From: Jordan Justen <jordan.l.justen@intel.com>
To: Brijesh Singh <brijesh.singh@amd.com>, edk2-devel@lists.01.org
Cc: Thomas.Lendacky@amd.com, leo.duran@amd.com,
Brijesh Singh <brijesh.singh@amd.com>,
Laszlo Ersek <lersek@redhat.com>
Subject: Re: [PATCH v6 02/17] OvmfPkg/ResetVector: Set C-bit when building initial page table
Date: Thu, 01 Jun 2017 01:09:42 -0700 [thread overview]
Message-ID: <149630458212.10663.10638866666677653585@jljusten-skl> (raw)
In-Reply-To: <1495809845-32472-3-git-send-email-brijesh.singh@amd.com>
On 2017-05-26 07:43:50, Brijesh Singh wrote:
> SEV guest VMs have the concept of private and shared memory. Private
> memory is encrypted with the guest-specific key, while shared memory
> may be encrypted with hypervisor key. Certain types of memory (namely
> instruction pages and guest page tables) are always treated as private
> memory by the hardware. The C-bit in PTE indicate whether the page is
> private or shared. The C-bit position for the PTE can be obtained from
> CPUID Fn8000_001F[EBX].
>
> When SEV is active, the BIOS is encrypted by the Qemu launch sequence,
> we must set the C-bit when building the page table.
>
>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Tom Lendacky <Thomas.Lendacky@amd.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> ---
> OvmfPkg/ResetVector/Ia32/PageTables64.asm | 70 +++++++++++++++++++-
> 1 file changed, 69 insertions(+), 1 deletion(-)
>
> diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> index 6201cad1f5dc..3d4b04844cdf 100644
> --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm
> @@ -37,9 +37,60 @@ BITS 32
> PAGE_READ_WRITE + \
> PAGE_PRESENT)
>
> +; Check if Secure Encrypted Virtualization (SEV) feature is enabled
> +;
> +; If SEV is enabled then EAX will be at least 32
> +; If SEV is disabled then EAX will be zero.
> +;
> +CheckSevFeature:
> + ; CPUID will clobber EBX, ECX, EDX, save these registers
> + push ebx
> + push ecx
> + push edx
I don't think we have a stack set up in this code, which is why
OneTimeCall/OneTimeCallRet is used. I'm wondering how this is working
at all.
I don't think we have a stack until OvmfPkg/Sec/*/SecEntry.nasm.
More below...
> +
> + ; Check if we have a valid (0x8000_001F) CPUID leaf
> + mov eax, 0x80000000
> + cpuid
> +
> + ; This check should fail on Intel or Non SEV AMD CPUs and in future if
> + ; Intel CPUs supports this CPUID leaf then we are guranteed to have exact
> + ; same bit definition.
> + cmp eax, 0x8000001f
> + jl NoSev
> +
> + ; Check for memory encryption feature:
> + ; CPUID Fn8000_001F[EAX] - Bit 1
> + ;
> + mov eax, 0x8000001f
> + cpuid
> + bt eax, 1
> + jnc NoSev
> +
> + ; Check if memory encryption is enabled
> + ; MSR_0xC0010131 - Bit 0 (SEV enabled)
> + mov ecx, 0xc0010131
> + rdmsr
> + bt eax, 0
> + jnc NoSev
> +
> + ; Get pte bit position to enable memory encryption
> + ; CPUID Fn8000_001F[EBX] - Bits 5:0
> + ;
> + mov eax, ebx
> + and eax, 0x3f
> + jmp SevExit
> +
> +NoSev:
> + xor eax, eax
> +
> +SevExit:
> + pop edx
> + pop ecx
> + pop ebx
> + OneTimeCallRet CheckSevFeature
>
> ;
> -; Modified: EAX, ECX
> +; Modified: EAX, ECX, EDX
Maybe you can add EBX here as well and call CheckSevFeature earlier?
You'd need to make sure we are not trying to preserve anything in
EBX/EDX in the other VTF-0 code that calls this.
If that gets unworkable, then we could setup a tiny temp stack in RAM
near where we are putting the page tables.
