From: Jordan Justen <jordan.l.justen@intel.com>
To: Brijesh Singh <brijesh.ksingh@gmail.com>,
edk2-devel@lists.01.org, lersek@redhat.com
Cc: Thomas.Lendacky@amd.com, leo.duran@amd.com, brijesh.sing@amd.com
Subject: Re: [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active
Date: Wed, 08 Mar 2017 10:38:15 -0800 [thread overview]
Message-ID: <148899829524.16179.6226467722763003659@jljusten-skl> (raw)
In-Reply-To: <148884285589.29188.3336162059588227554.stgit@brijesh-build-machine>
On 2017-03-06 15:27:35, Brijesh Singh wrote:
> SEV guest VMs have the concept of private and shared memory. Private
> memory is encrypted with the guest-specific key, while shared memory
> may be encrypted with hypervisor key. The C-bit (encryption attribute)
> in PTE indicates whether the page is private or shared.
>
> If SEV is active, set the memory encryption attribute while building
> the page table.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> ---
> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 52 +++++++++++++++++++++++++++++
> 1 file changed, 52 insertions(+)
>
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> index 6201cad..eaf9732 100644
> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> @@ -26,6 +26,7 @@ BITS 32
> %define PAGE_GLOBAL 0x0100
> %define PAGE_2M_MBO 0x080
> %define PAGE_2M_PAT 0x01000
> +%define KVM_FEATURE_SEV 0x08
>
> %define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \
> PAGE_ACCESSED + \
> @@ -37,6 +38,33 @@ BITS 32
> PAGE_READ_WRITE + \
> PAGE_PRESENT)
>
> +; Check if Secure Encrypted Virtualization (SEV) feature
> +; is enabled in KVM
> +;
> +; If SEV is enabled, then EAX will contain Memory encryption bit position
> +;
> +CheckKVMSEVFeature:
Code style would be CheckKvmSevFeature.
-Jordan
> + ; Check for SEV feature
> + ; CPUID KVM_FEATURE - Bit 8
> + mov eax, 0x40000001
> + cpuid
> + bt eax, KVM_FEATURE_SEV
> + jnc NoSev
> +
> + ; Get memory encryption information
> + ; CPUID Fn8000_001F[EBX] - Bits 5:0
> + ;
> + mov eax, 0x8000001f
> + cpuid
> + mov eax, ebx
> + and eax, 0x3f
> + jmp SevExit
> +
> +NoSev:
> + xor eax, eax
> +
> +SevExit:
> + OneTimeCallRet CheckKVMSEVFeature
>
> ;
> ; Modified: EAX, ECX
> @@ -60,18 +88,41 @@ clearPageTablesMemoryLoop:
> mov dword[ecx * 4 + PT_ADDR (0) - 4], eax
> loop clearPageTablesMemoryLoop
>
> + ; Check if it SEV-enabled Guest
> + ;
> + OneTimeCall CheckKVMSEVFeature
> + xor edx, edx
> + test eax, eax
> + jz SevNotActive
> +
> + ; If SEV is enabled, Memory encryption bit is always above 31
> + mov ebx, 32
> + sub ebx, eax
> + bts edx, eax
> +
> +SevNotActive:
> +
> + ;
> ;
> ; Top level Page Directory Pointers (1 * 512GB entry)
> ;
> + ; edx contain the memory encryption bit mask, must be applied
> + ; to upper 31 bit on 64-bit address
> + ;
> mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (4)], edx
>
> ;
> ; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
> ;
> mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x1004)], edx
> mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x100C)], edx
> mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x1004)], edx
> mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x100C)], edx
>
> ;
> ; Page Table Entries (2048 * 2MB entries => 4GB)
> @@ -83,6 +134,7 @@ pageTableEntriesLoop:
> shl eax, 21
> add eax, PAGE_2M_PDE_ATTR
> mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
> + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
> loop pageTableEntriesLoop
>
> ;
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
next prev parent reply other threads:[~2017-03-08 18:38 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-06 23:27 [RFC PATCH v1 0/5] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-03-06 23:27 ` [RFC PATCH v1 1/5] OvmfPkg/ResetVector: Set memory encryption when SEV is active Brijesh Singh
[not found] ` <3ec1cf2d-952d-97fa-108d-a6c70e613277@amd.com>
2017-03-07 16:34 ` Brijesh Singh
2017-03-07 16:35 ` Laszlo Ersek
2017-03-08 18:38 ` Jordan Justen [this message]
2017-03-08 18:42 ` Brijesh Singh
2017-03-06 23:27 ` [RFC PATCH v1 2/5] OvmfPkg/MemcryptSevLib: Add SEV helper library Brijesh Singh
2017-03-07 17:06 ` Laszlo Ersek
2017-03-07 19:14 ` Brijesh Singh
2017-03-07 22:08 ` Laszlo Ersek
2017-03-07 22:36 ` Brijesh Singh
2017-03-08 8:40 ` Laszlo Ersek
2017-03-17 2:02 ` Brijesh Singh
2017-03-17 10:29 ` Laszlo Ersek
2017-03-17 14:08 ` Brijesh Singh
2017-03-08 14:56 ` Duran, Leo
2017-03-08 15:19 ` Laszlo Ersek
2017-03-06 23:27 ` [RFC PATCH v1 3/5] OvmfPkg/PlatformPei: Initialize SEV support Brijesh Singh
2017-03-07 17:08 ` Laszlo Ersek
2017-03-07 19:17 ` Brijesh Singh
2017-03-06 23:27 ` [RFC PATCH v1 4/5] OvmfPkg/BaseIoLibIntrinsic: import BaseIoLibIntrinsic package Brijesh Singh
2017-03-07 17:20 ` Laszlo Ersek
2017-03-07 20:06 ` Jordan Justen
2017-03-07 22:18 ` Laszlo Ersek
2017-03-08 15:41 ` Gao, Liming
2017-03-08 16:26 ` Brijesh Singh
2017-03-09 1:43 ` Gao, Liming
2017-03-08 18:58 ` Jordan Justen
2017-03-09 1:48 ` Gao, Liming
2017-03-09 15:36 ` Duran, Leo
2017-03-09 16:36 ` Laszlo Ersek
2017-03-06 23:28 ` [RFC PATCH v1 5/5] OvmfPkg/BaseIoLibIntrinsic: Unroll String I/O when SEV is active Brijesh Singh
[not found] ` <5a66f334-27e1-3b49-150e-c01209ecb2f6@amd.com>
2017-03-07 18:43 ` Brijesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=148899829524.16179.6226467722763003659@jljusten-skl \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox