Re: [PATCH v12 07/46] MdePkg/BaseLib: Add support for the VMGEXIT instruction

["Laszlo Ersek" <lersek@redhat.com>]

On 07/28/20 09:39, Gao, Liming wrote:
> This error is reported from nasm compiler. My nasm compiler version is
> 2.11.08. It may be a little old. 2.12 should be fine.
>
> This change also requires to update
> edk2\BaseTools\Conf\tools_def.template and mention nasm compiler
> version.

"tools_def.template" says:

  NASM 2.10 or later for use with the GCC toolchain family

Bumping the NASM requirement from 2.10 to 2.12 will rule out:

- Debian "jessie" (oldoldstable),
- Ubuntu "xenial" (16.04 LTS),
- and RHEL7,

as build hosts.

Debian "jessie" is no longer supported (LTS ended in June 2020), but
Ubuntu "xenial" and RHEL7 are still supported by their vendors.

I seem to recall that it was me to recommend "BITS 64" in front of "rep
vmmcall" in the IA32 NASM source file:

  https://edk2.groups.io/g/devel/message/48292
  http://mid.mail-archive.com/e8a8e21e-4045-1b2b-f959-13fbe00132d9@redhat.com

I don't understand why my testing worked back then, and now it doesn't.
(IOW, I can also reproduce the error that Liming reported!) It's likely
because I didn't specify the elf32 output format back then.

Indeed: the following command fails:

> "nasm" \
>   -I"$WORKSPACE"/MdePkg/Library/BaseLib/Ia32/ \
>   -I"$WORKSPACE"/MdePkg/Library/BaseLib/Ia32/ \
>   -I"$WORKSPACE"/MdePkg/Library/BaseLib/ \
>   -I"$WORKSPACE"/Build/OvmfIa32/NOOPT_GCC48/IA32/MdePkg/Library/BaseLib/BaseLib/DEBUG/ \
>   -I"$WORKSPACE"/MdePkg/ \
>   -I"$WORKSPACE"/MdePkg/Include/ \
>   -I"$WORKSPACE"/MdePkg/Test/UnitTest/Include/ \
>   -I"$WORKSPACE"/MdePkg/Include/Ia32/ \
>   -f elf32 \
>   -o "$WORKSPACE"/Build/OvmfIa32/NOOPT_GCC48/IA32/MdePkg/Library/BaseLib/BaseLib/OUTPUT/Ia32/VmgExit.obj \
>   "$WORKSPACE"/Build/OvmfIa32/NOOPT_GCC48/IA32/MdePkg/Library/BaseLib/BaseLib/OUTPUT/Ia32/VmgExit.iii

but if I remove "-f elf32", it completes fine. :(

The AMD manual says about VMGEXIT:

> The VMGEXIT opcode is only valid within a guest when run with SEV-ES
> mode active. If the guest is not run with SEV-ES mode active, the
> VMGEXIT opcode will be treated as a VMMCALL opcode and will behave
> exactly like a VMMCALL.

VMGEXIT is a SEV-ES-only form of guest-host communication. SEV-ES mode
depends on SEV. A SEV guest can only interact with the host (= decrypt
its pages for the host to access) if the guest is executing in long
mode.

So does it even make sense to *attempt* implementing AsmVmgExit()
"correctly" for IA32?

I don't want to complicate the build dependencies in this series
further, so I won't suggest that we simply *not* implement AsmVmgExit()
for IA32 at all. (Purely from a BaseLib perspective, this would be a
valid approach, but then call sites would have to be *build-time*
restricted to X64 too. The call sites *are* already restricted to X64,
AIUI, but that happens at runtime (= dynamic checks), not at build
time.)

So here's what I suggest: implement AsmVmgExit() for IA32 in the C
language, namely as a call to CpuBreakpoint().

I wouldn't like to tighten the NASM version requirement for *all* of
edk2, for the sake of building a BaseLib primitive for IA32 that we
never *call* on IA32.

Thanks,
Laszlo

>
> Thanks
> Liming
> -----Original Message-----
> From: Tom Lendacky <thomas.lendacky@amd.com>
> Sent: 2020t7\b28å 12:08
> To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io
> Cc: Brijesh Singh <brijesh.singh@amd.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Dong, Eric <eric.dong@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Ni, Ray <ray.ni@intel.com>
> Subject: Re: [PATCH v12 07/46] MdePkg/BaseLib: Add support for the VMGEXIT instruction
>
> On 7/27/20 8:34 PM, Gao, Liming wrote:
>> Tom:
>
> Hi Liming,
>
>>    I meet with GCC failure on this patch. Can you help check it? If nasm doesn't support the vmmcall instruction in 32-bit mode, you have to use inline assembly to support it.
>
> What version of GCC are you using. I was able to successfully build the
> Ia32 version with my GCC level. The Ia32 version uses a trick to do switch to 64-bit just to encode the instruction. Looks like that doesn't work with your version of GCC.
>
> I can probably switch to defining the instruction as bytes. Let me look into that and possibly send you a patch to test.
>
> Thanks,
> Tom
>
>>
>> Edk2/Build/IntelFsp2Pkg/DEBUG_GCC5/IA32/MdePkg/Library/BaseLib/BaseLib
>> /OUTPUT/Ia32/VmgExit.iii:33: error: elf32 output format does not
>> support 64-bit code
>> GNUmakefile:741: recipe for target
>>
>> Thanks
>> Liming
>> -----Original Message-----
>> From: Tom Lendacky <thomas.lendacky@amd.com>
>> Sent: 2020t7\b27å 23:26
>> To: devel@edk2.groups.io
>> Cc: Brijesh Singh <brijesh.singh@amd.com>; Ard Biesheuvel
>> <ard.biesheuvel@arm.com>; Dong, Eric <eric.dong@intel.com>; Justen,
>> Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
>> <lersek@redhat.com>; Gao, Liming <liming.gao@intel.com>; Kinney,
>> Michael D <michael.d.kinney@intel.com>; Ni, Ray <ray.ni@intel.com>
>> Subject: [PATCH v12 07/46] MdePkg/BaseLib: Add support for the VMGEXIT
>> instruction
>>
>> From: Tom Lendacky <thomas.lendacky@amd.com>
>>
>> BZ:
>> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
>> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D2198&amp;data=02%7C01%7Cthoma
>> s.lendacky%40amd.com%7C77c8250cd9e14f2929a008d832965726%7C3dd8961fe488
>> 4e608e11a82d994e183d%7C0%7C0%7C637314968570901400&amp;sdata=6zqseI3tVm
>> aw351w9mfEymMnDcjDzjvcBrhARU6r3Ho%3D&amp;reserved=0
>>
>> VMGEXIT is a new instruction used for Hypervisor/Guest communication when running as an SEV-ES guest. A VMGEXIT will cause an automatic exit (AE) to occur, resulting in a #VMEXIT with an exit code value of 0x403.
>>
>> Provide the necessary support to execute the VMGEXIT instruction, which is "rep; vmmcall".
>>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Cc: Liming Gao <liming.gao@intel.com>
>> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
>> ---
>>   MdePkg/Library/BaseLib/BaseLib.inf       |  2 ++
>>   MdePkg/Include/Library/BaseLib.h         | 14 +++++++++
>>   MdePkg/Library/BaseLib/Ia32/VmgExit.nasm | 37 ++++++++++++++++++++++++  MdePkg/Library/BaseLib/X64/VmgExit.nasm  | 32 ++++++++++++++++++++
>>   4 files changed, 85 insertions(+)
>>   create mode 100644 MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
>>   create mode 100644 MdePkg/Library/BaseLib/X64/VmgExit.nasm
>>
>> diff --git a/MdePkg/Library/BaseLib/BaseLib.inf
>> b/MdePkg/Library/BaseLib/BaseLib.inf
