From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM04-BN8-obe.outbound.protection.outlook.com (NAM04-BN8-obe.outbound.protection.outlook.com [40.107.100.69]) by mx.groups.io with SMTP id smtpd.web11.1656.1652997748250176431 for ; Thu, 19 May 2022 15:02:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@amd.com header.s=selector1 header.b=dGW7UNNm; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.100.69, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ra6u3ntkvmraqRKlRIMr8FVetMpTmlS0zEwmx6fRN/xwtqBtSz1GW7rz6JYoXMAYHgNuQAab6oSzpaS9YD8cEpmeDd+b0E5uuPlV5T/lQlILeEgxpb47GoYOW2NXxR6FQv+pwUqNFK3hdKG7Z1/J59Zy2TABFXPtBytCKOEsZcmmvFiiCt9gs3fmnRRBR2ieN7Wuj5JWve3bhNI9dim8q75E2Wm1WpWplEKPI8HUZOczOOigOAviDhNWMuxGNSD8Pkl/TCywrgRIwrRmgpOuEip8AyR9OrN0jWtWaLTfXrI1AnYJuLh0AWFqQcWTsGDOcypIAO7gf74LcWhLecT+rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/CQiXQDDIattuxWt8FoWPwxHL+v0Uckhiv/ijlv6izc=; b=LcKVmPH4mxOduXwWi4TjLHPw/VPmnFvrg4EJIZRBY/PvM3th/GlroaXRFFmRgkQWU5HszRuouuVgEQDZGufmScG92XscRPJ0doR3zvKoC1VgWx4wdaDB8MViAuHmQHfZLna6rEc46MdxxKRrmPssHwXCv5HO03ClIGoaLKPb+p4AWK9e80iSfwmueDYHbg/T9ILwugh/+XNtk2SlyMH64Pkbw88j22BD4HfgoYVhuWeFpUfiyc/jE4G/aaLY2F8hMFqtbSs02KAZPvJJXnEIqlM0PZORBYrRi0JL7xJs2yHhxYmQ6h3EjT/QA7dQ+iHaOundMjPVUM+cuNd/5QyfLg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/CQiXQDDIattuxWt8FoWPwxHL+v0Uckhiv/ijlv6izc=; b=dGW7UNNmZKr6GwXE9SlGiA2CjjLwMvQjocu+Ao2H9PhPQLBdCoL/IqorapZOWUgrxGw1srXfpqpcTYX+r1WpKrtW05JchNUE4I8s/Vyr2O3dhv9hwR1sjpfJ+bhoJicXSA3NFvz62dYNLtLhukJOXCVldAAM4elkO5c3YWjMqYk= Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com; Received: from DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) by DM4PR12MB5360.namprd12.prod.outlook.com (2603:10b6:5:39f::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5273.13; Thu, 19 May 2022 22:02:25 +0000 Received: from DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::db8:5b23:acf0:6f9a]) by DM4PR12MB5229.namprd12.prod.outlook.com ([fe80::db8:5b23:acf0:6f9a%4]) with mapi id 15.20.5273.016; Thu, 19 May 2022 22:02:25 +0000 Message-ID: <14338646-5653-c3d2-8bf4-62b77f46c2d4@amd.com> Date: Thu, 19 May 2022 17:02:22 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.8.1 Subject: Re: [edk2-devel] [PATCH] OvmfPkg: Make an Ia32/X64 hybrid build work with SEV To: Ard Biesheuvel , Liming Gao Cc: edk2-devel-groups-io , Ard Biesheuvel , Jiewen Yao , Jordan Justen , Gerd Hoffmann , Erdem Aktas , James Bottomley , Michael Roth , Min Xu References: <16EFAF988BEBA4A6.18257@groups.io> From: "Lendacky, Thomas" In-Reply-To: X-ClientProxiedBy: BLAPR03CA0054.namprd03.prod.outlook.com (2603:10b6:208:32d::29) To DM4PR12MB5229.namprd12.prod.outlook.com (2603:10b6:5:398::12) Return-Path: Thomas.Lendacky@amd.com MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: a1c51510-31bb-4f5a-5944-08da39e34218 X-MS-TrafficTypeDiagnostic: DM4PR12MB5360:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Ev3fCEn6F5QMc16HCadG5l5htBKURWZdUXZtykWSeouFPHAtGPSNVXN31wYnznAELFCLJ8iefWXn+ghBDg+mZqrqXbCTP2aOytmC2v/5nSfriKNlBzdxp1zez3c+vBfALkg4lfpP5FEwTX7Zw8jqqMdG8deEsPSnCHySwmXmyN9GOBSLZo94xfrIlUSMuJU4TI+x7q1ReONMaVImWTGWw1neMVlMqML4gcJpfqPpQo+mHDf6bQpO1qVA2+K8TRXHCpQGCk8fdiJd1YfBAmJXjiOe3huqFd0AJau/C7wbKF75yJUvSrPwEoRWvgrLPjs46I3Vjm1NtFmtPfdpkk++v1ZZM0q95JcoxIwlVG+VFpVN/82Ej2QyvSUlorcwE8xtw1M7W8inWP1m9n17OhS+y1gX+2Y9mdwU1Ef5Z9xzKF42vzvl6t6iFTZ56XK1yjf8pO6Jj0l+3Zn9Rg4gyArXt26S0+kzuFHQTxDq/KeSOKr6aYS/MK7ERhe900GT3QNIWIUnDjZZ3+L82AHe/1TLqED/ybcT3fmcjE8TxoZlcy4aYEBeIMjO/L2/i4+M1ZOHMRP1fDEFhTPN3cYT9ue25qaDLtQ5rgKs83gSmUzkhpebbFzIY182tb+qvS8MA8JNJpCkduFu3xEh8lUDhQjq+oRS1en3vYLN+Txer3zuupf/JwL7/QuczSxDvyCzFKU5iQqYf7pyjPKOMqHDyAzW3cBNRiHihetmW+amlxgS2VN3ExbiJNpqGQ+9OwPEROiQ X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM4PR12MB5229.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(4636009)(366004)(508600001)(4326008)(66556008)(8676002)(19627235002)(66476007)(66946007)(30864003)(38100700002)(31686004)(36756003)(8936002)(110136005)(86362001)(2616005)(7416002)(6666004)(83380400001)(54906003)(6486002)(53546011)(6506007)(6512007)(31696002)(316002)(2906002)(186003)(5660300002)(26005)(43740500002)(45980500001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?cE12YVZuaTYwVlA4RkZjdkdNWTV1eEJEYkJGSW9EeVNsOU92TTJ2Unp1TWV4?= =?utf-8?B?eXRIbmluSGVDZllMeElPbUZoZ25WWnRLekhEQnhMWW5wck1pdXBwaVlBVjFt?= =?utf-8?B?TnlnMmgzSEFCakg1aDBSdWxCcTQ4ZFJpTFM2djkvRVcxR20vU085K08zZHZS?= =?utf-8?B?ZzdYMjF1Uk1DZDcvRzNMTGh3Y2ZjQzZWUVMzaUlmVGx5WlJ3am9IV0lBaS9Y?= =?utf-8?B?NnFSa29tcTJmczcycnc0ai9EdkI1MWdYbkZxVGFodzVsRjJnRzc4QzZRUS9O?= =?utf-8?B?OUwvdEhFSFdCdkw5Z3B4M0hvb21GVk91MWFwbGY2eEVHTVlEbWNJQko5NmxP?= =?utf-8?B?dWdjekdOdXVIc3lYYjVWcDFBemJ3TjFoS2l0N0tXcURRTEhvOGlGcElBRTRw?= =?utf-8?B?cVFkSE5SUTVMOVRnbEM1UlZ0ak52WG9ZU3F2Rmk2ZlRhUENEVUwzUUtFcEht?= =?utf-8?B?bHZ6SjduQ1N5MTdHZVlIUExESWVtSlYzZnJrRzJIa3BFckl1SWFlcWtHMWNN?= =?utf-8?B?M3BPcDJVY1dXTTRPUStTa1Vub1pXMHhWNGJVYlI1Ykt4eTd6V0NiNW1nb29P?= =?utf-8?B?Y0hyYVNOOVBqbUtLY0hRSVJRdVpxU3BvYXRaSzJhWnJDK2poaFpTRGtyVmVX?= =?utf-8?B?VCtxR2FCdm5maHJ2cmlXUEVzM3BXL0xNQ09nZ0ZBdTh0ZG96Z3FJUzQ0ZVky?= =?utf-8?B?dXFIZmEwTlRtRVpPdW0vd2lLZ1VzZDhDSGdIcGFIWi9UVzdzdmRYUmFpL2Iw?= =?utf-8?B?T2tkbWg1RHk1NnVFRXM1YWF6MFZFVlhxWm5VRWhOR05VTm5QK29vUSt1NWlj?= =?utf-8?B?aVVXTERKanN2NnR3K2N5TlRkcEMxNWdPRUNXdU1KZzhVTUhmZ0JGQWpHMC9z?= =?utf-8?B?VHdvc1FZMi9ESkloRVdnTzBYOWtXb1h6dE4zRTNuVUVYdlhQN1Q5L2lndldu?= =?utf-8?B?aUhqVmM2VkxIeERMWURpb2Q3cWNZQUNJcFYzMmxTRExEMkN6UVMrRlFZbm1R?= =?utf-8?B?WnVVRWFqTXZKS0d1RFFjNkIzWEY1VnhhZ1JHeER5Nlo4VnlZcVpQOERSMzIx?= =?utf-8?B?MjBZQkUvZkhmTVN2alFlR25JWGp1VVNiamJGWmNHNGZReGN1Z0Y2VUNIamlr?= =?utf-8?B?dmNIM3lmMnFKdS9MOVBmUkVJTW5FWlF4VDh5MFl3VDhDRUpEQW9jNFFJbkNw?= =?utf-8?B?MUt3OFNKNUtzdWU3YWJ0ZFVURVpDSm9oVzU4VVQvUjdVRmtlTHE2QWU1NUNq?= =?utf-8?B?ZHQ4ZEorSTZNSTlIY0lsTS9kUXpIUnFpdUluWU9JUDJlcm5DdHE1dGFYa2Zl?= =?utf-8?B?cXJMbmsvLyt3TUNiMmxRMTZDcHRWZmpPM0tsN1BWenFTNElZdUFTR1Vhcmc1?= =?utf-8?B?QzdEZ1JHeElNKzNoaHFXN3h1Lyt0ZThHM1FHS3NFT3BGd0lIVG0vWjBEZXF3?= =?utf-8?B?cnpGenhuZVlGQzBuSXA4ZndTWnlhemlxa05jdlYvRGpoUFIwdVhYb2pyKzhG?= =?utf-8?B?bVByQThnOElHQ2ovRFd3bm50TVNUOWgwcVdFZHZwQm9KRlAwYXRkYVJUYlF6?= =?utf-8?B?VDdIU0lsNzBnSGtJZjY2UU1HM2FyOU0wWDg2SEJCSUJHNFJuVTNmVjFOeDFZ?= =?utf-8?B?bEFxR3BrZFhEdXlkOTM4d25XVnlEeDJKR0YwNFB5bjRSL3U3MFRQdENwWlNO?= =?utf-8?B?TENjbTNoR09uZ2xFZ2dpdDE3V2xtVFFjaVNESHFZbSttSnZKZXNCT0tpNFQ1?= =?utf-8?B?NmplREM4T2lKLzlDMHNOZlk3dk5Relp5bFhGdGJ0UjNFMzdHLzUzQ1NraWFm?= =?utf-8?B?SFZ0WERrcFpMMkk4QXIwYVJRUU1vZnZYcTNNb0xaZEhZSFZPOEVCUUhtZHRG?= =?utf-8?B?aVRFZWRXNG9GeGtibGY2aWQ0anRZa2VneVhWNDQrOWloVUFpaFR3Uy9nUFRp?= =?utf-8?B?N1Z6SlVMQXJjeVF4SFdFL25ieWIvSlpmczJDcFE5VlJzR1hHQ1h5SHhydysz?= =?utf-8?B?Wi8wbjZEMmRXWFVmMmJFczNUNXhzRG8wM2FwN0oyTlpMSVl6UnZwK2lqVkpr?= =?utf-8?B?M2dPdTVPOE8zMmYrZlgwTmt6ZThoTzJ1cGFZWDNtWDVMTXZwOVRrazF4bjZr?= =?utf-8?B?UG1hRURjVlFhdkRkVlJaSFJEeHNYMjIrRlRHM1p3MHFGak11cHpuQ01JT0VI?= =?utf-8?B?MXN2TnFRZ2NkalFSOEE2RHlNczd3SFR4K1YxRGdVZ0pHU2xSdHlKcG9ERmR5?= =?utf-8?B?OXZXWXBUK0hGQktiWWJZTVlDUFRuSCt2YWFmMHIvazgrWmI5dWR6Y3dEd0RC?= =?utf-8?B?OThHYkMveFJUOWtlekliWndmOGpjL0NBVzNUZ1BEbWI3R2IxMnRHUT09?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: a1c51510-31bb-4f5a-5944-08da39e34218 X-MS-Exchange-CrossTenant-AuthSource: DM4PR12MB5229.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 May 2022 22:02:25.7472 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: P15qGv0GsL/BIndq4gORmAnNiuf+Snt1Z7kbob6nk06rrb65nRb01npIu5PqSThbIePtqmKkqLZZ/9OBiNyMzg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB5360 Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Explicitly adding Liming to the To: line for visibility. Thanks, Tom On 5/17/22 11:29, Ard Biesheuvel wrote: > On Tue, 17 May 2022 at 18:26, Tom Lendacky wrote: >> >> On 5/16/22 15:24, Lendacky, Thomas via groups.io wrote: >>> The BaseMemEncryptSevLib functionality was updated to rely on the use of >>> the OVMF/SEV workarea to check for SEV guests. However, this area is only >>> updated when running the X64 OVMF build, not the hybrid Ia32/X64 build. >>> Base SEV support is allowed under the Ia32/X64 build, but it now fails >>> to boot as a result of the change. >>> >>> Update the ResetVector code to check for SEV features when built for >>> 32-bit mode, not just 64-bit mode (requiring updates to both the Ia32 >>> and Ia32X64 fdf files). >> >> So this is a regression and it would be great if it could be applied to >> the 202205 release. Can folks take a look and make sure it looks safe to >> them for applying during hard feature freeze? >> >> If it's ok to be applied now, is there a particular process for applying >> this during hard freeze? >> > > For the change itself: > > Acked-by: Ard Biesheuvel > > and I am fine with taking this during hard freeze, but I'll defer to > Liming to make the final call. > > > >> >>> >>> Fixes: f1d1c337e7c0575da7fd248b2dd9cffc755940df >>> Cc: Ard Biesheuvel >>> Cc: Jiewen Yao >>> Cc: Jordan Justen >>> Cc: Gerd Hoffmann >>> Cc: Erdem Aktas >>> Cc: James Bottomley >>> Cc: Michael Roth >>> Cc: Min Xu >>> Signed-off-by: Tom Lendacky >>> --- >>> OvmfPkg/OvmfPkgIa32.fdf | 11 +++ >>> OvmfPkg/OvmfPkgIa32X64.fdf | 8 +++ >>> OvmfPkg/OvmfPkgX64.fdf | 3 +- >>> OvmfPkg/ResetVector/Ia32/AmdSev.asm | 4 ++ >>> OvmfPkg/ResetVector/Main.asm | 6 ++ >>> OvmfPkg/ResetVector/ResetVector.nasmb | 72 ++++++++++---------- >>> 6 files changed, 67 insertions(+), 37 