From: "Ashish Kalra" <ashish.kalra@amd.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: devel@edk2.groups.io, brijesh.singh@amd.com, jejb@linux.ibm.com,
erdemaktas@google.com, jiewen.yao@intel.com, min.m.xu@intel.com,
lersek@redhat.com, jordan.l.justen@intel.com,
ard.biesheuvel@arm.com
Subject: Re: [PATCH v4 1/4] OvmfPkg/MemEncryptHypercallLib: add library to support SEV hypercalls.
Date: Tue, 22 Jun 2021 23:20:20 +0000
Message-ID: <20210622232020.GA6843@ashkalra_ubuntu_server>
In-Reply-To: <c71c4db1-5813-6946-f3de-478de0855b77@amd.com>
Hello Tom,
On Tue, Jun 22, 2021 at 05:47:48PM -0500, Tom Lendacky wrote:
...
> > +VOID
> > +EFIAPI
> > +SetMemoryEncDecHypercall3 (
> > + IN PHYSICAL_ADDRESS PhysicalAddress,
> > + IN UINTN Pages,
> > + IN UINTN Mode
> > + )
> > +{
> > + if (MemEncryptSevEsIsEnabled ()) {
> > + MSR_SEV_ES_GHCB_REGISTER Msr;
> > + GHCB *Ghcb;
> > + BOOLEAN InterruptState;
> > + UINT64 Status;
> > +
> > + Msr.GhcbPhysicalAddress = AsmReadMsr64 (MSR_SEV_ES_GHCB);
> > + Ghcb = Msr.Ghcb;
> > +
> > + VmgInit (Ghcb, &InterruptState);
> > +
> > + Ghcb->SaveArea.Rax = KVM_HC_MAP_GPA_RANGE;
> > + GhcbSetRegValid (Ghcb, GhcbRax);
> > + Ghcb->SaveArea.Rbx = PhysicalAddress;
> > + GhcbSetRegValid (Ghcb, GhcbRbx);
> > + Ghcb->SaveArea.Rcx = Pages;
> > + GhcbSetRegValid (Ghcb, GhcbRcx);
> > + Ghcb->SaveArea.Rdx = Mode;
> > + GhcbSetRegValid (Ghcb, GhcbRdx);
> > + Ghcb->SaveArea.Cpl = AsmReadCs() & 0x3;
> > + GhcbSetRegValid (Ghcb, GhcbCpl);
> > +
> > + Status = VmgExit (Ghcb, SVM_EXIT_VMMCALL, 0, 0);
> > + if (Status) {
> > + DEBUG ((DEBUG_ERROR, "SVM_EXIT_VMMCALL failed %lx\n", Status));
> > + }
> > + VmgDone (Ghcb, InterruptState);
> > + } else {
> > + SetMemoryEncDecHypercall3AsmStub (
> > + KVM_HC_MAP_GPA_RANGE,
> > + PhysicalAddress,
> > + Pages,
> > + Mode
> > + );
> > + }
> > +}
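Review bot: failures in this function are invisible to the caller. It returns VOID, the SEV-ES branch only logs a non-zero VmgExit status at DEBUG_ERROR and then continues to VmgDone, and the non-SEV-ES branch does not check whatever SetMemoryEncDecHypercall3AsmStub reports. Since this hypercall is how the hypervisor learns which pages are encrypted, a caller that cannot see the failure will proceed while the hypervisor keeps a stale view of the range; consider returning an EFI_STATUS (or RETURN_STATUS) from both branches so the BaseMemEncryptLib callers can propagate it, and also check that the GHCB pointer read from MSR_SEV_ES_GHCB is non-NULL before VmgInit dereferences it.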
>
> You could just issue the VMMCALL and, for SEV-ES, let the VC handler take
> care of this. You would just have to add some smarts to the VC handler to
> compare the hypercall number and add the additional register values. You
> could probably get rid of a level of function calls that way. Thoughts?
>
IIRC, we have already discussed this internally.
Letting the VC handler do it was making it too complicated to add hooks
inside the VmgExitLib, with the corresponding updates to MdePkg and UefiCpuPkg
(as described in the email thread below), and at that time
Brijesh had suggested the use of this alternative VmgExit() approach.
Email thread copied below:
...
Well, I do not mean that you should literally use the VMMCALL instruction; instead you use its corresponding VMGEXIT number.
Something like this:
Status = VmgExit (Ghcb, SVM_EXIT_VMMCALL, 0, 0);
This way, a #VC will not be kicked in and there is no need to hook anything inside the VmgExitLib. Maybe Tom can correct me if that is not acceptable.
-Brijesh
>> I am not able to follow your OVMF patches, could you provide a very high level overview of what exactly you are trying to achieve? It's possible that I am missing something fundamental, but why do we care about Hypercall inside the bare metal pkgs (e.g. MdePkg, UefiCpuPkg)? Why are we needing a HOB etc.? IMO, a Hypercall implementation should be straightforward like what I did for the SEV live migration. In case of ES, all you need is to use the Ghcb instance to save the register values (rax, rbx, rcx etc.) then invoke the vmmcall instruction.
>
I need to do this hypercall validation and setup as part of the #VC exception's VMMCALL handling,
i.e., in the VmgExitLib code. I need to use a HOB to store/cache hypercalls invoked during the SEC
and PEI phases and flush them later at the DXE IPL phase. As the VmgExitLib code is invoked in the SEC and
PEI phases and references MdePkg and UefiCpuPkg, I need to add HypercallLib references in UefiCpuPkg.
Also, I need to verify whether the Hypercall library interfaces are being invoked during the SEC and/or PEI phase.
Currently I do it by checking PcdOvmfSecGhcbBase, and for accessing that I had to add a reference to
it in MdePkg/MdePkg.dec and UefiCpuPkg/UefiCpuPkg.dec. If I can check that the Hypercall library
interfaces are being invoked in the SEC/PEI phase using some other mechanism, then I can drop this
reference to PcdOvmfSecGhcbBase.
...
Thanks,
Ashish
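As an added illustration, not code from the patch, from edk2 or from anyone on this thread, the following C model shows both sides of the GHCB register-passing exchange that Brijesh describes and the SEV-ES branch of SetMemoryEncDecHypercall3 implements: the guest writes RAX/RBX/RCX/RDX/CPL into the save area and marks each in the valid bitmap, and a hypervisor-side handler consumes only registers the bitmap marks valid, refuses hypercalls from CPL other than 0 and recognises only KVM_HC_MAP_GPA_RANGE. The ModelGhcb layout, the HvStatus verdicts and the RunScenario driver are simplifications constructed for this example; the register indices follow the GHCB convention of byte offset divided by 8.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical model, not edk2/OVMF code, of the GHCB register-passing
 * protocol the patch uses for KVM_HC_MAP_GPA_RANGE under SEV-ES: the guest
 * writes the hypercall registers into the GHCB save area, marks each one in
 * ValidBitmap, and exits with SVM_EXIT_VMMCALL; the hypervisor must consume
 * only fields the bitmap marks valid. Register indices are qword offsets
 * (byte offset / 8), the GHCB convention used by edk2's GHCB_REGISTER enum.
 */
#define KVM_HC_MAP_GPA_RANGE  12ULL   /* KVM hypercall number used in the patch */
#define SVM_EXIT_VMMCALL      0x81ULL /* VMMCALL intercept exit code */

enum GhcbRegister { GhcbCpl = 25, GhcbRax = 63, GhcbRcx = 97, GhcbRdx = 98, GhcbRbx = 99 };

typedef struct {
  uint64_t Qword[128];      /* 0x400-byte save area viewed as qwords */
  uint8_t  ValidBitmap[16]; /* one bit per qword of the save area */
} ModelGhcb;

/* Hypervisor-side verdicts; constructed for this model, not KVM's return codes. */
enum HvStatus { HV_OK = 0, HV_INVALID_GHCB = 1, HV_EPERM = 2, HV_ENOSYS = 3 };

static void GhcbSetRegValid(ModelGhcb *Ghcb, unsigned Reg) {
  Ghcb->ValidBitmap[Reg / 8] |= (uint8_t)(1u << (Reg % 8));
}

static bool GhcbIsRegValid(const ModelGhcb *Ghcb, unsigned Reg) {
  return ((Ghcb->ValidBitmap[Reg / 8] >> (Reg % 8)) & 1u) != 0;
}

/*
 * Guest side, mirroring the SEV-ES branch of SetMemoryEncDecHypercall3.
 * Clearing the bitmap first (the job VmgInit does in the patch) stops stale
 * fields from a previous exit being taken as valid. Returns the exit code the
 * guest would hand to VMGEXIT.
 */
uint64_t GuestPrepareMapGpaRange(ModelGhcb *Ghcb, uint64_t Gpa, uint64_t Pages,
                                 uint64_t Mode, uint8_t Cpl) {
  memset(Ghcb->ValidBitmap, 0, sizeof Ghcb->ValidBitmap);
  Ghcb->Qword[GhcbRax] = KVM_HC_MAP_GPA_RANGE; GhcbSetRegValid(Ghcb, GhcbRax);
  Ghcb->Qword[GhcbRbx] = Gpa;                  GhcbSetRegValid(Ghcb, GhcbRbx);
  Ghcb->Qword[GhcbRcx] = Pages;                GhcbSetRegValid(Ghcb, GhcbRcx);
  Ghcb->Qword[GhcbRdx] = Mode;                 GhcbSetRegValid(Ghcb, GhcbRdx);
  Ghcb->Qword[GhcbCpl] = Cpl & 0x3;            GhcbSetRegValid(Ghcb, GhcbCpl);
  return SVM_EXIT_VMMCALL;
}

/*
 * Hypervisor side: the GHCB is shared, guest-controlled memory, so every field
 * is checked for validity before it is read, the hypercall is refused unless
 * the guest was at CPL 0, and only the one hypercall number is recognised.
 */
enum HvStatus HypervisorHandleExit(const ModelGhcb *Ghcb, uint64_t ExitCode,
                                   uint64_t *PagesAccepted) {
  static const unsigned Required[] = { GhcbRax, GhcbRbx, GhcbRcx, GhcbRdx, GhcbCpl };
  if (ExitCode != SVM_EXIT_VMMCALL) return HV_ENOSYS;
  for (size_t i = 0; i < sizeof Required / sizeof Required[0]; i++)
    if (!GhcbIsRegValid(Ghcb, Required[i])) return HV_INVALID_GHCB;
  if ((Ghcb->Qword[GhcbCpl] & 0x3) != 0) return HV_EPERM;
  if (Ghcb->Qword[GhcbRax] != KVM_HC_MAP_GPA_RANGE) return HV_ENOSYS;
  if (Ghcb->Qword[GhcbRcx] == 0) return HV_INVALID_GHCB;  /* empty range */
  if (PagesAccepted) *PagesAccepted = Ghcb->Qword[GhcbRcx];
  return HV_OK;
}

/*
 * Scenario driver on constructed input (GPA 0x800000, 16 pages). DropReg < 0
 * leaves the bitmap as the guest set it; otherwise that register's valid bit
 * is cleared to model a guest that skipped one GhcbSetRegValid call.
 */
enum HvStatus RunScenario(uint8_t Cpl, int DropReg, uint64_t *PagesAccepted) {
  ModelGhcb Ghcb;
  memset(&Ghcb, 0, sizeof Ghcb);
  uint64_t Exit = GuestPrepareMapGpaRange(&Ghcb, 0x800000ULL, 16, 0, Cpl);
  if (DropReg >= 0)
    Ghcb.ValidBitmap[DropReg / 8] &= (uint8_t)~(1u << (DropReg % 8));
  return HypervisorHandleExit(&Ghcb, Exit, PagesAccepted);
}

int main(void) {
  uint64_t Pages = 0;
  printf("CPL0, all valid : %d (pages %llu)\n", RunScenario(0, -1, &Pages),
         (unsigned long long)Pages);
  printf("CPL3, all valid : %d\n", RunScenario(3, -1, NULL));
  printf("CPL0, RBX unset : %d\n", RunScenario(0, GhcbRbx, NULL));
  return 0;
}
```

The point the model makes is the one behind each GhcbSetRegValid call in the patch: the hypervisor has no other way to tell a deliberately supplied register from leftover contents of the shared page, so a guest that forgets to mark a register gets its exit rejected rather than acted on with garbage, and the Cpl field lets the hypervisor keep the usual rule that hypercalls are accepted only from ring 0.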