsEnabled; + BOOLEAN SevSnpIsEnabled; UINTN GhcbBase; } MP_CPU_EXCHANGE_INFO; @@ -291,6 +292,7 @@ struct _CPU_MP_DATA { BOOLEANWakeUpByInitSipiSipi; BOOLEANSevEsIsEnabled; + BOOLEANSevSnpIsEnabled; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA*NewCpuMpData; diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c index b6c8a1a04d9f..315172fb937a 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -889,6 +889,7 @@ FillExchangeInfoData ( DEBUG ((DEBUG_INFO, "%a: 5-Level Paging = %d\n", gEfiCallerBaseName, ExchangeInfo->Enable5LevelPaging)); ExchangeInfo->SevEsIsEnabled = CpuMpData->SevEsIsEnabled; + ExchangeInfo->SevSnpIsEnabled = CpuMpData->SevSnpIsEnabled; ExchangeInfo->GhcbBase= (UINTN) CpuMpData->GhcbBase; // @@ -1817,6 +1818,7 @@ MpInitLibInitialize ( CpuMpData->CpuInfoInHob = (UINT64) (UINTN) (CpuMpData->CpuData + MaxLogicalProcessorNumber); InitializeSpinLock(>MpLock); CpuMpData->SevEsIsEnabled = ConfidentialComputingGuestHas (CCAttrAmdSevEs); + CpuMpData->SevSnpIsEnabled = ConfidentialComputingGuestHas (CCAttrAmdSevSnp); CpuMpData->SevEsAPBuffer = (UINTN) -1; CpuMpData->GhcbBase = PcdGet64 (PcdGhcbBase); diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc index 2e9368a374a4..01668638f245 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -92,6 +92,7 @@ struc MP_CPU_EXCHANGE_INFO .ModeHighSegment: CTYPE_UINT16 1 .Enable5LevelPaging: CTYPE_BOOLEAN 1 .SevEsIsEnabled: CTYPE_BOOLEAN 1 + .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 endstruc diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm index 0ccafe25eca4..0034920b2f6b 100644 --- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm +++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm @@ -15,6 +15,57 @@ %define SIZE_4KB0x1000 +RegisterGhcbGpa: +; +; Register GHCB GPA when SEV-SNP is enabled +; +leaedi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)] +cmpbyte [edi], 1; SevSnpIsEnabled +jneRegisterGhcbGpaDone + +; Save the rdi and rsi to used for later comparison +push rdi +push rsi +movedi, eax +movesi, edx +or eax, 18 ; Ghcb registration request +wrmsr +rep vmmcall +rdmsr +movr12, rax +andr12, 0fffh +cmpr12, 19 ; Ghcb registration response +jneGhcbGpaRegisterFailure + +; Verify that GPA is not changed +andeax, 0f000h +cmpedi, eax +jneGhcbGpaRegisterFailure +cmpesi, edx +jneGhcbGpaRegisterFailure +poprsi +poprdi +jmpRegisterGhcbGpaDone + +; +; Request the guest termination +; +GhcbGpaRegisterFailure: +xoredx, edx +moveax, 256 ; GHCB terminate +wrmsr +rep vmmcall + +; We should not return from the above terminate request, but if we do +; then enter into the hlt loop. +DoHltLoop: +cli +hlt +jmpDoHltLoop + +RegisterGhcbGpaDone: +OneTimeCallRetRegisterGhcbGpa + ; ; The function checks whether SEV-ES is enabled, if enabled ; then setup the GHCB page. @@ -39,6 +90,9 @@ SevEsSetupGhcb: movrdx, rax shrrdx, 32 mov
[edk2-devel] [PATCH v13 27/32] UefiCpuPkg/MpInitLib: use BSP to do extended topology check
From: Michael Roth During AP bringup, just after switching to long mode, APs will do some cpuid calls to verify that the extended topology leaf (0xB) is available so they can fetch their x2 APIC IDs from it. In the case of SEV-ES, these cpuid instructions must be handled by direct use of the GHCB MSR protocol to fetch the values from the hypervisor, since a #VC handler is not yet available due to the AP's stack not being set up yet. For SEV-SNP, rather than relying on the GHCB MSR protocol, it is expected that these values would be obtained from the SEV-SNP CPUID table instead. The actual x2 APIC ID (and 8-bit APIC IDs) would still be fetched from hypervisor using the GHCB MSR protocol however, so introducing support for the SEV-SNP CPUID table in that part of the AP bring-up code would only be to handle the checks/validation of the extended topology leaf. Rather than introducing all the added complexity needed to handle these checks via the CPUID table, instead let the BSP do the check in advance, since it can make use of the #VC handler to avoid the need to scan the SNP CPUID table directly, and add a flag in ExchangeInfo to communicate the result of this check to APs. Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Suggested-by: Brijesh Singh Signed-off-by: Michael Roth Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/MpLib.h | 11 UefiCpuPkg/Library/MpInitLib/AmdSev.c| 21 +++ UefiCpuPkg/Library/MpInitLib/MpLib.c | 7 + UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 + UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 27 5 files changed, 67 insertions(+) diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index 45bc1de23e3c..c5887ff6f647 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -224,6 +224,7 @@ typedef struct { BOOLEAN SevEsIsEnabled; BOOLEAN SevSnpIsEnabled; UINTN GhcbBase; + BOOLEAN ExtTopoAvail; } MP_CPU_EXCHANGE_INFO; #pragma pack() @@ -789,5 +790,15 @@ ConfidentialComputingGuestHas ( CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ); +/** + The function fills the exchange data for the AP. + + @param[in] ExchangeInfo The pointer to CPU Exchange Data structure +**/ +VOID +FillExchangeInfoDataSevEs ( + IN volatile MP_CPU_EXCHANGE_INFO*ExchangeInfo + ); + #endif diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c index 7dbf117c2b71..db02d059512c 100644 --- a/UefiCpuPkg/Library/MpInitLib/AmdSev.c +++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c @@ -237,3 +237,24 @@ SevEsPlaceApHlt ( MpInitLibSevEsAPReset (Ghcb, CpuMpData); } + +/** + The function fills the exchange data for the AP. + + @param[in] ExchangeInfo The pointer to CPU Exchange Data structure +**/ +VOID +FillExchangeInfoDataSevEs ( + IN volatile MP_CPU_EXCHANGE_INFO*ExchangeInfo + ) +{ + UINT32 StdRangeMax; + + AsmCpuid (CPUID_SIGNATURE, , NULL, NULL, NULL); + if (StdRangeMax >= CPUID_EXTENDED_TOPOLOGY) { +CPUID_EXTENDED_TOPOLOGY_EBX ExtTopoEbx; + +AsmCpuid (CPUID_EXTENDED_TOPOLOGY, NULL, , NULL, NULL); +ExchangeInfo->ExtTopoAvail = !!ExtTopoEbx.Bits.LogicalProcessors; + } +} diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c index 315172fb937a..b13ba3075273 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c @@ -892,6 +892,13 @@ FillExchangeInfoData ( ExchangeInfo->SevSnpIsEnabled = CpuMpData->SevSnpIsEnabled; ExchangeInfo->GhcbBase= (UINTN) CpuMpData->GhcbBase; + // + // Populate SEV-ES specific exchange data. + // + if (ExchangeInfo->SevSnpIsEnabled) { +FillExchangeInfoDataSevEs (ExchangeInfo); + } + // // Get the BSP's data of GDT and IDT // diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc index 01668638f245..aba53f57201c 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -94,6 +94,7 @@ struc MP_CPU_EXCHANGE_INFO .SevEsIsEnabled: CTYPE_BOOLEAN 1 .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 + .ExtTopoAvail: CTYPE_BOOLEAN 1 endstruc MP_CPU_EXCHANGE_INFO_OFFSET equ (SwitchToRealProcEnd - RendezvousFunnelProcStart) diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm index 0034920b2f6b..8bb1161fa0f7 100644 --- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm +++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm @@ -118,6 +118,32 @@ SevEsGetApicId: or rax, rd
[edk2-devel] [PATCH v13 22/32] UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Previous commit introduced a generic confidential computing PCD that can determine whether AMD SEV-ES is enabled. Update the MpInitLib to drop the PcdSevEsIsEnabled in favor of PcdConfidentialComputingAttr. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Suggested-by: Jiewen Yao Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 2 +- UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 2 +- UefiCpuPkg/Library/MpInitLib/MpLib.h | 13 UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 6 +- UefiCpuPkg/Library/MpInitLib/MpLib.c | 73 ++- UefiCpuPkg/Library/MpInitLib/PeiMpLib.c | 4 +- 6 files changed, 90 insertions(+), 10 deletions(-) diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf index 6e510aa89120..de705bc54bb4 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -73,7 +73,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds ## CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf index 2cbd9b8b8acc..b7e15ee023f0 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -63,9 +63,9 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuMicrocodePatchRegionSize ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES - gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES [Ppis] gEdkiiPeiShadowMicrocodePpiGuid## SOMETIMES_CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index 3d4446df8ce6..2107f3f705a2 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -33,6 +33,7 @@ #include #include #include +#include #include #include @@ -774,5 +775,17 @@ SevEsPlaceApHlt ( CPU_MP_DATA*CpuMpData ); +/** + Check if the specified confidential computing attribute is active. + + @retval TRUE The specified Attr is active. + @retval FALSE The specified Attr is not active. +**/ +BOOLEAN +EFIAPI +ConfidentialComputingGuestHas ( + CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr + ); + #endif diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c index 93fc63bf93e3..657a73dca05e 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpLib.c @@ -93,7 +93,7 @@ GetWakeupBuffer ( EFI_PHYSICAL_ADDRESSStartAddress; EFI_MEMORY_TYPE MemoryType; - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { MemoryType = EfiReservedMemoryType; } else { MemoryType = EfiBootServicesData; @@ -107,7 +107,7 @@ GetWakeupBuffer ( // LagacyBios driver depends on CPU Arch protocol which guarantees below // allocation runs earlier than LegacyBios driver. // - if (PcdGetBool (PcdSevEsIsEnabled)) { + if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // SEV-ES Wakeup buffer should be under 0x88000 and under any previous one // @@ -124,7 +124,7 @@ GetWakeupBuffer ( ASSERT_EFI_ERROR (Status); if (EFI_ERROR (Status)) { StartAddress = (EFI_PHYSICAL_ADDRESS) -1; - } else if (PcdGetBool (PcdSevEsIsEnabled)) { + } else if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { // // Next SEV-ES wakeup buffer allocation must be below this allocation // diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c index 890945bc5994..b6c8a1a04d9f 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.c +++ b/UefiCpuPkg/Library
[edk2-devel] [PATCH v13 23/32] UefiCpuPkg: add PcdGhcbHypervisorFeatures
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Version 2 of the GHCB specification added a new VMGEXIT that the guest could use for querying the hypervisor features. One of the immediate users for it will be an AP creation code. When SEV-SNP is enabled, the guest can use the newly added AP_CREATE VMGEXIT to create the APs. The MpInitLib will check the hypervisor feature, and if AP_CREATE is available, it will use it. See GHCB spec version 2 for more details on the VMGEXIT. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- UefiCpuPkg/UefiCpuPkg.dec | 5 + 1 file changed, 5 insertions(+) diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec index 62acb291f309..7de66fde674c 100644 --- a/UefiCpuPkg/UefiCpuPkg.dec +++ b/UefiCpuPkg/UefiCpuPkg.dec @@ -396,5 +396,10 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt SEV-ES Status gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled|FALSE|BOOLEAN|0x6016 + ## This dynamic PCD contains the hypervisor features value obtained through the GHCB HYPERVISOR + # features VMGEXIT defined in the version 2 of GHCB spec. + # @Prompt GHCB Hypervisor Features + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures|0x0|UINT64|0x6018 + [UserExtensions.TianoCore."ExtraFiles"] UefiCpuPkgExtra.uni -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83723): https://edk2.groups.io/g/devel/message/83723 Mute This Topic: https://groups.io/mt/87011896/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 20/32] MdePkg: Define ConfidentialComputingGuestAttr
