From: Brijesh Singh <brijesh.singh@amd.com>
To: <edk2-devel@lists.01.org>, <lersek@redhat.com>,
<jordan.l.justen@intel.com>
Cc: <Thomas.Lendacky@amd.com>, <leo.duran@amd.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Jiewen Yao <jiewen.yao@intel.com>
Subject: [PATCH v5 06/14] OvmfPkg:AmdSevDxe: Add AmdSevDxe driver
Date: Mon, 22 May 2017 11:23:04 -0400 [thread overview]
Message-ID: <1495466592-21641-7-git-send-email-brijesh.singh@amd.com> (raw)
In-Reply-To: <1495466592-21641-1-git-send-email-brijesh.singh@amd.com>
When SEV is enabled, the MMIO memory range must be mapped as unencrypted
(i.e C-bit cleared).
We need to clear the C-bit for MMIO GCD entries in order to cover the
ranges that were added during the PEI phase (through memory resource
descriptor HOBs). Additionally, the NonExistent ranges are processed
in order to cover, in advance, MMIO ranges added later in the DXE phase
by various device drivers, via the appropriate DXE memory space services.
The approach is not transparent for later addition of system memory ranges
to the GCD memory space map. (Such ranges should be encrypted.) OVMF does
not do such a thing at the moment, so this approach should be OK.
The driver is being added to the APRIORI DXE file so that, we clear the
C-bit from MMIO regions before any driver accesses it.
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Leo Duran <leo.duran@amd.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Suggested-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
---
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.fdf | 2 +
OvmfPkg/OvmfPkgX64.fdf | 2 +
OvmfPkg/AmdSevDxe/AmdSevDxe.inf | 43 ++++++++++++
OvmfPkg/AmdSevDxe/AmdSevDxe.c | 71 ++++++++++++++++++++
6 files changed, 120 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index ef245635224c..daf2faadea35 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -822,6 +822,7 @@ [Components.X64]
!endif
OvmfPkg/PlatformDxe/Platform.inf
+ OvmfPkg/AmdSevDxe/AmdSevDxe.inf
!if $(SMM_REQUIRE) == TRUE
OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 0a693f2772a7..6189088da86c 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -820,6 +820,7 @@ [Components]
!endif
OvmfPkg/PlatformDxe/Platform.inf
+ OvmfPkg/AmdSevDxe/AmdSevDxe.inf
!if $(SMM_REQUIRE) == TRUE
OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 5233314139bc..12871860d001 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -190,6 +190,7 @@ [FV.DXEFV]
APRIORI DXE {
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
!if $(SMM_REQUIRE) == FALSE
INF OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
!endif
@@ -351,6 +352,7 @@ [FV.DXEFV]
INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
INF OvmfPkg/PlatformDxe/Platform.inf
+INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
!if $(SMM_REQUIRE) == TRUE
INF OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 36150101e784..ae6e66a1c08d 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -190,6 +190,7 @@ [FV.DXEFV]
APRIORI DXE {
INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
!if $(SMM_REQUIRE) == FALSE
INF OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
!endif
@@ -351,6 +352,7 @@ [FV.DXEFV]
INF OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
INF OvmfPkg/PlatformDxe/Platform.inf
+INF OvmfPkg/AmdSevDxe/AmdSevDxe.inf
!if $(SMM_REQUIRE) == TRUE
INF OvmfPkg/SmmAccess/SmmAccess2Dxe.inf
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
new file mode 100644
index 000000000000..41635a57a454
--- /dev/null
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
@@ -0,0 +1,43 @@
+#/** @file
+#
+# Driver clears the encryption attribute from MMIO regions when SEV is enabled
+#
+# Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD
+# License which accompanies this distribution. The full text of the license may
+# be found at http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+#**/
+
+[Defines]
+ INF_VERSION = 1.25
+ BASE_NAME = AmdSevDxe
+ FILE_GUID = 2ec9da37-ee35-4de9-86c5-6d9a81dc38a7
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = AmdSevDxeEntryPoint
+
+[Sources]
+ AmdSevDxe.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ UefiLib
+ UefiDriverEntryPoint
+ UefiBootServicesTableLib
+ DxeServicesTableLib
+ DebugLib
+ MemEncryptSevLib
+
+[Depex]
+ TRUE
diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
new file mode 100644
index 000000000000..c483ae1419fd
--- /dev/null
+++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
@@ -0,0 +1,71 @@
+/** @file
+
+ AMD Sev Dxe driver. The driver runs in APRIORI phase and clears C-bit from
+ MMIO and NonExistent Memory space when SEV is enabled.
+
+ Copyright (c) 2017, AMD Inc. All rights reserved.<BR>
+
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD
+ License which accompanies this distribution. The full text of the license may
+ be found at http://opensource.org/licenses/bsd-license.php
+
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <PiDxe.h>
+
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DxeServicesTableLib.h>
+#include <Library/MemEncryptSevLib.h>
+
+EFI_STATUS
+EFIAPI
+AmdSevDxeEntryPoint (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ EFI_GCD_MEMORY_SPACE_DESCRIPTOR *AllDescMap;
+ UINTN NumEntries;
+ UINTN Index;
+
+ //
+ // Do nothing when SEV is not enabled
+ //
+ if (!MemEncryptSevIsEnabled ()) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // Iterate through the GCD map and clear the C-bit from MMIO and NonExistent
+ // memory space. The NonExistent memory space will be used for mapping the MMIO
+ // space added later (eg PciRootBridge). By clearing both known MMIO and NonExistent
+ // memory space can gurantee that current and furture MMIO adds will have
+ // C-bit cleared.
+ //
+ Status = gDS->GetMemorySpaceMap (&NumEntries, &AllDescMap);
+ if (Status == EFI_SUCCESS) {
+ for (Index = 0; Index < NumEntries; Index++) {
+ CONST EFI_GCD_MEMORY_SPACE_DESCRIPTOR *Desc;
+
+ Desc = &AllDescMap[Index];
+ if (Desc->GcdMemoryType == EfiGcdMemoryTypeMemoryMappedIo ||
+ Desc->GcdMemoryType == EfiGcdMemoryTypeNonExistent) {
+ Status = MemEncryptSevClearPageEncMask (0, Desc->BaseAddress, EFI_SIZE_TO_PAGES(Desc->Length), FALSE);
+ ASSERT_EFI_ERROR(Status);
+ }
+ }
+
+ FreePool (AllDescMap);
+ }
+
+ return EFI_SUCCESS;
+}
--
2.7.4
next prev parent reply other threads:[~2017-05-22 15:23 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-22 15:22 [PATCH v5 00/14] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-05-22 15:22 ` [PATCH v5 01/14] UefiCpuPkg: Define AMD Memory Encryption specific CPUID and MSR Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 02/14] OvmfPkg/ResetVector: Set C-bit when building initial page table Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 03/14] OvmfPkg: Update dsc to use IoLib from BaseIoLibIntrinsicSev.inf Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 04/14] OvmfPkg/BaseMemcryptSevLib: Add SEV helper library Brijesh Singh
2017-05-24 13:06 ` Laszlo Ersek
2017-05-24 13:23 ` Brijesh Singh
2017-05-24 22:12 ` Brijesh Singh
2017-05-25 15:10 ` Laszlo Ersek
2017-05-25 18:23 ` Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 05/14] OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled Brijesh Singh
2017-05-22 15:23 ` Brijesh Singh [this message]
2017-05-24 14:17 ` [PATCH v5 06/14] OvmfPkg:AmdSevDxe: Add AmdSevDxe driver Laszlo Ersek
2017-05-22 15:23 ` [PATCH v5 07/14] OvmfPkg:IoMmuDxe: Add IoMmuDxe driver Brijesh Singh
2017-05-24 15:09 ` Laszlo Ersek
2017-05-25 17:58 ` Laszlo Ersek
2017-05-25 18:56 ` Jordan Justen
2017-05-25 19:58 ` Laszlo Ersek
2017-05-22 15:23 ` [PATCH v5 08/14] OvmfPkg/QemuFwCfgLib: Provide Pei and Dxe specific library Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 09/14] OvmfPkg/QemuFwCfgLib: Prepare for SEV support Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 10/14] OvmfPkg/QemuFwCfgLib: Implement SEV internal function for SEC phase Brijesh Singh
2017-05-24 13:17 ` Laszlo Ersek
2017-05-22 15:23 ` [PATCH v5 11/14] OvmfPkg/QemuFwCfgLib: Implement SEV internal functions for PEI phase Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 12/14] OvmfPkg/QemuFwCfgLib: Implement SEV internal function for Dxe phase Brijesh Singh
2017-05-24 13:45 ` Laszlo Ersek
2017-05-22 15:23 ` [PATCH v5 13/14] OvmfPkg/QemuFwCfgLib: Add option to dynamic alloc FW_CFG_DMA Access Brijesh Singh
2017-05-22 15:23 ` [PATCH v5 14/14] OvmfPkg/QemuFwCfgLib: Add SEV support Brijesh Singh
2017-05-24 13:55 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1495466592-21641-7-git-send-email-brijesh.singh@amd.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox