From: Ashish Kalra
To: devel@edk2.groups.io
Cc: dovmurik@linux.vnet.ibm.com, brijesh.singh@amd.com, tobin@ibm.com, Jon.Grimm@amd.com, Thomas.Lendacky@amd.com, jejb@linux.ibm.com, frankeh@us.ibm.com, dgilbert@redhat.com, lersek@redhat.com, jordan.l.justen@intel.com, ard.biesheuvel@arm.com
Subject: [PATCH v1 1/2] OvmfPkg/MemEncryptHypercallLib: add library to support SEV hypercalls.
Date: Wed, 2 Dec 2020 07:29:31 +0000
Message-Id: <20201202072931.12618-1-Ashish.Kalra@amd.com>
X-Mailer: git-send-email 2.17.1
From: Ashish Kalra

Add SEV and SEV-ES hypercall abstraction library to support SEV Page encryption/decryption status hypercalls for SEV and SEV-ES guests.

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Signed-off-by: Ashish Kalra
---
 OvmfPkg/OvmfPkgX64.dsc | 1 +
 OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf | 39 ++++++++
 OvmfPkg/Include/Library/MemEncryptHypercallLib.h | 37 +++++++
 OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.c | 105 ++++++++++++++++++++
 OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm | 39 ++++++++
 5 files changed, 221 insertions(+)

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index e59ae05b73..97c31c7586 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -174,6 +174,7 @@ VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/BaseMemEncryptSevLib.inf + MemEncryptHypercallLib|OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf new file mode 100644 index 0000000000..1936fe5b37 --- /dev/null +++ b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.inf
@@ -0,0 +1,39 @@ +## @file +# Library provides the hypervisor helper functions for SEV guest +# +# Copyright (c) 2020 Advanced Micro Devices. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +# +## + +[Defines] + INF_VERSION = 1.25 + BASE_NAME = MemEncryptHypercallLib + FILE_GUID = 86f2501e-f128-45f3-91c4-3cff31656ca8 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = MemEncryptHypercallLib|SEC PEI_CORE PEIM DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_DRIVER + +# +# The following information is for reference only and not required by the build +# tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Packages] + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + UefiCpuPkg/UefiCpuPkg.dec + OvmfPkg/OvmfPkg.dec + +[Sources.X64] + MemEncryptHypercallLib.c + X64/AsmHelperStub.nasm + +[LibraryClasses] + BaseLib + DebugLib + VmgExitLib diff --git a/OvmfPkg/Include/Library/MemEncryptHypercallLib.h b/OvmfPkg/Include/Library/MemEncryptHypercallLib.h new file mode 100644 index 0000000000..cd46a7f2b3 --- /dev/null +++ b/OvmfPkg/Include/Library/MemEncryptHypercallLib.h @@ -0,0 +1,37 @@ +/** @file + + Define Secure Encrypted Virtualization (SEV) hypercall library. + + Copyright (c) 2020, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _MEM_ENCRYPT_HYPERCALL_LIB_H_ +#define _MEM_ENCRYPT_HYPERCALL_LIB_H_ + +#include + +#define SEV_PAGE_ENC_HYPERCALL 12 + +/** + This hyercall is used to notify hypervisor when a page is marked as + 'decrypted' (i.e C-bit removed). + + @param[in] PhysicalAddress The physical address that is the start address + of a memory region. + @param[in] Length The length of memory region + @param[in] Mode SetCBit or ClearCBit + +**/ + +VOID +EFIAPI +SetMemoryEncDecHypercall3 ( + IN UINTN PhysicalAddress, + IN UINTN Length, + IN UINTN Mode + ); + +#endif diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.c b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.c new file mode 100644 index 0000000000..f1136b7d36 --- /dev/null +++ b/OvmfPkg/Library/MemEncryptHypercallLib/MemEncryptHypercallLib.c @@ -0,0 +1,105 @@ +/** @file + + Secure Encrypted Virtualization (SEV) hypercall helper library + + Copyright (c) 2020, AMD Incorporated. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// +// Interface exposed by the ASM implementation of the core hypercall +// +// + +VOID +EFIAPI +SetMemoryEncDecHypercall3AsmStub ( + IN UINTN HypercallNum, + IN UINTN PhysicalAddress, + IN UINTN Length, + IN UINTN Mode + ); + +/** + This function returns the current CPU privilege level, implemented + in ASM helper stub. + +**/ + +UINT8 +EFIAPI +GetCurrentCpuPrivilegeLevel ( + VOID + ); + +STATIC +VOID +GhcbSetRegValid ( + IN OUT GHCB *Ghcb, + IN GHCB_REGISTER Reg + ) +{ + UINT32 RegIndex; + UINT32 RegBit; + + RegIndex = Reg / 8; + RegBit = Reg & 0x07; + + Ghcb->SaveArea.ValidBitmap[RegIndex] |= (1 << RegBit); +} + +VOID +EFIAPI +SetMemoryEncDecHypercall3 ( + IN PHYSICAL_ADDRESS PhysicalAddress, + IN UINTN Pages, + IN UINTN Mode + ) +{ + if (MemEncryptSevEsIsEnabled ()) { + MSR_SEV_ES_GHCB_REGISTER Msr; + GHCB *Ghcb; + BOOLEAN InterruptState; + UINT64 Status; + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + Ghcb = Msr.Ghcb; + + VmgInit (Ghcb, &InterruptState); + + Ghcb->SaveArea.Rax = SEV_PAGE_ENC_HYPERCALL; + GhcbSetRegValid (Ghcb, GhcbRax); + Ghcb->SaveArea.Rbx = PhysicalAddress; + GhcbSetRegValid (Ghcb, GhcbRbx); + Ghcb->SaveArea.Rcx = Pages; + GhcbSetRegValid (Ghcb, GhcbRcx); + Ghcb->SaveArea.Rdx = Mode; + GhcbSetRegValid (Ghcb, GhcbRdx); + Ghcb->SaveArea.Cpl = GetCurrentCpuPrivilegeLevel(); + GhcbSetRegValid (Ghcb, GhcbCpl); + + Status = VmgExit (Ghcb, SVM_EXIT_VMMCALL, 0, 0); + if (Status) { + DEBUG ((DEBUG_ERROR, "SVM_EXIT_VMMCALL failed %lx\n", Status)); + } + VmgDone (Ghcb, InterruptState); + } else { + SetMemoryEncDecHypercall3AsmStub ( + SEV_PAGE_ENC_HYPERCALL, + PhysicalAddress, + Pages, + Mode); + } +} diff --git a/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm b/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm new file mode 100644 index 0000000000..5d8a7aa85a 
--- /dev/null +++ b/OvmfPkg/Library/MemEncryptHypercallLib/X64/AsmHelperStub.nasm @@ -0,0 +1,39 @@ +DEFAULT REL +SECTION .text + +; VOID +; EFIAPI +; SetMemoryEncDecHypercall3AsmStub ( +; IN UINT HypercallNum, +; IN INTN Arg1, +; IN INTN Arg2, +; IN INTN Arg3 +; ); +global ASM_PFX(SetMemoryEncDecHypercall3AsmStub) +ASM_PFX(SetMemoryEncDecHypercall3AsmStub): + ; UEFI calling conventions require RBX to + ; be nonvolatile/callee-saved. + push rbx + ; Copy HypercallNumber to rax + mov rax, rcx + ; Copy Arg1 to the register expected by KVM + mov rbx, rdx + ; Copy Arg2 to register expected by KVM + mov rcx, r8 + ; Copy Arg2 to register expected by KVM + mov rdx, r9 + ; Call VMMCALL + vmmcall + pop rbx + ret + +; UINT8 +; EFIAPI +; GetCurrentCpuPrivilegeLevel ( +; VOID +; ); +global ASM_PFX(GetCurrentCpuPrivilegeLevel) +ASM_PFX(GetCurrentCpuPrivilegeLevel): + mov ax, cs + and al, 0x3 + ret -- 2.17.1
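Review bot: The OvmfPkgX64.dsc hunk maps a new library class, MemEncryptHypercallLib, but the diffstat shows no change to OvmfPkg/OvmfPkg.dec. A library class has to be declared in a package [LibraryClasses] section (`MemEncryptHypercallLib|Include/Library/MemEncryptHypercallLib.h`) before the build tools will resolve the header for consumers, so please add that declaration in this patch rather than leaving it to 2/2. Also, only OvmfPkgX64.dsc receives the mapping; if patch 2/2 adds a consumer that is built by the other OVMF platform .dsc files, each of them needs the same line or their builds break.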
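Review bot: In the MemEncryptHypercallLib.inf hunk, [LibraryClasses] lists BaseLib, DebugLib and VmgExitLib but omits MemEncryptSevLib, even though MemEncryptHypercallLib.c calls MemEncryptSevEsIsEnabled(); declare the dependency explicitly instead of relying on it being linked transitively. The reference comment claims `VALID_ARCHITECTURES = IA32 X64`, yet the only sources are under [Sources.X64] and the stub is 64-bit NASM (`push rbx`, `mov rax, rcx`), so either drop IA32 from the comment or supply an IA32 source set. MdeModulePkg/MdeModulePkg.dec in [Packages] looks unused by this library; please confirm it is needed or remove it.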
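Review bot: The prototype in the MemEncryptHypercallLib.h hunk does not match the definition in MemEncryptHypercallLib.c: the header declares `IN UINTN PhysicalAddress, IN UINTN Length, IN UINTN Mode`, while the .c file defines `IN PHYSICAL_ADDRESS PhysicalAddress, IN UINTN Pages, IN UINTN Mode`. Make them identical (PHYSICAL_ADDRESS is UINT64, so the types diverge on a 32-bit build), and document the second argument as a page count, since it is passed to the hypervisor in RCX unchanged and a caller reading "Length" will pass bytes. The doc comment says the hypercall notifies the hypervisor when a page is marked 'decrypted', but Mode selects between SetCBit and ClearCBit, and the header provides no named constants for those two values; add macros or an enum so callers and the hypervisor agree on the encoding. Typo in the comment: "hyercall".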
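Review bot: In the MemEncryptHypercallLib.c hunk, SetMemoryEncDecHypercall3 cannot report failure: it returns VOID, the SEV-ES path only logs a non-zero VmgExit status with DEBUG and never inspects the hypercall result the hypervisor leaves in Ghcb->SaveArea.Rax, and the non-ES path discards RAX inside the stub. A rejected or unsupported page-status hypercall (for instance a KVM without this hypercall number) then silently leaves the hypervisor's shared/private view of the page out of sync with the guest's C-bit change, which is the condition this library exists to prevent. Return RETURN_STATUS (or the raw hypercall result) from both paths and let the caller decide. Two style points from the same hunk: `if (Status)` should be `if (Status != 0)` per the edk2 coding standard, and `GetCurrentCpuPrivilegeLevel();` needs a space before the parenthesis like every other call in the file. Finally, the else branch executes VMMCALL unconditionally; consider guarding it with MemEncryptSevIsEnabled() so a non-SEV guest that links this library never reaches the instruction.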
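Review bot: The comment header for SetMemoryEncDecHypercall3AsmStub in the AsmHelperStub.nasm hunk disagrees with the C declaration: it lists `IN UINT HypercallNum` (UINT is not an edk2 type) and `INTN Arg1..Arg3`, while MemEncryptHypercallLib.c declares all four as UINTN. The comment above `mov rdx, r9` says "Copy Arg2" and should say Arg3. The stub also throws away the hypercall result that VMMCALL leaves in RAX; since RAX is already the return register, declaring the stub as returning UINTN costs no code and lets the C wrapper propagate errors. GetCurrentCpuPrivilegeLevel is correct as written: CPL is the low two bits of the CS selector and only AL matters for a UINT8 return.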