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 While initializing APs, the MpInitLib may need to know whether the guest is running with active AMD SEV or Intel TDX memory encryption. Add a new ConfidentialComputingGuestAttr PCD that can be used to query the memory encryption attribute. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Ray Ni Suggested-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- MdePkg/MdePkg.dec | 4 +++ .../Include/ConfidentialComputingGuestAttr.h | 25 +++ 2 files changed, 29 insertions(+) create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index 8b18415b107a..cd903c35d2ff 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -2396,5 +2396,9 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] # @Prompt FSB Clock. gEfiMdePkgTokenSpaceGuid.PcdFSBClock|2|UINT32|0x000c + ## This dynamic PCD indicates the memory encryption attribute of the guest. + # @Prompt Memory encryption attribute + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x002e + [UserExtensions.TianoCore."ExtraFiles"] MdePkgExtra.uni diff --git a/MdePkg/Include/ConfidentialComputingGuestAttr.h b/MdePkg/Include/ConfidentialComputingGuestAttr.h new file mode 100644 index ..495b0df0ac33 --- /dev/null +++ b/MdePkg/Include/ConfidentialComputingGuestAttr.h @@ -0,0 +1,25 @@ +/** @file +Definitions for Confidential Computing Attribute + +Copyright (c) 2021 AMD Inc. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ +#define CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ + +typedef enum { + /* The guest is running with memory encryption disabled. */ + CCAttrNotEncrypted = 0, + + /* The guest is running with AMD SEV memory encryption enabled. */ + CCAttrAmdSev = 0x100, + CCAttrAmdSevEs= 0x101, + CCAttrAmdSevSnp = 0x102, + + /* The guest is running with Intel TDX memory encryption enabled. */ + CCAttrIntelTdx= 0x200, +} CONFIDENTIAL_COMPUTING_GUEST_ATTR; + +#endif -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83720): https://edk2.groups.io/g/devel/message/83720 Mute This Topic: https://groups.io/mt/87011890/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 21/32] OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The MpInitLib uses the ConfidentialComputingAttr PCD to determine whether AMD SEV is active so that it can use the VMGEXITs defined in the GHCB specification to create APs. Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Suggested-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/AmdSev/AmdSevX64.dsc| 3 +++ OvmfPkg/OvmfPkgIa32.dsc | 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++ OvmfPkg/OvmfPkgX64.dsc | 3 +++ OvmfPkg/PlatformPei/PlatformPei.inf | 1 + OvmfPkg/PlatformPei/AmdSev.c| 15 +++ 6 files changed, 28 insertions(+) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 2997929faa05..8f5876341e26 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -575,6 +575,9 @@ [PcdsDynamicDefault] gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x00 + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + !if $(TPM_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} !endif diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 1dc069e42420..dbcfa5ab52ce 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -651,6 +651,9 @@ [PcdsDynamicDefault] gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + [PcdsDynamicHii] !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index a766457e6bc6..e4597e7f03da 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -659,6 +659,9 @@ [PcdsDynamicDefault] gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} !endif + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + [PcdsDynamicDefault.X64] # IPv4 and IPv6 PXE Boot support. gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 97b7cb40ff88..08837bf8ec97 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -662,6 +662,9 @@ [PcdsDynamicDefault] gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01 gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01 + # Set ConfidentialComputing defaults + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0 + [PcdsDynamicHii] !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 67eb7aa7166b..bada5ea14439 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -106,6 +106,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index e1504831bec0..c447753075b1 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "Platform.h" @@ -338,4 +339,18 @@ AmdSevInitialize ( // Check and perform SEV-ES initialization if required. // AmdSevEsInitialize (); + + // + // Set the Confidential computing attr PCD to communicate which SEV + // technology is active. + // + if (MemEncryptSevSnpIsEnabled ()) { +PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevSnp); + } else if (MemEncryptSevEsIsEnabled ()) { +PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSevEs); + } else { +PcdStatus = PcdSet64S (PcdConfidentialComputingGuestAttr, CCAttrAmdSev); + } + ASSERT_RETURN_ERROR (PcdStatus); + } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83721): https://edk2.groups.io/g/devel/message/83721 Mute This Topic: https://groups.io/mt/87011891/21656 Group Own
[edk2-devel] [PATCH v13 19/32] OvmfPkg/PlatformPei: validate the system RAM when SNP is active
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 When SEV-SNP is active, a memory region mapped encrypted in the page table must be validated before access. There are two approaches that can be taken to validate the system RAM detected during the PEI phase: 1) Validate on-demand OR 2) Validate before access On-demand = If memory is not validated before access, it will cause a #VC exception with the page-not-validated error code. The VC exception handler can perform the validation steps. The pages that have been validated will need to be tracked to avoid the double validation scenarios. The range of memory that has not been validated will need to be communicated to the OS through the recently introduced unaccepted memory type https://github.com/microsoft/mu_basecore/pull/66, so that OS can validate those ranges before using them. Validate before access == Since the PEI phase detects all the available system RAM, use the MemEncryptSevSnpValidateSystemRam() function to pre-validate the system RAM in the PEI phase. For now, choose option 2 due to the dependency and the complexity of the on-demand validation. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 42 1 file changed, 42 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index ba69f581893b..e1504831bec0 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -23,6 +23,40 @@ #include "Platform.h" +/** + Initialize SEV-SNP support if running as an SEV-SNP guest. + +**/ +STATIC +VOID +AmdSevSnpInitialize ( + VOID + ) +{ + EFI_PEI_HOB_POINTERS Hob; + EFI_HOB_RESOURCE_DESCRIPTOR *ResourceHob; + + if (!MemEncryptSevSnpIsEnabled ()) { +return; + } + + // + // Iterate through the system RAM and validate it. + // + for (Hob.Raw = GetHobList (); !END_OF_HOB_LIST (Hob); Hob.Raw = GET_NEXT_HOB (Hob)) { +if (Hob.Raw != NULL && GET_HOB_TYPE (Hob) == EFI_HOB_TYPE_RESOURCE_DESCRIPTOR) { + ResourceHob = Hob.ResourceDescriptor; + + if (ResourceHob->ResourceType == EFI_RESOURCE_SYSTEM_MEMORY) { +MemEncryptSevSnpPreValidateSystemRam ( + ResourceHob->PhysicalStart, + EFI_SIZE_TO_PAGES ((UINTN) ResourceHob->ResourceLength) + ); + } +} + } +} + /** Handle an SEV-SNP/GHCB protocol check failure. @@ -236,6 +270,14 @@ AmdSevInitialize ( return; } + // + // Check and perform SEV-SNP initialization if required. This need to be + // done before the GHCB page is made shared in the AmdSevEsInitialize(). This + // is because the system RAM must be validated before it is made shared. + // The AmdSevSnpInitialize() validates the system RAM. + // + AmdSevSnpInitialize (); + // // Set Memory Encryption Mask PCD // -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83718): https://edk2.groups.io/g/devel/message/83718 Mute This Topic: https://groups.io/mt/87011887/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 17/32] OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The initial page built during the SEC phase is used by the MemEncryptSevSnpValidateSystemRam() for the system RAM validation. The page validation process requires using the PVALIDATE instruction; the instruction accepts a virtual address of the memory region that needs to be validated. If hardware encounters a page table walk failure (due to page-not-present) then it raises #GP. The initial page table built in SEC phase address up to 4GB. Add an internal function to extend the page table to cover > 4GB. The function builds 1GB entries in the page table for access > 4GB. This will provide the support to call PVALIDATE instruction for the virtual address > 4GB in PEI phase. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 24 .../X64/PeiDxeVirtualMemory.c | 115 ++ .../X64/PeiSnpSystemRamValidate.c | 22 3 files changed, 161 insertions(+) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h index 21bbbd1c4f9c..9e5cdae25245 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/VirtualMemory.h @@ -143,4 +143,28 @@ InternalMemEncryptSevClearMmioPageEncMask ( IN PHYSICAL_ADDRESSPhysicalAddress, IN UINTN Length ); + +/** + Create 1GB identity mapping for the specified virtual address range. + + The function is preliminary used by the SEV-SNP page state change + APIs to build the page table required before issuing the PVALIDATE + instruction. The function must be removed after the EDK2 core is + enhanced to do the lazy validation. + + @param[in] Cr3BaseAddress Cr3 Base Address (if zero then use + current CR3) + @param[in] VirtualAddress Virtual address + @param[in] Length Length of virtual address range + + @retval RETURN_INVALID_PARAMETERNumber of pages is zero. + +**/ +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + INPHYSICAL_ADDRESS Cr3BaseAddress, + INPHYSICAL_ADDRESS PhysicalAddress, + INUINTN Length + ); #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index c696745f9d26..f146f6d61cc5 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -536,6 +536,121 @@ EnableReadOnlyPageWriteProtect ( AsmWriteCr0 (AsmReadCr0() | BIT16); } +RETURN_STATUS +EFIAPI +InternalMemEncryptSevCreateIdentityMap1G ( + INPHYSICAL_ADDRESS Cr3BaseAddress, + INPHYSICAL_ADDRESS PhysicalAddress, + INUINTN Length + ) +{ + PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; + PAGE_TABLE_1G_ENTRY*PageDirectory1GEntry; + UINT64 PgTableMask; + UINT64 AddressEncMask; + BOOLEANIsWpEnabled; + RETURN_STATUS Status; + + // + // Set PageMapLevel4Entry to suppress incorrect compiler/analyzer warnings. + // + PageMapLevel4Entry = NULL; + + DEBUG (( +DEBUG_VERBOSE, +"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx\n", +gEfiCallerBaseName, +__FUNCTION__, +Cr3BaseAddress, +PhysicalAddress, +(UINT64)Length +)); + + if (Length == 0) { +return RETURN_INVALID_PARAMETER; + } + + // + // Check if we have a valid memory encryption mask + // + AddressEncMask = InternalGetMemEncryptionAddressMask (); + if (!AddressEncMask) { +return RETURN_ACCESS_DENIED; + } + + PgTableMask = AddressEncMask | EFI_PAGE_MASK; + + + // + // Make sure that the page table is changeable. + // + IsWpEnabled = IsReadOnlyPageWriteProtected (); + if (IsWpEnabled) { +DisableReadOnlyPageWriteProtect (); + } + + Status = EFI_SUCCESS; + + while (Length) + { +// +// If Cr3BaseAddress is not specified then read the current CR3 +// +if (Cr3BaseAddress == 0) { + Cr3BaseAddress = AsmReadCr3(); +} + +PageMapLevel4Entry = (VOID*) (Cr3BaseAddress & ~PgTableMask); +PageMapLevel4Entry += PML4_OFFSET(PhysicalAddress); +if (!PageMapLevel4Entry->Bits.Present) { + DEBUG (( +DEBUG_ERROR, +"%a:%a: bad PML4 for Physical=0x%Lx\n", +gEfiCallerBaseName, +__FUNCTION__, +PhysicalAddress +)); + Status = RETURN_NO_MAPPING; + goto Done; +} + +PageDirectory1GEntry = (VOID *)( +
[edk2-devel] [PATCH v13 18/32] OvmfPkg/SecMain: validate the memory used for decompressing Fv
