From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-MW2-obe.outbound.protection.outlook.com (NAM12-MW2-obe.outbound.protection.outlook.com []) by mx.groups.io with SMTP id smtpd.web10.41.1622070706274569273 for ; Wed, 26 May 2021 16:11:47 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amd.com header.s=selector1 header.b=DceR58eW; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: , mailfrom: brijesh.singh@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZmY3KnkoKmJ5eTjdGEUrcz0hkIr/EM2cahotxNTevPAaIUYcEuEogVF0+Nwy44iC9xUDMy7JVmB6G29upf6OZhgJ/t2KpphIsEUSxYmamXRbsQKSMtzrXaGuMwhwmEagYwVP33FClKinnWsxPw3L5PZCYVKKjzENEL+/JMf8W06J9ImZpAmHJZGLF4PZZDEZ3VSPJFxRkMJsFsd3jPTfzGhi8kRujuqufc8/Ie+9UhTNdo/a8fAnWP5N6YyyxFNA1vDQ0P3NE4F7ZOCjsnk25kA1jOjK0i626sH+p6Ii9Xy9jsNWhKe0DmDFTwAq1DEAZLId0/bhU393K+n+CoFsQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3e93D5CJUEglR2wdh1cbHZyo+ozmwbTp9xiugIBDMaA=; b=Ed1nybya1pzEswj9BVo9tUerWVFA1xrqqfrgOsMGlYgvgRR7hUgseHHsp/gliJKS/bgdUbTJ5FUjh3j6TSFQGMkIXtnu6XpcrVYGEs/zPCk85ND3BosHUvRzx/M3Jsugw28OVPUkU6jb0/1vr0dh/xKx4tkkcO/NI+OC0cYJLEKu9Ld3f4JLBQfv7Bv4PKpCab3T/RrUVx+P9XAimsg/oSZsiX8D/0mUMBfD4k5Egtmqrph10xAymkB3iVHB3aVTam9qiyqFwvF0pdhs8vECNzQOhfBVT5xrqoWKLGckg/6dJS7KQv9/HjdGO44tUsQpawq+pPeRkn0p8XYQeOPSTg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3e93D5CJUEglR2wdh1cbHZyo+ozmwbTp9xiugIBDMaA=; b=DceR58eW6pWIT6I3m2bPM7r+NWnG7EMqkHB+Lyzd1ErKIjouQYXhxk7VjxQXSsTPpF5PC8Gdyud3KLkUPxrMVKIZ8OalKLUkbk4MmnXb65orOfmYgz1nrH0Lj4PpuGHthD53f96WewmPNiOAUWOKboHj5lRrkQFGVPgzzHx8oUs= Authentication-Results: linux.ibm.com; dkim=none (message not signed) header.d=none;linux.ibm.com; dmarc=none action=none header.from=amd.com; Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) by SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.23; Wed, 26 May 2021 23:11:42 +0000 Received: from SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::9898:5b48:a062:db94]) by SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::9898:5b48:a062:db94%6]) with mapi id 15.20.4150.023; Wed, 26 May 2021 23:11:42 +0000 From: "Brijesh Singh" To: James Bottomley , Min Xu , Jiewen Yao , Tom Lendacky , Jordan Justen , Laszlo Ersek , Erdem Aktas , Eric Dong , Ray Ni , Rahul Kumar , devel@edk2.groups.io CC: Brijesh Singh , Ard Biesheuvel Subject: [PATCH RFC v3 06/22] OvmfPkg: reserve CPUID page for the SEV-SNP guest Date: Wed, 26 May 2021 18:11:02 -0500 Message-ID: <20210526231118.12946-7-brijesh.singh@amd.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210526231118.12946-1-brijesh.singh@amd.com> References: <20210526231118.12946-1-brijesh.singh@amd.com> X-Originating-IP: [165.204.77.1] X-ClientProxiedBy: SA0PR11CA0202.namprd11.prod.outlook.com (2603:10b6:806:1bc::27) To SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) Return-Path: brijesh.singh@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from sbrijesh-desktop.amd.com (165.204.77.1) by SA0PR11CA0202.namprd11.prod.outlook.com (2603:10b6:806:1bc::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.21 via Frontend Transport; Wed, 26 May 2021 23:11:41 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: db73885b-4537-4793-5ee6-08d9209b9f4d X-MS-TrafficTypeDiagnostic: SN6PR12MB2718: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: lHcYfG2ptjKIFf9elJVl4ypU4eOp4x/CSMeVnKP03VcD2YEttEhCV9YomNX048YA7gfFkimwtVtn/NJ71Cq5g+uPL3H989G43QcTP/c/N85u5vlY9xDvczQECD/smUxeUzpAoza6pMAdfdoFBaf5owgQyKM+5h+GnMfXqHS5nO6iujpajneBknLVN6e9Ormu6S1csIs2zAFYeE0wZmy+QhcGHTSggt3DzGcRDPsUmlrGD0Wo7BbPB5dOq0yz7hYa/VVs9acqbbYE869MpF+O4Op7B3XFIdH631WWfDCAhHq0Ldj2FVoI2mglT6nOJbEw7iVzGpBbUzHZquWxLvT+GjKV884c8JfhpJVrz5vr1UA826LcYwlhZInRWOnTNtQjfAX0qu5U1a7nkL3Xv0NKx2sjh74DM+9Qf/3W0iqb+I3w9o0DH44ZAiE9SgBQVoYG+3O++ljZWuFy9zA96Lo/FihGoS+YCB6ndXxdHDnje0CPZyumrK3d6Vh350iEj+z7FsL6N827aaFhlMIULnWci63gDoy/a/IMhGeOQ+8mHw+eQO3TNAF5WTPfjAWX2gl/lfnfI8gWw/IBNKgQOVMG3MLcHRPGB5Fr4DvDEALsJPM8oPUA/8OdGWtgeX0HOpLRbPjQzOqyIDfimn/2ZbrJND7HNaqF/WRn+J1iYORqjSLMb2TaJXOW+QhWNdFmrvUPXcyXxM1aFgPeea4bygMrdKq5e18LQVVI2edumqzEaj9rEPvKITISA22Bb7IokXzxUlqH5UNZWyyrJlhtgNf3c+42f96lFbcE7uJkQ5ar7Wg= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR12MB2718.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(39860400002)(136003)(366004)(346002)(396003)(376002)(6486002)(26005)(2616005)(6666004)(478600001)(956004)(66476007)(36756003)(1076003)(8676002)(7696005)(52116002)(8936002)(44832011)(86362001)(38100700002)(38350700002)(83380400001)(54906003)(2906002)(921005)(4326008)(186003)(66946007)(7416002)(5660300002)(316002)(19627235002)(66556008)(966005)(110136005)(16526019);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?2g9ywZAOmJP9LbWvABplsTv53vBaQlccn8AEkqnTEGwuNIZZgeXKFDbp/GN2?= =?us-ascii?Q?AUuUxNgVxJz8RCgvvxDV1OtuCTk7yhxiXEUBaU2xs/sYNGAyyR3FzTWpnACL?= =?us-ascii?Q?dhK06a+Idd/JMfrRm/wLsh6kdC2SeUmbW54O6fb4OFuWE5b23SqhAYD6Un7/?= =?us-ascii?Q?2b9IXY+oE4qlUlc3Sx1+H8Etcc7X4zPqVO0IWKsdKCGCUwibjooXKqUL40ZW?= =?us-ascii?Q?ldeXv9Qejk1NDcAH/5J0DbjbhFufp+cdp/rsKKl919PCRF6vqh3+oBr5QPsk?= =?us-ascii?Q?S9lcQZ3GFUhp7JXhas5ocF0/fPwWPhfhsrxL6Ihzhrh0dhEDxbX+VjV/Wj0W?= =?us-ascii?Q?xYY6cYwpI8eNYScG1/KIcx/cMWySsTXZgno/xxtfRQQuLDCk8EIBzfenHBOo?= =?us-ascii?Q?P5AZ+B1VjJlJMAwwfosbq1QwVzT6lXJKDhKMJhxbuPH/Jf9Lg8fadF5zSmfo?= =?us-ascii?Q?BkzaerwpTGvo/qE5EH3duUIsuNBzTG8CcMdQ9vOndazjHTNZtB3OBk7vHtsR?= =?us-ascii?Q?HMEp7hWL/UnNqdTvFSDoSseY59ByssdhT07DoJnmIWbv0nK5ReDKPOwl3C2Q?= =?us-ascii?Q?QSeJMKKIjHZxJDWQ7BwL/jV9sQTegHS0co1+ryT7xJdVdctwrBXJjW3MGQoK?= =?us-ascii?Q?a+ynwNB6mNIfmXqONPM8rniaEhI8913aUn/lCpapiXGAD+h/7hTMHQgsZ1Nv?= =?us-ascii?Q?gfJH9s/uiXsTFtTQJAs6DcyepZkzpPy2I+OxUfEzY+Hsb0tmvz05u+57Hoij?= =?us-ascii?Q?CNiJ5a74tkZbRcbh8U8rimvd2Mycp+luG9XBiZE/ZChc93kf7Ao6v3dSQ8qE?= =?us-ascii?Q?UHrtN0OecQOLVMmmadqhUzZT3lDmc/sfOsAV1p+EoPopw372a76eSbmYXo6c?= =?us-ascii?Q?aoR66jvAKQsENwhLgH04uzE8TplYxDfoiT0N1hC3t3XM7wMyfJbayhppLpGk?= =?us-ascii?Q?3In4AiNeMbwELP0Mc0Qme9j9ALLEKOjKb4Wv5eQJXkvInv3kKiGukJ3jHnd0?= =?us-ascii?Q?sNETutA7COjrf1QYmjI5BGyLoVTHZe1Zewnn4bQmVlTy6LUl2WGZlAKzUG5D?= =?us-ascii?Q?970cWfbyuP7fsMVPG5tcvmmnMhj35Gl+yms596/WTQUP6g8S4r6ZPOLQoEz5?= =?us-ascii?Q?9lRe2WaRgpGLes6C4voAOdILL6YOB72g4qDR/kfPYowx6J7ZA380fYFjb3XX?= =?us-ascii?Q?96zGDnHT5k6uK/Xr8bHXujg3jq2tLqr21/3pwjlJw7vG614tJkmIMPFM2UAA?= =?us-ascii?Q?uobf37SFtk8/PutSLmIQGdIIMa0grKleH79coL8ufNixHeG//6OcMJgEujFA?= =?us-ascii?Q?yGT/mEqFkZ9nkQZZ4l4+IJa0?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: db73885b-4537-4793-5ee6-08d9209b9f4d X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB2718.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 May 2021 23:11:41.6142 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: KBIHaD04D8EkATduZQzg4OQTTGOvQ+FpwwmOVGWZBtJlR1WRuy/R8ySG2SLhO1dtZEWZ7xdr9nyJ5Q39mVfDfg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR12MB2718 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3275 During the SEV-SNP guest launch sequence, two special pages need to be inserted, the secrets and CPUID. The secrets page, contain the VM platform communication keys. The guest BIOS and/or OS can use this key to communicate with the SEV firmware to get the attestation report. The CPUID page, contain the CPUIDs entries filtered through the AMD-SEV firmware. OvmfPkg already reserves the memory for the Secrets Page in the MEMFD. Extend the MEMFD to reserve the memory for the CPUID page. See SEV-SNP spec for more information on the content layout of the secrets and CPUID page, and how it can be used by the SEV-SNP guest VM. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Laszlo Ersek Cc: Erdem Aktas Signed-off-by: Brijesh Singh --- OvmfPkg/OvmfPkg.dec | 6 ++++++ OvmfPkg/OvmfPkgX64.fdf | 3 +++ OvmfPkg/PlatformPei/PlatformPei.inf | 2 ++ OvmfPkg/ResetVector/ResetVector.inf | 2 ++ OvmfPkg/PlatformPei/MemDetect.c | 12 ++++++++++++ OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm | 18 ++++++++++++++++++ OvmfPkg/ResetVector/ResetVector.nasmb | 2 ++ 7 files changed, 45 insertions(+) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index 6ae733f6e39f..fdb5dacdc7fa 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec @@ -321,6 +321,12 @@ [PcdsFixedAtBuild] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|0x0|UINT32|0x42 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize|0x0|UINT32|0x43 =20 + ## The base address and size of the SEV-SNP CPUID Area provisioned by th= e + # SEV-SNP firmware. If this is set in the .fdf, the platform + # is responsible for protecting the area from DXE phase overwrites. + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase|0x0|UINT32|0x47 + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidSize|0x0|UINT32|0x48 + [PcdsDynamic, PcdsDynamicEx] gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent|0|UINT64|2 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfFlashVariablesEnable|FALSE|BOOLEAN|0x1= 0 diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 9126b8eb5014..1300af666c49 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -91,6 +91,9 @@ [FD.MEMFD] 0x00D000|0x001000 gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase|gUefiOvmfPkgTokenSpaceGu= id.PcdSevLaunchSecretSize =20 +0x00E000|0x001000 +gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase|gUefiOvmfPkgTokenSpaceGuid.= PcdOvmfSnpCpuidSize + 0x010000|0x010000 gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase|gUefiOvmfPkgTokenSpace= Guid.PcdOvmfSecPeiTempRamSize =20 diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/Plat= formPei.inf index 3256ccfe88d8..89c8e9627c86 100644 --- a/OvmfPkg/PlatformPei/PlatformPei.inf +++ b/OvmfPkg/PlatformPei/PlatformPei.inf @@ -120,6 +120,8 @@ [FixedPcd] gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiReservedMemoryType gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesCode gEmbeddedTokenSpaceGuid.PcdMemoryTypeEfiRuntimeServicesData + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBackupSize gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index dc38f68919cd..8e52265602c3 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -45,5 +45,7 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize =20 [FixedPcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidBase + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSnpCpuidSize gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretSize diff --git a/OvmfPkg/PlatformPei/MemDetect.c b/OvmfPkg/PlatformPei/MemDetec= t.c index c08aa2e45a53..483e92af8219 100644 --- a/OvmfPkg/PlatformPei/MemDetect.c +++ b/OvmfPkg/PlatformPei/MemDetect.c @@ -894,6 +894,18 @@ InitializeRamRegions ( EfiACPIMemoryNVS ); } + + if (MemEncryptSevSnpIsEnabled ()) { + // + // If SEV-SNP is enabled, reserve the CPUID page. The memory range s= hould + // not be treated as a RAM by the guest OS, so, mark it as reserved. + // + BuildMemoryAllocationHob ( + (EFI_PHYSICAL_ADDRESS)(UINTN) PcdGet32 (PcdOvmfSnpCpuidBase), + (UINT64)(UINTN) PcdGet32 (PcdOvmfSnpCpuidSize), + EfiReservedMemoryType + ); + } #endif } =20 diff --git a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm b/OvmfPkg/ResetVe= ctor/Ia16/ResetVectorVtf0.asm index 9c0b5853a46f..05c7e32f46a0 100644 --- a/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm +++ b/OvmfPkg/ResetVector/Ia16/ResetVectorVtf0.asm @@ -47,6 +47,24 @@ TIMES (15 - ((guidedStructureEnd - guidedStructureStart = + 15) % 16)) DB 0 ; guidedStructureStart: =20 +; +; SEV-SNP boot support +; +; sevSnpBlock: +; For the initial boot of SEV-SNP guest, a CPUID page must be reserved b= y +; the BIOS at a RAM area defined by SEV_SNP_CPUID_BASE. A hypervisor wil= l +; locate this information using the SEV-SNP boot block GUID. +; +; GUID (SEV-SNP boot block): bd39c0c2-2f8e-4243-83e8-1b74cebcb7d9 +; +sevSnpBootBlockStart: + DD SNP_CPUID_BASE + DD SNP_CPUID_SIZE + DW sevSnpBootBlockEnd - sevSnpBootBlockStart + DB 0xC2, 0xC0, 0x39, 0xBD, 0x8e, 0x2F, 0x43, 0x42 + DB 0x83, 0xE8, 0x1B, 0x74, 0xCE, 0xBC, 0xB7, 0xD9 +sevSnpBootBlockEnd: + ; ; SEV Secret block ; diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 5beba3ecb290..36739096e7e1 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -90,5 +90,7 @@ %define SEV_ES_AP_RESET_IP FixedPcdGet32 (PcdSevEsWorkAreaBase) %define SEV_LAUNCH_SECRET_BASE FixedPcdGet32 (PcdSevLaunchSecretBase) %define SEV_LAUNCH_SECRET_SIZE FixedPcdGet32 (PcdSevLaunchSecretSize) + %define SNP_CPUID_BASE FixedPcdGet32 (PcdOvmfSnpCpuidBase) + %define SNP_CPUID_SIZE FixedPcdGet32 (PcdOvmfSnpCpuidSize) %include "Ia16/ResetVectorVtf0.asm" =20 --=20 2.17.1