Message-ID: <0f3bc82f-0a84-f2f1-6172-cea8da40cc5d@amd.com>
Date: Wed, 21 Dec 2022 10:48:03 -0600
Subject: Re: [PATCH 1/4] OvmfPkg/AmdSevDxe: Allocate SEV-SNP CC blob as EfiACPIReclaimMemory
From: "Lendacky, Thomas"
To: Michael Roth, devel@edk2.groups.io
Cc: ray.ni@intel.com, Dov Murik
In-Reply-To: <20221221160651.182143-2-michael.roth@amd.com>
References: <20221221160651.182143-1-michael.roth@amd.com> <20221221160651.182143-2-michael.roth@amd.com>

On 12/21/22 10:06, Michael Roth wrote:
> The SEV-SNP Confidential Computing blob contains metadata that should
> remain accessible for the life of the guest. Allocate it as
> EfiACPIReclaimMemory to ensure the memory isn't overwritten by the guest
> operating system later.
>
> Reported-by: Dov Murik
> Suggested-by: Dov Murik
> Signed-off-by: Michael Roth

Reviewed-by: Tom Lendacky

> ---
> OvmfPkg/AmdSevDxe/AmdSevDxe.c | 62 +++++++++++++++++++++++++++--------
> 1 file changed, 48 insertions(+), 14 deletions(-)
>
> diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
> index 662d3c4ccb..8dfda961d7 100644
> --- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
> +++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
> @@ -21,15 +21,36 @@ > #include > #include > > -STATIC CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION mSnpBootDxeTable = { > - SIGNATURE_32 ('A', 'M', 'D', 'E'), > - 1, > - 0, > - (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfSnpSecretsBase), > - FixedPcdGet32 (PcdOvmfSnpSecretsSize), > - (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfCpuidBase), > - FixedPcdGet32 (PcdOvmfCpuidSize), > -}; > +STATIC > +EFI_STATUS > +AllocateConfidentialComputingBlob ( > + OUT CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION **CcBlobPtr > + ) > +{ > + EFI_STATUS Status; > + CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *CcBlob; > + > + Status = gBS->AllocatePool ( > + EfiACPIReclaimMemory, > + sizeof (CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION), > + (VOID **)&CcBlob > + ); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + CcBlob->Header = SIGNATURE_32 ('A', 'M', 'D', 'E'); > + CcBlob->Version = 1; > + CcBlob->Reserved1 = 0; > + CcBlob->SecretsPhysicalAddress = (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfSnpSecretsBase); > + CcBlob->SecretsSize = FixedPcdGet32 (PcdOvmfSnpSecretsSize); > + CcBlob->CpuidPhysicalAddress = (UINT64)(UINTN)FixedPcdGet32 (PcdOvmfCpuidBase); > + CcBlob->CpuidLSize = FixedPcdGet32 (PcdOvmfCpuidSize); > + > + *CcBlobPtr = CcBlob; > + > + return EFI_SUCCESS; > +} > > EFI_STATUS > EFIAPI > @@ -38,10 +59,11 @@ AmdSevDxeEntryPoint ( > IN EFI_SYSTEM_TABLE *SystemTable > ) > { > - EFI_STATUS Status; > - EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap; > - UINTN NumEntries; > - UINTN Index; > + EFI_STATUS Status; > + EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap; > + UINTN NumEntries; > + UINTN Index; > + CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION *SnpBootDxeTable; > > // > // Do nothing when SEV is not enabled 
> @@ -147,6 +169,18 @@ AmdSevDxeEntryPoint ( > } > } > > + Status = AllocateConfidentialComputingBlob (&SnpBootDxeTable); > + if (EFI_ERROR (Status)) { > + DEBUG (( > + DEBUG_ERROR, > + "%a: AllocateConfidentialComputingBlob(): %r\n", > + __FUNCTION__, > + Status > + )); > + ASSERT (FALSE); > + CpuDeadLoop (); > + } > + > // > // If its SEV-SNP active guest then install the CONFIDENTIAL_COMPUTING_SEV_SNP_BLOB. > // It contains the location for both the Secrets and CPUID page. > @@ -154,7 +188,7 @@ AmdSevDxeEntryPoint ( > if (MemEncryptSevSnpIsEnabled ()) { > return gBS->InstallConfigurationTable ( > &gConfidentialComputingSevSnpBlobGuid, > - &mSnpBootDxeTable > + SnpBootDxeTable > ); > } >
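Review bot: in the first hunk (@@ -21,15 +21,36 @@), the blob is now carved out of pool memory with gBS->AllocatePool, which does not zero the allocation, whereas the STATIC table it replaces lived in zero-initialized storage; the seven named fields are assigned, but any padding bytes inside CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION now hold whatever was previously in the pool, so a ZeroMem (CcBlob, sizeof (*CcBlob)) before the field assignments would keep the table the guest OS reads fully deterministic. Two smaller points on the same hunk: AllocateConfidentialComputingBlob has no function header comment describing CcBlobPtr and the return values, which edk2 expects for a new function; and since the commit message's goal is that the blob "remain accessible for the life of the guest", the message should say why EfiACPIReclaimMemory is sufficient, given that the UEFI specification allows the OS to reuse that memory type once it has consumed the ACPI tables, while EfiACPIMemoryNVS is the type the OS must preserve.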
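Review bot: in the third hunk (@@ -147,6 +169,18 @@), AllocateConfidentialComputingBlob is called unconditionally, but its result is only consumed under the `if (MemEncryptSevSnpIsEnabled ())` check that follows, while the entry point itself runs for every SEV guest (the "Do nothing when SEV is not enabled" early-out only filters out non-SEV guests). On SEV and SEV-ES guests this leaves an EfiACPIReclaimMemory pool allocation that nothing references or frees, and an allocation failure there would CpuDeadLoop () a guest that did not need the blob at all. Moving the call inside the SNP-enabled block, or guarding it with the same MemEncryptSevSnpIsEnabled () test, avoids both.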
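Review bot: in the last hunk (@@ -154,7 +188,7 @@), the status from gBS->InstallConfigurationTable is returned directly, but if it fails the pool just allocated for SnpBootDxeTable is never released; a FreePool on that error path, or an ASSERT_EFI_ERROR consistent with how the allocation failure is treated a few lines earlier, would make the failure handling symmetric.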