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The VMM launch sequence should have pre-validated all the data pages used in the Reset vector. The range does not cover the data pages used during the SEC phase (mainly PEI and DXE firmware volume decompression memory). When SEV-SNP is active, the memory must be pre-validated before the access. Add support to pre-validate the memory range from SnpSecPreValidatedStart to SnpSecPreValidatedEnd. This should be sufficent to enter into the PEI phase. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 4 .../PeiMemEncryptSevLib.inf | 2 ++ OvmfPkg/Sec/SecMain.inf | 3 +++ OvmfPkg/Sec/AmdSev.h | 23 +++ .../X64/PeiSnpSystemRamValidate.c | 5 OvmfPkg/Sec/AmdSev.c | 22 +- OvmfPkg/Sec/SecMain.c | 5 OvmfPkg/FvmainCompactScratchEnd.fdf.inc | 5 8 files changed, 68 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index bc14cf2ed403..c22b846cd663 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -364,6 +364,10 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x60 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x61 + ## The range of memory that is validated by the SEC phase. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart|0|UINT32|0x62 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd|0|UINT32|0x63 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 49d5bd1beff1..50c83859d7e7 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -60,3 +60,5 @@ [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 9523a8ea6c8f..282e60a2764f 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -51,6 +51,7 @@ [LibraryClasses] PeCoffExtraActionLib ExtractGuidedSectionLib LocalApicLib + MemEncryptSevLib CpuExceptionHandlerLib [Ppis] @@ -73,6 +74,8 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedStart + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecValidatedEnd [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h index adad96d23189..411bbedae4cf 100644 --- a/OvmfPkg/Sec/AmdSev.h +++ b/OvmfPkg/Sec/AmdSev.h @@ -69,4 +69,27 @@ SevEsIsEnabled ( VOID ); +/** + Validate System RAM used for decompressing the PEI and DXE firmware volumes + when SEV-SNP is active. The PCDs SecValidatedStart and SecValidatedEnd are + set in OvmfPkg/FvmainCompactScratchEnd.fdf.inc. + +**/ +VOID +SecValidateSystemRam ( + VOID + ); + +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +BOOLEAN +SevSnpIsEnabled ( + VOID + ); + #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index ee8b5bc8011f..d3ed8edecb03 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -29,6 +29,11 @@ STATIC SNP_PRE_VALIDATED_RANGE mPreValidatedRange[] = { FixedPcdGet32 (PcdOvmfSecPageTablesBase), FixedPcdGet32 (PcdOvmfPeiMemFvBase), }, + // The below range is pre-validated by the Sec/SecMain.c + { +FixedPcdGet32 (PcdOvmfSecValidatedStart), +FixedPcdGet32 (PcdOvmfSecValidatedEnd) + }, }; STATIC diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 58f054ea4418..c419f7a8a7c2 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -55,7 +55,6 @@ SevEsProtocolFailure ( @retval FALSE SEV-SNP is not enabled **/ -STATIC BOOLEAN SevSnpIsEnabled ( VOID @@ -276,3 +275,24 @@ SevEsIsEnabled ( return (SevEsWorkArea->SevEsEnabled != 0); } + +/** + Validate System RAM u
[edk2-devel] [PATCH v13 10/32] OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/AmdSev.c | 117 +++ 1 file changed, 117 insertions(+) diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 7f74e8bfe88e..58f054ea4418 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -48,6 +48,102 @@ SevEsProtocolFailure ( CpuDeadLoop (); } +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + // + // Read the SEV_STATUS MSR to determine whether SEV-SNP is active. + // + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { +return TRUE; + } + + return FALSE; +} + +/** + Register the GHCB GPA + +*/ +STATIC +VOID +SevSnpGhcbRegister ( + EFI_PHYSICAL_ADDRESS Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress = Address & ~EFI_PAGE_MASK; + Msr.GhcbGpaRegister.Function = GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) || + ((Msr.GhcbPhysicalAddress & ~EFI_PAGE_MASK) != Address)) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } +} + +/** + Verify that Hypervisor supports the SNP feature. + + */ +STATIC +BOOLEAN +HypervisorSnpFeatureCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + UINT64Features; + + // + // Use the GHCB MSR Protocol to query the hypervisor capabilities + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbHypervisorFeatures.Function = GHCB_HYPERVISOR_FEATURES_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + Features = RShiftU64 (Msr.GhcbPhysicalAddress, 12); + + if ((Msr.GhcbHypervisorFeatures.Function != GHCB_HYPERVISOR_FEATURES_RESPONSE) || + (!(Features & GHCB_HV_FEATURES_SNP))) { +return FALSE; + } + + return TRUE; +} + /** Validate the SEV-ES/GHCB protocol level. @@ -88,6 +184,27 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } + // + // We cannot use the MemEncryptSevSnpIsEnabled () because the + // ProcessLibraryConstructorList () is not called yet. + // + if (SevSnpIsEnabled ()) { +// +// Check if hypervisor supports the SNP feature +// +if (!HypervisorSnpFeatureCheck ()) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); +} + +// +// Unlike the SEV-ES guest, the SNP requires that GHCB GPA must be +// registered with the Hypervisor before the use. This can be done +// using the new VMGEXIT defined in the GHCB v2. Register the GPA +// before it is used. +// +SevSnpGhcbRegister ((EFI_PHYSICAL_ADDRESS) (UINTN) FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } + // // SEV-ES protocol checking succeeded, set the initial GHCB address // -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83714): https://edk2.groups.io/g/devel/message/83714 Mute This Topic: https://groups.io/mt/87011883/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 15/32] OvmfPkg/MemEncryptSevLib: add function to check the VMPL0
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Virtual Machine Privilege Level (VMPL) feature in the SEV-SNP architecture allows a guest VM to divide its address space into four levels. The level can be used to provide the hardware isolated abstraction layers with a VM. The VMPL0 is the highest privilege, and VMPL3 is the least privilege. Certain operations must be done by the VMPL0 software, such as: * Validate or invalidate memory range (PVALIDATE instruction) * Allocate VMSA page (RMPADJUST instruction when VMSA=1) The initial SEV-SNP support assumes that the guest is running on VMPL0. Let's add function in the MemEncryptSevLib that can be used for checking whether guest is booted under the VMPL0. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../X64/SnpPageStateChange.h | 5 ++ .../X64/SecSnpSystemRamValidate.c | 46 +++ .../X64/SnpPageStateChangeInternal.c | 1 - 3 files changed, 51 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h index 8bbdf06468b9..cc1318075523 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h @@ -28,4 +28,9 @@ InternalSetPageState ( IN BOOLEAN UseLargeEntry ); +VOID +SnpPageStateFailureTerminate ( + VOID + ); + #endif diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c index 64aab7f45b6d..3394094a65e5 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c @@ -14,6 +14,43 @@ #include "SnpPageStateChange.h" +// +// The variable used for the VMPL check. +// +STATIC UINT8 gVmpl0Data[4096]; + +/** + The function checks whether SEV-SNP guest is booted under VMPL0. + + @retval TRUE The guest is booted under VMPL0 + @retval FALSE The guest is not booted under VMPL0 + **/ +STATIC +BOOLEAN +SevSnpIsVmpl0 ( + VOID + ) +{ + UINT64 Rdx; + EFI_STATUS Status; + + // + // There is no straightforward way to query the current VMPL level. + // The simplest method is to use the RMPADJUST instruction to change + // a page permission to a VMPL level-1, and if the guest kernel is + // launched at a level <= 1, then RMPADJUST instruction will return + // an error. + // + Rdx = 1; + + Status = AsmRmpAdjust ((UINT64) gVmpl0Data, 0, Rdx); + if (EFI_ERROR (Status)) { +return FALSE; + } + + return TRUE; +} + /** Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. @@ -32,5 +69,14 @@ MemEncryptSevSnpPreValidateSystemRam ( return; } + // + // The page state change uses the PVALIDATE instruction. The instruction + // can be run on VMPL-0 only. If its not VMPL-0 guest then terminate + // the boot. + // + if (!SevSnpIsVmpl0 ()) { +SnpPageStateFailureTerminate (); + } + InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); } diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c index f9ab804a7edc..cffe703de9dd 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c @@ -40,7 +40,6 @@ MemoryStateToGhcbOp ( return Cmd; } -STATIC VOID SnpPageStateFailureTerminate ( VOID -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83716): https://edk2.groups.io/g/devel/message/83716 Mute This Topic: https://groups.io/mt/87011885/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 16/32] OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The MemEncryptSevSnpPreValidateSystemRam() is used for pre-validating the system RAM. As the boot progress, each phase validates a fixed region of the RAM. In the PEI phase, the PlatformPei detects all the available RAM and calls to pre-validate the detected system RAM. While validating the system RAM in PEI phase, we must skip previously validated system RAM to avoid the double validation. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- .../PeiMemEncryptSevLib.inf | 2 + .../X64/PeiSnpSystemRamValidate.c | 66 ++- 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf index 0402e49a1028..49d5bd1beff1 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf @@ -58,3 +58,5 @@ [FeaturePcd] [FixedPcd] gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesBase diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c index 64aab7f45b6d..cea7ecf96563 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c @@ -14,6 +14,45 @@ #include "SnpPageStateChange.h" +typedef struct { + UINT64StartAddress; + UINT64EndAddress; +} SNP_PRE_VALIDATED_RANGE; + +STATIC SNP_PRE_VALIDATED_RANGE mPreValidatedRange[] = { + // The below address range was part of the SEV OVMF metadata, and range + // should be pre-validated by the Hypervisor. + { +FixedPcdGet32 (PcdOvmfSecPageTablesBase), +FixedPcdGet32 (PcdOvmfPeiMemFvBase), + }, +}; + +STATIC +BOOLEAN +DetectPreValidatedOverLap ( + INPHYSICAL_ADDRESSStartAddress, + INPHYSICAL_ADDRESSEndAddress, + OUT SNP_PRE_VALIDATED_RANGE *OverlapRange + ) +{ + UINTN i; + + // + // Check if the specified address range exist in pre-validated array. + // + for (i = 0; i < ARRAY_SIZE (mPreValidatedRange); i++) { +if ((mPreValidatedRange[i].StartAddress < EndAddress) && +(StartAddress < mPreValidatedRange[i].EndAddress)) { + OverlapRange->StartAddress = mPreValidatedRange[i].StartAddress; + OverlapRange->EndAddress = mPreValidatedRange[i].EndAddress; + return TRUE; +} + } + + return FALSE; +} + /** Pre-validate the system RAM when SEV-SNP is enabled in the guest VM. @@ -28,9 +67,34 @@ MemEncryptSevSnpPreValidateSystemRam ( IN UINTN NumPages ) { + PHYSICAL_ADDRESS EndAddress; + SNP_PRE_VALIDATED_RANGE OverlapRange; + if (!MemEncryptSevSnpIsEnabled ()) { return; } - InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + EndAddress = BaseAddress + EFI_PAGES_TO_SIZE (NumPages); + + while (BaseAddress < EndAddress) { +// +// Check if the range overlaps with the pre-validated ranges. +// +if (DetectPreValidatedOverLap (BaseAddress, EndAddress, )) { + // Validate the non-overlap regions. + if (BaseAddress < OverlapRange.StartAddress) { +NumPages = EFI_SIZE_TO_PAGES (OverlapRange.StartAddress - BaseAddress); + +InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); + } + + BaseAddress = OverlapRange.EndAddress; + continue; +} + +// Validate the remaining pages. +NumPages = EFI_SIZE_TO_PAGES (EndAddress - BaseAddress); +InternalSetPageState (BaseAddress, NumPages, SevSnpPagePrivate, TRUE); +BaseAddress = EndAddress; + } } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83715): https://edk2.groups.io/g/devel/message/83715 Mute This Topic: https://groups.io/mt/87011884/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 11/32] OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values
From: Michael Roth SEV-SNP firmware allows a special guest page to be populated with guest CPUID values so that they can be validated against supported host features before being loaded into encrypted guest memory to be used instead of hypervisor-provided values [1]. Add handling for this in the CPUID #VC handler and use it whenever SEV-SNP is enabled. To do so, existing CPUID handling via VmgExit is moved to a helper, GetCpuidHyp(), and a new helper that uses the CPUID page to do the lookup, GetCpuidFw(), is used instead when SNP is enabled. For cases where SNP CPUID lookups still rely on fetching specific CPUID fields from hypervisor, GetCpuidHyp() is used there as well. [1]: SEV SNP Firmware ABI Specification, Rev. 0.8, 8.13.2.6 Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Michael Roth Signed-off-by: Brijesh Singh --- OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 + OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c | 444 -- 3 files changed, 419 insertions(+), 30 deletions(-) diff --git a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf b/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf index e6f6ea7972fd..78207fa0f9c9 100644 --- a/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf @@ -42,4 +42,6 @@ [LibraryClasses] [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf index c66c68726cdb..7963670e7d30 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf +++ b/OvmfPkg/Library/VmgExitLib/VmgExitLib.inf @@ -38,3 +38,6 @@ [LibraryClasses] LocalApicLib MemEncryptSevLib +[Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize diff --git a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c index 41b0c8cc5312..7fbd986fb012 100644 --- a/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c +++ b/OvmfPkg/Library/VmgExitLib/VmgExitVcHandler.c @@ -17,6 +17,7 @@ #include #include "VmgExitVcHandler.h" +//#include // // Instruction execution mode definition @@ -130,6 +131,32 @@ UINT64 SEV_ES_INSTRUCTION_DATA *InstructionData ); +// +// SEV-SNP Cpuid table entry/function +// +typedef PACKED struct { + UINT32 EaxIn; + UINT32 EcxIn; + UINT64 Unused; + UINT64 Unused2; + UINT32 Eax; + UINT32 Ebx; + UINT32 Ecx; + UINT32 Edx; + UINT64 Reserved; +} SEV_SNP_CPUID_FUNCTION; + +// +// SEV-SNP Cpuid page format +// +typedef PACKED struct { + UINT32 Count; + UINT32 Reserved1; + UINT64 Reserved2; + SEV_SNP_CPUID_FUNCTION function[0]; +} SEV_SNP_CPUID_INFO; + + /** Return a pointer to the contents of the specified register. @@ -1496,58 +1523,415 @@ InvdExit ( } /** - Handle a CPUID event. + Fetch CPUID leaf/function via hypervisor/VMGEXIT. - Use the VMGEXIT instruction to handle a CPUID event. + @param[in, out] Ghcb Pointer to the Guest-Hypervisor Communication + Block + @param[in] EaxInEAX input for cpuid instruction + @param[in] EcxInECX input for cpuid instruction + @param[in] Xcr0In XCR0 at time of cpuid instruction + @param[in, out] Eax Pointer to store leaf's EAX value + @param[in, out] Ebx Pointer to store leaf's EBX value + @param[in, out] Ecx Pointer to store leaf's ECX value + @param[in, out] Edx Pointer to store leaf's EDX value + @param[in, out] Status Pointer to store status from VMGEXIT (always 0 + unless return value indicates failure) + @param[in, out] Unsupported Pointer to store indication of unsupported + VMGEXIT (always false unless return value + indicates failure) - @param[in, out] Ghcb Pointer to the Guest-Hypervisor Communication - Block - @param[in, out] Regs x64 processor context - @param[in] InstructionData Instruction parsing context - - @retval 0Event handled successfully - @return New exception value to propagate + @retval TRUE CPUID leaf fetch successfully. + @retval FALSEError occurred while fetching CPUID leaf. Callers + should Status and Unsupported and handle + accordingly if they indicate a more precise + error condition. **/ STAT
[edk2-devel] [PATCH v13 12/32] OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The SEV-SNP guest requires that GHCB GPA must be registered before using. See the GHCB specification section 2.3.2 for more details. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 87 1 file changed, 87 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index a8bf610022ba..ba69f581893b 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -19,9 +19,89 @@ #include #include #include +#include #include "Platform.h" +/** + Handle an SEV-SNP/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-SNP guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +STATIC +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbTerminate.Function = GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet = GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode = ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + + This function can be used to register the GHCB GPA. + + @param[in] Address The physical address to be registered. + +**/ +STATIC +VOID +GhcbRegister ( + IN EFI_PHYSICAL_ADDRESS Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress = Address & ~EFI_PAGE_MASK; + Msr.GhcbGpaRegister.Function = GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) || + ((Msr.GhcbPhysicalAddress & ~EFI_PAGE_MASK) != Address)) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** Initialize SEV-ES support if running as an SEV-ES guest. @@ -109,6 +189,13 @@ AmdSevEsInitialize ( "SEV-ES is enabled, %lu GHCB backup pages allocated starting at 0x%p\n", (UINT64)GhcbBackupPageCount, GhcbBackupBase)); + // + // SEV-SNP guest requires that GHCB GPA must be registered before using it. + // + if (MemEncryptSevSnpIsEnabled ()) { +GhcbRegister (GhcbBasePa); + } + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); // -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83711): https://edk2.groups.io/g/devel/message/83711 Mute This Topic: https://groups.io/mt/87011879/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 14/32] OvmfPkg/MemEncryptSevLib: add support to validate system RAM
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Many of the integrity guarantees of SEV-SNP are enforced through the Reverse Map Table (RMP). Each RMP entry contains the GPA at which a particular page of DRAM should be mapped. The guest can request the hypervisor to add pages in the RMP table via the Page State Change VMGEXIT defined in the GHCB specification section 2.5.1 and 4.1.6. Inside each RMP entry is a Validated flag; this flag is automatically cleared to 0 by the CPU hardware when a new RMP entry is created for a guest. Each VM page can be either validated or invalidated, as indicated by the Validated flag in the RMP entry. Memory access to a private page that is not validated generates a #VC. A VM can use the PVALIDATE instruction to validate the private page before using it. During the guest creation, the boot ROM memory is pre-validated by the AMD-SEV firmware. The MemEncryptSevSnpValidateSystemRam() can be called during the SEC and PEI phase to validate the detected system RAM. One of the fields in the Page State Change NAE is the RMP page size. The page size input parameter indicates that either a 4KB or 2MB page should be used while adding the RMP entry. During the validation, when possible, the MemEncryptSevSnpValidateSystemRam() will use the 2MB entry. A hypervisor backing the memory may choose to use the different page size in the RMP entry. In those cases, the PVALIDATE instruction should return SIZEMISMATCH. If a SIZEMISMATCH is detected, then validate all 512-pages constituting a 2MB region. Upon completion, the PVALIDATE instruction sets the rFLAGS.CF to 0 if instruction changed the RMP entry and to 1 if the instruction did not change the RMP entry. The rFlags.CF will be 1 only when a memory region is already validated. We should not double validate a memory as it could lead to a security compromise. If double validation is detected, terminate the boot. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc| 1 + .../DxeMemEncryptSevLib.inf | 3 + .../PeiMemEncryptSevLib.inf | 3 + .../SecMemEncryptSevLib.inf | 3 + OvmfPkg/Include/Library/MemEncryptSevLib.h| 14 + .../X64/SnpPageStateChange.h | 31 ++ .../Ia32/MemEncryptSevLib.c | 17 + .../X64/DxeSnpSystemRamValidate.c | 40 +++ .../X64/PeiSnpSystemRamValidate.c | 36 +++ .../X64/SecSnpSystemRamValidate.c | 36 +++ .../X64/SnpPageStateChangeInternal.c | 295 ++ 12 files changed, 480 insertions(+) create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChange.h create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/DxeSnpSystemRamValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiSnpSystemRamValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SecSnpSystemRamValidate.c create mode 100644 OvmfPkg/Library/BaseMemEncryptSevLib/X64/SnpPageStateChangeInternal.c diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 6a5be97c059d..1dc069e42420 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -266,6 +266,7 @@ [LibraryClasses.common.SEC] !else CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf !endif + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 13d9a1f111bc..a766457e6bc6 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -270,6 +270,7 @@ [LibraryClasses.common.SEC] !else CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf !endif + MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf [LibraryClasses.common.PEI_CORE] HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf index f2e162d68076..f613bb314f5f 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf @@ -34,8 +34,10 @@ [Sources] PeiDxeMemEncryptSevLibInternal.c [Sources.X64] + X64/DxeSnpSystemRamValidate.c X64/MemEncryptSevLib.c X64/PeiDxeVirtualMemory.c + X64/SnpPageStateChangeInternal.c X64/VirtualMemory.c X64/VirtualMemory.h @@ -49,6 +51,7 @@ [LibraryClasses] DebugLib MemoryAllocationLib PcdLib + VmgExitLib [FeaturePcd
[edk2-devel] [PATCH v13 09/32] OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled()
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Create a function that can be used to determine if VM is running as an SEV-SNP guest. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Include/Library/MemEncryptSevLib.h| 12 + .../DxeMemEncryptSevLibInternal.c | 27 +++ .../PeiMemEncryptSevLibInternal.c | 27 +++ .../SecMemEncryptSevLibInternal.c | 19 + 4 files changed, 85 insertions(+) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index adc490e466ec..796de62ec2f8 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -47,6 +47,18 @@ typedef enum { MemEncryptSevAddressRangeError, } MEM_ENCRYPT_SEV_ADDRESS_RANGE_STATE; +/** + Returns a boolean to indicate whether SEV-SNP is enabled + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ); + /** Returns a boolean to indicate whether SEV-ES is enabled. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c index 2816f859a0c4..057129723824 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ STATIC BOOLEAN mSevStatus = FALSE; STATIC BOOLEAN mSevEsStatus = FALSE; +STATIC BOOLEAN mSevSnpStatus = FALSE; STATIC BOOLEAN mSevStatusChecked = FALSE; STATIC UINT64 mSevEncryptionMask = 0; @@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus = TRUE; } + +// +// Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) +// +if (Msr.Bits.SevSnpBit) { + mSevSnpStatus = TRUE; +} } mSevStatusChecked = TRUE; } +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { +InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c index e2fd109d120f..b561f211f577 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c @@ -19,6 +19,7 @@ STATIC BOOLEAN mSevStatus = FALSE; STATIC BOOLEAN mSevEsStatus = FALSE; +STATIC BOOLEAN mSevSnpStatus = FALSE; STATIC BOOLEAN mSevStatusChecked = FALSE; STATIC UINT64 mSevEncryptionMask = 0; @@ -82,11 +83,37 @@ InternalMemEncryptSevStatus ( if (Msr.Bits.SevEsBit) { mSevEsStatus = TRUE; } + +// +// Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) +// +if (Msr.Bits.SevSnpBit) { + mSevSnpStatus = TRUE; +} } mSevStatusChecked = TRUE; } +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + if (!mSevStatusChecked) { +InternalMemEncryptSevStatus (); + } + + return mSevSnpStatus; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c index 56d8f3f3183f..69852779e2ff 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c @@ -62,6 +62,25 @@ InternalMemEncryptSevStatus ( return ReadSevMsr ? AsmReadMsr32 (MSR_SEV_STATUS) : 0; } +/** + Returns a boolean to indicate whether SEV-SNP is enabled. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled +**/ +BOOLEAN +EFIAPI +MemEncryptSevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 = InternalMemEncryptSevStatus (); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; +} + /** Returns a boolean to indicate whether SEV-ES is enabled. -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83710): https://edk2.groups.io/g/devel/message/83710 Mute This Topic: https://groups.io/mt/87011877/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe
[edk2-devel] [PATCH v13 08/32] OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values
