From: "Lendacky, Thomas via groups.io"
Date: Wed, 24 Apr 2024 09:05:18 -0500
Subject: Re: [edk2-devel] [PATCH] OvmfPkg: Don't make APIC MMIO accesses with encryption bit set
To: Gerd Hoffmann, Michael Roth
Cc: devel@edk2.groups.io, Ard Biesheuvel, Erdem Aktas, Jiewen Yao, Min Xu, Jianyong Wu, Anatol Belski
Message-ID: <006f3bfc-d7df-f2a9-57fb-378c72e316bd@amd.com>
References: <20240423205958.1791780-1-michael.roth@amd.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Resent-From: thomas.lendacky@amd.com
Sender: devel@edk2.groups.io

On 4/24/24 06:54, Gerd Hoffmann wrote:
> On Tue, Apr 23, 2024 at 03:59:58PM -0500, Michael Roth wrote:
>> For the most part, OVMF will clear the encryption bit for MMIO regions,
>> but there is currently one known exception during SEC when the APIC
>> base address is accessed via MMIO with the encryption bit set for
>> SEV-ES/SEV-SNP guests.
>
> what exactly accesses the lapic that early?

InitializedApicTimer() in OvmfPkg/Sec/SecMain.c

>
>> +/**
>> +  Map known MMIO regions unencrypted if SEV-ES is active.
>> +
>> +  During early booting, page table entries default to having the encryption bit
>> +  set for SEV-ES/SEV-SNP guests. In cases where there is MMIO to an address, the
>> +  encryption bit should be cleared. Clear it here for any known MMIO accesses
>> +  during SEC, which is currently just the APIC base address.
>> +
>> +**/
>> +VOID
>> +SecMapApicBaseUnencrypted (
>> +  VOID
>> +  )
>> +{
>> +  PAGE_MAP_AND_DIRECTORY_POINTER  *Level4Entry;
>> +  PAGE_MAP_AND_DIRECTORY_POINTER  *Level3Entry;
>> +  PAGE_MAP_AND_DIRECTORY_POINTER  *Level2Entry;
>> +  PAGE_TABLE_4K_ENTRY             *Level1Entry;
>> +  SEC_SEV_ES_WORK_AREA            *SevEsWorkArea;
>> +  PHYSICAL_ADDRESS                Cr3;
>> +  UINT64                          ApicAddress;
>> +  UINT64                          PgTableMask;
>> +  UINT32                          Level1Page;
>> +  UINT64                          Level1Address;
>> +  UINT64                          Level1Flags;
>> +  UINTN                           PteIndex;
>> +
>> +  if (!SevEsIsEnabled ()) {
>> +    return;
>> +  }
>
> That is incompatible with 5-level paging.  The current reset vector will
> never turn on 5-level paging in case SEV is active because we have more
> incompatibilities elsewhere (BaseMemEncryptSevLib IIRC).  But still,
> it's moving things into the wrong direction ...

Agreed. SEV needs to clean up the pagetable manipulation in general in
order to support 5-level paging and remove redundant code. That will be
a patch series in itself.

But without this modification, the SNP support no longer works with the
KVM/gmem support that will be upstream. This change gets OVMF SNP
support working again.

>
> Ideally CpuPageTableLib should be used for this.

CpuPageTableLib will need to be modified in order for it to be used at
this (Sec) stage. In order to work in Sec, either the caller will have
to supply a list of pages that can be used if pagetable entries need to
be allocated for splits or new entries, or by providing some kind of SEC
pagetable allocation pool.

So it will take significant work to get SEV support updated to using
CpuPageTableLib and that's why with this single patch we can get OVMF
SNP support working again.

Thanks,
Tom

>
> take care,
>   Gerd
>

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118215): https://edk2.groups.io/g/devel/message/118215
Group Owner: devel+owner@edk2.groups.io
-=-=-=-=-=-=-=-=-=-=-=-
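Review bot: the walk this hunk sets up (Level4Entry, Level3Entry, Level2Entry and Level1Entry starting from Cr3 in SecMapApicBaseUnencrypted) hard-codes 4-level paging, but the only guard in the hunk is `if (!SevEsIsEnabled ()) { return; }`; rather than relying on the reset vector never enabling 5-level paging under SEV, make the assumption explicit: state it in the doc comment and return or ASSERT when CR4.LA57 is set, so a future reset-vector change fails loudly instead of walking a PML5 as if it were a PML4. The doc comment's first line, "Map known MMIO regions unencrypted if SEV-ES is active", also promises more than the function does, which is the single APIC base page; either say that in the comment or keep the comment and the function name in step.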
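The page-table manipulation the patch and the replies argue about, shown as an added example in C that is not code from the patch, from OVMF or from edk2: a 4-level walk from the root table down to the 4K PTE covering the APIC base that clears only that entry's C-bit, masking the C-bit off the table-pointer entries on the way down (the job of the PgTableMask the hunk declares), taking table pages from a fixed pool in place of the SEC page pool Tom mentions, and refusing to touch a 1G/2M leaf, which is the case that would need a split. The C-bit position (51), the xAPIC base (0xFEE00000), the 0x40000000 large page and the use of process memory as "physical" table addresses are all assumptions of the example; on real hardware the C-bit position comes from CPUID Fn8000_001F EBX[5:0].

```c
#include <stdint.h>
#include <string.h>
/* Constructed example, not OVMF/edk2 code: 4-level x86-64 page-table walk that clears
 * the SEV C-bit on the one 4K PTE covering an MMIO address. Tables are plain process
 * memory from a fixed pool, standing in for a SEC-phase page pool. */

#define PAGE_PRESENT  (1ULL << 0)
#define PAGE_PS       (1ULL << 7)            /* 1G/2M leaf at PDPT/PD level */
#define ADDR_MASK     0x000FFFFFFFFFF000ULL  /* address bits 51:12 */
#define APIC_BASE     0xFEE00000ULL          /* assumed default xAPIC MMIO base */
#define CBIT_POS      51                     /* assumed; hardware: CPUID 8000_001Fh EBX[5:0] */
#define CBIT_MASK     (1ULL << CBIT_POS)
#define IDX(pa, sh)   (((pa) >> (sh)) & 0x1FFULL)
/* Table-pointer entries carry the C-bit too (tables are encrypted memory): mask it off. */
#define FOLLOW(e, m)  ((uint64_t *)(uintptr_t)((e) & ADDR_MASK & ~(m)))
enum walk_status { WALK_OK = 0, WALK_NOT_PRESENT = 1, WALK_LARGE_PAGE = 2 };
static const unsigned shifts[4] = { 39, 30, 21, 12 };
static _Alignas(4096) uint64_t page_pool[16][512];  /* SEC has no allocator: bring pages */
static size_t pool_next;
static uint64_t *pool_alloc(void)
{
    if (pool_next >= 16) return NULL;
    return memset(page_pool[pool_next++], 0, 4096);
}

/* Identity-map 'pa' encrypted as a 4K page, or as a 2M page when large_2m is set. */
static int map_encrypted(uint64_t *pml4, uint64_t pa, uint64_t cbit_mask, int large_2m)
{
    int leaf_level = large_2m ? 2 : 3;
    uint64_t *table = pml4;
    for (int i = 0; i < leaf_level; i++) {
        uint64_t *e = &table[IDX(pa, shifts[i])];
        if (!(*e & PAGE_PRESENT)) {
            uint64_t *next = pool_alloc();
            if (!next) return -1;
            *e = (uint64_t)(uintptr_t)next | PAGE_PRESENT | cbit_mask;
        }
        table = FOLLOW(*e, cbit_mask);
    }
    uint64_t leaf = large_2m ? ((pa & ~0x1FFFFFULL) | PAGE_PS) : (pa & ADDR_MASK);
    table[IDX(pa, shifts[leaf_level])] = leaf | PAGE_PRESENT | cbit_mask;
    return 0;
}

/* Find the 4K PTE for 'pa'. A 1G/2M leaf is refused: clearing it shares the whole large page. */
static enum walk_status find_4k_pte(uint64_t *pml4, uint64_t pa, uint64_t cbit_mask, uint64_t **pte)
{
    uint64_t *table = pml4;
    for (int i = 0; i < 4; i++) {
        uint64_t *e = &table[IDX(pa, shifts[i])];
        if (!(*e & PAGE_PRESENT)) return WALK_NOT_PRESENT;
        if (i == 3) { *pte = e; return WALK_OK; }
        if (i >= 1 && (*e & PAGE_PS)) return WALK_LARGE_PAGE;
        table = FOLLOW(*e, cbit_mask);
    }
    return WALK_NOT_PRESENT;
}

/* Clear the C-bit on the 4K mapping of the MMIO page 'pa', and nothing else. */
enum walk_status clear_cbit_4k(uint64_t *pml4, uint64_t pa, uint64_t cbit_mask)
{
    uint64_t *pte;
    enum walk_status st = find_4k_pte(pml4, pa, cbit_mask, &pte);
    if (st == WALK_OK) *pte &= ~cbit_mask;
    return st;
}

/* 1 if the 4K mapping of 'pa' is encrypted, 0 if shared, -1 if there is no 4K leaf. */
int is_4k_encrypted(uint64_t *pml4, uint64_t pa, uint64_t cbit_mask)
{
    uint64_t *pte;
    if (find_4k_pte(pml4, pa, cbit_mask, &pte) != WALK_OK) return -1;
    return (*pte & cbit_mask) ? 1 : 0;
}

/* Constructed layout: APIC base and neighbour as encrypted 4K pages, one 2M page at 0x40000000. */
uint64_t *build_demo_tables(void)
{
    pool_next = 0;
    uint64_t *pml4 = pool_alloc();
    if (!pml4 || map_encrypted(pml4, APIC_BASE, CBIT_MASK, 0) < 0) return NULL;
    if (map_encrypted(pml4, APIC_BASE + 0x1000, CBIT_MASK, 0) < 0) return NULL;
    if (map_encrypted(pml4, 0x40000000ULL, CBIT_MASK, 1) < 0) return NULL;
    return pml4;
}

/* Returns 0 when every check passes, otherwise the number of the failing step. */
int run_demo(void)
{
    uint64_t *pml4 = build_demo_tables();
    if (!pml4) return 1;
    if (is_4k_encrypted(pml4, APIC_BASE, CBIT_MASK) != 1) return 2;
    if (clear_cbit_4k(pml4, APIC_BASE, CBIT_MASK) != WALK_OK) return 3;
    if (is_4k_encrypted(pml4, APIC_BASE, CBIT_MASK) != 0) return 4;
    /* neighbouring page and the table-pointer entry above it stay private */
    if (is_4k_encrypted(pml4, APIC_BASE + 0x1000, CBIT_MASK) != 1 || !(pml4[IDX(APIC_BASE, 39)] & CBIT_MASK)) return 5;
    if (clear_cbit_4k(pml4, 0x40002000ULL, CBIT_MASK) != WALK_LARGE_PAGE) return 6;
    if (clear_cbit_4k(pml4, 0x12345000ULL, CBIT_MASK) != WALK_NOT_PRESENT) return 7;
    return 0;
}
```

run_demo() returns 0 when the walk behaves as described. The WALK_LARGE_PAGE refusal is the point behind Tom's remark about supplying pages for splits: a 2M or 1G leaf covering the MMIO page cannot simply have its C-bit cleared, because that would make the whole large page shared, so a correct SEC implementation needs spare pages to split it into 4K entries first.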