>> index 3b93b5db8d24..3b85c56c3c03 100644
>> --- a/MdePkg/Library/BaseLib/BaseLib.inf
>> +++ b/MdePkg/Library/BaseLib/BaseLib.inf
>> @@ -184,6 +184,7 @@ [Sources.Ia32]
>>     Ia32/DisableCache.nasm| GCC
>>     Ia32/RdRand.nasm
>>     Ia32/XGetBv.nasm
>> +  Ia32/VmgExit.nasm
>>
>>     Ia32/DivS64x64Remainder.c
>>     Ia32/InternalSwitchStack.c | MSFT
>> @@ -317,6 +318,7 @@ [Sources.X64]
>>     X64/DisablePaging64.nasm
>>     X64/RdRand.nasm
>>     X64/XGetBv.nasm
>> +  X64/VmgExit.nasm
>>     ChkStkGcc.c  | GCC
>>
>>   [Sources.EBC]
>> diff --git a/MdePkg/Include/Library/BaseLib.h
>> b/MdePkg/Include/Library/BaseLib.h
>> index 7edf0051a0a0..04fb329eaabb 100644
>> --- a/MdePkg/Include/Library/BaseLib.h
>> +++ b/MdePkg/Include/Library/BaseLib.h
>> @@ -7848,6 +7848,20 @@ AsmXGetBv (
>>     );
>>
>>
>> +/**
>> +  Executes a VMGEXIT instruction (VMMCALL with a REP prefix)
>> +
>> +  Executes a VMGEXIT instruction. This function is only available on
>> + IA-32 and  x64.
>> +
>> +**/
>> +VOID
>> +EFIAPI
>> +AsmVmgExit (
>> +  VOID
>> +  );
>> +
>> +
>>   /**
>>     Patch the immediate operand of an IA32 or X64 instruction such that the byte,
>>     word, dword or qword operand is encoded at the end of the
>> instruction's diff --git a/MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
>> b/MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
>> new file mode 100644
>> index 000000000000..a4b37385cc7a
>> --- /dev/null
>> +++ b/MdePkg/Library/BaseLib/Ia32/VmgExit.nasm
>> @@ -0,0 +1,37 @@
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +;
>> +; Copyright (C) 2020, Advanced Micro Devices, Inc. All rights
>> +reserved.<BR> ; SPDX-License-Identifier: BSD-2-Clause-Patent ; ;
>> +Module
>> +Name:
>> +;
>> +;   VmgExit.Asm
>> +;
>> +; Abstract:
>> +;
>> +;   AsmVmgExit function
>> +;
>> +; Notes:
>> +;
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +
>> +    SECTION .text
>> +
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +; VOID
>> +; EFIAPI
>> +; AsmVmgExit (
>> +;   VOID
>> +;   );
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +global ASM_PFX(AsmVmgExit)
>> +ASM_PFX(AsmVmgExit):
>> +;
>> +; NASM doesn't support the vmmcall instruction in 32-bit mode, so
>> +work around ; this by temporarily switching to 64-bit mode.
>> +;
>> +BITS    64
>> +    rep     vmmcall
>> +BITS    32
>> +    ret
>> +
>> diff --git a/MdePkg/Library/BaseLib/X64/VmgExit.nasm
>> b/MdePkg/Library/BaseLib/X64/VmgExit.nasm
>> new file mode 100644
>> index 000000000000..26f034593c67
>> --- /dev/null
>> +++ b/MdePkg/Library/BaseLib/X64/VmgExit.nasm
>> @@ -0,0 +1,32 @@
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +;
>> +; Copyright (C) 2020, Advanced Micro Devices, Inc. All rights
>> +reserved.<BR> ; SPDX-License-Identifier: BSD-2-Clause-Patent ; ;
>> +Module
>> +Name:
>> +;
>> +;   VmgExit.Asm
>> +;
>> +; Abstract:
>> +;
>> +;   AsmVmgExit function
>> +;
>> +; Notes:
>> +;
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +
>> +    DEFAULT REL
>> +    SECTION .text
>> +
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +; VOID
>> +; EFIAPI
>> +; AsmVmgExit (
>> +;   VOID
>> +;   );
>> +;--------------------------------------------------------------------
>> +--
>> +--------
>> +global ASM_PFX(AsmVmgExit)
>> +ASM_PFX(AsmVmgExit):
>> +    rep     vmmcall
>> +    ret
>> +
>> --
>> 2.27.0
>>
>