From: Michael Roth CPUID instructions are issued during early boot to do things like probe for SEV support. Currently these are handled by a minimal #VC handler that uses the MSR-based GHCB protocol to fetch the CPUID values from the hypervisor. When SEV-SNP is enabled, use the firmware-validated CPUID values from the CPUID page instead [1]. [1]: SEV SNP Firmware ABI Specification, Rev. 0.8, 8.13.2.6 Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Michael Roth Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 80 +++-- 1 file changed, 75 insertions(+), 5 deletions(-) diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm index 48d9178168b0..1f827da3b929 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -34,6 +34,18 @@ BITS32 %define GHCB_CPUID_REGISTER_SHIFT 30 %define CPUID_INSN_LEN 2 +; #VC handler offsets/sizes for accessing SNP CPUID page +; +%define SNP_CPUID_ENTRY_SZ 48 +%define SNP_CPUID_COUNT 0 +%define SNP_CPUID_ENTRY16 +%define SNP_CPUID_ENTRY_EAX_IN 0 +%define SNP_CPUID_ENTRY_ECX_IN 4 +%define SNP_CPUID_ENTRY_EAX24 +%define SNP_CPUID_ENTRY_EBX28 +%define SNP_CPUID_ENTRY_ECX32 +%define SNP_CPUID_ENTRY_EDX36 + %define SEV_GHCB_MSR0xc0010130 %define SEV_STATUS_MSR 0xc0010131 @@ -335,11 +347,61 @@ SevEsIdtNotCpuid: TerminateVmgExit TERM_VC_NOT_CPUID iret -; -; Total stack usage for the #VC handler is 44 bytes: -; - 12 bytes for the exception IRET (after popping error code) -; - 32 bytes for the local variables. -; +; Use the SNP CPUID page to handle the cpuid lookup +; +; Modified: EAX, EBX, ECX, EDX +; +; Relies on the stack setup/usage in #VC handler: +; +;On entry, +; [esp + VC_CPUID_FUNCTION] contains EAX input to cpuid instruction +; +;On return, stores corresponding results of CPUID lookup in: +; [esp + VC_CPUID_RESULT_EAX] +; [esp + VC_CPUID_RESULT_EBX] +; [esp + VC_CPUID_RESULT_ECX] +; [esp + VC_CPUID_RESULT_EDX] +; +SnpCpuidLookup: +mov eax, [esp + VC_CPUID_FUNCTION] +mov ebx, [CPUID_BASE + SNP_CPUID_COUNT] +mov ecx, CPUID_BASE + SNP_CPUID_ENTRY +; Zero these out now so we can simply return if lookup fails +mov dword[esp + VC_CPUID_RESULT_EAX], 0 +mov dword[esp + VC_CPUID_RESULT_EBX], 0 +mov dword[esp + VC_CPUID_RESULT_ECX], 0 +mov dword[esp + VC_CPUID_RESULT_EDX], 0 + +SnpCpuidCheckEntry: +cmp ebx, 0 +je VmmDoneSnpCpuid +cmp dword[ecx + SNP_CPUID_ENTRY_EAX_IN], eax +jne SnpCpuidCheckEntryNext +; As with SEV-ES handler we assume requested CPUID sub-leaf/index is 0 +cmp dword[ecx + SNP_CPUID_ENTRY_ECX_IN], 0 +je SnpCpuidEntryFound + +SnpCpuidCheckEntryNext: +dec ebx +add ecx, SNP_CPUID_ENTRY_SZ +jmp SnpCpuidCheckEntry + +SnpCpuidEntryFound: +mov eax, [ecx + SNP_CPUID_ENTRY_EAX] +mov [esp + VC_CPUID_RESULT_EAX], eax +mov eax, [ecx + SNP_CPUID_ENTRY_EBX] +mov [esp + VC_CPUID_RESULT_EBX], eax +mov eax, [ecx + SNP_CPUID_ENTRY_EDX] +mov [esp + VC_CPUID_RESULT_ECX], eax +mov eax, [ecx + SNP_CPUID_ENTRY_ECX] +mov [esp + VC_CPUID_RESULT_EDX], eax +jmp VmmDoneSnpCpuid + +; +; Total stack usage for the #VC handler is 44 bytes: +; - 12 bytes for the exception IRET (after popping error code) +; - 32 bytes for the local variables. +; SevEsIdtVmmComm: ; ; If we're here, then we are an SEV-ES guest and this @@ -367,6 +429,13 @@ SevEsIdtVmmComm: ; Save the CPUID function being requested mov [esp + VC_CPUID_FUNCTION], eax +; If SEV-SNP is enabled, use the CPUID page to handle the CPUID +; instruction. +mov ecx, SEV_STATUS_MSR +rdmsr +bt eax, 2 +jc SnpCpuidLookup + ; The GHCB CPUID protocol uses the following mapping to request ; a specific register: ; 0 => EAX, 1 => EBX, 2 => ECX, 3 => EDX @@ -424,6 +493,7 @@ VmmDone: mov ecx, SEV_GHCB_MSR wrmsr +VmmDoneSnpCpuid: mov eax, [esp + VC_CPUID_RESULT_EAX] mov ebx, [esp + VC_CPUID_RESULT_EBX] mov ecx, [esp + VC_CPUID_RESULT_ECX] -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83709): https://edk2.groups.io/g/devel/message/83709 Mute This Topic: https://groups.io/mt/87011876/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 07/32] OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 An SEV-SNP guest requires that private memory (aka pages mapped encrypted) must be validated before being accessed. The validation process consist of the following sequence: 1) Set the memory encryption attribute in the page table (aka C-bit). Note: If the processor is in non-PAE mode, then all the memory accesses are considered private. 2) Add the memory range as private in the RMP table. This can be performed using the Page State Change VMGEXIT defined in the GHCB specification. 3) Use the PVALIDATE instruction to set the Validated Bit in the RMP table. During the guest creation time, the VMM encrypts the OVMF_CODE.fd using the SEV-SNP firmware provided LAUNCH_UPDATE_DATA command. In addition to encrypting the content, the command also validates the memory region. This allows us to execute the code without going through the validation sequence. During execution, the reset vector need to access some data pages (such as page tables, SevESWorkarea, Sec stack). The data pages are accessed as private memory. The data pages are not part of the OVMF_CODE.fd, so they were not validated during the guest creation. There are two approaches we can take to validate the data pages before the access: a) Enhance the OVMF reset vector code to validate the pages as described above (go through step 2 - 3). OR b) Validate the pages during the guest creation time. The SEV firmware provides a command which can be used by the VMM to validate the pages without affecting the measurement of the launch. Approach #b seems much simpler; it does not require any changes to the OVMF reset vector code. Update the OVMF metadata with the list of regions that must be pre-validated by the VMM before the boot. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/ResetVector.inf | 1 + OvmfPkg/ResetVector/ResetVector.nasmb | 13 + OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 15 +++ 3 files changed, 29 insertions(+) diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index 1c5d84184ed7..a4154ca90c28 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -57,6 +57,7 @@ [Pcd] [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index fbaeab5f5168..cc364748b592 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -107,6 +107,19 @@ %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) + %define SNP_SEC_MEM_BASE_DESC_1 (FixedPcdGet32 (PcdOvmfSecPageTablesBase)) + %define SNP_SEC_MEM_SIZE_DESC_1 (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1) + ; + ; The PcdOvmfSecGhcbBase reserves two GHCB pages. The first page is used + ; as GHCB shared page and second is used for bookkeeping to support the + ; nested GHCB in SEC phase. The bookkeeping page is mapped private. The VMM + ; does not need to validate the shared page but it need to validate the + ; bookkeeping page. + ; + %define SNP_SEC_MEM_BASE_DESC_2 (GHCB_BASE + 0x1000) + %define SNP_SEC_MEM_SIZE_DESC_2 (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2) + %define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE) + %define SNP_SEC_MEM_SIZE_DESC_3 (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3) %include "X64/IntelTdxMetadata.asm" %include "Ia32/Flat32ToFlat64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm index 0cc12ad3473f..d03fc6d45175 100644 --- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -43,6 +43,16 @@ _DescriptorSev: DD OVMF_SEV_METADATA_VERSION ; Version DD (OvmfSevGuidedStructureEnd - _DescriptorSev - 16) / 12 ; Number of sections +; Region need to be pre-validated by the hypervisor +PreValidate1: + DD SNP_SEC_MEM_BASE_DESC_1 + DD SNP_SEC_MEM_SIZE_DESC_1 + DD OVMF_SECTION_TYPE_SNP_SEC_MEM +PreValidate2: + DD SNP_SEC_MEM_BASE_DESC_2 + DD SNP_SEC_MEM_SIZE_DESC_2 + DD OVMF_SECTION_TYPE_SNP_SEC_MEM + ; SEV-SNP Secrets page SevSnpSecrets: DD SEV_SNP_SECRETS_BASE @@ -55,5 +65,10 @@ CpuidSec: DD CPUID_SIZE DD OVMF_SECTION_TYPE_CPUID +; Region need
[edk2-devel] [PATCH v13 06/32] OvmfPkg: reserve CPUID page
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Platform features and capabilities are traditionally discovered via the CPUID instruction. Hypervisors typically trap and emulate the CPUID instruction for a variety of reasons. There are some cases where incorrect CPUID information can potentially lead to a security issue. The SEV-SNP firmware provides a feature to filter the CPUID results through the PSP. The filtered CPUID values are saved on a special page for the guest to consume. Reserve a page in MEMFD that will contain the results of filtered CPUID values. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 7 +++ OvmfPkg/OvmfPkgX64.fdf | 3 +++ OvmfPkg/ResetVector/ResetVector.inf | 2 ++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 16 5 files changed, 30 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index deb285fd62c5..bc14cf2ed403 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -357,6 +357,13 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x58 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x59 + ## The base address and size of a CPUID Area that contains the hypervisor + # provided CPUID results. In the case of SEV-SNP, the CPUID results are + # filtered by the SEV-SNP firmware. If this is set in the .fdf, the + # platform is responsible to reserve this area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|0|UINT32|0x60 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize|0|UINT32|0x61 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 1313c7f016bf..e94b433e7b28 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -91,6 +91,9 @@ [FD.MEMFD] 0x00D000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize +0x00E000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize + 0x01|0x01 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index fcbc25d0ce3d..1c5d84184ed7 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -55,6 +55,8 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataSize [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index 4e685ef23684..fbaeab5f5168 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -105,6 +105,8 @@ %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) + %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) + %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) %include "X64/IntelTdxMetadata.asm" %include "Ia32/Flat32ToFlat64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm index 2bc7790bd808..0cc12ad3473f 100644 --- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -17,6 +17,16 @@ BITS 64 ; AMD SEV-SNP specific sections %define OVMF_SECTION_TYPE_SNP_SECRETS 0x2 +; +; The section contains the hypervisor pre-populated CPUID values. +; In the case of SEV-SNP, the CPUID values are filtered and measured by +; the SEV-SNP firmware. +; The CPUID format is documented in SEV-SNP firmware spec 0.9 section 7.1 +; (CPUID function structure). +; +%define OVMF_SECTION_TYPE_CPUID 0x3 + + ALIGN 16 TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0 @@ -39,5 +49,11 @@ SevSnpSecrets: DD SEV_SNP_SECRETS_SIZE DD OVMF_SECTION_TYPE_SNP_SECRETS +; CPUID values +CpuidSec: + DD CPUID_BASE + DD CPUID_SIZE + DD OVMF_SECTION_TYPE_CPUID + OvmfSevGuidedStructureEnd: ALIGN 16 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/
[edk2-devel] [PATCH v13 03/32] OvmfPkg/ResetVector: move clearing GHCB in SecMain
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 In preparation for SEV-SNP support move clearing of the GHCB memory from the ResetVector/AmdSev.asm to SecMain/AmdSev.c. The GHCB page is not accessed until SevEsProtocolCheck() switch to full GHCB. So, the move does not make any changes in the code flow or logic. The move will simplify the SEV-SNP support. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/AmdSev.c| 2 +- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 6 -- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c index 3b4adaae32c7..7f74e8bfe88e 100644 --- a/OvmfPkg/Sec/AmdSev.c +++ b/OvmfPkg/Sec/AmdSev.c @@ -95,7 +95,7 @@ SevEsProtocolCheck ( AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); Ghcb = Msr.Ghcb; - SetMem (Ghcb, sizeof (*Ghcb), 0); + SetMem (Ghcb, FixedPcdGet32 (PcdOvmfSecGhcbSize), 0); // // Set the version to the maximum that can be supported diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm index 250ac8d8b180..48d9178168b0 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -177,12 +177,6 @@ pageTableEntries4kLoop: mov ecx, (GHCB_BASE & 0x1F_) >> 12 mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0 -mov ecx, GHCB_SIZE / 4 -xor eax, eax -clearGhcbMemoryLoop: -mov dword[ecx * 4 + GHCB_BASE - 4], eax -loopclearGhcbMemoryLoop - SevClearPageEncMaskForGhcbPageExit: OneTimeCallRet SevClearPageEncMaskForGhcbPage -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83705): https://edk2.groups.io/g/devel/message/83705 Mute This Topic: https://groups.io/mt/87011871/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 05/32] OvmfPkg: reserve SNP secrets page
