From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 64C1D209589D0 for ; Wed, 2 Aug 2017 14:23:09 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BA44F5AFC8; Wed, 2 Aug 2017 21:25:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com BA44F5AFC8 Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=lersek@redhat.com Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-47.phx2.redhat.com [10.3.116.47]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6A97617B57; Wed, 2 Aug 2017 21:25:18 +0000 (UTC) From: Laszlo Ersek To: edk2-devel-01 Cc: Ard Biesheuvel , Brijesh Singh , Jordan Justen , Tom Lendacky Date: Wed, 2 Aug 2017 23:24:50 +0200 Message-Id: <20170802212453.19221-10-lersek@redhat.com> In-Reply-To: <20170802212453.19221-1-lersek@redhat.com> References: <20170802212453.19221-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Wed, 02 Aug 2017 21:25:19 +0000 (UTC) Subject: [PATCH 09/12] OvmfPkg/IoMmuDxe: rework setup of "MapInfo->PlainTextAddress" in Map() X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Aug 2017 21:23:09 -0000 There are three issues with the current calculations: - The initial logic that sets up "DmaMemoryTop" and "AllocateType" checks for the BusMasterCommonBuffer64 operation in two places. The inner check for BusMasterCommonBuffer64 will never evaluate to TRUE however, because the outer check excludes BusMasterCommonBuffer64. - In order to lower "DmaMemoryTop" to (SIZE_4GB - 1), the outer check requires that the encrypted (original) buffer cross the 4GB mark. This is wrong: for BusMasterRead[64] and BusMasterWrite[64] operations, we unconditionally need a bounce buffer (a decrypted memory area), and for the 32-bit variants, "DmaMemoryTop" should be lowered regardless of the location of the original (encrypted) buffer. - The current logic would be hard to extend for the in-place decryption that we'll implement in the next patch. Therefore rework the "MapInfo->PlainTextAddress" setup. No functional changes beyond said bugfixes. Cc: Ard Biesheuvel Cc: Brijesh Singh Cc: Jordan Justen Cc: Tom Lendacky Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek --- OvmfPkg/IoMmuDxe/AmdSevIoMmu.c | 156 +++++++++++--------- 1 file changed, 87 insertions(+), 69 deletions(-) diff --git a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c index d899b0ab9e41..0a85ee6559e7 100644 --- a/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c +++ b/OvmfPkg/IoMmuDxe/AmdSevIoMmu.c @@ -65,160 +65,178 @@ EFIAPI IoMmuMap ( IN EDKII_IOMMU_PROTOCOL *This, IN EDKII_IOMMU_OPERATION Operation, IN VOID *HostAddress, IN OUT UINTN *NumberOfBytes, OUT EFI_PHYSICAL_ADDRESS *DeviceAddress, OUT VOID **Mapping ) { EFI_STATUS Status; - EFI_PHYSICAL_ADDRESS PhysicalAddress; MAP_INFO *MapInfo; - EFI_PHYSICAL_ADDRESS DmaMemoryTop; EFI_ALLOCATE_TYPE AllocateType; if (HostAddress == NULL || NumberOfBytes == NULL || DeviceAddress == NULL || Mapping == NULL) { return EFI_INVALID_PARAMETER; } // - // Make sure that Operation is valid - // - if ((UINT32) Operation >= EdkiiIoMmuOperationMaximum) { - return EFI_INVALID_PARAMETER; - } - PhysicalAddress = (EFI_PHYSICAL_ADDRESS) (UINTN) HostAddress; - - DmaMemoryTop = (UINTN)-1; - AllocateType = AllocateAnyPages; - - if (((Operation != EdkiiIoMmuOperationBusMasterRead64 && - Operation != EdkiiIoMmuOperationBusMasterWrite64 && - Operation != EdkiiIoMmuOperationBusMasterCommonBuffer64)) && - ((PhysicalAddress + *NumberOfBytes) > SIZE_4GB)) { - // - // If the root bridge or the device cannot handle performing DMA above - // 4GB but any part of the DMA transfer being mapped is above 4GB, then - // map the DMA transfer to a buffer below 4GB. - // - DmaMemoryTop = SIZE_4GB - 1; - AllocateType = AllocateMaxAddress; - - if (Operation == EdkiiIoMmuOperationBusMasterCommonBuffer || - Operation == EdkiiIoMmuOperationBusMasterCommonBuffer64) { - // - // Common Buffer operations can not be remapped. If the common buffer - // if above 4GB, then it is not possible to generate a mapping, so - // return an error. - // - return EFI_UNSUPPORTED; - } - } - - // - // CommandBuffer was allocated by us (AllocateBuffer) and is already in - // unencryted buffer so no need to create bounce buffer - // - if (Operation == EdkiiIoMmuOperationBusMasterCommonBuffer || - Operation == EdkiiIoMmuOperationBusMasterCommonBuffer64) { - *Mapping = NO_MAPPING; - *DeviceAddress = PhysicalAddress; - - return EFI_SUCCESS; - } - - // // Allocate a MAP_INFO structure to remember the mapping when Unmap() is // called later. // MapInfo = AllocatePool (sizeof (MAP_INFO)); if (MapInfo == NULL) { - *NumberOfBytes = 0; - return