[RFC v3 02/15] OvmfPkg/ResetVector: Set C-bit when building initial page table

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: Brijesh Singh <brijesh.ksingh@gmail.com>
To: edk2-devel@lists.01.org, lersek@redhat.com, jordan.l.justen@intel.com
Cc: jiewen.yao@intel.com, leo.duran@amd.com, star.zeng@intel.com,
	liming.gao@intel.com, ard.biesheuvel@linaro.org,
	brijesh.singh@amd.com, William.Tambe@amd.com,
	thomas.lendacky@amd.com
Subject: [RFC v3 02/15] OvmfPkg/ResetVector: Set C-bit when building initial page table
Date: Tue, 25 Apr 2017 12:34:11 -0400	[thread overview]
Message-ID: <1493138064-7816-3-git-send-email-brijesh.ksingh@gmail.com> (raw)
In-Reply-To: <1493138064-7816-1-git-send-email-brijesh.ksingh@gmail.com>

From: Brijesh Singh <brijesh.singh@amd.com>

SEV guest VMs have the concept of private and shared memory. Private
memory is encrypted with the guest-specific key, while shared memory
may be encrypted with hypervisor key. Certain types of memory (namely
instruction pages and guest page tables) are always treated as private
memory by the hardware. The C-bit in PTE indicate whether the page is
private or shared. The C-bit position for the PTE can be obtained from
CPUID Fn8000_001F[EBX].

When SEV is active, the BIOS is encrypted by the Qemu launch sequence,
we must set the C-bit when building the page table.


Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 OvmfPkg/ResetVector/Ia32/PageTables64.asm | 70 +++++++++++++++++++-
 1 file changed, 69 insertions(+), 1 deletion(-)

diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
index 6201cad1f5dc..3d4b04844cdf 100644
--- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
+++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
@@ -37,9 +37,60 @@ BITS    32
                        PAGE_READ_WRITE + \
                        PAGE_PRESENT)
 
+; Check if Secure Encrypted Virtualization (SEV) feature is enabled
+;
+; If SEV is enabled then EAX will be at least 32
+; If SEV is disabled then EAX will be zero.
+;
+CheckSevFeature:
+    ; CPUID will clobber EBX, ECX, EDX, save these registers
+    push  ebx
+    push  ecx
+    push  edx
+
+    ; Check if we have a valid (0x8000_001F) CPUID leaf
+    mov       eax, 0x80000000
+    cpuid
+
+    ; This check should fail on Intel or Non SEV AMD CPUs and in future if
+    ; Intel CPUs supports this CPUID leaf then we are guranteed to have exact
+    ; same bit definition.
+    cmp       eax, 0x8000001f
+    jl        NoSev
+
+    ; Check for memory encryption feature:
+    ;  CPUID  Fn8000_001F[EAX] - Bit 1
+    ;
+    mov       eax,  0x8000001f
+    cpuid
+    bt        eax, 1
+    jnc       NoSev
+
+    ; Check if memory encryption is enabled
+    ;  MSR_0xC0010131 - Bit 0 (SEV enabled)
+    mov       ecx, 0xc0010131
+    rdmsr
+    bt        eax, 0
+    jnc       NoSev
+
+    ; Get pte bit position to enable memory encryption
+    ; CPUID Fn8000_001F[EBX] - Bits 5:0
+    ;
+    mov       eax, ebx
+    and       eax, 0x3f
+    jmp       SevExit
+
+NoSev:
+    xor       eax, eax
+
+SevExit:
+    pop       edx
+    pop       ecx
+    pop       ebx
+    OneTimeCallRet CheckSevFeature
 
 ;
-; Modified:  EAX, ECX
+; Modified:  EAX, ECX, EDX
 ;
 SetCr3ForPageTables64:
 
@@ -60,18 +111,34 @@ clearPageTablesMemoryLoop:
     mov     dword[ecx * 4 + PT_ADDR (0) - 4], eax
     loop    clearPageTablesMemoryLoop
 
+    OneTimeCall   CheckSevFeature
+    xor     edx, edx
+    test    eax, eax
+    jz      SevNotActive
+
+    ; If SEV is enabled, Memory encryption bit is always above 31
+    sub     eax, 32
+    bts     edx, eax
+
+SevNotActive:
+
     ;
     ; Top level Page Directory Pointers (1 * 512GB entry)
     ;
     mov     dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (4)], edx
 
     ;
     ; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
     ;
     mov     dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x1004)], edx
     mov     dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x100C)], edx
     mov     dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x1014)], edx
     mov     dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
+    mov     dword[PT_ADDR (0x101C)], edx
 
     ;
     ; Page Table Entries (2048 * 2MB entries => 4GB)
@@ -83,6 +150,7 @@ pageTableEntriesLoop:
     shl     eax, 21
     add     eax, PAGE_2M_PDE_ATTR
     mov     [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
+    mov     [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
     loop    pageTableEntriesLoop
 
     ;
-- 
2.7.4

next prev parent reply	other threads:[~2017-04-25 16:36 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-25 16:34 [RFC v3 00/15] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-04-25 16:34 ` [RFC v3 01/15] UefiCpuPkg: Define AMD Memory Encryption specific CPUID and MSR Brijesh Singh
2017-04-25 16:34 ` Brijesh Singh [this message]
2017-04-25 16:34 ` [RFC v3 03/15] OvmfPkg: Update dsc to use IoLib from BaseIoLibIntrinsicSev.inf Brijesh Singh
2017-04-25 16:34 ` [RFC v3 04/15] OvmfPkg/BaseMemcryptSevLib: Add SEV helper library Brijesh Singh
2017-04-25 16:34 ` [RFC v3 05/15] OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled Brijesh Singh
2017-04-25 16:34 ` [RFC v3 06/15] OvmfPkg/DxeBmDmaLib: Import DxeBmDmaLib package Brijesh Singh
2017-04-25 16:34 ` [RFC v3 07/15] OvmfPkg/BmDmaLib: Add SEV support Brijesh Singh
2017-04-25 16:34 ` [RFC v3 08/15] OvmfPkg/QemuFwCfgLib: Provide Pei and Dxe specific library Brijesh Singh
2017-04-25 16:34 ` [RFC v3 09/15] OvmfPkg/QemuFwCfgLib: Prepare for SEV support Brijesh Singh
2017-04-25 16:34 ` [RFC v3 10/15] OvmfPkg/QemuFwCfgLib: Implement SEV internal function for SEC phase Brijesh Singh
2017-04-25 16:34 ` [RFC v3 11/15] OvmfPkg/QemuFwCfgLib: Implement SEV internal functions for PEI phase Brijesh Singh
2017-04-25 16:34 ` [RFC v3 12/15] OvmfPkg/QemuFwCfgLib: Implement SEV internal function for Dxe phase Brijesh Singh
2017-04-25 16:34 ` [RFC v3 13/15] OvmfPkg/QemuFwCfgLib: Add option to dynamic alloc FW_CFG_DMA Access Brijesh Singh
2017-04-25 16:34 ` [RFC v3 14/15] OvmfPkg/QemuFwCfgLib: Add SEV support Brijesh Singh
2017-04-25 16:34 ` [RFC v3 15/15] OvmfPkg/AmdSevDxe: Add AmdSevDxe driver Brijesh Singh

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:6201cad1f5d dfblob:3d4b04844cd )
 OR (
bs:"[RFC v3 02/15] OvmfPkg/ResetVector: Set C-bit when building initial page table" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1493138064-7816-3-git-send-email-brijesh.ksingh@gmail.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox