From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-it0-x241.google.com (mail-it0-x241.google.com [IPv6:2607:f8b0:4001:c0b::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id B3B0980333 for ; Mon, 6 Mar 2017 15:27:37 -0800 (PST) Received: by mail-it0-x241.google.com with SMTP id w185so11363317ita.3 for ; Mon, 06 Mar 2017 15:27:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:cc:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=NhFE9VUwdBHZlRBOozeZMhxftUbqETgHBmjfPRfJVPw=; b=D1jWM3vlxZLRZPnJDbLZqu+m8a54QlSzQMzRlgp3VOMJKClmIJWUvBUvhpy0S6VzsE NeQQ8AWORk/0tucXzIpTkU7Ehp2EOkbB4OMo/Ms9cIWvXi0DjacxRKLL4Jn6NIUzWGZA zULe3woTxBSIz2fN311p5ZZErdqPVSgvqBKz2sq16MmR3y9QOJ9fFXYVHkoP4CDxtrF4 NTidn6bVAflOtxahi+hK5kp4Mc0/7B0r0APXWU8KPpg7Ca7nvtWNRR/RkgR+ZkZL3uvp 5PHlX0XR9hUgPLcUGPANE/i/IVBN//yejhF2KiP/OUagNPOgA0JtJlgoFSlDQWQwXy3y o7rw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:cc:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=NhFE9VUwdBHZlRBOozeZMhxftUbqETgHBmjfPRfJVPw=; b=BGsDvmmU3VVGbqcqqye0nFmbZOYJGdu8UIg/1Kdir2236oaGapKQHOvz3YB08DeOOM rUkNqVpLqwhgSRn5/T6a2ldyMrB0LYJsD7Dl24tVRAOJdAfGsFBd1t71bFghap16PJ6/ nB/+PIR3mMuNTaZQvVqxw5CmScwNMoQ1yDHDoBBYO7Cgt+DXDDPR2TvYrlvLCzjKvjWC QkRGfSmI276B7f5XLJdvne25pZmTrJg1+L5Mijr5wM60TeF8YFIodwAcZ/lJ4Z8wnpoH Vu8TPlNjRXC4Q2VJDBAmevHiSX7Lz0KGzLbiXEK/P1wj5HphiluDY41vhGKb8fGFszet A+sQ== X-Gm-Message-State: AMke39lHtoYJT3i4PmCLBKT0XhyOmFxJDoAMUj7thBVkt9QPzUg9Omg9EJQs7oFmvab1DQ== X-Received: by 10.36.91.67 with SMTP id g64mr15943269itb.20.1488842857086; Mon, 06 Mar 2017 15:27:37 -0800 (PST) Received: from [127.0.1.1] ([165.204.77.1]) by smtp.gmail.com with ESMTPSA id b15sm9337856ioj.34.2017.03.06.15.27.36 
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Mar 2017 15:27:36 -0800 (PST) From: Brijesh Singh X-Google-Original-From: Brijesh Singh To: jordan.l.justen@intel.com, edk2-devel@ml01.01.org, lersek@redhat.com Cc: Thomas.Lendacky@amd.com, leo.duran@amd.com, brijesh.sing@amd.com Date: Mon, 06 Mar 2017 18:27:35 -0500 Message-ID: <148884285589.29188.3336162059588227554.stgit@brijesh-build-machine> In-Reply-To: <148884284887.29188.7643544710695103939.stgit@brijesh-build-machine> References: <148884284887.29188.7643544710695103939.stgit@brijesh-build-machine> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Subject: [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Mar 2017 23:27:37 -0000 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit SEV guest VMs have the concept of private and shared memory. Private memory is encrypted with the guest-specific key, while shared memory may be encrypted with hypervisor key. The C-bit (encryption attribute) in PTE indicates whether the page is private or shared. If SEV is active, set the memory encryption attribute while building the page table. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 +++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm index 6201cad..eaf9732 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm 
@@ -26,6 +26,7 @@ BITS 32 %define PAGE_GLOBAL 0x0100 %define PAGE_2M_MBO 0x080 %define PAGE_2M_PAT 0x01000 +%define KVM_FEATURE_SEV 0x08 %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \ PAGE_ACCESSED + \ @@ -37,6 +38,33 @@ BITS 32 PAGE_READ_WRITE + \ PAGE_PRESENT) +; Check if Secure Encrypted Virtualization (SEV) feature +; is enabled in KVM +; +; If SEV is enabled, then EAX will contain Memory encryption bit position +; +CheckKVMSEVFeature: + ; Check for SEV feature + ; CPUID KVM_FEATURE - Bit 8 + mov eax, 0x40000001 + cpuid + bt eax, KVM_FEATURE_SEV + jnc NoSev + + ; Get memory encryption information + ; CPUID Fn8000_001F[EBX] - Bits 5:0 + ; + mov eax, 0x8000001f + cpuid + mov eax, ebx + and eax, 0x3f + jmp SevExit + +NoSev: + xor eax, eax + +SevExit: + OneTimeCallRet CheckKVMSEVFeature ; ; Modified: EAX, ECX @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop: mov dword[ecx * 4 + PT_ADDR (0) - 4], eax loop clearPageTablesMemoryLoop + ; Check if it SEV-enabled Guest + ; + OneTimeCall CheckKVMSEVFeature + xor edx, edx + test eax, eax + jz SevNotActive + + ; If SEV is enabled, Memory encryption bit is always above 31 + mov ebx, 32 + sub ebx, eax + bts edx, eax + +SevNotActive: + + ; ; ; Top level Page Directory Pointers (1 * 512GB entry) ; + ; edx contain the memory encryption bit mask, must be applied + ; to upper 31 bit on 64-bit address + ; mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR + mov dword[PT_ADDR (4)], edx ; ; Next level Page Directory Pointers (4 * 1GB entries => 4GB) ; mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR + mov dword[PT_ADDR (0x1004)], edx mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR + mov dword[PT_ADDR (0x100C)], edx mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR + mov dword[PT_ADDR (0x1004)], edx mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR + mov dword[PT_ADDR (0x100C)], edx ; ; Page Table Entries (2048 * 2MB entries => 4GB) 
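Review bot: CheckKVMSEVFeature in the second hunk issues CPUID leaves 0x40000001 and 0x8000001f without checking that either leaf exists — nothing confirms that the hypervisor-signature leaf 0x40000000 identifies KVM, or that CPUID 0x80000000 reports a maximum extended leaf of at least 0x8000001f. On a hypervisor or CPU that does not implement these leaves the returned EAX/EBX values are implementation-defined, so bit 8 or a non-zero EBX[5:0] could be read by accident and every page-table entry would then carry a bogus encryption bit; the effect is a guest that fails to boot rather than a data leak, but it is still worth a guard such as `mov eax, 0x80000000` / `cpuid` / `cmp eax, 0x8000001f` / `jb NoSev` before the Fn8000_001F query. The routine's header comment documents only EAX as an output, while `cpuid` also overwrites EBX, ECX and EDX; add `; Modified: EAX, EBX, ECX, EDX` to the header so the caller knows which registers it loses.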
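Review bot: In the third hunk the upper-dword stores for the third and fourth 1GB PDP entries reuse offsets 0x1004 and 0x100C instead of 0x1014 and 0x101C, so the entries at PT_ADDR (0x1010) and PT_ADDR (0x1018) never receive the encryption bit while the first two are written twice; the page tables at PT_ADDR (0x4000) and PT_ADDR (0x5000) would then be walked as shared (unencrypted) pages, which under SEV means their contents are neither protected from the host nor read back as the guest wrote them. Change the two duplicated lines to `mov dword[PT_ADDR (0x1014)], edx` and `mov dword[PT_ADDR (0x101C)], edx`. Separately, `mov ebx, 32` / `sub ebx, eax` computes a value that nothing reads: `bts edx, eax` only yields the right bit because the register form of BTS takes the bit offset modulo 32, so either drop the two lines (and leave EBX untouched) or make the intent explicit with `sub eax, 32` before the `bts`. The `; Modified: EAX, ECX` header visible at the end of the previous hunk is now stale, since this code writes EBX and EDX and relies on EDX staying live through the 2MB loop in the last hunk.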
@@ -83,6 +134,7 @@ pageTableEntriesLoop: shl eax, 21 add eax, PAGE_2M_PDE_ATTR mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx loop pageTableEntriesLoop ;
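Review bot: The new store relies on EDX still holding the encryption mask that was computed before the PDP writes, well above this loop; nothing in the loop body shown here touches EDX, but the dependency is invisible at this point and a comment at the loop head such as `; edx = C-bit mask for the upper dword, set up after clearPageTablesMemoryLoop` would keep a later edit from silently breaking it. Note also that this marks every 2MB page in the first 4GB as private, with no carve-out for MMIO or other hypervisor-shared ranges; if the firmware later needs to access such ranges with the hypervisor, the C-bit has to be cleared for them explicitly, which this patch does not address (presumably deferred to a later patch in the series).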