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 During the SNP guest launch sequence, a special secrets page needs to be inserted by the VMM. The PSP will populate the page; it will contain the VM Platform Communication Key (VMPCKs) used by the guest to send and receive secure messages to the PSP. The purpose of the secrets page in the SEV-SNP is different from the one used in SEV guests. In SEV, the secrets page contains the guest owner's private data after the remote attestation. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 7 +++ OvmfPkg/OvmfPkgX64.fdf | 3 +++ OvmfPkg/ResetVector/ResetVector.inf | 2 ++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 9 + 5 files changed, 23 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 340d83f794d0..deb285fd62c5 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -350,6 +350,13 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataOffset|0|UINT32|0x56 gUefiOvmfPkgTokenSpaceGuid.PcdBfvRawDataSize|0|UINT32|0x57 + ## The base address and size of the SEV-SNP Secrets Area that contains + # the VM platform communication key used to send and recieve the + # messages to the PSP. If this is set in the .fdf, the platform + # is responsible to reserve this area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|0|UINT32|0x58 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize|0|UINT32|0x59 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x10 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index b6cc3cabdd69..1313c7f016bf 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -88,6 +88,9 @@ [FD.MEMFD] 0x00C000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize +0x00D000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize + 0x01|0x01 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/ResetVector.inf index 320e5f2c6527..fcbc25d0ce3d 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -59,3 +59,5 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableBase gUefiOvmfPkgTokenSpaceGuid.PcdQemuHashTableSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index d847794feadb..4e685ef23684 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -103,6 +103,8 @@ %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) + %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) + %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) %include "X64/IntelTdxMetadata.asm" %include "Ia32/Flat32ToFlat64.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm index 9d8c3e8194a4..2bc7790bd808 100644 --- a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -14,6 +14,9 @@ BITS 64 ; The section must be accepted or validated by the VMM before the boot %define OVMF_SECTION_TYPE_SNP_SEC_MEM 0x1 +; AMD SEV-SNP specific sections +%define OVMF_SECTION_TYPE_SNP_SECRETS 0x2 + ALIGN 16 TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0 @@ -30,5 +33,11 @@ _DescriptorSev: DD OVMF_SEV_METADATA_VERSION ; Version DD (OvmfSevGuidedStructureEnd - _DescriptorSev - 16) / 12 ; Number of sections +; SEV-SNP Secrets page +SevSnpSecrets: + DD SEV_SNP_SECRETS_BASE + DD SEV_SNP_SECRETS_SIZE + DD OVMF_SECTION_TYPE_SNP_SECRETS + OvmfSevGuidedStructureEnd: ALIGN 16 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83706): https://edk2.groups.io/g/devel/message/83706 Mute This Topic: https://groups.io/mt/87011872/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: http
[edk2-devel] [PATCH v13 01/32] OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Move all the SEV specific function in AmdSev.c. No functional change intended. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- OvmfPkg/Sec/SecMain.inf | 1 + OvmfPkg/Sec/AmdSev.h| 72 ++ OvmfPkg/Sec/AmdSev.c| 161 OvmfPkg/Sec/SecMain.c | 153 +- 4 files changed, 236 insertions(+), 151 deletions(-) create mode 100644 OvmfPkg/Sec/AmdSev.h create mode 100644 OvmfPkg/Sec/AmdSev.c diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index ea4b9611f52d..9523a8ea6c8f 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -23,6 +23,7 @@ [Defines] [Sources] SecMain.c + AmdSev.c [Sources.IA32] Ia32/SecEntry.nasm diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h new file mode 100644 index ..adad96d23189 --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.h @@ -0,0 +1,72 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _AMD_SEV_SEC_INTERNAL_H__ +#define _AMD_SEV_SEC_INTERNAL_H__ + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ); + + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor + and the guest intersect. If they don't intersect, request termination. + +**/ +VOID +SevEsProtocolCheck ( + VOID + ); + +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +BOOLEAN +IsSevGuest ( + VOID + ); + +/** + Determine if SEV-ES is active. + + During early booting, SEV-ES support code will set a flag to indicate that + SEV-ES is enabled. Return the value of this flag as an indicator that SEV-ES + is enabled. + + @retval TRUE SEV-ES is enabled + @retval FALSE SEV-ES is not enabled + +**/ +BOOLEAN +SevEsIsEnabled ( + VOID + ); + +#endif diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c new file mode 100644 index ..3b4adaae32c7 --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.c @@ -0,0 +1,161 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +#include "AmdSev.h" + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES guest + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbTerminate.Function = GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet = GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode = ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hypervisor + and the guest intersect. If they don't intersect, request termination. + +**/ +VOID +SevEsProtocolCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + GHCB *Ghcb; + + // + // Use the GHCB MSR Protocol to obtain the GHCB SEV-ES Information for + // protocol checking + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbInfo.Function = GHCB_INFO_SEV_INFO_GET; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + if (Msr.GhcbInfo.Function != GHCB_INFO_SEV_INFO) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + if (Msr.GhcbProtocol.SevEsProtocolMin > Msr.GhcbProtocol.SevEsProtocolMax) { +SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + if ((Msr.GhcbProtocol.SevEsProtocolMin > GHCB_VERSION_MAX) || + (Msr.GhcbProtocol.SevEsProtocolMax < GHCB_VERSION_MIN)) { +S
[edk2-devel] [PATCH v13 04/32] OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The OvmfPkgX86 build reserves memory regions in MEMFD. The memory regions get accessed in the SEC phase. AMD SEV-SNP require that the guest's private memory be accepted or validated before access. Introduce a Guided metadata structure that describes the reserved memory regions. The VMM can locate the metadata structure by iterating through the reset vector guid and process the areas based on the platform specific requirements. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 14 OvmfPkg/ResetVector/ResetVector.nasmb| 1 + OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm | 34 3 files changed, 49 insertions(+) create mode 100644 OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm index dee2e3f9de31..12f2cedd6767 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm @@ -64,6 +64,20 @@ tdxMetadataOffsetStart: DB 0x86, 0x5e, 0x46, 0x85, 0xa7, 0xbf, 0x8e, 0xc2 tdxMetadataOffsetEnd: +; +; SEV metadata descriptor +; +; Provide the start offset of the metadata blob within the OVMF binary. + +; GUID : dc886566-984a-4798-A75e-5585a7bf67cc +; +OvmfSevMetadataOffsetStart: + DD (fourGigabytes - OvmfSevMetadataGuid) + DW OvmfSevMetadataOffsetEnd - OvmfSevMetadataOffsetStart + DB 0x66, 0x65, 0x88, 0xdc, 0x4a, 0x98, 0x98, 0x47 + DB 0xA7, 0x5e, 0x55, 0x85, 0xa7, 0xbf, 0x67, 0xcc +OvmfSevMetadataOffsetEnd: + %endif ; SEV Hash Table Block diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index 87effedb9c60..d847794feadb 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -109,6 +109,7 @@ %include "Ia32/AmdSev.asm" %include "Ia32/PageTables64.asm" %include "Ia32/IntelTdx.asm" +%include "X64/OvmfSevMetadata.asm" %endif %include "Ia16/Real16ToFlat32.asm" diff --git a/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm new file mode 100644 index ..9d8c3e8194a4 --- /dev/null +++ b/OvmfPkg/ResetVector/X64/OvmfSevMetadata.asm @@ -0,0 +1,34 @@ +;- +; @file +; OVMF metadata for the AMD SEV confidential computing guests +; +; Copyright (c) 2021, AMD Inc. All rights reserved. +; +; SPDX-License-Identifier: BSD-2-Clause-Patent +;- + +BITS 64 + +%define OVMF_SEV_METADATA_VERSION 1 + +; The section must be accepted or validated by the VMM before the boot +%define OVMF_SECTION_TYPE_SNP_SEC_MEM 0x1 + +ALIGN 16 + +TIMES (15 - ((OvmfSevGuidedStructureEnd - OvmfSevGuidedStructureStart + 15) % 16)) DB 0 + +OvmfSevGuidedStructureStart: +; +; OvmfSev metadata descriptor +; +OvmfSevMetadataGuid: + +_DescriptorSev: + DB 'A','S','E','V'; Signature + DD OvmfSevGuidedStructureEnd - _DescriptorSev ; Length + DD OVMF_SEV_METADATA_VERSION ; Version + DD (OvmfSevGuidedStructureEnd - _DescriptorSev - 16) / 12 ; Number of sections + +OvmfSevGuidedStructureEnd: + ALIGN 16 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83703): https://edk2.groups.io/g/devel/message/83703 Mute This Topic: https://groups.io/mt/87011869/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v13 00/32] Add AMD Secure Nested Paging (SEV-SNP) support
ove the SEV specific functions from SecMain.c in AmdSev.c * Rebase to the latest code * Add the review feedback from Yao. Change since v4: * Use the correct MSR for the SEV_STATUS * Add VMPL-0 check Change since v3: * ResetVector: move all SEV specific code in AmdSev.asm and add macros to keep the code readable. * Drop extending the EsWorkArea to contain SNP specific state. * Drop the GhcbGpa library and call the VmgExit directly to register GHCB GPA. * Install the CC blob config table from AmdSevDxe instead of extending the AmdSev/SecretsDxe for it. * Add the separate PCDs for the SNP Secrets. Changes since v2: * Add support for the AP creation. * Use the module-scoping override to make AmdSevDxe use the IO port for PCI reads. * Use the reserved memory type for CPUID and Secrets page. * Changes since v1: * Drop the interval tree support to detect the pre-validated overlap region. * Use an array to keep track of pre-validated regions. * Add support to query the Hypervisor feature and verify that SNP feature is supported. * Introduce MemEncryptSevClearMmioPageEncMask() to clear the C-bit from MMIO ranges. * Pull the SevSecretDxe and SevSecretPei into OVMF package build. * Extend the SevSecretDxe to expose confidential computing blob location through EFI configuration table. Brijesh Singh (28): OvmfPkg/SecMain: move SEV specific routines in AmdSev.c UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c OvmfPkg/ResetVector: move clearing GHCB in SecMain OvmfPkg/ResetVector: introduce SEV metadata descriptor for VMM use OvmfPkg: reserve SNP secrets page OvmfPkg: reserve CPUID page OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled() OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest OvmfPkg/AmdSevDxe: do not use extended PCI config space OvmfPkg/MemEncryptSevLib: add support to validate system RAM OvmfPkg/MemEncryptSevLib: add function to check the VMPL0 OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated system RAM OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase OvmfPkg/SecMain: validate the memory used for decompressing Fv OvmfPkg/PlatformPei: validate the system RAM when SNP is active MdePkg: Define ConfidentialComputingGuestAttr OvmfPkg/PlatformPei: set PcdConfidentialComputingAttr when SEV is active UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status UefiCpuPkg: add PcdGhcbHypervisorFeatures OvmfPkg/PlatformPei: set the Hypervisor Features PCD MdePkg/GHCB: increase the GHCB protocol max version UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled OvmfPkg/MemEncryptSevLib: change the page state in the RMP table OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table Michael Roth (3): OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values UefiCpuPkg/MpInitLib: use BSP to do extended topology check Tom Lendacky (1): UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs MdePkg/MdePkg.dec | 4 + OvmfPkg/OvmfPkg.dec | 19 + UefiCpuPkg/UefiCpuPkg.dec | 5 + OvmfPkg/AmdSev/AmdSevX64.dsc | 8 +- OvmfPkg/Bhyve/BhyveX64.dsc| 5 +- OvmfPkg/OvmfPkgIa32.dsc | 4 + OvmfPkg/OvmfPkgIa32X64.dsc| 9 +- OvmfPkg/OvmfPkgX64.dsc| 8 +- OvmfPkg/OvmfXen.dsc | 5 +- OvmfPkg/OvmfPkgX64.fdf| 6 + OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 7 + .../DxeMemEncryptSevLib.inf | 3 + .../PeiMemEncryptSevLib.inf | 7 + .../SecMemEncryptSevLib.inf | 3 + OvmfPkg/Library/VmgExitLib/SecVmgExitLib.inf | 2 + OvmfPkg/Library/VmgExitLib/VmgExitLib.inf | 3 + OvmfPkg/PlatformPei/PlatformPei.inf | 7 + OvmfPkg/ResetVector/ResetVector.inf | 5 + OvmfPkg/Sec/SecMain.inf | 4 + UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 6 +- UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 6 +- .../Include/ConfidentialComputingGuestAttr.h | 25 + MdePkg/Include/Register/Amd/Ghcb.h| 2 +- .../Guid/ConfidentialComputingSevSnpBlob.h| 33 ++ OvmfPkg/Include/Library/MemEncryptSevLib.h| 26 + .../X64/SnpPageStateChange.h | 36 ++ .../BaseMemEncryptSevLib/X64/VirtualMemory.h | 24 + OvmfPkg/PlatformPei/Platform.h| 5 + OvmfPkg/Sec/AmdSev.h | 95 UefiC
[edk2-devel] [PATCH v13 02/32] UefiCpuPkg/MpInitLib: move SEV specific routines in AmdSev.c
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Move all the SEV specific function in AmdSev.c. No functional change intended. Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Reviewed-by: Ray Ni Acked-by: Gerd Hoffmann Suggested-by: Jiewen Yao Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 1 + UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 1 + UefiCpuPkg/Library/MpInitLib/MpLib.h | 33 +++ UefiCpuPkg/Library/MpInitLib/AmdSev.c | 239 ++ UefiCpuPkg/Library/MpInitLib/MpLib.c | 218 +--- UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 119 + UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 100 ++-- 7 files changed, 413 insertions(+), 298 deletions(-) create mode 100644 UefiCpuPkg/Library/MpInitLib/AmdSev.c create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf index d34419c2a524..6e510aa89120 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -28,6 +28,7 @@ [Sources.X64] X64/MpFuncs.nasm [Sources.common] + AmdSev.c MpEqu.inc DxeMpLib.c MpLib.c diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf index 36fcb96b5852..2cbd9b8b8acc 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -28,6 +28,7 @@ [Sources.X64] X64/MpFuncs.nasm [Sources.common] + AmdSev.c MpEqu.inc PeiMpLib.c MpLib.c diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index e88a5355c983..3d4446df8ce6 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -34,6 +34,9 @@ #include #include +#include +#include + #include #define WAKEUP_AP_SIGNAL SIGNATURE_32 ('S', 'T', 'A', 'P') @@ -741,5 +744,35 @@ PlatformShadowMicrocode ( IN OUT CPU_MP_DATA *CpuMpData ); +/** + Allocate the SEV-ES AP jump table buffer. + + @param[in, out] CpuMpData The pointer to CPU MP Data structure. +**/ +VOID +AllocateSevEsAPMemory ( + IN OUT CPU_MP_DATA *CpuMpData + ); + +/** + Program the SEV-ES AP jump table buffer. + + @param[in] SipiVector The SIPI vector used for the AP Reset +**/ +VOID +SetSevEsJumpTable ( + IN UINTN SipiVector + ); + +/** + The function puts the AP in halt loop. + + @param[in] CpuMpData The pointer to CPU MP Data structure. +**/ +VOID +SevEsPlaceApHlt ( + CPU_MP_DATA*CpuMpData + ); + #endif diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c new file mode 100644 index ..7dbf117c2b71 --- /dev/null +++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c @@ -0,0 +1,239 @@ +/** @file + CPU MP Initialize helper function for AMD SEV. + + Copyright (c) 2021, AMD Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "MpLib.h" +#include + +/** + Get Protected mode code segment with 16-bit default addressing + from current GDT table. + + @return Protected mode 16-bit code segment value. +**/ +STATIC +UINT16 +GetProtectedMode16CS ( + VOID + ) +{ + IA32_DESCRIPTOR GdtrDesc; + IA32_SEGMENT_DESCRIPTOR *GdtEntry; + UINTNGdtEntryCount; + UINT16 Index; + + Index = (UINT16) -1; + AsmReadGdtr (); + GdtEntryCount = (GdtrDesc.Limit + 1) / sizeof (IA32_SEGMENT_DESCRIPTOR); + GdtEntry = (IA32_SEGMENT_DESCRIPTOR *) GdtrDesc.Base; + for (Index = 0; Index < GdtEntryCount; Index++) { +if (GdtEntry->Bits.L == 0 && +GdtEntry->Bits.DB == 0 && +GdtEntry->Bits.Type > 8) { + break; +} +GdtEntry++; + } + ASSERT (Index != GdtEntryCount); + return Index * 8; +} + +/** + Get Protected mode code segment with 32-bit default addressing + from current GDT table. + + @return Protected mode 32-bit code segment value. +**/ +STATIC +UINT16 +GetProtectedMode32CS ( + VOID + ) +{ + IA32_DESCRIPTOR GdtrDesc; + IA32_SEGMENT_DESCRIPTOR *GdtEntry; + UINTNGdtEntryCount; + UINT16 Index; + + Index = (UINT16) -1; + AsmReadGdtr (); + GdtEntryCount = (GdtrDesc.Limit + 1) / sizeof (IA32_SEGMENT_DESCRIPTOR); + GdtEntry = (IA32_SEGMENT_DESCRIPTOR *) GdtrDesc.Base; + for (Index = 0; Index < GdtEntryCount; Index++) { +if (GdtEntry->Bits.L == 0 && +GdtEntry->Bits.DB == 1 && +GdtEntry->Bits.Type > 8) { + break; +} +GdtEntry++; + } + ASSERT (Index != GdtEntryCount); + return Index * 8; +} + +/** + Reset an
Re: [edk2-devel] [PATCH v12 27/32] UefiCpuPkg/MpInitLib: use BSP to do extended topology check
On 11/11/21 7:53 PM, Ni, Ray wrote: 3 comments: --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -224,6 +224,7 @@ typedef struct { BOOLEAN SevEsIsEnabled; BOOLEAN SevSnpIsEnabled; UINTN GhcbBase; + BOOLEAN ExtTopoAvail; } MP_CPU_EXCHANGE_INFO; 1. Can you please group all SEV-ES fields together? Please see my request about doing the grouping as a follow up patch. I have some other cleanup bit for SEV which will simplify code a bit and I am thinking to do all of those together. Those might include followings: BOOLEAN SevEsIsEnabled; BOOLEAN SevSnpIsEnabled; UINTN GhcbBase; BOOLEAN ExtTopoAvail; + if (ExchangeInfo->SevSnpIsEnabled) { +AsmCpuid (CPUID_SIGNATURE, , NULL, NULL, NULL); +if (StdRangeMax >= CPUID_EXTENDED_TOPOLOGY) { + CPUID_EXTENDED_TOPOLOGY_EBX ExtTopoEbx; + + AsmCpuid (CPUID_EXTENDED_TOPOLOGY, NULL, , NULL, NULL); + ExchangeInfo->ExtTopoAvail = !!ExtTopoEbx.Bits.LogicalProcessors; +} + } + 2. With the grouping, can you please create a routine such as FillExchangeInfoDataSevEs (...) in AmdSev.c? Yep, I will do in v13. // // Get the BSP's data of GDT and IDT // diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc index 01668638f245..aba53f57201c 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc +++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc @@ -94,6 +94,7 @@ struc MP_CPU_EXCHANGE_INFO .SevEsIsEnabled: CTYPE_BOOLEAN 1 .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 + .ExtTopoAvail: CTYPE_BOOLEAN 1 endstruc 3. can you please do same group in NASM struct? Same as above, I will do the needful in the follow up patch. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83698): https://edk2.groups.io/g/devel/message/83698 Mute This Topic: https://groups.io/mt/86969151/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v12 26/32] UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled
Hi Ray, Thanks you for all your comments. On 11/11/21 7:48 PM, Ni, Ray wrote: 1 comment: Can you please group the SevEsIsEnabled/SevSnpIsEnabled to a "2 boolean" struct or just one UINT8 field "SevEsEnable"? I think using the SevEsEnabled will create a bit more confusion. I can certainly follow up patch to combining the fields in structure after this code is merged. I am thinking is we need is actually pass the full CCAttribute in the CpuMetaData, use that to determine the type of the guest. That will require me looking at Min's TDX series and see what I can do to come up with an approach that works for all CC types and keep the code separate. With that said, if I can get your Ack on what we have then it will be great. thanks Through this way, MpLib.c can know less knowledge of SEV-ES. (I appreciate your effort to group the SEV-ES logic to separate files) BOOLEANSevEsIsEnabled; + BOOLEANSevSnpIsEnabled; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; ExchangeInfo->SevEsIsEnabled = CpuMpData->SevEsIsEnabled; + ExchangeInfo->SevSnpIsEnabled = CpuMpData->SevSnpIsEnabled; ExchangeInfo->GhcbBase= (UINTN) CpuMpData->GhcbBase; InitializeSpinLock(>MpLock); CpuMpData->SevEsIsEnabled = ConfidentialComputingGuestHas (CCAttrAmdSevEs); + CpuMpData->SevSnpIsEnabled = ConfidentialComputingGuestHas (CCAttrAmdSevSnp); CpuMpData->SevEsAPBuffer = (UINTN) -1; .Enable5LevelPaging: CTYPE_BOOLEAN 1 .SevEsIsEnabled: CTYPE_BOOLEAN 1 + .SevSnpIsEnabled CTYPE_BOOLEAN 1 .GhcbBase: CTYPE_UINTN 1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83697): https://edk2.groups.io/g/devel/message/83697 Mute This Topic: https://groups.io/mt/86969147/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v12 32/32] UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
On 11/11/21 8:09 PM, Ni, Ray wrote: Acked-by: Ray Ni thanks! 3 comments: 1. It seems to me that the latest SevSnp doesn't need much special handling in AP waking up flow. Is there a plan to drop the old SevEs so that the MpInitLib logic can have a chance to be back to normal? The EPYC3 family supports SEV, SEV-ES and SEV-SNP. The EPYC2 family supports SEV and SEV-ES. The EPYC1 family supports SEV. So, as you can depending on the user platform/configuration, they may boot the VM using the SEV-ES. We may have to keep it around for sometime and see how it goes. [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm 2. I am not sure if it's a good idea that "THREE" files share the same name. Any objections from others? @@ -1056,9 +1057,12 @@ AllocateResetVector ( ); // // The AP reset stack is only used by SEV-ES guests. Do not allocate it -// if SEV-ES is not enabled. +// if SEV-ES is not enabled. An SEV-SNP guest is also considered +// an SEV-ES guest, but uses a different method of AP startup, eliminating +// the need for the allocation. // -if (ConfidentialComputingGuestHas (CCAttrAmdSevEs)) { +if (ConfidentialComputingGuestHas (CCAttrAmdSevEs) && +!ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) { 3. Can you use "CpuMpData->UseSevEsAPMethod" in above if check? -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83696): https://edk2.groups.io/g/devel/message/83696 Mute This Topic: https://groups.io/mt/86969158/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v12 22/32] UefiCpuPkg/MpInitLib: use PcdConfidentialComputingAttr to check SEV status
On 11/11/21 7:27 PM, Ni, Ray wrote: > 2 minor comments. > >> + switch (Attr) { >> +case CCAttrAmdSev: >> + return CurrentAttr >= CCAttrAmdSev; >> +case CCAttrAmdSevEs: >> + return CurrentAttr >= CCAttrAmdSevEs; >> +case CCAttrAmdSevSnp: >> + return CurrentAttr == CCAttrAmdSevSnp; > 1. Can you put comments to explain that the relationship between the three > features? > That can explain why ">=" is used here. > You may use ">=" for SEV-SNP as well, in case AMD invents a more advanced > SEV.:) Sure, I can add a comment. > >> + >> + return (CurrentAttr == Attr); > 2. I guess a "BOOLEAN" type cast is needed. > I can cast it but CI didn't complain about it. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83691): https://edk2.groups.io/g/devel/message/83691 Mute This Topic: https://groups.io/mt/86969148/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v12 20/32] MdePkg: Define ConfidentialComputingGuestAttr
