BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Commit 85b8eac59b8c5bd9c7eb9afdb64357ce1aa2e803 added support to ensure
that MMIO is only performed against the un-encrypted memory. If MMIO
is performed against encrypted memory, a #GP is raised.
The AmdSevDxe uses the functions provided
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Use the SEV-SNP AP Creation NAE event to create and launch APs under
SEV-SNP. This capability will be advertised in the SEV Hypervisor
Feature Support PCD (PcdSevEsHypervisorFeatures).
Cc: Michael Roth
Cc: Eric Dong
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Now that OvmfPkg supports version 2 of the GHCB specification, bump the
protocol version.
Cc: Michael Roth
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Eric Dong
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
When SEV-SNP is active, the CPUID and Secrets memory range contains the
information that is used during the VM boot. The content needs to persist
across the kexec boot. Mark the memory range as Reserved in the EFI map
so that the guest OS or firmware does not use the range as system RAM.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Now that both the secrets and cpuid pages are reserved in the HOB,
extract the location details through fixed PCD and make it available
to the guest OS through the configuration table.
Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Version 2 of the GHCB specification added the support to query the
hypervisor feature bitmap. The feature bitmap provides information
such as whether to use the AP create VmgExit or use the AP jump table
approach to create the APs. The
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The MemEncryptSev{Set,Clear}PageEncMask() functions are used to set or
clear the memory encryption attribute in the page table. When SEV-SNP
is active, we also need to change the page state in the RMP table so that
it is in sync with the
The SetMemoryEncDec() is used by the higher level routines to set or clear
the page encryption mask for system RAM and MMIO addresses. When SEV-SNP is
active, in addition to setting/clearing the page mask, it also updates the RMP table.
The RMP table updates are required for the system RAM address and not
the
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
An SEV-SNP guest requires that the physical address of the GHCB must
be registered with the hypervisor before using it. See the GHCB
specification section 2.3.2 for more details.
Cc: Michael Roth
Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
From: Michael Roth
During AP bringup, just after switching to long mode, APs will do some
cpuid calls to verify that the extended topology leaf (0xB) is available
so they can fetch their x2 APIC IDs from it. In the case of SEV-ES,
these cpuid instructions must be handled by direct use of the
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The previous commit introduced a generic confidential computing PCD that can
determine whether AMD SEV-ES is enabled. Update the MpInitLib to drop the
PcdSevEsIsEnabled in favor of PcdConfidentialComputingAttr.
Cc: Michael Roth
Cc: Ray Ni
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Version 2 of the GHCB specification added a new VMGEXIT that the guest
could use for querying the hypervisor features. One of the immediate
users for it will be an AP creation code. When SEV-SNP is enabled, the
guest can use the newly added
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
While initializing APs, the MpInitLib may need to know whether the
guest is running with active AMD SEV or Intel TDX memory encryption.
Add a new ConfidentialComputingGuestAttr PCD that can be used to query
the memory encryption attribute.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The MpInitLib uses the ConfidentialComputingAttr PCD to determine whether
AMD SEV is active so that it can use the VMGEXITs defined in the GHCB
specification to create APs.
Cc: Michael Roth
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Eric Dong
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
When SEV-SNP is active, a memory region mapped encrypted in the page
table must be validated before access. There are two approaches that
can be taken to validate the system RAM detected during the PEI phase:
1) Validate on-demand
OR
2)
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The initial page built during the SEC phase is used by the
MemEncryptSevSnpValidateSystemRam() for the system RAM validation. The
page validation process requires using the PVALIDATE instruction; the
instruction accepts a virtual address of
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The VMM launch sequence should have pre-validated all the data pages used
in the Reset vector. The range does not cover the data pages used during
the SEC phase (mainly PEI and DXE firmware volume decompression memory).
When SEV-SNP is
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The SEV-SNP guest requires that the GHCB GPA be registered before use.
See the GHCB specification section 2.3.2 for more details.
Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The Virtual Machine Privilege Level (VMPL) feature in the SEV-SNP
architecture allows a guest VM to divide its address space into four
levels. The levels can be used to provide hardware-isolated
abstraction layers within a VM. The VMPL0 is the
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The MemEncryptSevSnpPreValidateSystemRam() is used for pre-validating the
system RAM. As the boot progresses, each phase validates a fixed region of
the RAM. In the PEI phase, the PlatformPei detects all the available RAM
and calls to
From: Michael Roth
SEV-SNP firmware allows a special guest page to be populated with
guest CPUID values so that they can be validated against supported
host features before being loaded into encrypted guest memory to be
used instead of hypervisor-provided values [1].
Add handling for this in
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The SEV-SNP guest requires that the GHCB GPA be registered before use.
See the GHCB specification section 2.3.2 for more details.
Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Many of the integrity guarantees of SEV-SNP are enforced through the
Reverse Map Table (RMP). Each RMP entry contains the GPA at which a
particular page of DRAM should be mapped. The guest can request the
hypervisor to add pages in the RMP
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Create a function that can be used to determine if VM is running as an
SEV-SNP guest.
Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd
From: Michael Roth
CPUID instructions are issued during early boot to do things like probe
for SEV support. Currently these are handled by a minimal #VC handler
that uses the MSR-based GHCB protocol to fetch the CPUID values from
the hypervisor. When SEV-SNP is enabled, use the
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
An SEV-SNP guest requires that private memory (aka pages mapped encrypted)
must be validated before being accessed.
The validation process consists of the following sequence:
1) Set the memory encryption attribute in the page table (aka
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Platform features and capabilities are traditionally discovered via the
CPUID instruction. Hypervisors typically trap and emulate the CPUID
instruction for a variety of reasons. There are some cases where incorrect
CPUID information can
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
In preparation for SEV-SNP support move clearing of the GHCB memory from
the ResetVector/AmdSev.asm to SecMain/AmdSev.c. The GHCB page is not
accessed until SevEsProtocolCheck() switches to the full GHCB. So, the move
does not make any changes in
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
During the SNP guest launch sequence, a special secrets page needs to be
inserted by the VMM. The PSP will populate the page; it will contain the
VM Platform Communication Keys (VMPCKs) used by the guest to send and
receive secure messages to
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Move all the SEV-specific functions into AmdSev.c.
No functional change intended.
Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The OvmfPkgX86 build reserves memory regions in MEMFD. The memory regions
get accessed in the SEC phase. AMD SEV-SNP requires that the guest's
private memory be accepted or validated before access.
Introduce a Guided metadata structure that
---
Hi Ray,
Thanks for your reviews and continuous support; I have updated a couple of
patches to address your comments. As I said in my previous reply, I will be
working on a follow-up series to group some of those Sev
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
Move all the SEV-specific functions into AmdSev.c.
No functional change intended.
Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard
On Fri, Nov 12, 2021 at 16:16:01 +, Michael D Kinney wrote:
> Hi Andrew and Leif,
>
> Do you approve this patch for edk2-stable202111?
I'm fine with that one.
Regards,
Leif
> Thanks,
>
> Mike
>
>
> > -Original Message-
> > From: Gerd Hoffmann
> > Sent: Friday, November 12,
Hi Andrew and Leif,
Do you approve this patch for edk2-stable202111?
Thanks,
Mike
> -Original Message-
> From: Gerd Hoffmann
> Sent: Friday, November 12, 2021 2:04 AM
> To: Kinney, Michael D
> Cc: devel@edk2.groups.io; Ard Biesheuvel ; Yao,
> Jiewen
> Subject: Re: [Patch
On 11/11/21 7:53 PM, Ni, Ray wrote:
3 comments:
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
@@ -224,6 +224,7 @@ typedef struct {
BOOLEAN SevEsIsEnabled;
BOOLEAN SevSnpIsEnabled;
UINTN GhcbBase;
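Review bot: the hunk header `@@ -224,6 +224,7 @@` reports one added line, but none of the three quoted lines (`BOOLEAN SevEsIsEnabled;`, `BOOLEAN SevSnpIsEnabled;`, `UINTN GhcbBase;`) carries a `+` marker, so the new struct member cannot be identified from this excerpt; keep the `+`/`-` prefixes when quoting a hunk so the added field (presumably `SevSnpIsEnabled`) is unambiguous. Since the struct now carries two independent BOOLEAN flags for SEV-ES and SEV-SNP, a comment on the struct should state whether `SevSnpIsEnabled` implies `SevEsIsEnabled`, so callers do not have to guess which combinations are valid.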
Hi Ray,
Thank you for all your comments.
On 11/11/21 7:48 PM, Ni, Ray wrote:
1 comment:
Can you please group the SevEsIsEnabled/SevSnpIsEnabled to a "2 boolean" struct or just one UINT8 field "SevEsEnable"?
I think using the SevEsEnabled will create a bit more confusion. I can certainly
On 11/11/21 8:09 PM, Ni, Ray wrote:
Acked-by: Ray Ni
thanks!
3 comments:
1. It seems to me that the latest SevSnp doesn't need much special handling in the AP waking up flow.
Is there a plan to drop the old SevEs so that the MpInitLib logic can have a chance to be back to normal?
Adds a PrintFormatter function for the FADT flags field.
Prints individual flag names along with flag values.
Cc: Ray Ni
Cc: Zhichao Gao
Cc: Sami Mujawar
Signed-off-by: Abdul Lateef Attar
---
ShellPkg/Library/UefiShellAcpiViewCommandLib/Parsers/Fadt/FadtParser.c | 208
+++-
1
Hi,
Please help review the patch. If you have any concerns, please let me know.
-Original Message-
From: Jiang, Xiaolu
Sent: Wednesday, November 10, 2021 11:00 AM
To: devel@edk2.groups.io
Cc: Jiang, Xiaolu ; Feng, Bob C ;
Liming Gao ; Chen, Christine ;
Wu, Yidong
Subject: FW:
[Public]
Hi Heinrich,
Not able to attach the patch to the below Bugzilla link (yet to create
an account).
Hence attaching the patch with this mail.
Also find the reference branch link below.
https://github.com/abdattar/edk2-test/tree/X64_GCC_Compilation_fix
Thanks
Abdul
-Original
On Fri, 2021-11-12 at 01:27 +, Ni, Ray wrote:
[...]
> > +
> > + return (CurrentAttr == Attr);
>
> 2. I guess a "BOOLEAN" type cast is needed.
It shouldn't. Unless there's a major screw up in the way BOOLEAN works
in the UEFI API, all logic operations should already be of type BOOLEAN
and
On 11/11/21 7:27 PM, Ni, Ray wrote:
> 2 minor comments.
>
>> + switch (Attr) {
>> +case CCAttrAmdSev:
>> + return CurrentAttr >= CCAttrAmdSev;
>> +case CCAttrAmdSevEs:
>> + return CurrentAttr >= CCAttrAmdSevEs;
>> +case CCAttrAmdSevSnp:
>> + return CurrentAttr ==
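Review bot: the `CCAttrAmdSev` and `CCAttrAmdSevEs` cases test with `>=` while the `CCAttrAmdSevSnp` case tests with `==`, so the function's result depends on the CCAttr enumerators being declared in ascending order (Sev below SevEs below SevSnp); that ordering contract should be stated in a comment at the enum definition, or each case should compare explicitly against the enumerator values it accepts, so that adding a new enumerator later cannot silently change which attributes satisfy a check.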
https://github.com/tianocore/edk2/pull/2203 is created.
> -Original Message-
> From: Sheng, W
> Sent: Friday, November 12, 2021 1:12 PM
> To: Ni, Ray ; devel@edk2.groups.io
> Cc: Dong, Eric ; Kumar, Rahul1
> Subject: RE: [PATCH v4] UefiCpuPkg/PiSmmCpuDxeSmm: Use SMM Interrupt Shadow
>
Gao,
>
>INF UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
>
> + INF
> MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf
>
> + INF
> MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf
Sorry I might not
On Thu, Nov 11, 2021 at 11:49:23AM -0800, Michael D Kinney wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3731
>
> Fix VS2019 NOOPT build issues with OvmfPkg/Microvm/MicrovmX64.dsc
> by fixing typecast of MICROVM_GED_MMIO_BASE_REGS to a VOID *.
>
> Cc: Gerd Hoffmann
> Cc: Ard
Hi Min,
Thank you for all the updates. This patch series looks good to me.
Regards,
Sami Mujawar
On 11/11/2021, 00:23, "Min Xu" wrote:
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625
If Confidential Computing (Cc) firmware supports measurement and an
event is created,
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3729
Put ReportStatusCodeRouterRuntimeDxe and StatusCodeHandlerRuntimeDxe in
DXE Apriori list to enable DEBUG() via serial port through
PeiDxeDebugLibReportStatusCode DebugLib instance as early as possible.
Signed-off-by: Gao Cheng
Cc: Guo