deletions(-) >>> >>> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf >>> index 3ab1755749d4..57d13b7130bc 100644 >>> --- a/OvmfPkg/OvmfPkgIa32.fdf >>> +++ b/OvmfPkg/OvmfPkgIa32.fdf >>> @@ -76,6 +76,9 @@ [FD.MEMFD] >>> 0x007000|0x001000 >>> gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress|gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize >>> >>> +0x008000|0x001000 >>> +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize >>> + >>> 0x010000|0x010000 >>> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize >>> >>> @@ -87,6 +90,14 @@ [FD.MEMFD] >>> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize >>> FV = DXEFV >>> >>> +########################################################################################## >>> +# Set the SEV-ES specific work area PCDs (used for all forms of SEV since the >>> +# the SEV STATUS MSR is now saved in the work area) >>> +# >>> +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader >>> +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader >>> +########################################################################################## >>> + >>> ################################################################################ >>> >>> [FV.SECFV] >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf >>> index e1638fa6ea38..ccde366887a9 100644 >>> --- a/OvmfPkg/OvmfPkgIa32X64.fdf >>> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf >>> @@ -90,6 +90,14 @@ [FD.MEMFD] >>> gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvBase|gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDxeMemFvSize >>> FV = DXEFV >>> >>> +########################################################################################## >>> +# Set the SEV-ES specific work area PCDs (used for all forms of SEV since the >>> +# the SEV STATUS MSR is now saved in the work area) >>> +# >>> +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader >>> +SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader >>> +########################################################################################## >>> + >>> ################################################################################ >>> >>> [FV.SECFV] >>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf >>> index aa9a83032d9b..438806fba8f1 100644 >>> --- a/OvmfPkg/OvmfPkgX64.fdf >>> +++ b/OvmfPkg/OvmfPkgX64.fdf >>> @@ -106,7 +106,8 @@ [FD.MEMFD] >>> FV = DXEFV >>> >>> ########################################################################################## >>> -# Set the SEV-ES specific work area PCDs >>> +# Set the SEV-ES specific work area PCDs (used for all forms of SEV since the >>> +# the SEV STATUS MSR is now saved in the work area) >>> # >>> SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase = $(MEMFD_BASE_ADDRESS) + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader >>> SET gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaSize = gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaSize - gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader >>> diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm >>> index 