Hi Ray, On 11/11/21 8:00 AM, Ni, Ray wrote: I don't prefer to use a dynamic PCD for passing data. Because developers don't know when this PCD value is finalized (PCD always has a default value). If the value is determined in PEI and consumed in DXE, HOB is a better choice. If the value is determined in PEI and consumed in PEI, PPI is a better choice. (you can use PPI depex) If the value is determined in DXE and consumed in DXE, Protocol is a better choice. (You can use Protocol depex) I wish you had raised your concerns early to avoid going in this PCD direction. The PCD approach was discussed some time back. Both the SEV-SNP and TDX patches are dependent on it. Having said so, if your preference is not to use the PCD, then it can be done after SNP and TDX patches are merged. Jiewen/Min/Gerd thoughts? thanks -Original Message- From: Brijesh Singh Sent: Thursday, November 11, 2021 6:15 AM To: devel@edk2.groups.io Cc: James Bottomley ; Xu, Min M ; Yao, Jiewen ; Tom Lendacky ; Justen, Jordan L ; Ard Biesheuvel ; Erdem Aktas ; Michael Roth ; Gerd Hoffmann ; Kinney, Michael D ; Liming Gao ; Liu, Zhiguang ; Ni, Ray ; Kumar, Rahul1 ; Dong, Eric ; Brijesh Singh ; Michael Roth Subject: [PATCH v12 20/32] MdePkg: Define ConfidentialComputingGuestAttr BZ: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D3275data=04%7C01%7Cbrijesh.singh%40amd.com%7C40483d937fa84cebe69908d9a51b9afd%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637722360254370524%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000sdata=EtT7bzDCZxsMA9sTCqISftp62QbezdoSf4k2eCfZsws%3Dreserved=0 While initializing APs, the MpInitLib may need to know whether the guest is running with active AMD SEV or Intel TDX memory encryption. Add a new ConfidentialComputingGuestAttr PCD that can be used to query the memory encryption attribute. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Cc: Michael Roth Cc: Ray Ni Cc: Rahul Kumar Cc: Eric Dong Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Suggested-by: Jiewen Yao Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- MdePkg/MdePkg.dec | 4 +++ .../Include/ConfidentialComputingGuestAttr.h | 25 +++ 2 files changed, 29 insertions(+) create mode 100644 MdePkg/Include/ConfidentialComputingGuestAttr.h diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index 8b18415b107a..cd903c35d2ff 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -2396,5 +2396,9 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] # @Prompt FSB Clock. gEfiMdePkgTokenSpaceGuid.PcdFSBClock|2|UINT32|0x000c + ## This dynamic PCD indicates the memory encryption attribute of the guest. + # @Prompt Memory encryption attribute + gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr|0|UINT64|0x + 002e + [UserExtensions.TianoCore."ExtraFiles"] MdePkgExtra.uni diff --git a/MdePkg/Include/ConfidentialComputingGuestAttr.h b/MdePkg/Include/ConfidentialComputingGuestAttr.h new file mode 100644 index ..495b0df0ac33 --- /dev/null +++ b/MdePkg/Include/ConfidentialComputingGuestAttr.h @@ -0,0 +1,25 @@ +/** @file +Definitions for Confidential Computing Attribute + +Copyright (c) 2021 AMD Inc. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ +#define CONFIDENTIAL_COMPUTING_GUEST_ATTR_H_ + +typedef enum { + /* The guest is running with memory encryption disabled. */ + CCAttrNotEncrypted = 0, + + /* The guest is running with AMD SEV memory encryption enabled. */ + CCAttrAmdSev = 0x100, + CCAttrAmdSevEs= 0x101, + CCAttrAmdSevSnp = 0x102, + + /* The guest is running with Intel TDX memory encryption enabled. */ + CCAttrIntelTdx= 0x200, +} CONFIDENTIAL_COMPUTING_GUEST_ATTR; + +#endif -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83656): https://edk2.groups.io/g/devel/message/83656 Mute This Topic: https://groups.io/mt/86969144/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v12 32/32] UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs
From: Tom Lendacky BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 Use the SEV-SNP AP Creation NAE event to create and launch APs under SEV-SNP. This capability will be advertised in the SEV Hypervisor Feature Support PCD (PcdSevEsHypervisorFeatures). Cc: Michael Roth Cc: Eric Dong Cc: Ray Ni Cc: Rahul Kumar Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Tom Lendacky Signed-off-by: Brijesh Singh --- UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf | 3 + UefiCpuPkg/Library/MpInitLib/MpLib.h | 44 +++ UefiCpuPkg/Library/MpInitLib/DxeMpLib.c | 12 +- UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c| 70 + UefiCpuPkg/Library/MpInitLib/MpLib.c | 51 ++-- UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 261 ++ 7 files changed, 425 insertions(+), 19 deletions(-) create mode 100644 UefiCpuPkg/Library/MpInitLib/Ia32/AmdSev.c create mode 100644 UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c diff --git a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf index de705bc54bb4..e1cd0b350008 100644 --- a/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/DxeMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm [Sources.common] @@ -73,6 +75,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApStatusCheckIntervalInMicroSeconds ## CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf index b7e15ee023f0..5facf4db9499 100644 --- a/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf +++ b/UefiCpuPkg/Library/MpInitLib/PeiMpInitLib.inf @@ -22,9 +22,11 @@ [Defines] # [Sources.IA32] + Ia32/AmdSev.c Ia32/MpFuncs.nasm [Sources.X64] + X64/AmdSev.c X64/MpFuncs.nasm [Sources.common] @@ -64,6 +66,7 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdCpuApLoopMode ## CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdCpuApTargetCstate ## SOMETIMES_CONSUMES gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase ## SOMETIMES_CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdGhcbBase ## CONSUMES gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h index c52b6157429b..48f6e933bb36 100644 --- a/UefiCpuPkg/Library/MpInitLib/MpLib.h +++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h @@ -15,6 +15,7 @@ #include #include +#include #include #include #include @@ -150,6 +151,7 @@ typedef struct { UINT8 PlatformId; UINT64 MicrocodeEntryAddr; UINT32 MicrocodeRevision; + SEV_ES_SAVE_AREA *SevEsSaveArea; } CPU_AP_DATA; // @@ -294,6 +296,7 @@ struct _CPU_MP_DATA { BOOLEANSevEsIsEnabled; BOOLEANSevSnpIsEnabled; + BOOLEANUseSevEsAPMethod; UINTN SevEsAPBuffer; UINTN SevEsAPResetStackStart; CPU_MP_DATA*NewCpuMpData; @@ -790,5 +793,46 @@ ConfidentialComputingGuestHas ( CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr ); +/** + Issue RMPADJUST to adjust the VMSA attribute of an SEV-SNP page. + + @param[in] PageAddress + @param[in] VmsaPage + + @return RMPADJUST return value +**/ +UINT32 +SevSnpRmpAdjust ( + IN EFI_PHYSICAL_ADDRESS PageAddress, + IN BOOLEAN VmsaPage + ); + +/** + Create an SEV-SNP AP save area (VMSA) for use in running the vCPU. + + @param[in] CpuMpDataPointer to CPU MP Data + @param[in] CpuData Pointer to CPU AP Data + @param[in] ApicId APIC ID of the vCPU +**/ +VOID +SevSnpCreateSaveArea ( + IN CPU_MP_DATA *CpuMpData, + IN CPU_AP_DATA *CpuData, + UINT32 ApicId + ); + +/** + Create SEV-SNP APs. + + @param[in] CpuMpDataPointer to CPU MP Data + @param[in] ProcessorNumber The handle number
[edk2-devel] [PATCH v12 30/32] OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map
When SEV-SNP is active, the CPUID and Secrets memory range contains the information that is used during the VM boot. The content need to be persist across the kexec boot. Mark the memory range as Reserved in the EFI map so that guest OS or firmware does not use the range as a system RAM. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/PlatformPei.inf | 4 OvmfPkg/PlatformPei/Platform.h | 5 + OvmfPkg/PlatformPei/AmdSev.c| 31 + OvmfPkg/PlatformPei/MemDetect.c | 2 ++ 4 files changed, 42 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 3c05b550e4bd..1c56ba275835 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -111,6 +111,8 @@ [Pcd] gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfCpuidSize gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory @@ -121,6 +123,8 @@ [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpSecretsSize [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable diff --git a/OvmfPkg/PlatformPei/Platform.h b/OvmfPkg/PlatformPei/Platform.h index 8b1d270c2b0b..4169019b4c07 100644 --- a/OvmfPkg/PlatformPei/Platform.h +++ b/OvmfPkg/PlatformPei/Platform.h @@ -102,6 +102,11 @@ AmdSevInitialize ( VOID ); +VOID +SevInitializeRam ( + VOID + ); + extern EFI_BOOT_MODE mBootMode; extern BOOLEAN mS3Supported; diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 7da6370113f0..e71c601aa716 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -410,3 +410,34 @@ AmdSevInitialize ( ASSERT_RETURN_ERROR (PcdStatus); } + +/** + The function performs SEV specific region initialization. + + **/ +VOID +SevInitializeRam ( + VOID + ) +{ + if (MemEncryptSevSnpIsEnabled ()) { +// +// If SEV-SNP is enabled, reserve the Secrets and CPUID memory area. +// +// This memory range is given to the PSP by the hypervisor to populate +// the information used during the SNP VM boots, and it need to persist +// across the kexec boots. Mark it as EfiReservedMemoryType so that +// the guest firmware and OS does not use it as a system memory. +// +BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpSecretsBase), + (UINT64)(UINTN) PcdGet32 (PcdOvmfSnpSecretsSize), + EfiReservedMemoryType + ); +BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfCpuidBase), + (UINT64)(UINTN) PcdGet32 (PcdOvmfCpuidSize), + EfiReservedMemoryType + ); + } +} diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetect.c index d736b85e0d90..058bb394f0df 100644 --- a/OvmfPkg/PlatformPei/MemDetect.c +++ b/OvmfPkg/PlatformPei/MemDetect.c @@ -821,6 +821,8 @@ InitializeRamRegions ( { QemuInitializeRam (); + SevInitializeRam (); + if (mS3Supported && mBootMode != BOOT_ON_S3_RESUME) { // // This is the memory range that will be used for PEI on S3 resume -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83603): https://edk2.groups.io/g/devel/message/83603 Mute This Topic: https://groups.io/mt/86969153/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v12 29/32] OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address
The SetMemoryEncDec() is used by the higher level routines to set or clear the page encryption mask for system RAM and Mmio address. When SEV-SNP is active, in addition to set/clear page mask it also updates the RMP table. The RMP table updates are required for the system RAM address and not the Mmio address. Add a new parameter in SetMemoryEncDec() to tell whether the specified address is Mmio. If its Mmio then skip the page state change in the RMP table. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Cc: Gerd Hoffmann Acked-by: Gerd Hoffmann Acked-by: Jiewen Yao Signed-off-by: Brijesh Singh --- .../X64/PeiDxeVirtualMemory.c | 20 --- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c index 56db1e4b6ecf..0bb86d768017 100644 --- a/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/X64/PeiDxeVirtualMemory.c @@ -673,6 +673,7 @@ InternalMemEncryptSevCreateIdentityMap1G ( @param[in] ModeSet or Clear mode @param[in] CacheFlush Flush the caches before applying the encryption mask + @param[in] MmioThe physical address specified is Mmio @retval RETURN_SUCCESS The attributes were cleared for the memory region. @@ -688,7 +689,8 @@ SetMemoryEncDec ( INPHYSICAL_ADDRESS PhysicalAddress, INUINTNLength, INMAP_RANGE_MODE Mode, - INBOOLEAN CacheFlush + INBOOLEAN CacheFlush, + INBOOLEAN Mmio ) { PAGE_MAP_AND_DIRECTORY_POINTER *PageMapLevel4Entry; @@ -711,14 +713,15 @@ SetMemoryEncDec ( DEBUG (( DEBUG_VERBOSE, -"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx Mode=%a CacheFlush=%u\n", +"%a:%a: Cr3Base=0x%Lx Physical=0x%Lx Length=0x%Lx Mode=%a CacheFlush=%u Mmio=%u\n", gEfiCallerBaseName, __FUNCTION__, Cr3BaseAddress, PhysicalAddress, (UINT64)Length, (Mode == SetCBit) ? "Encrypt" : "Decrypt", -(UINT32)CacheFlush +(UINT32)CacheFlush, +(UINT32)Mmio )); // @@ -760,7 +763,7 @@ SetMemoryEncDec ( // // The InternalSetPageState() is used for setting the page state in the RMP table. // - if ((Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { + if (!Mmio && (Mode == ClearCBit) && MemEncryptSevSnpIsEnabled ()) { InternalSetPageState (PhysicalAddress, EFI_SIZE_TO_PAGES (Length), SevSnpPageShared, FALSE); } @@ -998,7 +1001,8 @@ InternalMemEncryptSevSetMemoryDecrypted ( PhysicalAddress, Length, ClearCBit, - TRUE + TRUE, + FALSE ); } @@ -1031,7 +1035,8 @@ InternalMemEncryptSevSetMemoryEncrypted ( PhysicalAddress, Length, SetCBit, - TRUE + TRUE, + FALSE ); } @@ -1064,6 +1069,7 @@ InternalMemEncryptSevClearMmioPageEncMask ( PhysicalAddress, Length, ClearCBit, - FALSE + FALSE, + TRUE ); } -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83605): https://edk2.groups.io/g/devel/message/83605 Mute This Topic: https://groups.io/mt/86969155/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-