From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=104.47.40.88; helo=nam03-co1-obe.outbound.protection.outlook.com; envelope-from=brijesh.singh@amd.com; receiver=edk2-devel@lists.01.org Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0088.outbound.protection.outlook.com [104.47.40.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 4223F22402E18 for ; Wed, 28 Feb 2018 08:09:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amdcloud.onmicrosoft.com; s=selector1-amd-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=vap63n8QP9GZFrCj1aLHvpKAUhXmYXuvrAh4430zm28=; b=g8Ua7sDggp6bzPWL1H8WNAR985RJSqrIQDfyesM1jU0KWyYcOCiw/VcA++WshElFV67aGTs6meW2uczExBAOIbmqNV1F+/th75S5E/pfOU4osCVZGWdmzfOa0YygdTOr3y7+lkMIZs/7N48sTjwM1REi8o3UClDURDaeCPR5bK0= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=brijesh.singh@amd.com; Received: from wsp141597wss.amd.com (165.204.78.1) by SN1PR12MB0158.namprd12.prod.outlook.com (2a01:111:e400:5144::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.527.15; Wed, 28 Feb 2018 16:15:25 +0000 From: Brijesh Singh To: edk2-devel@lists.01.org Cc: Tom Lendacky , Paolo Bonzini , Michael Kinney , Brijesh Singh , Jordan Justen , Laszlo Ersek , Ard Biesheuvel Date: Wed, 28 Feb 2018 10:14:15 -0600 Message-Id: <20180228161415.28723-3-brijesh.singh@amd.com> X-Mailer: git-send-email 2.14.3 In-Reply-To: <20180228161415.28723-1-brijesh.singh@amd.com> References: <20180228161415.28723-1-brijesh.singh@amd.com> MIME-Version: 1.0 X-Originating-IP: [165.204.78.1] X-ClientProxiedBy: SN4PR0501CA0079.namprd05.prod.outlook.com (2603:10b6:803:22::17) To SN1PR12MB0158.namprd12.prod.outlook.com (2a01:111:e400:5144::17) X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: 75fa38a6-cced-43a9-7400-08d57ec679d0 X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(2017052603307)(7153060)(7193020); SRVR:SN1PR12MB0158; X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0158; 3:j+8ReqT80eopGTGibo6Xxa1H3EZkxb/ff6JfIEeIziMaU59o9WzaDI/1Nby86dsIUSlgV+T0Pa5MLHaDJFiJDINrUCg36VmnsojJHSN3RtY7g0cQgWjnbQepGH0KgWnIUCgTpybZs5f9BgxcWs9E2Jex8jOqJrgag6xjuBwf7GqIK6K7VTOLioSBFz4+U37rBktC4MnAaMK/ZAT9bWhSp3+ugKZYIW29VM7AloxeiPe1JQmKaSujzK15Fr91UjH6; 25:VOjt/QmDj2xz9dojD4D9j1oetuO7jDAKBnYaaGfxkO6YfwjnyVAOCw28gZaamlPVTI531jXoT/PvWIYIE2ENiQrJe4FNZ7BVTnmY85KBf4Vmtb5E2f42khLWcalqqVL9m6hOHtQKNnMndLkQbc+7RTaWVRa0MC6p+wS3vsxs3acuf8ubMnkbZwiyN0Q8n166onMDk3+k/kYITZGil2DYT5oWcMu9YZRG4zC9O7Dzf64RpAPF9UK6pnTPLRn+EDnNOBy35rhPzVoD1zSWOBdkSRV4l9oMfwFnsm3m3BvHnrSK1xGJDwFE8pxnGePHdVn0B395ThtV6zT+lAHQgEH/8g==; 31:PLRRVcFkbqWvkj0+A7/Do0/mfaLHXmvvptKd4Zm3DWYtOmwdS1/8/HuR16icGQAwYoJS3ltciDc5qabiGM5cd5TBQjoMq7ATCqAwW++hDBluktpGz5HihJ9pKmCHFmnlyGXxXq9cw43kFXh34KUlPVH3pezdSuVREhFghf3sr7ASWE4WhIVjIA52D2fbF5sBFP5fECHV8zZXmoGfmn/wJ4UGW0XYQm4SoJAEuZGmkKo= X-MS-TrafficTypeDiagnostic: SN1PR12MB0158: X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0158; 20:Xt9C/39jDsjGaNBsDqzZWbFAitTz5B0kS185M6A+f58Wj2lWRMw3Z+CXOaAWkOhFrzzmwR+/KN3wKpTObGramj3/fVGR1dGtiGYc+EWY+Jg372SeNLCULdC9FPOVixutkH59Et8mqJR7/m2gH1vwGDXaUq0J1/EuRrMuqMRsc14wJJtQrvHX06qDNJnTrLSuwawvoquqvdmiQzT4leXyFKA6Eg68oPbv9Eole4aveHEnhPxEQNwjuz6JhdT4/HdmD4yfQYCwFupxd2HvW+rUYqB0tbGye/pkGkNmdjdNFgB+YdMNgQTBK2a9k5J2MSlYTCPJ5BEcoGX6iTss+Sr9jsWM9Lo+9cMpjFp6d0AAfd+CPuUaGWPQPeCIIs1Jkn7653uwJo6wKxOHmJ/l6qRliaMZaodJMByGrG73kxZg3AJxFaydf4+9VyjE+KSw/nS6IVinOyziSSQpsNyo673mfPocuWdYig/EoUAsDWkFXM5Ew5WWOHD2aG8w62ZCPime; 4:zOkn7JpXBHNtqnJj5Apj5Y0r8LhwTHo44GEE4YsbuHi7kw4TPOUj8gXpFHjZ93VSbnbGJL5unmYxFovEOT2X90I1hSoERDIx3dLF22DqL1VRIQ07RaPUzPz+jlLinLQFw9vDpuPqTZ7y4pPo/xZCR5abE87GGIZckbeDcAVDI9EH+NDxXxiPiXNQIwN63IVOH2NLxLYo/aA1pR2BQINQYE+TxlYAv+zEozhuqLik4zDzoMh6ksPRrl30G6Nu6rQFTYgnD+T6UFyJx7xRkwPyB71SyYYjuyZKTCHSD+79BfV3p3Jfsp0ujIj5sC/0Ft449OSuyG/FNzTeJJsFiKxtWg6Z+Bvwdac3PusRwvlpMlc= X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(767451399110)(228905959029699); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(8211001083)(6040501)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(3231220)(944501161)(52105095)(10201501046)(6055026)(6041288)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123560045)(6072148)(201708071742011); SRVR:SN1PR12MB0158; BCL:0; PCL:0; RULEID:; SRVR:SN1PR12MB0158; X-Forefront-PRVS: 0597911EE1 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(39380400002)(396003)(376002)(366004)(39860400002)(346002)(199004)(189003)(53416004)(25786009)(3846002)(305945005)(47776003)(386003)(26005)(8936002)(8676002)(106356001)(2361001)(7736002)(2351001)(81166006)(66066001)(81156014)(59450400001)(50226002)(16526019)(54906003)(316002)(16586007)(86362001)(6116002)(4326008)(1076002)(186003)(2906002)(53936002)(6486002)(97736004)(2950100002)(6916009)(6666003)(50466002)(76176011)(7696005)(52116002)(478600001)(36756003)(48376002)(51416003)(68736007)(105586002)(5660300001)(213903007); DIR:OUT; SFP:1101; SCL:1; SRVR:SN1PR12MB0158; H:wsp141597wss.amd.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; Received-SPF: None (protection.outlook.com: amd.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; SN1PR12MB0158; 23:c0m1wUhqBZyGASDvL0hFj9C4JBEuQggxTq00Sy57r?= =?us-ascii?Q?3jb0G/3/f2wxUtZT/JIqlSUVwHSSJCFUCypG7LT3SavY1FjhwbZXobcDbVox?= =?us-ascii?Q?xxrmtymkaz8v60qJ7qpmEIn2aIv+kYRp1SIzCVc7ZW4j6bqy1vKSYoHOZ9zO?= =?us-ascii?Q?lum02HBhwKoAa8oxx3QoU6qKHNzJEpNViweA/URlWANjPkPA3UZtCeTXATpf?= =?us-ascii?Q?7xv3acGwQ3q68eGo9jqK3QS3pnB9AoEOvndUHhdnwp1IiUg3WmnNOVtU30+S?= =?us-ascii?Q?CCRnEay6lzQvB52io1nXTJ1G3ebRwSWdB3b3c5f4rrVgKrJgKjbQe9vBk2DE?= =?us-ascii?Q?AcD7vUbwZLlvFUtukm7hFzWtdtNLHpmGNiFZXHlN4j3Leb17ihMIic8lBSgv?= =?us-ascii?Q?f5WtIKaAz+D5zM/rZRJI3ChhZhFAd3aIdHApZogSxqPsqgqFJfqNvP3YiG/Q?= =?us-ascii?Q?Ygp6OAZqyStPuwsOY04AjT97ZOsWvTCLdMEKOnp6Zmkxcu0waLx7GwCMXUY6?= =?us-ascii?Q?4/qgrq65Lrv/jVOYi9NTyrAgrPR5Qtk3TVhZ7IbQb2R7m/ZJSLEjQl39FIbl?= =?us-ascii?Q?2Ob7CnLJDn634WCYBB1oK6/5nNZKiNzlhYbIdOTnn/SSA8JjpVRd7/JXMP0z?= =?us-ascii?Q?BcAEJBOjQpJ0wvAcj+rpoffv8hG9GGswJ9qKnVN7I0ghqznTpl6FMNLcuIc4?= =?us-ascii?Q?h7M6067SpSwLlrY0wE3mTNbBGDJo6A1e0XGJygnetsrGIh0VPMTAP2RXTW/m?= =?us-ascii?Q?GpmTiVkkrv+a5Z5IYSS4PYwCbHiAxWAemworexiWLokedw2mc6dsIhHsaKHe?= =?us-ascii?Q?J0yb5VGYgsjXOPpZiFeiyfUYbh+N0+HNu3X+BbRKS09bPvNDR+2sjgBcpdp4?= =?us-ascii?Q?D+KJVFjHH8jHgiddIEeMRzUk8uPEwco7fwtF1D5RBd7b8ES37d+hsTEcc65E?= =?us-ascii?Q?fimLrYyiHedu7LUPMYb584MhLj9dFIUYYtk4aOYFjKESwJqjaAhQ23GkC6zG?= =?us-ascii?Q?q6c49qa85iS2qGuaHCWGn7NGqlZ+12/uApOVSDXkI65jDrzphMzDfenPPyJ5?= =?us-ascii?Q?4tOAKGHo+29cl/RqWECmQcx8kQkzbriH2L7n4it294Hk7dQWvyiZbXGr+BAD?= =?us-ascii?Q?FAWgGQI+VvBQpGnVEgfsC4B/hZc8e5NcfAID+G9m1fK+LKRquMYD11ppOfcw?= =?us-ascii?Q?Gulw1THmjY8R2yqibpCmbeR24Q+wFtkW2FTjx0KmtphNNOcY70OKFP28g=3D?= =?us-ascii?Q?=3D?= X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0158; 6:HIEy9BgtCd4SKp0NNUCiWs8cAPSpUjJO+uO6gc8tgnhpOuEupq6ZnLZ/nSpbCN1G/FDqqkTir1QBMIsdA7tDBjmly4TsW+e/BnYaW36Nd6dGynhXa/YZOb2pb/vC3iRpMisH3vhlyQwZ3GsPQKITVuo8SDvKA5U9xF7nQhiYa7PVB8DCXzmFbE7BvEb3LB1cJ3B0JClClflau2i9VoYVPlNlUZ7xgpUBwi5H+It0gL13faW/vg8w6dhibMK9K+Wsa9fL5MiXGWm6FfkaW7i3aVJprO9NqheyFntvAPH3Aak6hqlhg1mrlZsKPt0iL8RtGU6S8tOv9nfSYWRT2bjgDKEFM1dzbdFzooKyCP+gwcs=; 5:5CqKckwzj2Ca6P/mnEVJHQGiQ+J2hoHaSNBsz5ZHipaEtcQh7F3IyAqz5Xgd8YBcinrOHgNNmGVequasIYRVLXGeDlYba2sEKcDSCK2UwI4lN2j12aqhEZHMwQ0pXpcBTJTN7nXQDOrW8NSw4Dpm1TPBy19JMRQtKY8dkwNLweY=; 24:/ot9C53MiZvGs3QhZHI3HnThrqb+XqrgeUaFMP8NmlpipzxG3HMbjT8RAh6q1lBvaI5Gpsc1jXG94qFzEIW6NaukrrezbzGXmUnTRKRLBu4=; 7:SX/c724Mo8jFx1iCWg6e8J6MtoD4fssf6J8OHIRy73hngKc7h5fGYEBU/cOIhz6XvuMsYOLuGDmbvGTxjZBLqbg0tO6n0GCdu6CSWd9WhPjChLI4Z66UTsqCuvRcPzIahx12HFzPGvhKeriCy499eFLSdSeSPr6c2XluWpebrzFCXwq6D6Dix4n2FT0f79Xvwkta4JUzge7UD/toWQ67Cg2jtYAGbN8JyGm1yLPFEr45MjqkKRhwDo2RWHFvhJ7i SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; SN1PR12MB0158; 20:1B2eZmLV+JHySVILEmwkJdoUstDQyuG5eAAVFLEnMRiIArPvkMBQx4v7ipnEDD2nTe/FuiUT80hU8ENe7whw8GxHPy4Ma8S38MNaN7w1+I94SUb8JMYv3sXLtcWF6Hn5SxfuzRf+2Qo+0or/SrgeMuH6iLpNN+VPmX2jIOKVRK7pQjMhwuECnCx5TN4yUpPfa82b04F2vzhMpMtpvpmeR8SCd+w7axOam6nd0YL/ezuqsss9vuI5do4kCnLcPluq X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Feb 2018 16:15:25.2934 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 75fa38a6-cced-43a9-7400-08d57ec679d0 X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR12MB0158 Subject: [PATCH v2 2/2] OvmfPkg/QemuFlashFvbServicesRuntimeDxe: Clear C-bit when SEV is active X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Feb 2018 16:09:19 -0000 Content-Type: text/plain Commit:24e4ad7 (OvmfPkg: Add AmdSevDxe driver) added a driver which runs early in DXE phase and clears the C-bit from all MMIO regions (including Qemu Flash). When SMM is enabled, we build two sets of page tables; first page table is used when executing code in non SMM mode (SMM-less-pgtable) and second page table is used when we are executing code in SMM mode (SMM-pgtable). During boot time, AmdSevDxe driver clears the C-bit from the SMM-less-pgtable. But when SMM is enabled, Qemu Flash services are used from SMM mode. In this patch we explicitly clear the C-bit from Qemu flash MMIO range before we probe the flash. When OVMF is built with SMM_REQUIRE then call to initialize the flash services happen after the SMM-pgtable is created and processor is serving the first SMI. At this time we will have access to the SMM-pgtable. Cc: Jordan Justen Cc: Laszlo Ersek Cc: Ard Biesheuvel Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Brijesh Singh --- OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf | 1 + OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h | 7 +++++ OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c | 12 +++++++ OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c | 33 ++++++++++++++++++++ OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c | 6 ++++ 5 files changed, 59 insertions(+) diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf index ba2d3679a46d..d365e27cbe59 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FvbServicesSmm.inf @@ -53,6 +53,7 @@ [LibraryClasses] DevicePathLib DxeServicesTableLib MemoryAllocationLib + MemEncryptSevLib PcdLib SmmServicesTableLib UefiBootServicesTableLib diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h index 8d83dca7a52c..6c4099c140e8 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.h @@ -88,5 +88,12 @@ QemuFlashConvertPointers ( VOID ); +VOID +BeforeFlashProbe ( + EFI_PHYSICAL_ADDRESS BaseAddress, + UINTN FdBlockSize, + UINTN FdBlockCount + ); + #endif diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c index 63b308658e36..a4614de3c901 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceDxe.c @@ -155,3 +155,15 @@ InstallVirtualAddressChangeHandler ( ); ASSERT_EFI_ERROR (Status); } + +VOID +BeforeFlashProbe ( + EFI_PHYSICAL_ADDRESS BaseAddress, + UINTN FdBlockSize, + UINTN FdBlockCount + ) +{ + // + // Do nothing + // +} diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c index e0617f2503a2..a6cad5af223b 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/FwBlockServiceSmm.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -67,3 +68,35 @@ InstallVirtualAddressChangeHandler ( // Nothing. // } + +VOID +BeforeFlashProbe ( + EFI_PHYSICAL_ADDRESS BaseAddress, + UINTN FdBlockSize, + UINTN FdBlockCount + ) +{ + EFI_STATUS Status; + + ASSERT (FeaturePcdGet (PcdSmmSmramRequire)); + + if (!MemEncryptSevIsEnabled()) { + return; + } + + // + // When SEV is enabled, AmdSevDxe runs early in DXE phase and clears the C-bit + // from the MMIO space (including flash ranges) but the driver runs in non SMM + // context hence it cleared the flash ranges from non SMM page table. + // When SMM is enabled, the flash services are accessed from the SMM mode + // hence we explicitly clear the C-bit on flash ranges from SMM page table. + // + + Status = MemEncryptSevClearPageEncMask ( + 0, + BaseAddress, + EFI_SIZE_TO_PAGES (FdBlockSize * FdBlockCount), + FALSE + ); + ASSERT_EFI_ERROR (Status); +} diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c index 5677b5ee119c..f63e11723415 100644 --- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c +++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c @@ -244,6 +244,12 @@ QemuFlashInitialize ( ASSERT(PcdGet32 (PcdOvmfFirmwareFdSize) % mFdBlockSize == 0); mFdBlockCount = PcdGet32 (PcdOvmfFirmwareFdSize) / mFdBlockSize; + // + // execute platform specific hooks before probing the flash + // + BeforeFlashProbe ((EFI_PHYSICAL_ADDRESS)(UINTN) mFlashBase, + mFdBlockSize, mFdBlockCount); + if (!QemuFlashDetected ()) { ASSERT (!FeaturePcdGet (PcdSmmSmramRequire)); return EFI_WRITE_PROTECTED; -- 2.14.3