From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek, Erdem Aktas
Subject: [PATCH RFC v2 16/28] OvmfPkg/MemEncryptSevLib: Extend Es Workarea to include hv features
Date: Fri, 30 Apr 2021 06:51:36 -0500
Message-Id: <20210430115148.22267-17-brijesh.singh@amd.com>
In-Reply-To: <20210430115148.22267-1-brijesh.singh@amd.com>
References: <20210430115148.22267-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The GHCB Version 2 introduces advertisement of features that are supported by the hypervisor. The features value is saved in the SevEs workarea. Save the value in the PCD for later use.

Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Cc: Erdem Aktas Signed-off-by: Brijesh Singh --- OvmfPkg/Include/Library/MemEncryptSevLib.h | 2 + OvmfPkg/PlatformPei/AmdSev.c | 26 +++++ OvmfPkg/PlatformPei/PlatformPei.inf | 1 + OvmfPkg/ResetVector/Ia32/PageTables64.asm | 122 ++++++++++++++++++++ OvmfPkg/ResetVector/ResetVector.nasmb | 1 + 5 files changed, 152 insertions(+) diff --git a/OvmfPkg/Include/Library/MemEncryptSevLib.h b/OvmfPkg/Include/Library/MemEncryptSevLib.h index 03e476ef2a..42caa6497b 100644 --- a/OvmfPkg/Include/Library/MemEncryptSevLib.h +++ b/OvmfPkg/Include/Library/MemEncryptSevLib.h @@ -55,6 +55,8 @@ typedef struct _SEC_SEV_ES_WORK_AREA { UINT64 RandomData; UINT64 EncryptionMask; + + UINT64 HypervisorFeatures; } SEC_SEV_ES_WORK_AREA; // diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 67b78fd5fa..81e40e0889 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -43,6 +43,27 @@ AmdSevSnpInitialize ( ASSERT_RETURN_ERROR (PcdStatus); } +/** + + Function to set the PcdHypervisorFeatures. +**/ +STATIC +VOID +AmdSevHypervisorFeatures ( + VOID + ) +{ + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + RETURN_STATUS PcdStatus; + + SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); + + PcdStatus = PcdSet64S (PcdGhcbHypervisorFeatures, SevEsWorkArea->HypervisorFeatures); + ASSERT_RETURN_ERROR (PcdStatus); + + DEBUG ((DEBUG_INFO, "GHCB Hypervisor Features=0x%Lx\n", SevEsWorkArea->HypervisorFeatures)); +} + /** Initialize SEV-ES support if running as an SEV-ES guest. @@ -73,6 +94,11 @@ AmdSevEsInitialize ( PcdStatus = PcdSetBoolS (PcdSevEsIsEnabled, TRUE); ASSERT_RETURN_ERROR (PcdStatus); + // + // Set the hypervisor features PCD. + // + AmdSevHypervisorFeatures (); + // // Allocate GHCB and per-CPU variable pages. // Since the pages must survive across the UEFI to OS transition 
diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 3aef0773b1..89c8e9627c 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -111,6 +111,7 @@ gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsIsEnabled gUefiCpuPkgTokenSpaceGuid.PcdSevSnpIsEnabled + gUefiCpuPkgTokenSpaceGuid.PcdGhcbHypervisorFeatures [FixedPcd] gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVector/Ia32/PageTables64.asm index 6838cdeec9..6bf4a3524a 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -62,6 +62,16 @@ BITS 32 %define GHCB_CPUID_REGISTER_SHIFT 30 %define CPUID_INSN_LEN 2 +; GHCB SEV Information MSR protocol +%define GHCB_SEV_INFORMATION_REQUEST 2 +%define GHCB_SEV_INFORMATION_RESPONSE 1 + +; GHCB Hypervisor features MSR protocol +%define GHCB_HYPERVISOR_FEATURES_REQUEST 128 +%define GHCB_HYPERVISOR_FEATURES_RESPONSE 129 + +; GHCB request to terminate protocol values +%define GHCB_GENERAL_TERMINATE_REQUEST 255 ; Check if Secure Encrypted Virtualization (SEV) features are enabled. ; @@ -86,6 +96,13 @@ CheckSevFeatures: ; will set it to 1. mov byte[SEV_ES_WORK_AREA_SNP], 0 + ; Set the Hypervisor features field in the workarea to zero to communicate + ; to the hypervisor features to the SEC phase. The hypervisor feature is + ; filled during the call to CheckHypervisorFeatures. + mov eax, 0 + mov dword[SEV_ES_WORK_AREA_HYPERVISOR_FEATURES], eax + mov dword[SEV_ES_WORK_AREA_HYPERVISOR_FEATURES + 4], eax + ; ; Set up exception handlers to check for SEV-ES ; Load temporary RAM stack based on PCDs (see SevEsIdtVmmComm for 
@@ -225,6 +242,106 @@ IsSevEsEnabled: SevEsDisabled: OneTimeCallRet IsSevEsEnabled +; The version 2 of GHCB specification added the support to query the hypervisor features. +; If the GHCB version is greather than 2 then read the hypervisor features. +; +; Modified: EAX, EBX, ECX, EDX +; +CheckHypervisorFeatures: + ; Get the SEV Information + ; Setup GHCB MSR + ; GHCB_MSR[11:0] = SEV information request + ; + mov edx, 0 + mov eax, GHCB_SEV_INFORMATION_REQUEST + mov ecx, 0xc0010130 + wrmsr + + ; + ; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-bit + ; mode, so work around this by temporarily switching to 64-bit mode. + ; +BITS 64 + rep vmmcall +BITS 32 + + ; + ; SEV Information Response GHCB MSR + ; GHCB_MSR[63:48] = Maximum protocol version + ; GHCB_MSR[47:32] = Minimum protocol version + ; GHCB_MSR[11:0] = SEV information response + ; + mov ecx, 0xc0010130 + rdmsr + and eax, 0xfff + cmp eax, GHCB_SEV_INFORMATION_RESPONSE + jnz TerminateSevGuestLaunch + shr edx, 16 + cmp edx, 2 + jl CheckHypervisorFeaturesDone + + ; Get the hypervisor features + ; Setup GHCB MSR + ; GHCB_MSR[11:0] = Hypervisor features request + ; + mov edx, 0 + mov eax, GHCB_HYPERVISOR_FEATURES_REQUEST + mov ecx, 0xc0010130 + wrmsr + + ; + ; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-bit + ; mode, so work around this by temporarily switching to 64-bit mode. 
+ ; +BITS 64 + rep vmmcall +BITS 32 + + ; + ; Hypervisor features reponse + ; GHCB_MSR[63:12] = Features bitmap + ; GHCB_MSR[11:0] = Hypervisor features response + ; + mov ecx, 0xc0010130 + rdmsr + mov ebx, eax + and eax, 0xfff + cmp eax, GHCB_HYPERVISOR_FEATURES_RESPONSE + jnz TerminateSevGuestLaunch + + shr ebx, 12 + mov dword[SEV_ES_WORK_AREA_HYPERVISOR_FEATURES], ebx + mov dword[SEV_ES_WORK_AREA_HYPERVISOR_FEATURES + 4], edx + + jmp CheckHypervisorFeaturesDone +TerminateSevGuestLaunch: + ; + ; Setup GHCB MSR + ; GHCB_MSR[23:16] = 0 + ; GHCB_MSR[15:12] = 0 + ; GHCB_MSR[11:0] = Terminate Request + ; + mov edx, 0 + mov eax, GHCB_GENERAL_TERMINATE_REQUEST + mov ecx, 0xc0010130 + wrmsr + + ; + ; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-bit + ; mode, so work around this by temporarily switching to 64-bit mode. + ; +BITS 64 + rep vmmcall +BITS 32 + +TerminateSevGuestLaunchHlt: + cli + hlt + jmp TerminateSevGuestLaunchHlt + +CheckHypervisorFeaturesDone: + OneTimeCallRet CheckHypervisorFeatures + ; ; Modified: EAX, EBX, ECX, EDX ; @@ -328,6 +445,11 @@ clearGhcbMemoryLoop: mov dword[ecx * 4 + GHCB_BASE - 4], eax loop clearGhcbMemoryLoop + ; + ; It is SEV-ES guest, query the Hypervisor features + ; + OneTimeCall CheckHypervisorFeatures + SetCr3: ; ; Set CR3 now that the paging structures are available diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/ResetVector.nasmb index 34b900127e..465038e39d 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb 
@@ -76,6 +76,7 @@ %define SEV_ES_WORK_AREA_SNP (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 1) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 16) + %define SEV_ES_WORK_AREA_HYPERVISOR_FEATURES (FixedPcdGet32 (PcdSevEsWorkAreaBase) + 24) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase) + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %include "Ia32/Flat32ToFlat64.asm" %include "Ia32/PageTables64.asm" -- 2.17.1
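
Review bot: In OvmfPkg/Include/Library/MemEncryptSevLib.h, the new HypervisorFeatures field is undocumented, and its position is only implicitly tied to the assembly side, where ResetVector.nasmb hard-codes SEV_ES_WORK_AREA_HYPERVISOR_FEATURES as PcdSevEsWorkAreaBase + 24. Please add a comment on the field saying it holds the GHCB_MSR[63:12] features bitmap written by the reset vector, and consider a STATIC_ASSERT on OFFSET_OF (SEC_SEV_ES_WORK_AREA, HypervisorFeatures) == 24 so that a later field insertion cannot silently desynchronise the C and NASM views of the work area.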
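
Review bot: In OvmfPkg/PlatformPei/AmdSev.c, the header comment for AmdSevHypervisorFeatures() names "PcdHypervisorFeatures" while the code sets PcdGhcbHypervisorFeatures, and it has a stray blank line after the opening /**. Please fix the name and state where the value comes from (the SEC work area that the reset vector fills from the hypervisor's MSR-protocol response), which makes it clear to later consumers that the PCD carries a hypervisor-supplied advertisement. The PcdSet64S and DEBUG lines also look longer than 80 columns and could be wrapped.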
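
Review bot: In the new %define block at the top of OvmfPkg/ResetVector/Ia32/PageTables64.asm, GHCB_GENERAL_TERMINATE_REQUEST is 255, which is 0xff in GHCB_MSR[11:0]; the GHCB MSR protocol's termination request code is 0x100, so please check this value against the specification. Writing the request and response codes in hex (0x002, 0x001, 0x080, 0x081) would match the way the code masks them with 0xfff and make a slip like this easier to spot.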
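
Review bot: In CheckHypervisorFeatures, the features bitmap is not extracted as GHCB_MSR[63:12]: only the low dword is shifted (shr ebx, 12) and EDX is stored unshifted as the high dword, so MSR bits 43:32 never reach bits 31:20 of the low dword and the high dword holds MSR[63:32] instead of MSR[63:44]. Shifting the pair together, for example shrd ebx, edx, 12 followed by shr edx, 12 before the two stores, would produce the value the comment describes. Separately, the routine's header says "greather than 2" while the code skips the query only when the maximum protocol version is below 2 (cmp edx, 2 / jl CheckHypervisorFeaturesDone), so the comment should read "2 or greater".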