From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (NAM11-CO1-obe.outbound.protection.outlook.com [40.107.220.86]) by mx.groups.io with SMTP id smtpd.web10.4427.1618959319881816979 for ; Tue, 20 Apr 2021 15:55:20 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amd.com header.s=selector1 header.b=qPcFdQUt; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.220.86, mailfrom: thomas.lendacky@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Dvze3jZYx6PmY5btom6aHpNdcZLcYnjHdvSkTq8oIqoM1Mlk3jQojJFWclJ2uKc42wSfBOPgmgQ6yR/gqnAZPNMqFYpVo9AfprTJm0ciFkvAH2gVV6IIE99CbUmkp2PfRaFec+kFfAmQ1KYStF5xHg1aYMSMvZ8IS3AFnN7sU38Y3t3qkc6FJT7gm4oYfZCQFUa14h1Wh5v37wbntZ86UJPaaDCPly9tXEypPylu+fJpNOLtNHvfHADyDJfuVoUBWfd6hhMgI0doe7s6I/zrCTcXRMVcjAv0go/01vx1ZSz9Y21izwyMOdS7L698n9+4qtF3alcV4EG+SWE3G7K0Ww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IV6d+KCFdmfmcxSXfvRENdHZYbY9RcCAXkNcPWojAYQ=; b=IuTobAKCEOwTLM3a6hvc1rDUZD/FAPo544lrefiXRY4CpIhf8ujNSzBY2tMh37Ebm9WxLb8Eaoald7ABIrY9xBTan8C5Qa6b22yPqx1wnRwUKL3pLfFVZXX3wWQ2zRDQXyf3MjX026k3vfWn3JbLq1EfUaUFZ/G66Lo4oocKScItTTKzBFc8AqzfT9meFhgTgfE5GKDUzw8GqQ3fm52aildBok5nrQcjMJi+/CsjBcaJu6hG0Zt8/wQTcSwwxKD1GBTvwWqRKxgyJ84IpHJlCg6n8365m+DrPcsqfZqQKCWqLi42N1E04gLYou+nc4u2ra2zT6H/jiNQC9QyTrd+Iw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IV6d+KCFdmfmcxSXfvRENdHZYbY9RcCAXkNcPWojAYQ=; b=qPcFdQUtcyFoqtHPkBGk2CAnJjIQtPdARDbrEXawZc1yzq5WcEnmGRozzNBXRhGwmwjxQnHZAvzDqeXrgOolZtN+/xlC47fTiqW3OXNh07FaFMgAVKFzdvZriwnpnFwCHcQmOhUEn68NokYrgs4Hq5sYRUKKPpkpq47GbvNG/Gk= Authentication-Results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com; Received: from DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) by DM6PR12MB4337.namprd12.prod.outlook.com (2603:10b6:5:2a9::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.16; Tue, 20 Apr 2021 22:55:18 +0000 Received: from DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::b914:4704:ad6f:aba9]) by DM5PR12MB1355.namprd12.prod.outlook.com ([fe80::b914:4704:ad6f:aba9%12]) with mapi id 15.20.4042.024; Tue, 20 Apr 2021 22:55:18 +0000 From: "Lendacky, Thomas" To: devel@edk2.groups.io CC: Joerg Roedel , Borislav Petkov , Laszlo Ersek , Ard Biesheuvel , Jordan Justen , Brijesh Singh , James Bottomley , Jiewen Yao , Min Xu Subject: [PATCH 3/3] OvmfPkg/PlatformPei: Mark TPM MMIO range as unencrypted for SEV Date: Tue, 20 Apr 2021 17:54:42 -0500 Message-ID: <1f64ca5689ec86c427e4db8c41da598896dca4ba.1618959281.git.thomas.lendacky@amd.com> X-Mailer: git-send-email 2.31.0 In-Reply-To: References: X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: SN4PR0501CA0066.namprd05.prod.outlook.com (2603:10b6:803:41::43) To DM5PR12MB1355.namprd12.prod.outlook.com (2603:10b6:3:6e::7) Return-Path: thomas.lendacky@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from tlendack-t1.amd.com (165.204.77.1) by SN4PR0501CA0066.namprd05.prod.outlook.com (2603:10b6:803:41::43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.6 via Frontend Transport; Tue, 20 Apr 2021 22:55:18 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: f97f73b0-f9ac-4c16-00c2-08d9044f5ea2 X-MS-TrafficTypeDiagnostic: DM6PR12MB4337: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: x9kVgftWuxx4gRd3/YuJY6kMmeXX30Jf0EBOK2e9m1aSRdUP/FvAnFl/jqiX9/6lKSPtUn5+9BdETaVSvenScWeneP1fBfcPeY5C1eANg0f/o5M7Kg2kWIT67uZZFLJIQ1d8zjttL7+zAI/NPREW7lbX9zP5ILlEYD4X6JJ4l7pzpJTBcSsS06z1tHjq5B6j1icCsevf9pzMtGzH0sU2LS/gZAQ4jk/SM3ahMRev+Xccpw4ByTHo2T+9A9oP/VyoUX58YXb3SmdTYYdZ1oNyCcQKgj+3W+JN9nCyTbBBIdhDpKx3qAbOE+CEpTWG5QJMcmhNynxzUECt6K91dRLf8HNn5by+5+4C9UQqxMQaQ7lSiZBKu/HVvrf41qmHEq9UpQ73/1TfLx2H4nzWWDjS1YjOKz5PXkN21ICA08gagfJA5abcSq6JnVTgnCVGlVsWJ8U7z+IXdI847GM352gJ95HbNDeEH6PwLLS7c8aTrDj9wDRu/xNMPlUKSRkqK9Vst/qaNLaSNan3fN3m46NbM3E50gD8p0W6p+REz5EPLNByEvWQb6oqSd7qGToACn0++wyxJZlZBxdUnn34pN64yK9+bpl/oLaIpV+ZKa//tU60/PyCFslLF66rPeg1Nq+4Unc2WfV3A/QSYRJv+Jq9pp54A005aa28+di/Ibuvdk8vlYTO5FSqqjudPZawxGSWyZCNIU62XyUCgA6NUPcXCyw/Ruw7NrT7IT241GZJBHc= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM5PR12MB1355.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(346002)(136003)(376002)(396003)(39860400002)(366004)(316002)(52116002)(83380400001)(186003)(966005)(36756003)(16526019)(4326008)(2616005)(478600001)(7696005)(66556008)(86362001)(54906003)(6666004)(38350700002)(8676002)(956004)(38100700002)(6486002)(2906002)(6916009)(8936002)(26005)(66946007)(66476007)(5660300002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?ddjSondS0l+ejuldS05+dFfcKh9dtbxsFo0wqDmZTknw7uLmdoJrDcp6CvyC?= =?us-ascii?Q?XUa60pG965WUWzJngycA/w8yLmAvipgbxSUcjtkdPFHFNZ2ysbN3IixQuNyj?= =?us-ascii?Q?w3vm2jfVSfi+rDQsFpfg67+2YcAuRhNzZT4U6U7G7Eq1jikNZ10Pxm59lNV1?= =?us-ascii?Q?b3DRxw4WL3JJM6eEnm66RVhCwLVNZ9JndkmbQ3DiMBp/I1CXPtSe7eBiLEsd?= =?us-ascii?Q?pY+O4PILpU1O7mcUmgPys+AZZZyruLYaOfzh3PimuJaVsZT/lp5pNpkZjU8I?= =?us-ascii?Q?i4zYhZ5uq+L5LcghI+FCH2CZ7Bze/uy3T3kxGYk2pihJezHB2/WVCI2Os5tW?= =?us-ascii?Q?0yjB6OV2BTvNEOQqekXKHXAY3gTOQ2f9TazC7jSFxpLtibyIYpzqibV4/Llt?= =?us-ascii?Q?cW5aqGCJMrydgJLCt/5JzypRi+YGkXZXGzoSXKFKsIEL+wgZkeFZdgmKiMnu?= =?us-ascii?Q?HHEXjaSdAof7q/vPKMN9C+8b5iJbCTGCyYbGKocEnrJHFB8DQYgApQNqH+c6?= =?us-ascii?Q?1YMbb2XgaAudvz/4WHrBv1yPlRTzuevmWIe/8gP6LrHSxKeS/RWLWGhBIP3X?= =?us-ascii?Q?uDYE01pvv0HoAv4yUEcue4UC70Q48GQZsG2SiM3m/nL6CbkNYgwNprf99Yxp?= =?us-ascii?Q?Lqvw0yUbympWTEmjby8pUvOK9SY1ol6pucP0in43VMj2WRrLxldU/QFy+CUO?= =?us-ascii?Q?FAmlNoOeDBo3QFLesaI2NAbvWCWYON5Ot9aMLtogmEozKTJjUE3/68x2nG7E?= =?us-ascii?Q?wiiaAhAUbmHD1dCbBN1dRsdVEieOBrJ7EoOcPA2NOOw5EsdmaohceuMC7P96?= =?us-ascii?Q?0wlWFxuzGyokQoc+vLq5B4iItQ9WEPC5OVX+7iCWNcSr5wQCVTgjjtTucnwA?= =?us-ascii?Q?jJEMJxPGpm6kJrkdDzUfpKgrokyMWydd7hqqRFrBw+VMjZqAUdl1B0oJWay8?= =?us-ascii?Q?xSiZB8j4Q8qvdosIEk0ZU9Yrr/igy/ZTjB1xuipmy3xSmEkAuY6DJb/u0Wzm?= =?us-ascii?Q?dIiy1nnAwYd1yJmpIS35xqOdn4Rt5+orqKrgtYmb0gVN1h9qPn+isLO5mHXY?= =?us-ascii?Q?AwnfcwsS5kmZ/BStY8wvrzBumUPNKs6elQfnZOXTcFK/H4c755lly/psaOno?= =?us-ascii?Q?Xqv35kRFEMTRTk7bdjiV1Vo/2/zGTmyO5YjlTGMmmdD73APq6xcHAf299k8Q?= =?us-ascii?Q?uylqtf5PvDq8FEOP+W4V2SrUp76nY2Jo4Htnxy55gVQp/aTjJFpfg0uXRmj+?= =?us-ascii?Q?u6gKO8uixAw7yAcSbR+nSbe1zn9dOoK8/50e0zvOyN6z35ofheS1gMsy6y0t?= =?us-ascii?Q?keAZxpRhn04TLlwtHBQfePbk?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: f97f73b0-f9ac-4c16-00c2-08d9044f5ea2 X-MS-Exchange-CrossTenant-AuthSource: DM5PR12MB1355.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Apr 2021 22:55:18.7518 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: GvAjvQDorhKIe3sXTZ8prxBmvV94GJh/YXHY42E84odnyLzkeC1SKcMpieay8fA6u4DsIh0tEak2kAWqDsGJtA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR12MB4337 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable From: Tom Lendacky BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3345 The TPM support in OVMF performs MMIO accesses during the PEI phase. At this point, MMIO ranges have not been marked un-encyrpted, so an SEV-ES guest will fail attempting to perform MMIO to an encrypted address. Read the PcdTpmBaseAddress and mark the specification defined range (0x5000 in length) as un-encrypted, to allow an SEV-ES guest to process the MMIO requests. Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Brijesh Singh Cc: James Bottomley Cc: Jiewen Yao Cc: Min Xu Signed-off-by: Tom Lendacky --- OvmfPkg/PlatformPei/PlatformPei.inf | 1 + OvmfPkg/PlatformPei/AmdSev.c | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 6ef77ba7bb21..de60332e9390 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -113,6 +113,7 @@ [Pcd] =20 [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress + gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIMemoryNVS gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiACPIReclaimMemory gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index dddffdebda4b..d524929f9e10 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -141,6 +141,7 @@ AmdSevInitialize ( ) { UINT64 EncryptionMask; + UINT64 TpmBaseAddress; RETURN_STATUS PcdStatus; =20 // @@ -206,6 +207,24 @@ AmdSevInitialize ( } } =20 + // + // PEI TPM support will perform MMIO accesses, be sure this range is not + // marked encrypted. + // + TpmBaseAddress =3D PcdGet64 (PcdTpmBaseAddress); + if (TpmBaseAddress !=3D 0) { + RETURN_STATUS DecryptStatus; + + DecryptStatus =3D MemEncryptSevClearPageEncMask ( + 0, + TpmBaseAddress, + EFI_SIZE_TO_PAGES (0x5000), + FALSE + ); + + ASSERT_RETURN_ERROR (DecryptStatus); + } + // // Check and perform SEV-ES initialization if required. // --=20 2.31.0