From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (NAM11-CO1-obe.outbound.protection.outlook.com [40.107.220.58])
 by mx.groups.io with SMTP id smtpd.web09.610.1624394124231145395
 for <devel@edk2.groups.io>;
 Tue, 22 Jun 2021 13:35:24 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@amd.com header.s=selector1 header.b=ABvsHvwk;
 spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.220.58, mailfrom: brijesh.singh@amd.com)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass
 header.d=amd.com; arc=none
Authentication-Results: arm.com; dkim=none (message not signed)
 header.d=none;arm.com; dmarc=none action=none header.from=amd.com;
Received: from BYAPR12MB2711.namprd12.prod.outlook.com (2603:10b6:a03:63::10)
 by BYAPR12MB2853.namprd12.prod.outlook.com (2603:10b6:a03:13a::18) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.21; Tue, 22 Jun
 2021 20:35:22 +0000
Received: from BYAPR12MB2711.namprd12.prod.outlook.com
 ([fe80::40e3:aade:9549:4bed]) by BYAPR12MB2711.namprd12.prod.outlook.com
 ([fe80::40e3:aade:9549:4bed%7]) with mapi id 15.20.4242.023; Tue, 22 Jun 2021
 20:35:22 +0000
Cc: brijesh.singh@amd.com, Thomas.Lendacky@amd.com, jejb@linux.ibm.com,
 erdemaktas@google.com, jiewen.yao@intel.com, min.m.xu@intel.com,
 lersek@redhat.com, jordan.l.justen@intel.com, ard.biesheuvel@arm.com
Subject: Re: [PATCH v4 3/4] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall
To: Ashish Kalra <Ashish.Kalra@amd.com>, devel@edk2.groups.io
References: <cover.1624281247.git.ashish.kalra@amd.com>
 <f1cdfd9926364f9997d9608ccf015987825ba504.1624281247.git.ashish.kalra@amd.com>
From: "Brijesh Singh" <brijesh.singh@amd.com>
Message-ID: <06c66cab-955a-f1b1-f0f4-ebba8c018f62@amd.com>
Date: Tue, 22 Jun 2021 15:35:19 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.11.0
In-Reply-To: <f1cdfd9926364f9997d9608ccf015987825ba504.1624281247.git.ashish.kalra@amd.com>
X-Originating-IP: [165.204.77.11]
X-ClientProxiedBy: SN4PR0401CA0035.namprd04.prod.outlook.com
 (2603:10b6:803:2a::21) To BYAPR12MB2711.namprd12.prod.outlook.com
 (2603:10b6:a03:63::10)
Return-Path: brijesh.singh@amd.com
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [172.31.11.236] (165.204.77.11) by SN4PR0401CA0035.namprd04.prod.outlook.com (2603:10b6:803:2a::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18 via Frontend Transport; Tue, 22 Jun 2021 20:35:20 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4ef909da-eae5-4953-2422-08d935bd41e6
X-MS-TrafficTypeDiagnostic: BYAPR12MB2853:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
	<BYAPR12MB2853597BF868D9C4437F6368E5099@BYAPR12MB2853.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:7691;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4ef909da-eae5-4953-2422-08d935bd41e6
X-MS-Exchange-CrossTenant-AuthSource: BYAPR12MB2711.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jun 2021 20:35:22.2157
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: KzXdr0EEJRu05dmlUTevrv2L47R/e4ibKLK5ow50/42zuXK1M8bSmIlfEOKiEX+RBkp5gn8wsQCJQoQE2M12gQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR12MB2853
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit



On 6/21/2021 8:57 AM, Ashish Kalra wrote:
> From: Ashish Kalra <ashish.kalra@amd.com>
> 
> Mark the SEC GHCB page (that is mapped as unencrypted in
> ResetVector code) in the hypervisor page status tracking.
> 
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> 
Remove this new line.

> Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
> ---
>  OvmfPkg/PlatformPei/AmdSev.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
> index a8bf610022..3f642ecb06 100644
> --- a/OvmfPkg/PlatformPei/AmdSev.c
> +++ b/OvmfPkg/PlatformPei/AmdSev.c
> @@ -15,6 +15,7 @@
>  #include <Library/HobLib.h>
>  #include <Library/MemEncryptSevLib.h>
>  #include <Library/MemoryAllocationLib.h>
> +#include <Library/MemEncryptHypercallLib.h>
>  #include <Library/PcdLib.h>
>  #include <PiPei.h>
>  #include <Register/Amd/Msr.h>
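
Review bot: The new #include of Library/MemEncryptHypercallLib.h has no matching build-description change in this patch: the diffstat lists only AmdSev.c, so the library class has to be added to the module's INF somewhere else in the series, and if it is not, it should be added here. As a style point, the surrounding includes look alphabetically ordered, and MemEncryptHypercallLib.h would sort before MemEncryptSevLib.h rather than after MemoryAllocationLib.h.
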
> @@ -52,6 +53,15 @@ AmdSevEsInitialize (
>    PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE);
>    ASSERT_RETURN_ERROR (PcdStatus);
>  
> +  //
> +  // GHCB_BASE setup during reset-vector needs to be marked as
> +  // decrypted in the hypervisor page encryption bitmap.
> +  //
> +  SetMemoryEncDecHypercall3 (FixedPcdGet32 (PcdOvmfSecGhcbBase),
> +    EFI_SIZE_TO_PAGES(FixedPcdGet32 (PcdOvmfSecGhcbSize)),
> +    KVM_MAP_GPA_RANGE_DECRYPTED
> +    );
> +
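
Review bot: The added SetMemoryEncDecHypercall3 call in AmdSevEsInitialize discards whatever the call reports, while the PcdSetBoolS call directly above it is checked with ASSERT_RETURN_ERROR. If the hypercall can fail or be unsupported by the hypervisor, either check the result or say in the comment why a failure can be ignored at this point. The comment could also state where the page was mapped unencrypted (the commit message says ResetVector code), so a reader can see the gap between the PTE change and this notification. Style: "EFI_SIZE_TO_PAGES(FixedPcdGet32" is missing the space before the opening parenthesis that the neighbouring calls use, and the first argument normally goes on its own line when the call is wrapped like this.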

Typically we should invoke the HC as soon as the page state is changed in the PTE.
Why are we notifying it too late? Is this because you are trying to avoid asm code
or there is no MSR protocol for VMMCALL NAE?

I am okay with not notifying in ASM code, but at least we should notify the change
during the ES protocol negotiation and before the GHCB is set up. In other words,
do it inside the SevEsProtocolCheck() [Sec/SecMain.c].

-Brijesh