-Jordan
> ;
> SetCr3ForPageTables64:
>
> @@ -60,18 +111,34 @@ clearPageTablesMemoryLoop:
> mov dword[ecx * 4 + PT_ADDR (0) - 4], eax
> loop clearPageTablesMemoryLoop
>
> + OneTimeCall CheckSevFeature
> + xor edx, edx
> + test eax, eax
> + jz SevNotActive
> +
> + ; If SEV is enabled, Memory encryption bit is always above 31
> + sub eax, 32
> + bts edx, eax
> +
> +SevNotActive:
> +
> ;
> ; Top level Page Directory Pointers (1 * 512GB entry)
> ;
> mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (4)], edx
>
> ;
> ; Next level Page Directory Pointers (4 * 1GB entries => 4GB)
> ;
> mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x1004)], edx
> mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x100C)], edx
> mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x1014)], edx
> mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR
> + mov dword[PT_ADDR (0x101C)], edx
>
> ;
> ; Page Table Entries (2048 * 2MB entries => 4GB)
> @@ -83,6 +150,7 @@ pageTableEntriesLoop:
> shl eax, 21
> add eax, PAGE_2M_PDE_ATTR
> mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax
> + mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx
> loop pageTableEntriesLoop
>
> ;
> --
> 2.7.4
>
next prev parent reply other threads:[~2017-06-01 8:08 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-26 14:43 [PATCH v6 00/17] x86: Secure Encrypted Virtualization (AMD) Brijesh Singh
2017-05-26 14:43 ` [PATCH v6 01/17] UefiCpuPkg: Define AMD Memory Encryption specific CPUID and MSR Brijesh Singh
2017-05-26 14:43 ` [PATCH v6 02/17] OvmfPkg/ResetVector: Set C-bit when building initial page table Brijesh Singh
2017-06-01 8:09 ` Jordan Justen [this message]
2017-06-01 13:43 ` Brijesh Singh
2017-05-26 14:43 ` [PATCH v6 03/17] OvmfPkg: Update dsc to use IoLib from BaseIoLibIntrinsicSev.inf Brijesh Singh
2017-05-26 14:43 ` [PATCH v6 04/17] OvmfPkg/BaseMemcryptSevLib: Add SEV helper library Brijesh Singh
2017-05-26 20:54 ` Jordan Justen
2017-05-26 21:06 ` Brijesh Singh
2017-05-27 1:26 ` Yao, Jiewen
2017-05-26 14:43 ` [PATCH v6 05/17] OvmfPkg/PlatformPei: Set memory encryption PCD when SEV is enabled Brijesh Singh
2017-05-26 14:43 ` [PATCH v6 06/17] OvmfPkg: Add AmdSevDxe driver Brijesh Singh
2017-05-26 14:43 ` [PATCH v6 07/17] OvmfPkg: Introduce IoMmuAbsent Protocol GUID Brijesh Singh
2017-05-29 9:07 ` Laszlo Ersek
2017-05-26 14:43 ` [PATCH v6 08/17] OvmfPkg: Add PlatformHasIoMmuLib Brijesh Singh
2017-05-29 9:19 ` Laszlo Ersek
2017-05-26 14:43 ` [PATCH v6 09/17] OvmfPkg: Add IoMmuDxe driver Brijesh Singh
2017-05-29 9:28 ` Laszlo Ersek
2017-05-26 14:43 ` [PATCH v6 10/17] OvmfPkg/QemuFwCfgLib: Provide Pei and Dxe specific library Brijesh Singh
2017-05-26 21:49 ` Jordan Justen
2017-05-26 14:43 ` [PATCH v6 11/17] OvmfPkg/QemuFwCfgLib: Prepare for SEV support Brijesh Singh
2017-05-26 14:44 ` [PATCH v6 12/17] OvmfPkg/QemuFwCfgLib: Implement SEV internal function for SEC phase Brijesh Singh
2017-05-26 14:44 ` [PATCH v6 13/17] OvmfPkg/QemuFwCfgLib: Implement SEV internal functions for PEI phase Brijesh Singh
2017-05-26 14:44 ` [PATCH v6 14/17] OvmfPkg/QemuFwCfgLib: Implement SEV internal function for Dxe phase Brijesh Singh
2017-05-29 9:40 ` Laszlo Ersek
2017-05-26 14:44 ` [PATCH v6 15/17] OvmfPkg/QemuFwCfgLib: Add option to dynamic alloc FW_CFG_DMA Access Brijesh Singh
2017-05-26 14:44 ` [PATCH v6 16/17] OvmfPkg/QemuFwCfgLib: Add SEV support Brijesh Singh
2017-05-26 14:44 ` [PATCH v6 17/17] OvmfPkg: update PciHostBridgeDxe to use PlatformHasIoMmuLib Brijesh Singh
2017-05-29 9:47 ` Laszlo Ersek
2017-05-29 12:13 ` Laszlo Ersek
2017-05-26 21:05 ` [PATCH v6 00/17] x86: Secure Encrypted Virtualization (AMD) Jordan Justen
2017-05-29 11:16 ` Laszlo Ersek
2017-05-29 20:38 ` Jordan Justen
2017-05-29 21:59 ` Brijesh Singh
2017-06-01 7:40 ` Jordan Justen
2017-06-01 9:10 ` Laszlo Ersek
2017-06-01 13:48 ` Andrew Fish
2017-06-01 14:56 ` Laszlo Ersek
2017-06-01 15:01 ` Brijesh Singh
2017-06-01 15:37 ` Andrew Fish
2017-06-05 21:56 ` Brijesh Singh
2017-06-06 1:12 ` Jordan Justen
2017-06-06 2:08 ` Zeng, Star
2017-06-06 3:50 ` Brijesh Singh
2017-06-06 14:54 ` Yao, Jiewen
2017-06-06 15:24 ` Andrew Fish
2017-06-06 15:43 ` Yao, Jiewen
2017-06-06 15:54 ` Duran, Leo
2017-06-06 18:39 ` Laszlo Ersek
2017-06-06 18:38 ` Laszlo Ersek
2017-06-06 18:29 ` Laszlo Ersek
2017-06-06 18:57 ` Duran, Leo
2017-07-05 22:31 ` Brijesh Singh
2017-07-05 23:38 ` Laszlo Ersek
2017-07-06 13:37 ` Brijesh Singh
2017-07-06 16:45 ` Jordan Justen
2017-07-06 20:11 ` Brijesh Singh
2017-07-06 20:40 ` Laszlo Ersek
2017-07-06 21:42 ` Jordan Justen
2017-07-06 21:44 ` Duran, Leo
2017-07-06 21:46 ` Andrew Fish
2017-07-06 21:49 ` Duran, Leo
2017-07-07 5:28 ` Jordan Justen
2017-07-07 18:29 ` Brijesh Singh
2017-07-07 23:10 ` Jordan Justen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=149630458212.10663.10638866666677653585@jljusten-skl \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox