Re: [edk2-devel] [RFC PATCH 05/28] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase

2019-08-23 Thread Laszlo Ersek
On 08/22/19 17:24, Lendacky, Thomas wrote:
> On 8/22/19 9:12 AM, Laszlo Ersek wrote:
>> On 08/21/19 23:42, Lendacky, Thomas wrote:
>>> On 8/21/19 9:31 AM, Laszlo Ersek wrote:
>>>> On 08/19/19 23:35, Lendacky, Thomas wrote:
>>>>> From: Tom Lendacky 
>>>>>
>>>>> Allocate memory for the GHCB pages during SEV initialization for use
>>>>> during Pei and Dxe phases. Since the GHCB pages must be mapped as shared
>>>>> pages, modify CreateIdentityMappingPageTables() so that pagetable entries
>>>>> are created without the encryption bit set.
>>>>>
>>>>> Signed-off-by: Tom Lendacky 
>>>>> ---
>>>>>  UefiCpuPkg/UefiCpuPkg.dec |  4 ++
>>>>>  OvmfPkg/OvmfPkgX64.dsc|  4 ++
>>>>>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf   |  3 +
>>>>>  OvmfPkg/PlatformPei/PlatformPei.inf   |  2 +
>>>>>  .../Core/DxeIplPeim/X64/VirtualMemory.h   | 12 +++-
>>>>>  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c|  4 +-
>>>>>  .../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +++-
>>>>>  .../Core/DxeIplPeim/X64/VirtualMemory.c   | 49 ++
>>>>>  .../MemEncryptSevLibInternal.c|  1 -
>>>>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.c  | 33 --
>>>>>  OvmfPkg/PlatformPei/AmdSev.c  | 64 +++
>>>>>  11 files changed, 164 insertions(+), 23 deletions(-)
>>>>
>>>> Should be split to at least four patches (UefiCpuPkg, MdeModulePkg,
>>>> OvmfPkg/BaseMemEncryptSevLib, OvmfPkg/PlatformPei).
>>>>
>>>> In addition, MdeModulePkg content must not depend on UefiCpuPkg content
>>>> -- if modules under both packages need to consume a new PCD, then the
>>>> PCD should be declared under MdeModulePkg. The rough dependency order is:
>>>>
>>>> - MdePkg (must be self-contained)
>>>> - MdeModulePkg (may consume MdePkg)
>>>> - UefiCpuPkg (may consume everything above, to my knowledge)
>>>> - OvmfPkg (may consume everything above)

>>>
>>> Ok, thanks for the guidance.
>>>
>>> Ideally, I just would like to modify the newly created page tables after
>>> the call to CreateIdentityMappingPageTables() in MdeModulePkg/Core/
>>> DxeIplPeim/Ia32/DxeLoadFunc.c. Is there a preferred way to add a listener
>>> or callback or notification service so that the main changes would be
>>> limited to the OvmfPkg files and would that be acceptable?
>>
>> * https://bugzilla.tianocore.org/show_bug.cgi?id=623
>>
>>   Reported on 2017-07-07, resolved as WONTFIX on 2019-07-30 ("no
>>   resources").
>>
>>   And it's not like patches had not been proposed -- Leo had implemented
>>   a notification service --; they were rejected.
>>
>> * https://bugzilla.tianocore.org/show_bug.cgi?id=847
>>
>>   Reported on 2018-01-11, marked "not high priority" as of 2019-07-23.
>>
>> I don't know what to tell you. While nobody seems to disagree with the
>> necessity of such a service and/or library, core maintainers have
>> rejected all the code proposals thus far (= "don't do that"). And I'm
>> unaware of any constructive guidance (= "do this instead").
> 
> This isn't on the level of a "notify every time something changes" type
> of thing. This is more of a "hey, we built some new pagetables and are
> about to make them active, but before we do have a look and change what
> you think should be changed."
> 
> With that, I'd be able to remove the GhcbBase and GhcbSize that are
> propagated on the ToSplit and Split functions.
> 
> I'll take a look and see what it would look like and go from there.

Maybe not the same kind of notification pattern (and the event
triggering the notification could be different), but the point is the
same -- the platform would like the core to call it back at various
stages / points of page table manipulation. How we implement that, is
"details" (edk2-specific (and versioned) protocol, provided by the
platform and called by the core; versus separate event groups, signaled
by the core; versus custom lib class, implemented by the platform;
versus custom status codes reported by the core; etc). What's important
is for core maintainers to finally accept that the facility *as such* is
needed.

> 
>>
>> I suggest filing a Feature Request BZ for SEV-ES enablement (for
>> OvmfPkg), and referencing that as "dependent bug" in both of the
>> above-mentioned BZs. It might also help to dial in to the APAC/NAMO
>> design / bug triage meeting, and campaign for the feature there.
> 
> Yes, I need to file that Feature Request BZ anyway.

Thanks.
Laszlo

>>
>> https://github.com/tianocore/tianocore.github.io/wiki/Bug-Triage
>>
>> I have a bad track record at convincing core maintainers to do what they
>> don't want to do. And I see escalating such problems from email to phone
>> as a work-around, sort of "wear down your opponent by sheer
>> persistence". So I avoid that. But, I've seen the approach work for
>> others, so you might have better luck.
>>
>> (The APAC/NAMO call is also at a bad time for 

Re: [edk2-devel] [RFC PATCH 05/28] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase

2019-08-22 Thread Lendacky, Thomas
On 8/22/19 9:12 AM, Laszlo Ersek wrote:
> On 08/21/19 23:42, Lendacky, Thomas wrote:
>> On 8/21/19 9:31 AM, Laszlo Ersek wrote:
>>> On 08/19/19 23:35, Lendacky, Thomas wrote:
>>>> From: Tom Lendacky 
>>>>
>>>> Allocate memory for the GHCB pages during SEV initialization for use
>>>> during Pei and Dxe phases. Since the GHCB pages must be mapped as shared
>>>> pages, modify CreateIdentityMappingPageTables() so that pagetable entries
>>>> are created without the encryption bit set.
>>>>
>>>> Signed-off-by: Tom Lendacky 
>>>> ---
>>>>  UefiCpuPkg/UefiCpuPkg.dec |  4 ++
>>>>  OvmfPkg/OvmfPkgX64.dsc|  4 ++
>>>>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf   |  3 +
>>>>  OvmfPkg/PlatformPei/PlatformPei.inf   |  2 +
>>>>  .../Core/DxeIplPeim/X64/VirtualMemory.h   | 12 +++-
>>>>  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c|  4 +-
>>>>  .../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +++-
>>>>  .../Core/DxeIplPeim/X64/VirtualMemory.c   | 49 ++
>>>>  .../MemEncryptSevLibInternal.c|  1 -
>>>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.c  | 33 --
>>>>  OvmfPkg/PlatformPei/AmdSev.c  | 64 +++
>>>>  11 files changed, 164 insertions(+), 23 deletions(-)
>>>
>>> Should be split to at least four patches (UefiCpuPkg, MdeModulePkg,
>>> OvmfPkg/BaseMemEncryptSevLib, OvmfPkg/PlatformPei).
>>>
>>> In addition, MdeModulePkg content must not depend on UefiCpuPkg content
>>> -- if modules under both packages need to consume a new PCD, then the
>>> PCD should be declared under MdeModulePkg. The rough dependency order is:
>>>
>>> - MdePkg (must be self-contained)
>>> - MdeModulePkg (may consume MdePkg)
>>> - UefiCpuPkg (may consume everything above, to my knowledge)
>>> - OvmfPkg (may consume everything above)
>>>
>>
>> Ok, thanks for the guidance.
>>
>> Ideally, I just would like to modify the newly created page tables after
>> the call to CreateIdentityMappingPageTables() in MdeModulePkg/Core/
>> DxeIplPeim/Ia32/DxeLoadFunc.c. Is there a preferred way to add a listener
>> or callback or notification service so that the main changes would be
>> limited to the OvmfPkg files and would that be acceptable?
> 
> * https://bugzilla.tianocore.org/show_bug.cgi?id=623
> 
>   Reported on 2017-07-07, resolved as WONTFIX on 2019-07-30 ("no
>   resources").
> 
>   And it's not like patches had not been proposed -- Leo had implemented
>   a notification service --; they were rejected.
> 
> * https://bugzilla.tianocore.org/show_bug.cgi?id=847
> 
>   Reported on 2018-01-11, marked "not high priority" as of 2019-07-23.
> 
> I don't know what to tell you. While nobody seems to disagree with the
> necessity of such a service and/or library, core maintainers have
> rejected all the code proposals thus far (= "don't do that"). And I'm
> unaware of any constructive guidance (= "do this instead").

This isn't on the level of a "notify every time something changes" type
of thing. This is more of a "hey, we built some new pagetables and are
about to make them active, but before we do have a look and change what
you think should be changed."

With that, I'd be able to remove the GhcbBase and GhcbSize that are
propagated on the ToSplit and Split functions.

I'll take a look and see what it would look like and go from there.

> 
> I suggest filing a Feature Request BZ for SEV-ES enablement (for
> OvmfPkg), and referencing that as "dependent bug" in both of the
> above-mentioned BZs. It might also help to dial in to the APAC/NAMO
> design / bug triage meeting, and campaign for the feature there.

Yes, I need to file that Feature Request BZ anyway.

Thanks,
Tom

> 
> https://github.com/tianocore/tianocore.github.io/wiki/Bug-Triage
> 
> I have a bad track record at convincing core maintainers to do what they
> don't want to do. And I see escalating such problems from email to phone
> as a work-around, sort of "wear down your opponent by sheer
> persistence". So I avoid that. But, I've seen the approach work for
> others, so you might have better luck.
> 
> (The APAC/NAMO call is also at a bad time for me, in UTC+1 / UTC+2.)
> 
> I think the present RFC patches are a good way to re-raise these topics.
> 
> Laszlo
> 

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#46216): https://edk2.groups.io/g/devel/message/46216
Mute This Topic: https://groups.io/mt/32966270/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [edk2-devel] [RFC PATCH 05/28] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase

2019-08-22 Thread Laszlo Ersek
On 08/21/19 23:42, Lendacky, Thomas wrote:
> On 8/21/19 9:31 AM, Laszlo Ersek wrote:
>> On 08/19/19 23:35, Lendacky, Thomas wrote:
>>> From: Tom Lendacky 
>>>
>>> Allocate memory for the GHCB pages during SEV initialization for use
>>> during Pei and Dxe phases. Since the GHCB pages must be mapped as shared
>>> pages, modify CreateIdentityMappingPageTables() so that pagetable entries
>>> are created without the encryption bit set.
>>>
>>> Signed-off-by: Tom Lendacky 
>>> ---
>>>  UefiCpuPkg/UefiCpuPkg.dec |  4 ++
>>>  OvmfPkg/OvmfPkgX64.dsc|  4 ++
>>>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf   |  3 +
>>>  OvmfPkg/PlatformPei/PlatformPei.inf   |  2 +
>>>  .../Core/DxeIplPeim/X64/VirtualMemory.h   | 12 +++-
>>>  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c|  4 +-
>>>  .../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +++-
>>>  .../Core/DxeIplPeim/X64/VirtualMemory.c   | 49 ++
>>>  .../MemEncryptSevLibInternal.c|  1 -
>>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.c  | 33 --
>>>  OvmfPkg/PlatformPei/AmdSev.c  | 64 +++
>>>  11 files changed, 164 insertions(+), 23 deletions(-)
>>
>> Should be split to at least four patches (UefiCpuPkg, MdeModulePkg,
>> OvmfPkg/BaseMemEncryptSevLib, OvmfPkg/PlatformPei).
>>
>> In addition, MdeModulePkg content must not depend on UefiCpuPkg content
>> -- if modules under both packages need to consume a new PCD, then the
>> PCD should be declared under MdeModulePkg. The rough dependency order is:
>>
>> - MdePkg (must be self-contained)
>> - MdeModulePkg (may consume MdePkg)
>> - UefiCpuPkg (may consume everything above, to my knowledge)
>> - OvmfPkg (may consume everything above)
>>
> 
> Ok, thanks for the guidance.
> 
> Ideally, I just would like to modify the newly created page tables after
> the call to CreateIdentityMappingPageTables() in MdeModulePkg/Core/
> DxeIplPeim/Ia32/DxeLoadFunc.c. Is there a preferred way to add a listener
> or callback or notification service so that the main changes would be
> limited to the OvmfPkg files and would that be acceptable?

* https://bugzilla.tianocore.org/show_bug.cgi?id=623

  Reported on 2017-07-07, resolved as WONTFIX on 2019-07-30 ("no
  resources").

  And it's not like patches had not been proposed -- Leo had implemented
  a notification service --; they were rejected.

* https://bugzilla.tianocore.org/show_bug.cgi?id=847

  Reported on 2018-01-11, marked "not high priority" as of 2019-07-23.

I don't know what to tell you. While nobody seems to disagree with the
necessity of such a service and/or library, core maintainers have
rejected all the code proposals thus far (= "don't do that"). And I'm
unaware of any constructive guidance (= "do this instead").

I suggest filing a Feature Request BZ for SEV-ES enablement (for
OvmfPkg), and referencing that as "dependent bug" in both of the
above-mentioned BZs. It might also help to dial in to the APAC/NAMO
design / bug triage meeting, and campaign for the feature there.

https://github.com/tianocore/tianocore.github.io/wiki/Bug-Triage

I have a bad track record at convincing core maintainers to do what they
don't want to do. And I see escalating such problems from email to phone
as a work-around, sort of "wear down your opponent by sheer
persistence". So I avoid that. But, I've seen the approach work for
others, so you might have better luck.

(The APAC/NAMO call is also at a bad time for me, in UTC+1 / UTC+2.)

I think the present RFC patches are a good way to re-raise these topics.

Laszlo

View/Reply Online (#46213): https://edk2.groups.io/g/devel/message/46213



Re: [edk2-devel] [RFC PATCH 05/28] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase

2019-08-21 Thread Lendacky, Thomas
On 8/21/19 9:31 AM, Laszlo Ersek wrote:
> On 08/19/19 23:35, Lendacky, Thomas wrote:
>> From: Tom Lendacky 
>>
>> Allocate memory for the GHCB pages during SEV initialization for use
>> during Pei and Dxe phases. Since the GHCB pages must be mapped as shared
>> pages, modify CreateIdentityMappingPageTables() so that pagetable entries
>> are created without the encryption bit set.
>>
>> Signed-off-by: Tom Lendacky 
>> ---
>>  UefiCpuPkg/UefiCpuPkg.dec |  4 ++
>>  OvmfPkg/OvmfPkgX64.dsc|  4 ++
>>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf   |  3 +
>>  OvmfPkg/PlatformPei/PlatformPei.inf   |  2 +
>>  .../Core/DxeIplPeim/X64/VirtualMemory.h   | 12 +++-
>>  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c|  4 +-
>>  .../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +++-
>>  .../Core/DxeIplPeim/X64/VirtualMemory.c   | 49 ++
>>  .../MemEncryptSevLibInternal.c|  1 -
>>  .../BaseMemEncryptSevLib/X64/VirtualMemory.c  | 33 --
>>  OvmfPkg/PlatformPei/AmdSev.c  | 64 +++
>>  11 files changed, 164 insertions(+), 23 deletions(-)
> 
> Should be split to at least four patches (UefiCpuPkg, MdeModulePkg,
> OvmfPkg/BaseMemEncryptSevLib, OvmfPkg/PlatformPei).
> 
> In addition, MdeModulePkg content must not depend on UefiCpuPkg content
> -- if modules under both packages need to consume a new PCD, then the
> PCD should be declared under MdeModulePkg. The rough dependency order is:
> 
> - MdePkg (must be self-contained)
> - MdeModulePkg (may consume MdePkg)
> - UefiCpuPkg (may consume everything above, to my knowledge)
> - OvmfPkg (may consume everything above)
> 

Ok, thanks for the guidance.

Ideally, I just would like to modify the newly created page tables after
the call to CreateIdentityMappingPageTables() in MdeModulePkg/Core/
DxeIplPeim/Ia32/DxeLoadFunc.c. Is there a preferred way to add a listener
or callback or notification service so that the main changes would be
limited to the OvmfPkg files and would that be acceptable?

Thanks,
Tom

> Thanks
> Laszlo
> 
>>
>> diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec
>> index 6ddf0cd22466..4d5a2593cf13 100644
>> --- a/UefiCpuPkg/UefiCpuPkg.dec
>> +++ b/UefiCpuPkg/UefiCpuPkg.dec
>> @@ -323,5 +323,9 @@ [PcdsDynamic, PcdsDynamicEx]
>># @ValidRange  0x8001 | 0 - 1
>>gUefiCpuPkgTokenSpaceGuid.PcdCpuProcTraceOutputScheme|0x0|UINT8|0x6015
>>  
>> +  ## Contains the GHCB page allocation information.
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase|0x0|UINT64|0x6016
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize|0x0|UINT64|0x6017
>> +
>>  [UserExtensions.TianoCore."ExtraFiles"]
>>UefiCpuPkgExtra.uni
>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>> index dda8dac18441..d6fc7cdf7da8 100644
>> --- a/OvmfPkg/OvmfPkgX64.dsc
>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>> @@ -569,6 +569,10 @@ [PcdsDynamicDefault]
>># Set memory encryption mask
>>gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
>>  
>> +  # Set GHCB base address for SEV-ES
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase|0x0
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize|0x0
>> +
>>  !if $(SMM_REQUIRE) == TRUE
>>gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8
>>gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01
>> diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf 
>> b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>> index abc3217b0179..b994398633e3 100644
>> --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>> +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
>> @@ -52,6 +52,7 @@ [Sources.ARM, Sources.AARCH64]
>>  [Packages]
>>MdePkg/MdePkg.dec
>>MdeModulePkg/MdeModulePkg.dec
>> +  UefiCpuPkg/UefiCpuPkg.dec
>>  
>>  [Packages.ARM, Packages.AARCH64]
>>ArmPkg/ArmPkg.dec
>> @@ -110,6 +111,8 @@ [Pcd.IA32,Pcd.X64]
>>gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask## 
>> CONSUMES
>>gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask   ## 
>> CONSUMES
>>gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard   ## 
>> CONSUMES
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase ## 
>> CONSUMES
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize ## 
>> CONSUMES
>>  
>>  [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
>>gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack   ## 
>> SOMETIMES_CONSUMES
>> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
>> b/OvmfPkg/PlatformPei/PlatformPei.inf
>> index aed1f64b7c93..f53195e6dda5 100644
>> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
>> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
>> @@ -102,6 +102,8 @@ [Pcd]
>>gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber
>>gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds
>>gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase
>> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize
>>  
>>  

Re: [edk2-devel] [RFC PATCH 05/28] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase

2019-08-21 Thread Laszlo Ersek
On 08/19/19 23:35, Lendacky, Thomas wrote:
> From: Tom Lendacky 
> 
> Allocate memory for the GHCB pages during SEV initialization for use
> during Pei and Dxe phases. Since the GHCB pages must be mapped as shared
> pages, modify CreateIdentityMappingPageTables() so that pagetable entries
> are created without the encryption bit set.
> 
> Signed-off-by: Tom Lendacky 
> ---
>  UefiCpuPkg/UefiCpuPkg.dec |  4 ++
>  OvmfPkg/OvmfPkgX64.dsc|  4 ++
>  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf   |  3 +
>  OvmfPkg/PlatformPei/PlatformPei.inf   |  2 +
>  .../Core/DxeIplPeim/X64/VirtualMemory.h   | 12 +++-
>  .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c|  4 +-
>  .../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +++-
>  .../Core/DxeIplPeim/X64/VirtualMemory.c   | 49 ++
>  .../MemEncryptSevLibInternal.c|  1 -
>  .../BaseMemEncryptSevLib/X64/VirtualMemory.c  | 33 --
>  OvmfPkg/PlatformPei/AmdSev.c  | 64 +++
>  11 files changed, 164 insertions(+), 23 deletions(-)

Should be split to at least four patches (UefiCpuPkg, MdeModulePkg,
OvmfPkg/BaseMemEncryptSevLib, OvmfPkg/PlatformPei).

In addition, MdeModulePkg content must not depend on UefiCpuPkg content
-- if modules under both packages need to consume a new PCD, then the
PCD should be declared under MdeModulePkg. The rough dependency order is:

- MdePkg (must be self-contained)
- MdeModulePkg (may consume MdePkg)
- UefiCpuPkg (may consume everything above, to my knowledge)
- OvmfPkg (may consume everything above)

Thanks
Laszlo

> 
> diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec
> index 6ddf0cd22466..4d5a2593cf13 100644
> --- a/UefiCpuPkg/UefiCpuPkg.dec
> +++ b/UefiCpuPkg/UefiCpuPkg.dec
> @@ -323,5 +323,9 @@ [PcdsDynamic, PcdsDynamicEx]
># @ValidRange  0x8001 | 0 - 1
>gUefiCpuPkgTokenSpaceGuid.PcdCpuProcTraceOutputScheme|0x0|UINT8|0x6015
>  
> +  ## Contains the GHCB page allocation information.
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase|0x0|UINT64|0x6016
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize|0x0|UINT64|0x6017
> +
>  [UserExtensions.TianoCore."ExtraFiles"]
>UefiCpuPkgExtra.uni
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index dda8dac18441..d6fc7cdf7da8 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -569,6 +569,10 @@ [PcdsDynamicDefault]
># Set memory encryption mask
>gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
>  
> +  # Set GHCB base address for SEV-ES
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase|0x0
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize|0x0
> +
>  !if $(SMM_REQUIRE) == TRUE
>gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8
>gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01
> diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf 
> b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> index abc3217b0179..b994398633e3 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> +++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
> @@ -52,6 +52,7 @@ [Sources.ARM, Sources.AARCH64]
>  [Packages]
>MdePkg/MdePkg.dec
>MdeModulePkg/MdeModulePkg.dec
> +  UefiCpuPkg/UefiCpuPkg.dec
>  
>  [Packages.ARM, Packages.AARCH64]
>ArmPkg/ArmPkg.dec
> @@ -110,6 +111,8 @@ [Pcd.IA32,Pcd.X64]
>gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask## 
> CONSUMES
>gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask   ## 
> CONSUMES
>gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard   ## 
> CONSUMES
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase ## 
> CONSUMES
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize ## 
> CONSUMES
>  
>  [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
>gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack   ## 
> SOMETIMES_CONSUMES
> diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
> b/OvmfPkg/PlatformPei/PlatformPei.inf
> index aed1f64b7c93..f53195e6dda5 100644
> --- a/OvmfPkg/PlatformPei/PlatformPei.inf
> +++ b/OvmfPkg/PlatformPei/PlatformPei.inf
> @@ -102,6 +102,8 @@ [Pcd]
>gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber
>gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds
>gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase
> +  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize
>  
>  [FixedPcd]
>gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
> diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h 
> b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
> index 2d0493f109e8..6b7c38a441d6 100644
> --- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
> +++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
> @@ -201,6 +201,8 @@ EnableExecuteDisableBit (
>@param[in, out] PageEntry2M   Pointer to 2M page entry.
>@param[in]  StackBase Stack base address.
>@param[in]  StackSize  

[edk2-devel] [RFC PATCH 05/28] OvmfPkg: Create GHCB pages for use during Pei and Dxe phase

2019-08-20 Thread Lendacky, Thomas
From: Tom Lendacky 

Allocate memory for the GHCB pages during SEV initialization for use
during Pei and Dxe phases. Since the GHCB pages must be mapped as shared
pages, modify CreateIdentityMappingPageTables() so that pagetable entries
are created without the encryption bit set.

Signed-off-by: Tom Lendacky 
---
 UefiCpuPkg/UefiCpuPkg.dec |  4 ++
 OvmfPkg/OvmfPkgX64.dsc|  4 ++
 MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf   |  3 +
 OvmfPkg/PlatformPei/PlatformPei.inf   |  2 +
 .../Core/DxeIplPeim/X64/VirtualMemory.h   | 12 +++-
 .../Core/DxeIplPeim/Ia32/DxeLoadFunc.c|  4 +-
 .../Core/DxeIplPeim/X64/DxeLoadFunc.c | 11 +++-
 .../Core/DxeIplPeim/X64/VirtualMemory.c   | 49 ++
 .../MemEncryptSevLibInternal.c|  1 -
 .../BaseMemEncryptSevLib/X64/VirtualMemory.c  | 33 --
 OvmfPkg/PlatformPei/AmdSev.c  | 64 +++
 11 files changed, 164 insertions(+), 23 deletions(-)

diff --git a/UefiCpuPkg/UefiCpuPkg.dec b/UefiCpuPkg/UefiCpuPkg.dec
index 6ddf0cd22466..4d5a2593cf13 100644
--- a/UefiCpuPkg/UefiCpuPkg.dec
+++ b/UefiCpuPkg/UefiCpuPkg.dec
@@ -323,5 +323,9 @@ [PcdsDynamic, PcdsDynamicEx]
   # @ValidRange  0x8001 | 0 - 1
   gUefiCpuPkgTokenSpaceGuid.PcdCpuProcTraceOutputScheme|0x0|UINT8|0x6015
 
+  ## Contains the GHCB page allocation information.
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase|0x0|UINT64|0x6016
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize|0x0|UINT64|0x6017
+
 [UserExtensions.TianoCore."ExtraFiles"]
   UefiCpuPkgExtra.uni
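Review bot: declaring PcdGhcbBase/PcdGhcbSize in UefiCpuPkg.dec while the DxeIpl.inf hunk below makes MdeModulePkg/Core/DxeIplPeim consume them inverts the package layering (MdeModulePkg must not depend on UefiCpuPkg); declare them under gEfiMdeModulePkgTokenSpaceGuid in MdeModulePkg.dec, next to PcdPteMemoryEncryptionAddressOrMask, which already lives there for the same SEV purpose. The comment `## Contains the GHCB page allocation information.` should also state what the default of 0x0 means, since the DxeIpl page-table code will see that value on every platform without SEV-ES.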
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index dda8dac18441..d6fc7cdf7da8 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -569,6 +569,10 @@ [PcdsDynamicDefault]
   # Set memory encryption mask
   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0
 
+  # Set GHCB base address for SEV-ES
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase|0x0
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize|0x0
+
 !if $(SMM_REQUIRE) == TRUE
   gUefiOvmfPkgTokenSpaceGuid.PcdQ35TsegMbytes|8
   gUefiCpuPkgTokenSpaceGuid.PcdCpuSmmSyncMode|0x01
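Review bot: the comment `# Set GHCB base address for SEV-ES` only mentions the base, yet the block sets both base and size, and both values merely repeat the .dec defaults. Say what the entries are actually for (listing the PCDs under [PcdsDynamicDefault] makes them dynamic in this build so PlatformPei can set them at runtime), so a reader does not delete them as redundant.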
diff --git a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf 
b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
index abc3217b0179..b994398633e3 100644
--- a/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
+++ b/MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
@@ -52,6 +52,7 @@ [Sources.ARM, Sources.AARCH64]
 [Packages]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
+  UefiCpuPkg/UefiCpuPkg.dec
 
 [Packages.ARM, Packages.AARCH64]
   ArmPkg/ArmPkg.dec
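Review bot: adding `UefiCpuPkg/UefiCpuPkg.dec` to the [Packages] of a MdeModulePkg core module creates a MdeModulePkg -> UefiCpuPkg dependency, which runs against the edk2 package layering (UefiCpuPkg may consume MdeModulePkg, not the reverse). Once the two PCDs are declared in MdeModulePkg.dec this line should be dropped.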
@@ -110,6 +111,8 @@ [Pcd.IA32,Pcd.X64]
   gEfiMdeModulePkgTokenSpaceGuid.PcdNullPointerDetectionPropertyMask## 
CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdHeapGuardPropertyMask   ## 
CONSUMES
   gEfiMdeModulePkgTokenSpaceGuid.PcdCpuStackGuard   ## 
CONSUMES
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase ## 
CONSUMES
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize ## 
CONSUMES
 
 [Pcd.IA32,Pcd.X64,Pcd.ARM,Pcd.AARCH64]
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack   ## 
SOMETIMES_CONSUMES
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf 
b/OvmfPkg/PlatformPei/PlatformPei.inf
index aed1f64b7c93..f53195e6dda5 100644
--- a/OvmfPkg/PlatformPei/PlatformPei.inf
+++ b/OvmfPkg/PlatformPei/PlatformPei.inf
@@ -102,6 +102,8 @@ [Pcd]
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMaxLogicalProcessorNumber
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApInitTimeOutInMicroSeconds
   gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbBase
+  gUefiCpuPkgTokenSpaceGuid.PcdGhcbSize
 
 [FixedPcd]
   gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
diff --git a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h 
b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
index 2d0493f109e8..6b7c38a441d6 100644
--- a/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
+++ b/MdeModulePkg/Core/DxeIplPeim/X64/VirtualMemory.h
@@ -201,6 +201,8 @@ EnableExecuteDisableBit (
   @param[in, out] PageEntry2M   Pointer to 2M page entry.
   @param[in]  StackBase Stack base address.
   @param[in]  StackSize Stack size.
+  @param[in]  GhcbBase  GHCB page area base address.
+  @param[in]  GhcbSize  GHCB page area size.
 
 **/
 VOID
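Review bot: the new @param lines give GhcbBase and GhcbSize no "absent" value; document that a GhcbSize of 0 (the PCD default) means no GHCB area and leaves all entries encrypted, so the behaviour for non-SEV-ES callers is stated rather than implied.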
@@ -208,7 +210,9 @@ Split2MPageTo4K (
   IN EFI_PHYSICAL_ADDRESS   PhysicalAddress,
   IN OUT UINT64 *PageEntry2M,
   IN EFI_PHYSICAL_ADDRESS   StackBase,
-  IN UINTN  StackSize
+  IN UINTN  StackSize,
+  IN EFI_PHYSICAL_ADDRESS   GhcbBase,
+  IN UINTN  GhcbSize
   );
 
 /**
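Review bot: GhcbSize is declared `IN UINTN  GhcbSize` while PcdGhcbSize is UINT64; this X64 page-table code is also built into the IA32 DxeIpl (Ia32/DxeLoadFunc.c is in the diffstat), where UINTN is 32 bits, so the PCD value is narrowed silently at the call site. Either take UINT64 (GhcbBase already uses the 64-bit EFI_PHYSICAL_ADDRESS) or ASSERT that the value fits before passing it.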
@@ -217,6 +221,8 @@ Split2MPageTo4K (
 
   @param[in] StackBase  Stack base address.
   @param[in] StackSize  Stack size.
+  @param[in] GhcbBase   GHCB page area base address.
+  @param[in]
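The core of what the patch adds to Split2MPageTo4K(), as an added example written for this page and not code from the posted patch or from edk2: when a 2 MiB mapping is split into 512 4 KiB entries, each entry gets the SEV encryption bit (the "C-bit", supplied as an address OR-mask in the spirit of PcdPteMemoryEncryptionAddressOrMask) unless the page lies inside the GHCB area, which stays shared so the hypervisor can access it. The function and constant names, the bit-47 C-bit position, and the memory layout are assumptions; real firmware reads the C-bit position from CPUID.

```c
/* Added example; EXAMPLE_ENC_MASK is an assumed C-bit position, and the
 * function names only mirror the ones in the patch. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SIZE_4KB          0x1000ULL
#define SIZE_2MB          0x200000ULL
#define ENTRIES_PER_2MB   (SIZE_2MB / SIZE_4KB)    /* 512 */
#define PTE_ADDRESS_MASK  0x000FFFFFFFFFF000ULL    /* address bits 51:12 */
#define IA32_PG_P         (1ULL << 0)              /* present */
#define IA32_PG_RW        (1ULL << 1)              /* writable */
#define EXAMPLE_ENC_MASK  (1ULL << 47)             /* assumed C-bit */

/* Scratch 4K page table used by the demo below (and by tests). */
uint64_t  gExampleEntries[ENTRIES_PER_2MB];

/* True if the 4 KiB page at Address lies inside [Base, Base + Size).
 * Size 0 (the PCD default) means "no GHCB area" and never matches. */
static bool
PageInRange (uint64_t Address, uint64_t Base, uint64_t Size)
{
  return Size != 0 && Address >= Base && (Address - Base) < Size;
}

/* Fill Entries[0..511] with 4 KiB PTEs covering the 2 MiB region at
 * PhysicalAddress2M. Pages inside the GHCB area are mapped shared (C-bit
 * clear); everything else is mapped encrypted (C-bit set). Returns the
 * number of shared entries, or -1 if PhysicalAddress2M is not 2 MiB aligned. */
int
Split2MPageTo4K (
  uint64_t  PhysicalAddress2M,
  uint64_t  *Entries,
  uint64_t  EncMask,
  uint64_t  GhcbBase,
  uint64_t  GhcbSize
  )
{
  int  Shared = 0;

  if ((PhysicalAddress2M & (SIZE_2MB - 1)) != 0) {
    return -1;
  }

  for (size_t Index = 0; Index < ENTRIES_PER_2MB; Index++) {
    uint64_t  Address = PhysicalAddress2M + Index * SIZE_4KB;
    uint64_t  Entry   = Address | IA32_PG_P | IA32_PG_RW;

    if (PageInRange (Address, GhcbBase, GhcbSize)) {
      Shared++;                 /* GHCB page: leave the C-bit clear */
    } else {
      Entry |= EncMask;         /* private guest memory: set the C-bit */
    }
    Entries[Index] = Entry;
  }
  return Shared;
}

/* Physical address a 4 KiB entry maps, with the C-bit masked out. */
uint64_t
Pte4KAddress (uint64_t Entry, uint64_t EncMask)
{
  return Entry & ~EncMask & PTE_ADDRESS_MASK;
}

/* True if the entry maps its page encrypted (C-bit set). */
bool
Pte4KIsEncrypted (uint64_t Entry, uint64_t EncMask)
{
  return (Entry & EncMask) != 0;
}

int
main (void)
{
  /* Constructed layout: split the 2 MiB page at 0x200000 with a two-page
   * GHCB area at 0x280000, so entries 128 and 129 must come out shared. */
  int  Shared = Split2MPageTo4K (SIZE_2MB, gExampleEntries, EXAMPLE_ENC_MASK,
                                 0x280000ULL, 2 * SIZE_4KB);
  printf ("shared entries: %d, entry 128 encrypted: %d\n", Shared,
          Pte4KIsEncrypted (gExampleEntries[128], EXAMPLE_ENC_MASK));
  return 0;
}
```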