From: "Lendacky, Thomas" <thomas.lendacky@amd.com>
To: Ashish Kalra <Ashish.Kalra@amd.com>, devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, brijesh.singh@amd.com,
	tobin@ibm.com, jejb@linux.ibm.com, jordan.l.justen@intel.com,
	ard.biesheuvel@arm.com, erdemaktas@google.com,
	jiewen.yao@intel.com, min.m.xu@intel.com
Subject: Re: [PATCH v6 1/6] OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature.
Date: Mon, 9 Aug 2021 08:41:27 -0500	[thread overview]
Message-ID: <172fa9d6-6edb-41b1-c827-03b04d964469@amd.com> (raw)
In-Reply-To: <812023de6c20a9d8fc62a561cedefb93640effab.1627906232.git.ashish.kalra@amd.com>

On 8/2/21 7:31 AM, Ashish Kalra wrote:
> From: Ashish Kalra <ashish.kalra@amd.com>
> 
> Add support to check if we are running inside KVM HVM and
> KVM HVM supports SEV Live Migration feature.
> 
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
> ---
>  OvmfPkg/Include/Library/MemEncryptSevLib.h                            | 27 ++++++++++
>  OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c    | 39 +++++++++++++++
>  OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c | 52 ++++++++++++++++++++
>  OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c    | 39 +++++++++++++++
>  OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c    | 18 +++++++
>  5 files changed, 175 insertions(+)
> 
> diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> index 76d06c206c..59f694fb8a 100644
> --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h
> +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h
> @@ -90,6 +90,18 @@ MemEncryptSevIsEnabled (
>    VOID
>    );
>  
> +/**
> +  Returns a boolean to indicate whether SEV live migration is enabled.
> +
> +  @retval TRUE           SEV live migration is enabled
> +  @retval FALSE          SEV live migration is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevLiveMigrationIsEnabled (
> +  VOID
> +  );
> +
>  /**
>    This function clears memory encryption bit for the memory region specified by
>    BaseAddress and NumPages from the current page table context.
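Review bot: The doc comment on `MemEncryptSevLiveMigrationIsEnabled` says live migration "is enabled", but in the Dxe and Pei implementations later in this patch the value is TRUE whenever the KVM CPUID feature bit `KVM_FEATURE_MIGRATION_CONTROL` is reported, and nothing in the function itself checks that SEV is active. Those CPUID leaves are filled in by the hypervisor, which an SEV guest does not trust, so callers should read the result as "the host advertises the feature" rather than as a guest-verified state. I would reword the TRUE case to `@retval TRUE  The hypervisor advertises SEV live migration support via CPUID` and add a sentence that the result is cached after the first call and is always FALSE in SEC. The same comment block is repeated above the definitions in DxeMemEncryptSevLibInternal.c, PeiMemEncryptSevLibInternal.c and SecMemEncryptSevLibInternal.c.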
> @@ -222,4 +234,19 @@ MemEncryptSevClearMmioPageEncMask (
>    IN UINTN                    NumPages
>    );
>  
> +#define KVM_FEATURE_MIGRATION_CONTROL   BIT17
> +
> +/**
> +  Figures out if we are running inside KVM HVM and
> +  KVM HVM supports SEV Live Migration feature.
> +
> +  @retval TRUE           SEV live migration is supported.
> +  @retval FALSE          SEV live migration is not supported.
> +**/
> +BOOLEAN
> +EFIAPI
> +KvmDetectSevLiveMigrationFeature(
> +  VOID
> +  );
> +

I don't think KvmDetectSevLiveMigrationFeature() should be in
OvmfPkg/Include/Library/MemEncryptSevLib.h since it isn't called except as
a helper by InternalDetectSevLiveMigrationFeature(). You should probably
create a new PeiDxeMemEncryptSevLibInternal.h header file for that
function that lives in OvmfPkg/Library/BaseMemEncryptSevLib.

>  #endif // _MEM_ENCRYPT_SEV_LIB_H_
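Review bot: `KVM_FEATURE_MIGRATION_CONTROL` is defined without a comment saying which register it is a bit of, and a bare `BIT17` is easy to test against the wrong CPUID output. From its use in PeiDxeMemEncryptSevLibInternal.c it is a bit in EAX of the leaf that follows the KVM signature leaf. A comment above the define, such as `// EAX bit of the KVM CPUID features leaf (signature leaf + 1): migration control is available`, would record that.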
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> index 2816f859a0..ead754cd7b 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLibInternal.c
> @@ -20,6 +20,8 @@
>  STATIC BOOLEAN mSevStatus = FALSE;
>  STATIC BOOLEAN mSevEsStatus = FALSE;
>  STATIC BOOLEAN mSevStatusChecked = FALSE;
> +STATIC BOOLEAN mSevLiveMigrationStatus = FALSE;
> +STATIC BOOLEAN mSevLiveMigrationStatusChecked = FALSE;
>  
>  STATIC UINT64  mSevEncryptionMask = 0;
>  STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
> @@ -87,6 +89,24 @@ InternalMemEncryptSevStatus (
>    mSevStatusChecked = TRUE;
>  }
>  
> +/**
> +  Figures out if we are running inside KVM HVM and
> +  KVM HVM supports SEV Live Migration feature.
> +**/
> +STATIC
> +VOID
> +EFIAPI
> +InternalDetectSevLiveMigrationFeature(
> +  VOID
> +  )
> +{
> +  if (KvmDetectSevLiveMigrationFeature()) {

Add a space before the "()"

> +        mSevLiveMigrationStatus = TRUE;
> +  }
> +
> +  mSevLiveMigrationStatusChecked = TRUE;
> +}
> +
>  /**
>    Returns a boolean to indicate whether SEV-ES is enabled.
>  
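Review bot: In `InternalDetectSevLiveMigrationFeature` the assignment `mSevLiveMigrationStatus = TRUE;` is indented eight spaces, while the otherwise identical copy in PeiMemEncryptSevLibInternal.c has it at four. The `if` is also unnecessary because the helper already returns a BOOLEAN, so the body can be `mSevLiveMigrationStatus = KvmDetectSevLiveMigrationFeature ();` followed by the existing `mSevLiveMigrationStatusChecked = TRUE;`. The doc comment is copied from the helper and omits what this wrapper adds; a line such as `Caches the result in mSevLiveMigrationStatus and sets mSevLiveMigrationStatusChecked.` would cover it in both files.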
> @@ -125,6 +145,25 @@ MemEncryptSevIsEnabled (
>    return mSevStatus;
>  }
>  
> +/**
> +  Returns a boolean to indicate whether SEV live migration is enabled.
> +
> +  @retval TRUE           SEV live migration is enabled
> +  @retval FALSE          SEV live migration is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevLiveMigrationIsEnabled (
> +  VOID
> +  )
> +{
> +  if (!mSevLiveMigrationStatusChecked) {
> +    InternalDetectSevLiveMigrationFeature ();
> +  }
> +
> +  return mSevLiveMigrationStatus;
> +}
> +
>  /**
>    Returns the SEV encryption mask.
>  
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c
> index b4a9f464e2..d7fc973134 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiDxeMemEncryptSevLibInternal.c
> @@ -61,3 +61,55 @@ MemEncryptSevLocateInitialSmramSaveStateMapPages (
>  
>    return RETURN_SUCCESS;
>  }
> +
> +/**
> +  Figures out if we are running inside KVM HVM and
> +  KVM HVM supports SEV Live Migration feature.
> +
> +  @retval TRUE           SEV live migration is supported.
> +  @retval FALSE          SEV live migration is not supported.
> +**/
> +BOOLEAN
> +EFIAPI
> +KvmDetectSevLiveMigrationFeature(

Add a space before the "("

> +  VOID
> +  )
> +{
> +  CHAR8 Signature[13];
> +  UINT32 mKvmLeaf;
> +  UINT32 RegEax, RegEbx, RegEcx, RegEdx;

Coding style requires these to be four separate declarations.

> +
> +  Signature[12] = '\0';
> +  for (mKvmLeaf = 0x40000000; mKvmLeaf < 0x40010000; mKvmLeaf += 0x100) {

I still really don't understand the need for the CPUID loop. KVM only ever
programs CPUID function 0x40000000, right?

> +    AsmCpuid (
> +      mKvmLeaf,
> +      NULL,
> +      (UINT32 *) &Signature[0],
> +      (UINT32 *) &Signature[4],
> +      (UINT32 *) &Signature[8]);
> +
> +    if (AsciiStrCmp (Signature, "KVMKVMKVM") == 0) {
> +      DEBUG ((
> +        DEBUG_INFO,
> +        "%a: KVM Detected, signature = %a\n",
> +        __FUNCTION__,
> +        Signature
> +        ));
> +
> +      RegEax = mKvmLeaf + 1;
> +      RegEcx = 0;
> +      AsmCpuid (mKvmLeaf + 1, &RegEax, &RegEbx, &RegEcx, &RegEdx);
> +      if ((RegEax & KVM_FEATURE_MIGRATION_CONTROL) != 0) {
> +        DEBUG ((
> +          DEBUG_INFO,
> +          "%a: SEV Live Migration feature supported\n",
> +          __FUNCTION__
> +          ));
> +
> +        return TRUE;
> +      }
> +    }
> +  }
> +
> +  return FALSE;
> +}
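Review bot: The two stores before the second `AsmCpuid` call, `RegEax = mKvmLeaf + 1;` and `RegEcx = 0;`, appear to have no effect, since the leaf is passed as the first argument and the four pointers are outputs (the first call already passes `NULL` for EAX). `RegEbx`, `RegEcx` and `RegEdx` are never read, so the call can be `AsmCpuid (mKvmLeaf + 1, &RegEax, NULL, NULL, NULL);` with those three locals and both stores removed. `mKvmLeaf` is a local variable but carries the `m` prefix that the library uses for module-level variables such as `mSevStatus`; `KvmLeaf` would match the convention.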
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> index e2fd109d12..9db6c2ef71 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
> @@ -20,6 +20,8 @@
>  STATIC BOOLEAN mSevStatus = FALSE;
>  STATIC BOOLEAN mSevEsStatus = FALSE;
>  STATIC BOOLEAN mSevStatusChecked = FALSE;
> +STATIC BOOLEAN mSevLiveMigrationStatus = FALSE;
> +STATIC BOOLEAN mSevLiveMigrationStatusChecked = FALSE;
>  
>  STATIC UINT64  mSevEncryptionMask = 0;
>  STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
> @@ -87,6 +89,24 @@ InternalMemEncryptSevStatus (
>    mSevStatusChecked = TRUE;
>  }
>  
> +/**
> +  Figures out if we are running inside KVM HVM and
> +  KVM HVM supports SEV Live Migration feature.
> +**/
> +STATIC
> +VOID
> +EFIAPI
> +InternalDetectSevLiveMigrationFeature(

Add a space before "("

> +  VOID
> +  )
> +{
> +  if (KvmDetectSevLiveMigrationFeature()) {

Add a space before "()"

Thanks,
Tom

> +    mSevLiveMigrationStatus = TRUE;
> +  }
> +
> +  mSevLiveMigrationStatusChecked = TRUE;
> +}
> +
>  /**
>    Returns a boolean to indicate whether SEV-ES is enabled.
>  
> @@ -125,6 +145,25 @@ MemEncryptSevIsEnabled (
>    return mSevStatus;
>  }
>  
> +/**
> +  Returns a boolean to indicate whether SEV live migration is enabled.
> +
> +  @retval TRUE           SEV live migration is enabled
> +  @retval FALSE          SEV live migration is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevLiveMigrationIsEnabled (
> +  VOID
> +  )
> +{
> +  if (!mSevLiveMigrationStatusChecked) {
> +    InternalDetectSevLiveMigrationFeature ();
> +  }
> +
> +  return mSevLiveMigrationStatus;
> +}
> +
>  /**
>    Returns the SEV encryption mask.
>  
> diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> index 56d8f3f318..d9f7befcd2 100644
> --- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> +++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
> @@ -100,6 +100,24 @@ MemEncryptSevIsEnabled (
>    return Msr.Bits.SevBit ? TRUE : FALSE;
>  }
>  
> +/**
> +  Returns a boolean to indicate whether SEV live migration is enabled.
> +
> +  @retval TRUE           SEV live migration is enabled
> +  @retval FALSE          SEV live migration is not enabled
> +**/
> +BOOLEAN
> +EFIAPI
> +MemEncryptSevLiveMigrationIsEnabled (
> +  VOID
> +  )
> +{
> +  //
> +  // Not used in SEC phase.
> +  //
> +  return FALSE;
> +}
> +
>  /**
>    Returns the SEV encryption mask.
>  
> 


Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <cover.1627906232.git.ashish.kalra@amd.com>
2021-08-02 12:31 ` [PATCH v6 1/6] OvmfPkg/BaseMemEncryptLib: Detect SEV live migration feature Ashish Kalra
2021-08-09 13:41   ` Lendacky, Thomas [this message]
2021-08-09 14:37     ` Ashish Kalra
2021-08-10  6:05       ` [edk2-devel] " Gerd Hoffmann
2021-08-10 13:04         ` Lendacky, Thomas
2021-08-02 12:31 ` [PATCH v6 2/6] OvmfPkg/BaseMemEncryptLib: Hypercall API for page encryption state change Ashish Kalra
2021-08-09 14:19   ` Lendacky, Thomas
2021-08-02 12:32 ` [PATCH v6 3/6] OvmfPkg/BaseMemEncryptLib: Invoke page encryption state change hypercall Ashish Kalra
2021-08-02 12:32 ` [PATCH v6 4/6] OvmfPkg/VmgExitLib: Encryption state change hypercall support in VC handler Ashish Kalra
2021-08-02 12:33 ` [PATCH v6 5/6] OvmfPkg/PlatformPei: Mark SEC GHCB page as unencrypted via hypercall Ashish Kalra
2021-08-02 12:33 ` [PATCH v6 6/6] OvmfPkg/AmdSevDxe: Add support for SEV live migration Ashish Kalra
2021-08-09 14:29   ` Lendacky, Thomas
2021-08-10 11:13     ` Ashish Kalra
2021-08-10 13:06       ` Lendacky, Thomas
