From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek
Subject: [RFC PATCH 08/19] OvmfPkg: register GHCB gpa for the SEV-SNP guest
Date: Wed, 24 Mar 2021 10:32:04 -0500
Message-Id: <20210324153215.17971-9-brijesh.singh@amd.com>
In-Reply-To: <20210324153215.17971-1-brijesh.singh@amd.com>
References: <20210324153215.17971-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The SEV-SNP guest requires that GHCB GPA must be registered before using. The GHCB GPA can be registered using the GhcbGPARegister().

Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 11 +++ OvmfPkg/PlatformPei/PlatformPei.inf | 2 + OvmfPkg/Sec/SecMain.c | 76 ++++++++++++++++++++ 3 files changed, 89 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index dddffdebda..95c5ad235f 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -110,6 +111,16 @@ AmdSevEsInitialize ( "SEV-ES is enabled, %lu GHCB backup pages allocated starting at 0x%p\n", (UINT64)GhcbBackupPageCount, GhcbBackupBase)); + if (MemEncryptSevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before using it. + // + GhcbRegister (GhcbBasePa); + + PcdStatus = PcdSetBoolS (PcdSevSnpIsEnabled, TRUE); + ASSERT_RETURN_ERROR (PcdStatus); + } + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); // diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 6ef77ba7bb..cb6f5ac091 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -52,6 +52,7 @@ BaseLib CacheMaintenanceLib DebugLib + GhcbRegisterLib HobLib IoLib PciLib @@ -110,6 +111,7 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuBootLogicalProcessorNumber gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled + gUefiCpuPkgTokenSpaceGuid.PcdSevSnpIsEnabled [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2..df6722b546 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c 
@@ -750,6 +750,76 @@ SevEsProtocolFailure ( CpuDeadLoop (); } +/** + Determine if SEV-SNP is active. There is a MemEncryptIsSnpEnabled() in MemEncryptSevLib + but we can not use it because the SEV-SNP check need to be done before the + ProcessLibraryConstructorList() is called. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + Msr.Uint32 = AsmReadMsr32 (MSR_SEV_STATUS); + + return Msr.Bits.SevSnpBit ? TRUE : FALSE; +} + +/** + The GHCB GPA registeration need to be done before the ProcessLibraryConstructorList() + is called. So use a local implementation instead of including the GhcbRegisterLib. + + */ +STATIC +VOID +SevSnpGhcbRegister ( + UINTN Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber = Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbGpaRegister.Function = GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber = GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber != GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** Validate the SEV-ES/GHCB protocol level. 
@@ -791,6 +861,12 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } + if (SevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before using it. + // + SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } // // SEV-ES protocol checking succeeded, set the initial GHCB address // -- 2.17.1
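
Review bot: In the AmdSevEsInitialize() hunk of OvmfPkg/PlatformPei/AmdSev.c, nothing shows what happens when `GhcbRegister (GhcbBasePa)` fails: the call is a bare statement and execution continues straight to `AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa)`. The SEC copy of this logic, SevSnpGhcbRegister(), terminates through SevEsProtocolFailure() when the hypervisor answers with a different frame number. If GhcbRegister() likewise never returns on failure, say so in the comment above the call; otherwise check its result so the guest does not start using a GHCB page the hypervisor did not acknowledge. The commit message also names the helper GhcbGPARegister() while the code calls GhcbRegister(); the two should agree.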
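
Review bot: In SevSnpGhcbRegister() (first OvmfPkg/Sec/SecMain.c hunk), `GuestFrameNumber = Address >> EFI_PAGE_SHIFT` silently drops the low bits of Address, and the response check compares against that already-truncated value, so an unaligned Address goes through without any diagnostic. Either reject an unaligned Address through SevEsProtocolFailure() before the shift, or state the page-alignment requirement in the function comment. That comment also lacks an @param entry for Address and closes with ` */` where the SevSnpIsEnabled() header above it uses `**/`. The SevSnpIsEnabled() comment refers to MemEncryptIsSnpEnabled(), while the PlatformPei hunk calls MemEncryptSevSnpIsEnabled(); please use the real name.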
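
Review bot: In the SevEsProtocolCheck() hunk of OvmfPkg/Sec/SecMain.c, GHCB registration is a state-changing step added to a function whose header reads "Validate the SEV-ES/GHCB protocol level", and the existing comment "SEV-ES protocol checking succeeded, set the initial GHCB address" now follows the new block without covering it. Either update the function header to say that the SEC GHCB page is registered for SEV-SNP guests, or move the `SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase))` call to the caller so the check function stays free of side effects. A blank line is also missing between the added closing `}` and the `//` comment block that follows it.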