From: Tom Lendacky
Under SEV-ES, a VMMCALL intercept generates a #VC exception. VMGEXIT must
be used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 35 +++
1 file changed, 35 insertions(+)
From: Tom Lendacky
Currently, the OVMF code relies on the hypervisor to enable the cache
support on the processor in order to improve the boot speed. However,
with SEV-ES, the hypervisor is not allowed to change the CR0 register
to enable caching.
Update the OVMF Sec support to enable caching
From: Tom Lendacky
Create a function that can be used to determine if the VM is running
as an SEV-ES guest.
Signed-off-by: Tom Lendacky
---
OvmfPkg/Include/Library/MemEncryptSevLib.h | 12 +++
.../MemEncryptSevLibInternal.c | 77 ---
2 files changed, 62
From: Tom Lendacky
Under SEV-ES, a MWAIT/MWAITX intercept generates a #VC exception.
VMGEXIT must be used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 29 +++
1 file changed, 29 insertions(+)
From: Tom Lendacky
Under SEV-ES, an RDTSCP intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 34 +++
1 file changed, 34 insertions(+)
From: Tom Lendacky
Under SEV-ES, an INVD intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 22 +++
1 file changed, 22 insertions(+)
From: Tom Lendacky
Under SEV-ES, a MSR_PROT intercept generates a #VC exception. VMGEXIT must
be used to allow the hypervisor to handle this intercept.
Add support to construct the required GHCB values to support an MSR_PROT
NAE event. Parse the instruction that generated the #VC exception to
From: Tom Lendacky
Allocate memory for the GHCB pages during SEV initialization for use
during Pei and Dxe phases. Since the GHCB pages must be mapped as shared
pages, modify CreateIdentityMappingPageTables() so that pagetable entries
are created without the encryption bit set.
Signed-off-by:
From: Tom Lendacky
VMGEXIT is a new instruction used for Hypervisor/Guest communication when
running as an SEV-ES guest. A VMGEXIT will cause an automatic exit (AE)
to occur, resulting in a #VMEXIT with an exit code value of 0x403.
To support VMGEXIT, define the VMGEXIT assembler routine to
From: Tom Lendacky
An SEV-ES guest will generate a #VC exception when it encounters a
non-automatic exit (NAE) event. It is expected that the #VC exception
handler will communicate with the hypervisor using the GHCB to handle
the NAE event.
Update the Pei and Dxe exception handling support to
From: Tom Lendacky
Add base support to handle #VC exceptions. This includes a stub routine
to invoke when a #VC exception occurs and special checks in the common
exception handlers to invoke the #VC exception handler routine.
Signed-off-by: Tom Lendacky
---
.../DxeCpuExceptionHandlerLib.inf
From: Tom Lendacky
This patch series provides support for running EDK2/OVMF under SEV-ES.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: System
From: Tom Lendacky
A GHCB page is needed during the Sec phase, so this new page must be
created. Since the GHCB must be marked as an un-encrypted, or shared,
page, an additional pagetable page is required to break down the 2MB
region where the GHCB page lives into 4K pagetable entries.
only be invoked when it is known that SEV-ES is active.
Thanks,
Tom
>
> Thanks,
> Ray
>
>> -Original Message-
>> From: Lendacky, Thomas
>> Sent: Monday, August 19, 2019 2:36 PM
>> To: devel@edk2.groups.io
>> Cc: Justen, Jordan L; Laszlo Ersek
From: Tom Lendacky
Under SEV-ES, a DR7 read or write intercept generates a #VC exception.
The #VC handler must provide special support to the guest for this. On
a DR7 write, the #VC handler must cache the value and issue a VMGEXIT
to notify the hypervisor of the write. However, the #VC handler
From: Tom Lendacky
A per-CPU implementation for holding values specific to a CPU when
running as an SEV-ES guest, specifically to hold the Debug Register
value. Allocate an extra page immediately after the GHCB page for each
AP.
Using the page after the GHCB ensures that it is unique per AP.
From: Tom Lendacky
When running as an SEV-ES guest in 32-bit mode, it is not possible to
perform a CPUID instruction because it will require communicating with
the hypervisor using the GHCB. However, writes to the GHCB when in
32-bit mode will be encrypted and thus not able to be read
From: Tom Lendacky
Typically, an AP is booted using the INIT-SIPI-SIPI sequence. This
sequence is intercepted by the hypervisor, which sets the AP's registers
to the values requested by the sequence. At that point, the hypervisor can
start the AP, which will then begin execution at the
From: Tom Lendacky
When starting APs in an SMP configuration, the AP needs to know if it is
running as an SEV-ES guest in order to assign a GHCB page.
Add a field to the CPU_MP_DATA structure that will indicate if SEV-ES is
active. This new field is set during MP library initialization with the
From: Tom Lendacky
Add support to the #VC exception handler to handle string IO. This
requires expanding the IO instruction parsing to recognize string based
IO instructions as well as preparing an un-encrypted buffer to be used
to transfer (either to or from the guest) the string contents for
From: Tom Lendacky
Under SEV-ES, a WBINVD intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 22 +++
1 file changed, 22 insertions(+)
From: Tom Lendacky
Under SEV-ES, a MONITOR/MONITORX intercept generates a #VC exception.
VMGEXIT must be used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 31 +++
1 file changed, 31
From: Tom Lendacky
Introduce a finalization routine to the MP library. This routine is
used at the end of UEFI before transferring control to the OS and allows
for SEV-ES related AP state and information to be communicated to the OS.
The APs will be parked using VMGEXIT AP Reset Hold and the
From: Tom Lendacky
Under SEV-ES, a CPUID intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Add support to construct the required GHCB values to support a CPUID NAE
event. Additionally, CPUID 0x_000d requires XCR0 to be supplied in
From: Tom Lendacky
An SEV-ES guest will generate a #VC exception when it encounters a
non-automatic exit (NAE) event. It is expected that the #VC exception
handler will communicate with the hypervisor using the GHCB to handle
the NAE event.
NAE events can occur during the Sec phase, so
From: Tom Lendacky
Under SEV-ES, an RDPMC intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 33 +++
1 file changed, 33 insertions(+)
From: Tom Lendacky
Under SEV-ES, an NPF intercept for an NPT entry with a reserved bit set
generates a #VC exception. This condition is assumed to be an MMIO access.
VMGEXIT must be used to allow the hypervisor to handle this intercept.
Add support to construct the required GHCB values to
From: Tom Lendacky
The SEV support will clear the C-bit from non-RAM areas. The early GDT
lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT
will be read as un-encrypted even though it is encrypted. This will result
in a failure to be able to handle the exception.
Move
From: Tom Lendacky
Under SEV-ES, an RDTSC intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Signed-off-by: Tom Lendacky
---
.../X64/AMDSevVcCommon.c | 30 +++
1 file changed, 30 insertions(+)
From: Tom Lendacky
Under SEV-ES, an IOIO_PROT intercept generates a #VC exception. VMGEXIT
must be used to allow the hypervisor to handle this intercept.
Add support to construct the required GHCB values to support an IOIO_PROT
NAE event. Parse the instruction that generated the #VC exception,
On 8/21/19 9:21 AM, Laszlo Ersek wrote:
> On 08/19/19 23:35, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> Currently, the OVMF code relies on the hypervisor to enable the cache
>> support on the processor in order to improve the boot speed. However,
>
On 8/21/19 9:25 AM, Laszlo Ersek via Groups.Io wrote:
> On 08/19/19 23:35, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> A GHCB page is needed during the Sec phase, so this new page must be
>> created. Since the GHCB must be marked as an un-encrypted, or sha
On 8/21/19 9:31 AM, Laszlo Ersek wrote:
> On 08/19/19 23:35, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> Allocate memory for the GHCB pages during SEV initialization for use
>> during Pei and Dxe phases. Since the GHCB pages must be mapped
On 8/22/19 9:12 AM, Laszlo Ersek wrote:
> On 08/21/19 23:42, Lendacky, Thomas wrote:
>> On 8/21/19 9:31 AM, Laszlo Ersek wrote:
>>> On 08/19/19 23:35, Lendacky, Thomas wrote:
>>>> From: Tom Lendacky
>>>>
>>>> Allocate memory for the GHCB p
On 9/19/19 2:52 PM, Lendacky, Thomas wrote:
> From: Tom Lendacky
>
> This patch series provides support for running EDK2/OVMF under SEV-ES.
I wanted to provide the full series so that everyone can see what is
involved with the support.
Providing multiple, smaller series of patc
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
A per-CPU implementation for holding values specific to a CPU when
running as an SEV-ES guest, specifically to hold the Debug Register
value. Allocate an extra page immediately after the GHCB page for each
AP.
Using the
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
During BSP startup, the reset vector code will issue a CPUID instruction
while in 32-bit mode. When running as an SEV-ES guest, this will trigger
a #VC exception.
Add exception handling support to the early reset vector
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
A GHCB page is needed during the Sec phase, so this new page must be
created. Since the GHCB must be marked as an un-encrypted, or shared,
page, an additional pagetable page is required to break down the 2MB
region
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Allocate memory for the GHCB pages during SEV initialization for use
during Pei and Dxe phases. The GHCB page(s) must be shared pages, so
clear the encryption mask from the current page table entries. Upon
successful
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
GHCB pages must be mapped as shared pages, so modify the process of
creating identity mapped pagetable entries so that GHCB entries are
created without the encryption bit set.
Cc: Jian J Wang
Cc: Hao A Wu
Cc: Dandan
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
To support issuing a VMGEXIT instruction, create a library that can be
used to perform GHCB and VMGEXIT related operations and to issue the
actual VMGEXIT instruction when using the GHCB.
Cc: Eric Dong
Cc: Ray Ni
Cc:
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
For SEV-ES, the GHCB page address is stored in the GHCB MSR register
(0xc0010130). Define the register and the format used for register
during GHCB protocol negotiation.
Cc: Michael D Kinney
Cc: Liming Gao
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
The SEV support will clear the C-bit from non-RAM areas. The early GDT
lives in a non-RAM area, so when an exception occurs (like a #VC) the GDT
will be read as un-encrypted even though it is encrypted. This will result
From: Tom Lendacky
Protect the memory used by an SEV-ES guest when S3 is supported. This
includes the page table used to break down the 2MB page that contains
the GHCB so that it can be marked un-encrypted, as well as the GHCB
area.
Regarding the lifecycle of the GHCB-related memory areas:
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
VMGEXIT is a new instruction used for Hypervisor/Guest communication when
running as an SEV-ES guest. A VMGEXIT will cause an automatic exit (AE)
to occur, resulting in a #VMEXIT with an exit code value of 0x403.
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, an RDPMC intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
An SEV-ES guest will generate a #VC exception when it encounters a
non-automatic exit (NAE) event. It is expected that the #VC exception
handler will communicate with the hypervisor using the GHCB to handle
the NAE
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, a MSR_PROT intercept generates a #VC exception. VMGEXIT must
be used to allow the hypervisor to handle this intercept.
Add support to construct the required GHCB values to support an MSR_PROT
NAE event.
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, an IOIO_PROT intercept generates a #VC exception. VMGEXIT
must be used to allow the hypervisor to handle this intercept.
Add support to construct the required GHCB values to support an IOIO_PROT
NAE event.
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, a CPUID intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Add support to construct the required GHCB values to support a CPUID NAE
event.
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
The GHCB is used by an SEV-ES guest for communicating between the guest
and the hypervisor. Create the GHCB definition as defined by the GHCB
protocol definition.
Cc: Michael D Kinney
Cc: Liming Gao
Signed-off-by: Tom
From: Tom Lendacky
This patch series provides support for running EDK2/OVMF under SEV-ES.
Secure Encrypted Virtualization - Encrypted State (SEV-ES) expands on the
SEV support to protect the guest register state from the hypervisor. See
"AMD64 Architecture Programmer's Manual Volume 2: System
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Create a function that can be used to determine if the VM is running
as an SEV-ES guest.
Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Three new PCDs are needed to support SEV-ES under OVMF:
- PcdSevEsActive: BOOLEAN value used to indicate if SEV-ES is active
- PcdGhcbBase: UINT64 value that is the base address of the GHCB
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Add support to the #VC exception handler to handle string IO. This
requires expanding the IO instruction parsing to recognize string based
IO instructions as well as preparing an un-encrypted buffer to be used
to
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Currently, the OVMF code relies on the hypervisor to enable the cache
support on the processor in order to improve the boot speed. However,
with SEV-ES, the hypervisor is not allowed to change the CR0 register
to enable
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, an NPF intercept for an NPT entry with a reserved bit set
generates a #VC exception. This condition is assumed to be an MMIO access.
VMGEXIT must be used to allow the hypervisor to handle this intercept.
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
The SEC phase of OVMF will need access to the MemEncryptSevLib library,
so make the library available during SEC.
Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, an RDTSC intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Add base support to handle #VC exceptions. This includes a stub routine
to invoke when a #VC exception occurs and special checks in the common
exception handlers to invoke the #VC exception handler routine.
Cc: Eric
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, a WBINVD intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
When SEV-ES is active, then SEV is also active. Add support to the SEV
initialization function to also check for SEV-ES being active. If SEV-ES
is active, set the SEV-ES active PCD (PcdSevEsActive).
Cc: Jordan Justen
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, an INVD intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, an RDTSCP intercept generates a #VC exception. VMGEXIT must be
used to allow the hypervisor to handle this intercept.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
When starting APs in an SMP configuration, the AP needs to know if it is
running as an SEV-ES guest in order to assign a GHCB page.
Add a field to the CPU_MP_DATA structure that will indicate if SEV-ES is
active. This
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Typically, an AP is booted using the INIT-SIPI-SIPI sequence. This
sequence is intercepted by the hypervisor, which sets the AP's registers
to the values requested by the sequence. At that point, the hypervisor can
start
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
A hypervisor is not allowed to update an SEV-ES guest's register state,
so when booting an SEV-ES guest AP, the hypervisor is not allowed to
set the RIP to the guest requested value. Instead, an SEV-ES AP must be
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Expand the CPU protocol to include a finalization function that can be
used to perform any final AP processing or AP environment setup before
transferring control over to an OS.
Cc: Michael D Kinney
Cc: Liming Gao
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, a MONITOR/MONITORX intercept generates a #VC exception.
VMGEXIT must be used to allow the hypervisor to handle this intercept.
Cc: Eric Dong
Cc: Ray Ni
Cc: Laszlo Ersek
Signed-off-by: Tom Lendacky
---
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, a DR7 read or write intercept generates a #VC exception.
The #VC handler must provide special support to the guest for this. On
a DR7 write, the #VC handler must cache the value and issue a VMGEXIT
to
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
A hypervisor is not allowed to update an SEV-ES guest's register state,
so when booting an SEV-ES guest AP, the hypervisor is not allowed to
set the RIP to the guest requested value. Instead, an SEV-ES AP must be
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
SEV-ES guest AP boot support needs to transition from 64-bit long mode
into 16-bit real mode. This will require a 16-bit code segment descriptor.
Reserve one of the spare segment descriptors (0x28) for this purpose.
Cc:
From: Tom Lendacky
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
Under SEV-ES, a CPUID instruction requires the current value of the XCR0
register. In order to retrieve that value, the XGETBV instruction needs
to be executed.
Provide the necessary support to execute the XGETBV
On 9/26/19 3:17 AM, Laszlo Ersek wrote:
> On 09/19/19 21:52, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> A per-CPU implementation for holding values specific to a CPU when
>> running a
On 9/26/19 3:00 AM, Laszlo Ersek wrote:
> Hi Tom,
>
> On 09/19/19 21:52, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> Allocate memory for the GHCB pages during SEV initialization for use
Thanks,
Tom
>
> Thanks,
> Eric
>
>> -Original Message-
>> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of
>> Lendacky, Thomas
>> Sent: Saturday, September 21, 2019 3:25 AM
>> To: devel@edk2.groups.io
>> Cc: Justen, Jorda
On 9/24/19 6:59 AM, Laszlo Ersek wrote:
> On 09/19/19 21:52, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> When SEV-ES is active, then SEV is also active. Add support to the SEV
>> initializ
On 10/2/19 5:23 AM, Laszlo Ersek wrote:
> After the discussion elsewhere in this patch thread, which related to
> commit messages, and patch order in the series, I can make a few coding
> style comments on the patch. (No change to functionality.)
>
> On 09/19/19 21:52, Lendack
On 10/2/19 6:51 AM, Laszlo Ersek wrote:
> A few more comments:
>
> On 09/19/19 21:52, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> A per-CPU implementation for holding values specific to a
On 10/2/19 7:05 AM, Laszlo Ersek via Groups.Io wrote:
> On 09/19/19 21:52, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> The SEV support will clear the C-bit from non-RAM areas. The early GDT
>
On 10/2/19 9:54 AM, Laszlo Ersek wrote:
> On 09/19/19 21:53, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> A hypervisor is not allowed to update an SEV-ES guest's register state,
>
On 10/2/19 10:26 AM, Laszlo Ersek wrote:
> On 10/02/19 17:15, Laszlo Ersek wrote:
>> Adding Phil.
>>
>> I'm looking at this patch only because one thing caught my attention in
>> the previous one, "OvmfPkg: Add support for SEV-ES AP reset vector
>> re-directi
On 10/2/19 7:30 AM, Laszlo Ersek via Groups.Io wrote:
> On 10/02/19 14:24, Laszlo Ersek wrote:
>> On 09/19/19 21:52, Lendacky, Thomas wrote:
>>> From: Tom Lendacky
>>>
>>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>>
On 9/30/19 1:52 PM, Laszlo Ersek via Groups.Io wrote:
> On 09/26/19 16:00, Lendacky, Thomas wrote:
>> On 9/26/19 3:00 AM, Laszlo Ersek wrote:
>>> Hi Tom,
>>>
>>> On 09/19/19 21:52, Lendacky, Thomas wrote:
>>>> From: Tom Lendacky
>>>>
On 9/30/19 2:12 PM, Laszlo Ersek wrote:
> On 09/26/19 16:00, Lendacky, Thomas wrote:
>> On 9/26/19 3:00 AM, Laszlo Ersek wrote:
>>> Hi Tom,
>>>
>>> On 09/19/19 21:52, Lendacky, Thomas wrote:
>>>> From: Tom Lendacky
>>>>
On 9/30/19 2:29 PM, Laszlo Ersek via Groups.Io wrote:
> On 09/24/19 20:57, Lendacky, Thomas wrote:
>> On 9/24/19 8:42 AM, Laszlo Ersek wrote:
>>> On 09/19/19 21:52, Lendacky, Thomas wrote:
>
>>>> +; Issue VMGEXIT (rep; vmmcall)
>>>> +db
On 9/24/19 8:42 AM, Laszlo Ersek wrote:
> On 09/19/19 21:52, Lendacky, Thomas wrote:
>> From: Tom Lendacky
>>
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> During BSP startup, the reset vector code will issue a CPUID instruction
>> while
On 11/22/19 10:06 AM, Laszlo Ersek wrote:
On 11/21/19 23:49, Tom Lendacky wrote:
On 11/21/19 1:27 PM, Laszlo Ersek wrote:
On 11/20/19 21:06, Lendacky, Thomas wrote:
+; sevEsResetBlock:
+; For the initial boot of an AP under SEV-ES, the "reset" RIP must be
+; programmed to th
On 11/22/19 6:52 AM, Laszlo Ersek wrote:
On 11/21/19 21:46, Tom Lendacky wrote:
On 11/21/19 6:06 AM, Laszlo Ersek wrote:
On 11/20/19 21:06, Lendacky, Thomas wrote:
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
On 11/22/19 3:10 PM, Laszlo Ersek wrote:
On 11/22/19 17:30, Tom Lendacky wrote:
On 11/22/19 6:52 AM, Laszlo Ersek wrote:
On 11/21/19 21:46, Tom Lendacky wrote:
On 11/21/19 6:06 AM, Laszlo Ersek wrote:
On 11/20/19 21:06, Lendacky, Thomas wrote:
@@ -737,6 +738,21 @@ SecCoreStartupWithStack
On 11/21/19 5:15 AM, Laszlo Ersek via Groups.Io wrote:
> On 11/20/19 21:06, Lendacky, Thomas wrote:
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> To support issuing a VMGEXIT instruction, create a library that can be
>> used to perform GHCB and
pec defined PPIs and protocols are allowed in MdePkg.
Thanks for the heads up on this. Let's see if there's any feedback over
email or in the design meeting over what would be the best approach to
take and go from there.
Thanks,
Tom
>
> Regards,
> Nate
>
> -Original Message
On 11/21/19 6:31 AM, Laszlo Ersek via Groups.Io wrote:
> On 11/20/19 21:06, Lendacky, Thomas wrote:
>> The flash detection routine will attempt to determine how the flash
>> device behaves (e.g. ROM, RAM, Flash). But when SEV-ES is enabled and
>> the flash device behaves as
On 11/21/19 6:06 AM, Laszlo Ersek wrote:
> On 11/20/19 21:06, Lendacky, Thomas wrote:
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
>>
>> An SEV-ES guest will generate a #VC exception when it encounters a
>> non-automatic exit (NAE) event. It is expe
On 11/21/19 1:27 PM, Laszlo Ersek wrote:
> On 11/20/19 21:06, Lendacky, Thomas wrote:
>> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2198
On 12/10/19 2:09 AM, Ni, Ray wrote:
> Tom,
> I may not be in the discuss mailing list. Liming forwarded your request to me.
> Sorry I acked so late.
>
> This week's open design meeting is vacant. Is that still your plan to use
> this week's open design meeting to discuss SEV-ES?
Yes, I would like
protocol for registering the jump page, I can leave the GHCB MSR
intact. Just a concept at the moment, but it may be possible.
Thanks,
Tom
>
>> -Original Message-
>> From: Lendacky, Thomas
>> Sent: Friday, September 20, 2019 3:53 AM
>> To: devel@edk2.groups.io
>
On 12/10/19 9:04 PM, Ni, Ray wrote:
> Can you please have your slides ready in
>
On 12/12/19 12:54 AM, Ni, Ray wrote:
>> + // Allocate GHCB and per-CPU variable pages.
>> + //
>> + GhcbPageCount = mMaxCpuCount * 2;
>> + GhcbBase = AllocatePages (GhcbPageCount);
>> + ASSERT (GhcbBase != NULL);
>> +
>> + GhcbBasePa = (PHYSICAL_ADDRESS)(UINTN) GhcbBase;
>> +
>> +
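Review bot: the allocation result is only validated with `ASSERT (GhcbBase != NULL)`, which compiles out in RELEASE builds, so a failed `AllocatePages (GhcbPageCount)` would go unnoticed and `GhcbBasePa` would be derived from a NULL pointer before the pages are later shared with the hypervisor; add an explicit NULL check that returns an error status (or halts) ahead of the `(PHYSICAL_ADDRESS)(UINTN) GhcbBase` conversion.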
On 12/12/19 12:53 AM, Ni, Ray wrote:
> Tom,
> Why are all DR registers not pushed to the stack in the VC handler?
> I thought only DR7 pushing is skipped.
It was probably just to be on the safe side in case the hypervisor didn't
remove the intercept for them. And since none of the other debug registers