From: "Brijesh Singh"
To: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Laszlo Ersek, Erdem Aktas, Eric Dong, Ray Ni, Rahul Kumar, devel@edk2.groups.io
CC: Brijesh Singh, Ard Biesheuvel
Subject: [PATCH RFC v3 10/22] OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest
Date: Wed, 26 May 2021 18:11:06 -0500
Message-ID: <20210526231118.12946-11-brijesh.singh@amd.com>
In-Reply-To: <20210526231118.12946-1-brijesh.singh@amd.com>
References: <20210526231118.12946-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The SEV-SNP guest requires that GHCB GPA must be registered before using. The GHCB GPA can be registered using the GhcbGPARegister().

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Cc: Erdem Aktas
Signed-off-by: Brijesh Singh
--- OvmfPkg/PlatformPei/PlatformPei.inf | 1 + OvmfPkg/PlatformPei/AmdSev.c | 8 +++ OvmfPkg/Sec/SecMain.c | 79 +++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+) diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 89c8e9627c86..e9a10146effd 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -52,6 +52,7 @@ [LibraryClasses] BaseLib CacheMaintenanceLib DebugLib + GhcbRegisterLib HobLib IoLib PciLib diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c index 81e40e0889aa..54b07622b4dd 100644 
--- a/OvmfPkg/PlatformPei/AmdSev.c +++ b/OvmfPkg/PlatformPei/AmdSev.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -156,6 +157,13 @@ AmdSevEsInitialize ( "SEV-ES is enabled, %lu GHCB backup pages allocated starting at 0x%p\n= ", (UINT64)GhcbBackupPageCount, GhcbBackupBase)); =20 + if (MemEncryptSevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before usin= g it. + // + GhcbRegister (GhcbBasePa); + } + AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa); =20 // diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2aa..faa6891cca79 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c 
@@ -750,6 +750,74 @@ SevEsProtocolFailure ( CpuDeadLoop (); } =20 +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + + SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); + + return ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->SevSnpEnabled !=3D = 0)); +} + +/** + The GHCB GPA registeration need to be done before the ProcessLibraryConst= ructorList() + is called. So use a local implementation instead of including the GhcbReg= isterLib. + + */ +STATIC +VOID +SevSnpGhcbRegister ( + UINTN Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber =3D Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber =3D GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail= . + // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber !=3D GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** Validate the SEV-ES/GHCB protocol level. =20 
@@ -791,6 +859,17 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } =20 + // + // We cannot use the MemEncryptSevSnpIsEnabled () because the + // ProcessLibraryConstructorList () is not called yet. + // + if (SevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before usin= g it. + // + SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } + // // SEV-ES protocol checking succeeded, set the initial GHCB address // --=20 2.17.1
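
Review bot: In the AmdSevEsInitialize hunk of OvmfPkg/PlatformPei/AmdSev.c, the new call is `GhcbRegister (GhcbBasePa)` while the commit message says the GPA is registered with GhcbGPARegister(); the two names should agree. Nothing at the call site shows what happens if the hypervisor rejects or changes the registration, so the comment above the call should state how failure is handled (for example, that the function does not return on failure, if that is the case), or the call should check a status before `AsmWriteMsr64 (MSR_SEV_ES_GHCB, GhcbBasePa)` runs.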
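
Review bot: SevSnpGhcbRegister () in the first OvmfPkg/Sec/SecMain.c hunk computes `Address >> EFI_PAGE_SHIFT` without checking that Address is page aligned, so a misaligned input would register the containing page with no diagnostic; consider an alignment check before the shift. The function header has no @param entry for Address and spells "registeration". Since this is a local copy made because GhcbRegisterLib cannot be used before ProcessLibraryConstructorList (), the comment should also say that it has to be kept in step with the library version. In SevSnpIsEnabled (), the `SevEsWorkArea != NULL` test only guards against a zero PcdSevEsWorkAreaBase, and a short comment saying so would help.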
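
Review bot: In the SevEsProtocolCheck hunk of OvmfPkg/Sec/SecMain.c, the comment explains why MemEncryptSevSnpIsEnabled () is unavailable but not what SevSnpIsEnabled () relies on instead; say that it reads SevSnpEnabled from the SEC work area and name the earlier step that fills that field, since this test decides whether registration happens at all. SevSnpGhcbRegister () restores the previous MSR value before returning and the code that follows sets the initial GHCB address, so a one-line remark that the order (register first, then write the GHCB address) is intentional would help later readers.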