From: "Brijesh Singh"
To: devel@edk2.groups.io
Cc: Brijesh Singh, James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek, Erdem Aktas
Subject: [PATCH RFC v2 19/28] OvmfPkg: register GHCB gpa for the SEV-SNP guest
Date: Fri, 30 Apr 2021 06:51:39 -0500
Message-Id: <20210430115148.22267-20-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210430115148.22267-1-brijesh.singh@amd.com>
References: <20210430115148.22267-1-brijesh.singh@amd.com>
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Apr 2021 11:52:27.9777 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: cB2FZGTz4PRimRGGqOmUiiNvVeKryIrqmlqiM6oCLaZghfuNasH7Che4LFbUhvgg0HNvrSDSyO7M8KVtOU7ofA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR12MB2783 Content-Type: text/plain BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275 The SEV-SNP guest requires that GHCB GPA must be registered before using. The GHCB GPA can be registred using the GhcbGPARegister(). Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Cc: Erdem Aktas Signed-off-by: Brijesh Singh --- OvmfPkg/PlatformPei/AmdSev.c | 8 +++ OvmfPkg/PlatformPei/PlatformPei.inf | 1 + OvmfPkg/Sec/SecMain.c | 76 ++++++++++++++++++++ 3 files changed, 85 insertions(+) diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 81e40e0889..54b07622b4 100644 --- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -156,6 +157,13 @@ AmdSevEsInitialize ( "SEV-ES is enabled, %lu GHCB backup pages allocated starting at 0x%p\n", (UINT64)GhcbBackupPageCount, GhcbBackupBase)); + if (MemEncryptSevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before using it. + // + GhcbRegister (GhcbBasePa); + } + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); // diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf index 89c8e9627c..e9a10146ef 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -52,6 +52,7 @@ BaseLib CacheMaintenanceLib DebugLib + GhcbRegisterLib HobLib IoLib PciLib 
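Review bot: in the AmdSevEsInitialize hunk, GhcbRegister (GhcbBasePa) is called before the GHCB MSR is written, which is the order the commit message requires, but the PlatformPei.inf hunk only adds the GhcbRegisterLib library class and no DSC mapping for that class is part of this patch; confirm it is resolved by an earlier patch in the series, otherwise PlatformPei will not build. Also, the new comment "SEV-SNP guest requires that GHCB GPA must be registered before using it" reads better as "requires that the GHCB GPA be registered before use"; the same comment is repeated in SecMain.c.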
diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2..7c9650ba8f 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c 
@@ -750,6 +750,76 @@ SevEsProtocolFailure ( CpuDeadLoop (); } +/** + Determine if SEV-SNP is active. There is a MemEncryptIsSnpEnabled() in MemEncryptSevLib + but we can not use it because the SEV-SNP check need to be done before the + ProcessLibraryConstructorList() is called. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + + SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase); + + return ((SevEsWorkArea != NULL) && (SevEsWorkArea->SevSnpEnabled != 0)); +} + +/** + The GHCB GPA registeration need to be done before the ProcessLibraryConstructorList() + is called. So use a local implementation instead of including the GhcbRegisterLib. + + */ +STATIC +VOID +SevSnpGhcbRegister ( + UINTN Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber = Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress = 0; + Msr.GhcbGpaRegister.Function = GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber = GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail. + // + if ((Msr.GhcbGpaRegister.Function != GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber != GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** Validate the SEV-ES/GHCB protocol level. 
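Review bot: the doc comment on SevSnpIsEnabled() refers to MemEncryptIsSnpEnabled(), but the function the PEI side of this same patch calls is MemEncryptSevSnpIsEnabled(); align the comment with the actual library API. Two typos in the new comments, "the SEV-SNP check need to be done" and "The GHCB GPA registeration need to be done", should read "needs" and "registration". The second doc comment closes with " */" where the first uses "**/"; keep the edk2 style consistent. On the logic, the response check refuses to continue unless the hypervisor echoes both GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE and exactly the GuestFrameNumber that was requested, terminating through SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL) otherwise; that is the right trust boundary for an untrusted hypervisor, and a short comment saying why a mismatched GFN must be fatal rather than retried would help future readers. Restoring CurrentMsr at the end is harmless, but since SevEsProtocolCheck() writes the initial GHCB address immediately afterwards anyway, say in the "Restore the MSR" comment that the restore only keeps the MSR state identical to the non-SNP path.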
@@ -791,6 +861,12 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } + if (SevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before using it. + // + SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } // // SEV-ES protocol checking succeeded, set the initial GHCB address // -- 2.17.1
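Review bot: in the SevEsProtocolCheck hunk, the closing "+ }" of the new SevSnpIsEnabled() block is followed directly by the existing "// SEV-ES protocol checking succeeded" comment with no blank line, unlike the equivalent block added to AmdSev.c; add the blank line. Registering the GHCB GPA after the protocol-version check and before the initial GHCB MSR write matches the ordering in AmdSevEsInitialize, which is correct for the requirement stated in the commit message.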