From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <brijesh.ksingh@gmail.com>
Received: from mail-oi0-x244.google.com (mail-oi0-x244.google.com
 [IPv6:2607:f8b0:4003:c06::244])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 437C221951C82
 for <edk2-devel@lists.01.org>; Tue, 25 Apr 2017 09:36:27 -0700 (PDT)
Received: by mail-oi0-x244.google.com with SMTP id a3so31964800oii.3
 for <edk2-devel@lists.01.org>; Tue, 25 Apr 2017 09:36:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=1CDrr2KdHRuJlk1aIvh6L5gFRgruW+yf7bDWSmlf8dI=;
 b=Zas/IjULJrS8uK1DRQm8If1ocs8djpNZu1Xr9diCKgfgH4HOsDXW00le3dxRpJdeGV
 ORNejhmK0jbzrW+JMv1t+x3jsiQ0c6+ij2Pk4nmJ39wlgDLqRWbqed23e+UMZBQrnSCW
 sjeMXUllae3OK+TML470Wly+DU5yM9Ze5CQREOntiFDum7oX5Psce+0Gj2cGD7mWvKw6
 gwoor79o8SOL7oijusmuGfWCs1KHmByH2mfSINji7niueO2BR/9ogvVU8fQ4OCt669vf
 dXYCjlAg6U/ILhA+dF268K5qD/DnEMImPABNzMjygF0kowURtYeKzBn2iCk4ugIhCFBm
 g6Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=1CDrr2KdHRuJlk1aIvh6L5gFRgruW+yf7bDWSmlf8dI=;
 b=CW9rO82kgprO163KUEZTjyNdwnG5MB0lCE3b8HBkGxojHxn7Hq5dzi6xoXeuZfK2wD
 Kb8/T4GJq2vcLWWn/NUEebgKfXK8Rz4xjRLS4gCJl2ah0AwJX3DwILuBDW05CoH0rt+x
 zYDtV7i1ubIoWn97EnHe5OcV2k4iiOe1MNdeCwRCeOt69XW2znmI6pqB6cvF1RS3Z3tS
 Sw2czBvfu39O1GwSPU435DxLWIQgr1nfxJfP7OqPI8g687UtjIIDWR1Ibmoxzncyhml/
 AZr8CgI3FxIE9Aq3qwNkaNwYLmOUObCkN1BRLi0v3UW96Ata15Xkj+Kyq8FNrIEBSq3v
 ubkw==
X-Gm-Message-State: AN3rC/5KlNdIiQYWodCnFoA73v/cTPqJPFg7OxZ7fMEJfLSHG1vaCi1n
 AGBZdijVacdbJg==
X-Received: by 10.157.14.171 with SMTP id 40mr16805005otj.193.1493138186520;
 Tue, 25 Apr 2017 09:36:26 -0700 (PDT)
Received: from brijesh-build-machine.amd.com ([165.204.77.1])
 by smtp.gmail.com with ESMTPSA id j17sm9666356ota.24.2017.04.25.09.36.25
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Tue, 25 Apr 2017 09:36:26 -0700 (PDT)
From: Brijesh Singh <brijesh.ksingh@gmail.com>
To: edk2-devel@lists.01.org,
	lersek@redhat.com,
	jordan.l.justen@intel.com
Cc: jiewen.yao@intel.com, leo.duran@amd.com, star.zeng@intel.com,
 liming.gao@intel.com, ard.biesheuvel@linaro.org, brijesh.singh@amd.com,
 William.Tambe@amd.com, thomas.lendacky@amd.com
Date: Tue, 25 Apr 2017 12:34:24 -0400
Message-Id: <1493138064-7816-16-git-send-email-brijesh.ksingh@gmail.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1493138064-7816-1-git-send-email-brijesh.ksingh@gmail.com>
References: <1493138064-7816-1-git-send-email-brijesh.ksingh@gmail.com>
Subject: [RFC v3 15/15] OvmfPkg/AmdSevDxe: Add AmdSevDxe driver
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2017 16:36:27 -0000

From: Brijesh Singh <brijesh.singh@amd.com>

When SEV is enabled, the MMIO memory range must be mapped as unencrypted
(i.e C-bit cleared). The patch adds a DXE driver that runs early in boot
and clears the memory encryption attribute from MMIO and NonExistent
memory ranges. By clearing the C-bit from NonExistent memory space will
gurantee that any MMIO adds done later (e.g PciHostBridge) will be
mapped as unencrypted .


Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/OvmfPkgIa32X64.dsc      |  1 +
 OvmfPkg/OvmfPkgX64.dsc          |  1 +
 OvmfPkg/OvmfPkgIa32X64.fdf      |  2 +
 OvmfPkg/OvmfPkgX64.fdf          |  2 +
 OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 43 +++++++++++++
 OvmfPkg/AmdSevDxe/AmdSevDxe.c   | 67 ++++++++++++++++++++
 6 files changed, 116 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index da7b8d398462..311f152fca0a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -805,6 +805,7 @@ [Components.X64]
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
+  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 8bf7cf8e75a6..70f700373f20 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -803,6 +803,7 @@ [Components]
 !endif
 
   OvmfPkg/PlatformDxe/Platform.inf
+  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
   OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 5233314139bc..12871860d001 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -190,6 +190,7 @@ [FV.DXEFV]
 APRIORI DXE {
   INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
   INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+  INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 !if $(SMM_REQUIRE) == FALSE
   INF  OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
 !endif
@@ -351,6 +352,7 @@ [FV.DXEFV]
 INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF  OvmfPkg/PlatformDxe/Platform.inf
+INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
 INF  OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 36150101e784..ae6e66a1c08d 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -190,6 +190,7 @@ [FV.DXEFV]
 APRIORI DXE {
   INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
   INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+  INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 !if $(SMM_REQUIRE) == FALSE
   INF  OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
 !endif
@@ -351,6 +352,7 @@ [FV.DXEFV]
 INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF  OvmfPkg/PlatformDxe/Platform.inf
+INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 
 !if $(SMM_REQUIRE) == TRUE
 INF  OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
new file mode 100644
index 000000000000..633387f6d2c7
--- /dev/null
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
@@ -0,0 +1,43 @@
+#/** @file
+#
+#  AmdSevDxe driver clears the C-bit from MMIO region
+#
+#  Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
+#
+#  This program and the accompanying materials
+#  are licensed and made available under the terms and conditions of the BSD
+#  License which accompanies this distribution.  The full text of the license may
+#  be found at http://opensource.org/licenses/bsd-license.php
+#
+#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+#**/
+
+[Defines]
+  INF_VERSION                    = 1.25
+  BASE_NAME                      = AmdSevDxe
+  FILE_GUID                      = 2ec9da37-ee35-4de9-86c5-6d9a81dc38a7
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = AmdSevDxeEntryPoint
+
+[Sources]
+  AmdSevDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  DebugLib
+  DxeServicesTableLib
+  MemEncryptSevLib
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+  UefiLib
+
+[Depex]
+  TRUE
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
new file mode 100644
index 000000000000..4c863ff604dc
--- /dev/null
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
@@ -0,0 +1,67 @@
+/** @file
+
+  The driver runs early in DXE phase and clears C-bit from MMIO memory space.
+
+  Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
+
+  This program and the accompanying materials
+  are licensed and made available under the terms and conditions of the BSD
+  License which accompanies this distribution.  The full text of the license may
+  be found at http://opensource.org/licenses/bsd-license.php
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <PiDxe.h>
+
+#include <Library/BaseLib.h>
+#include <Library/UefiLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DxeServicesTableLib.h>
+#include <Library/MemEncryptSevLib.h>
+
+EFI_STATUS
+EFIAPI
+AmdSevDxeEntryPoint (
+  IN EFI_HANDLE         ImageHandle,
+  IN EFI_SYSTEM_TABLE   *SystemTable
+  )
+{
+  EFI_GCD_MEMORY_SPACE_DESCRIPTOR  *AllDescMap;
+  UINTN                            NumEntries;
+  UINTN                            Index;
+  EFI_STATUS                       Status;
+
+  //
+  // Do nothing when SEV is not enabled
+  //
+  if (!MemEncryptSevIsEnabled ()) {
+    return EFI_SUCCESS;
+  }
+
+  //
+  // Iterate through the GCD map and clear the C-bit from MMIO and NonExistent
+  // memory space. The NonExistent memory space will be used for mapping the MMIO
+  // space added later (eg PciRootBridge). By clearing both known NonExistent
+  // memory space can gurantee that any MMIO added later will have C-bit cleared.
+  //
+  Status = gDS->GetMemorySpaceMap (&NumEntries, &AllDescMap);
+  if (Status == EFI_SUCCESS) {
+    for (Index = 0; Index < NumEntries; Index++) {
+      CONST EFI_GCD_MEMORY_SPACE_DESCRIPTOR *Desc;
+
+      Desc = &AllDescMap[Index];
+      if (Desc->GcdMemoryType == EfiGcdMemoryTypeMemoryMappedIo ||
+          Desc->GcdMemoryType == EfiGcdMemoryTypeNonExistent) {
+        Status = MemEncryptSevClearPageEncMask (Desc->BaseAddress, EFI_SIZE_TO_PAGES(Desc->Length), FALSE);
+        ASSERT_EFI_ERROR(Status);
+      }
+    }
+  }
+
+  return Status;
+}
-- 
2.7.4