EFI_OUT_OF_RESOURCES; + Status = EFI_OUT_OF_RESOURCES; + goto Failed; } // - // Initialize the MAP_INFO structure + // Initialize the MAP_INFO structure, except the PlainTextAddress field // MapInfo->Operation = Operation; MapInfo->NumberOfBytes = *NumberOfBytes; MapInfo->NumberOfPages = EFI_SIZE_TO_PAGES (MapInfo->NumberOfBytes); - MapInfo->CryptedAddress = PhysicalAddress; - MapInfo->PlainTextAddress = DmaMemoryTop; + MapInfo->CryptedAddress = (UINTN)HostAddress; // - // Allocate a buffer to map the transfer to. + // In the switch statement below, we point "MapInfo->PlainTextAddress" to the + // plaintext buffer, according to Operation. // - Status = gBS->AllocatePages ( - AllocateType, - EfiBootServicesData, - MapInfo->NumberOfPages, - &MapInfo->PlainTextAddress - ); - if (EFI_ERROR (Status)) { + MapInfo->PlainTextAddress = MAX_ADDRESS; + AllocateType = AllocateAnyPages; + switch (Operation) { + // + // For BusMasterRead[64] and BusMasterWrite[64] operations, a bounce buffer + // is necessary regardless of whether the original (crypted) buffer crosses + // the 4GB limit or not -- we have to allocate a separate plaintext buffer. + // The only variable is whether the plaintext buffer should be under 4GB. + // + case EdkiiIoMmuOperationBusMasterRead: + case EdkiiIoMmuOperationBusMasterWrite: + MapInfo->PlainTextAddress = BASE_4GB - 1; + AllocateType = AllocateMaxAddress; + // + // fall through + // + case EdkiiIoMmuOperationBusMasterRead64: + case EdkiiIoMmuOperationBusMasterWrite64: + // + // Allocate the implicit plaintext bounce buffer. + // + Status = gBS->AllocatePages ( + AllocateType, + EfiBootServicesData, + MapInfo->NumberOfPages, + &MapInfo->PlainTextAddress + ); + if (EFI_ERROR (Status)) { + goto FreeMapInfo; + } + break; + + // + // For BusMasterCommonBuffer[64] operations, a plaintext buffer has been + // allocated already, with AllocateBuffer(). We only check whether the + // address is low enough for the requested operation. + // + case EdkiiIoMmuOperationBusMasterCommonBuffer: + if ((MapInfo->CryptedAddress > BASE_4GB) || + (EFI_PAGES_TO_SIZE (MapInfo->NumberOfPages) > + BASE_4GB - MapInfo->CryptedAddress)) { + // + // CommonBuffer operations cannot be remapped. If the common buffer is + // above 4GB, then it is not possible to generate a mapping, so return an + // error. + // + Status = EFI_UNSUPPORTED; + goto FreeMapInfo; + } + // + // fall through + // + case EdkiiIoMmuOperationBusMasterCommonBuffer64: + // + // The buffer at MapInfo->CryptedAddress comes from AllocateBuffer(), + // and it is already decrypted. + // + MapInfo->PlainTextAddress = MapInfo->CryptedAddress; + + // + // Therefore no mapping is necessary. + // + *DeviceAddress = MapInfo->PlainTextAddress; + *Mapping = NO_MAPPING; FreePool (MapInfo); - *NumberOfBytes = 0; - return Status; + return EFI_SUCCESS; + + default: + // + // Operation is invalid + // + Status = EFI_INVALID_PARAMETER; + goto FreeMapInfo; } // - // Clear the memory encryption mask from the device buffer + // Clear the memory encryption mask on the plaintext buffer. // Status = MemEncryptSevClearPageEncMask ( 0, MapInfo->PlainTextAddress, MapInfo->NumberOfPages, TRUE ); ASSERT_EFI_ERROR(Status); // // If this is a read operation from the Bus Master's point of view, // then copy the contents of the real buffer into the mapped buffer // so the Bus Master can read the contents of the real buffer. // if (Operation == EdkiiIoMmuOperationBusMasterRead || Operation == EdkiiIoMmuOperationBusMasterRead64) { CopyMem ( (VOID *) (UINTN) MapInfo->PlainTextAddress, (VOID *) (UINTN) MapInfo->CryptedAddress, MapInfo->NumberOfBytes ); } // - // The DeviceAddress is the address of the maped buffer below 4GB + // Populate output parameters. // *DeviceAddress = MapInfo->PlainTextAddress; - - // - // Return a pointer to the MAP_INFO structure in Mapping - // *Mapping = MapInfo; DEBUG (( DEBUG_VERBOSE, "%a PlainText 0x%Lx Crypted 0x%Lx Pages 0x%Lx Bytes 0x%Lx\n", __FUNCTION__, MapInfo->PlainTextAddress, MapInfo->CryptedAddress, (UINT64)MapInfo->NumberOfPages, (UINT64)MapInfo->NumberOfBytes )); return EFI_SUCCESS; + +FreeMapInfo: + FreePool (MapInfo); + +Failed: + *NumberOfBytes = 0; + return Status; } /** Completes the Map() operation and releases any corresponding resources. @param This The protocol instance pointer. @param Mapping The mapping value returned from Map(). @retval EFI_SUCCESS The range was unmapped. @retval EFI_INVALID_PARAMETER Mapping is not a value that was returned by Map(). @retval EFI_DEVICE_ERROR The data was not committed to the target system memory. **/ -- 2.13.1.3.g8be5a757fa67