864d68385342..9350b0406833 100644 >>> --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm >>> +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm >>> @@ -150,6 +150,8 @@ BITS 32 >>> SevEsUnexpectedRespTerminate: >>> TerminateVmgExit TERM_UNEXPECTED_RESP_CODE >>> >>> +%ifdef ARCH_X64 >>> + >>> ; If SEV-ES is enabled then initialize and make the GHCB page shared >>> SevClearPageEncMaskForGhcbPage: >>> ; Check if SEV is enabled >>> @@ -209,6 +211,8 @@ GetSevCBitMaskAbove31: >>> GetSevCBitMaskAbove31Exit: >>> OneTimeCallRet GetSevCBitMaskAbove31 >>> >>> +%endif >>> + >>> ; Check if Secure Encrypted Virtualization (SEV) features are enabled. >>> ; >>> ; Register usage is tight in this routine, so multiple calls for the >>> diff --git a/OvmfPkg/ResetVector/Main.asm b/OvmfPkg/ResetVector/Main.asm >>> index 5cfc0b5c72b1..46cfa87c4c0a 100644 >>> --- a/OvmfPkg/ResetVector/Main.asm >>> +++ b/OvmfPkg/ResetVector/Main.asm >>> @@ -75,6 +75,12 @@ SearchBfv: >>> >>> %ifdef ARCH_IA32 >>> >>> + ; >>> + ; SEV support can be built and run using the Ia32/X64 split environment. >>> + ; Set the OVMF/SEV work area as appropriate. >>> + ; >>> + OneTimeCall CheckSevFeatures >>> + >>> ; >>> ; Restore initial EAX value into the EAX register >>> ; >>> diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb >>> index 9421f4818907..94fbb0a87b37 100644 >>> --- a/OvmfPkg/ResetVector/ResetVector.nasmb >>> +++ b/OvmfPkg/ResetVector/ResetVector.nasmb >>> @@ -47,7 +47,36 @@ >>> %include "Ia32/SearchForBfvBase.asm" >>> %include "Ia32/SearchForSecEntry.asm" >>> >>> -%define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) >>> +%define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) >>> +%define PT_ADDR(Offset) (FixedPcdGet32 (PcdOvmfSecPageTablesBase) + (Offset)) >>> + >>> +%define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) >>> +%define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) >>> +%define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) >>> +%define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) >>> +%define SEV_ES_WORK_AREA_SIZE 25 >>> +%define SEV_ES_WORK_AREA_STATUS_MSR (FixedPcdGet32 (PcdSevEsWorkAreaBase)) >>> +%define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) >>> +%define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) >>> +%define SEV_ES_WORK_AREA_RECEIVED_VC (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 24) >>> +%define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) >>> +%define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) >>> +%define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) >>> +%define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) >>> +%define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) >>> +%define SNP_SEC_MEM_BASE_DESC_1 (FixedPcdGet32 (PcdOvmfSecPageTablesBase)) >>> +%define SNP_SEC_MEM_SIZE_DESC_1 (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1) >>> +; >>> +; The PcdOvmfSecGhcbBase reserves two GHCB pages. The first page is used >>> +; as GHCB shared page and second is used for bookkeeping to support the >>> +; nested GHCB in SEC phase. The bookkeeping page is mapped private. The VMM >>> +; does not need to validate the shared page but it need to validate the >>> +; bookkeeping page. >>> +; >>> +%define SNP_SEC_MEM_BASE_DESC_2 (GHCB_BASE + 0x1000) >>> +%define SNP_SEC_MEM_SIZE_DESC_2 (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2) >>> +%define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE) >>> +%define SNP_SEC_MEM_SIZE_DESC_3 (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3) >>> >>> %ifdef ARCH_X64 >>> #include >>> @@ -94,43 +123,14 @@ >>> %define TDX_WORK_AREA_PGTBL_READY (FixedPcdGet32 (PcdOvmfWorkAreaBase) + 4) >>> %define TDX_WORK_AREA_GPAW (FixedPcdGet32 (PcdOvmfWorkAreaBase) + 8) >>> >>> - %define PT_ADDR(Offset) (FixedPcdGet32 (PcdOvmfSecPageTablesBase) + (Offset)) >>> + %include "X64/IntelTdxMetadata.asm" >>> + %include "Ia32/Flat32ToFlat64.asm" >>> + %include "Ia32/PageTables64.asm" >>> + %include "Ia32/IntelTdx.asm" >>> + %include "X64/OvmfSevMetadata.asm" >>> +%endif >>> >>> - %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) >>> - %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) >>> - %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) >>> - %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) >>> - %define SEV_ES_WORK_AREA_SIZE 25 >>> - %define SEV_ES_WORK_AREA_STATUS_MSR (FixedPcdGet32 (PcdSevEsWorkAreaBase)) >>> - %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) >>> - %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) >>> - %define SEV_ES_WORK_AREA_RECEIVED_VC (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 24) >>> - %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) >>> - %define SEV_SNP_SECRETS_BASE (FixedPcdGet32 (PcdOvmfSnpSecretsBase)) >>> - %define SEV_SNP_SECRETS_SIZE (FixedPcdGet32 (PcdOvmfSnpSecretsSize)) >>> - %define CPUID_BASE (FixedPcdGet32 (PcdOvmfCpuidBase)) >>> - %define CPUID_SIZE (FixedPcdGet32 (PcdOvmfCpuidSize)) >>> - %define SNP_SEC_MEM_BASE_DESC_1 (FixedPcdGet32 (PcdOvmfSecPageTablesBase)) >>> - %define SNP_SEC_MEM_SIZE_DESC_1 (FixedPcdGet32 (PcdOvmfSecGhcbBase) - SNP_SEC_MEM_BASE_DESC_1) >>> - ; >>> - ; The PcdOvmfSecGhcbBase reserves two GHCB pages. The first page is used >>> - ; as GHCB shared page and second is used for bookkeeping to support the >>> - ; nested GHCB in SEC phase. The bookkeeping page is mapped private. The VMM >>> - ; does not need to validate the shared page but it need to validate the >>> - ; bookkeeping page. >>> - ; >>> - %define SNP_SEC_MEM_BASE_DESC_2 (GHCB_BASE + 0x1000) >>> - %define SNP_SEC_MEM_SIZE_DESC_2 (SEV_SNP_SECRETS_BASE - SNP_SEC_MEM_BASE_DESC_2) >>> - %define SNP_SEC_MEM_BASE_DESC_3 (CPUID_BASE + CPUID_SIZE) >>> - %define SNP_SEC_MEM_SIZE_DESC_3 (FixedPcdGet32 (PcdOvmfPeiMemFvBase) - SNP_SEC_MEM_BASE_DESC_3) >>> - >>> -%include "X64/IntelTdxMetadata.asm" >>> -%include "Ia32/Flat32ToFlat64.asm" >>> %include "Ia32/AmdSev.asm" >>> -%include "Ia32/PageTables64.asm" >>> -%include "Ia32/IntelTdx.asm" >>> -%include "X64/OvmfSevMetadata.asm" >>> -%endif >>> >>> %include "Ia16/Real16ToFlat32.asm" >>> %include "Ia16/Init16.asm"