From: "Brijesh Singh"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek, Erdem Aktas, Eric Dong, Ray Ni, Rahul Kumar, Michael D Kinney, Liming Gao, Zhiguang Liu, Michael Roth, Brijesh Singh
Subject: [RFC PATCH v4 11/27] OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest
Date: Mon, 28 Jun 2021 12:42:07 -0500
Message-ID: <20210628174223.1302-12-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210628174223.1302-1-brijesh.singh@amd.com>
References: <20210628174223.1302-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The SEV-SNP guest requires that the GHCB GPA must be registered before using it. See the GHCB specification section 2.3.2 for more details.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Cc: Erdem Aktas
Signed-off-by: Brijesh Singh
---
 OvmfPkg/Sec/SecMain.c | 84 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
index 9db67e17b2aa..c10441ddf472 100644
--- a/OvmfPkg/Sec/SecMain.c
+++ b/OvmfPkg/Sec/SecMain.c
@@ -750,6 +750,79 @@ SevEsProtocolFailure ( CpuDeadLoop (); } =20 +/** + Determine if SEV-SNP is active. + + @retval TRUE SEV-SNP is enabled + @retval FALSE SEV-SNP is not enabled + +**/ +STATIC +BOOLEAN +SevSnpIsEnabled ( + VOID + ) +{ + MSR_SEV_STATUS_REGISTER Msr; + + // + // Read the SEV_STATUS MSR to determine whether SEV-SNP is active. + // + Msr.Uint32 =3D AsmReadMsr32 (MSR_SEV_STATUS); + + // + // Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled) + // + if (Msr.Bits.SevSnpBit) { + return TRUE; + } + + return FALSE; +} + +STATIC +VOID +SevSnpGhcbRegister ( + UINTN Address + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + MSR_SEV_ES_GHCB_REGISTER CurrentMsr; + EFI_PHYSICAL_ADDRESS GuestFrameNumber; + + GuestFrameNumber =3D Address >> EFI_PAGE_SHIFT; + + // + // Save the current MSR Value + // + CurrentMsr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // Use the GHCB MSR Protocol to request to register the GPA. + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbGpaRegister.Function =3D GHCB_INFO_GHCB_GPA_REGISTER_REQUEST; + Msr.GhcbGpaRegister.GuestFrameNumber =3D GuestFrameNumber; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + // + // If hypervisor responded with a different GPA than requested then fail= . + // + if ((Msr.GhcbGpaRegister.Function !=3D GHCB_INFO_GHCB_GPA_REGISTER_RESPO= NSE) || + (Msr.GhcbGpaRegister.GuestFrameNumber !=3D GuestFrameNumber)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + // + // Restore the MSR + // + AsmWriteMsr64 (MSR_SEV_ES_GHCB, CurrentMsr.GhcbPhysicalAddress); +} + /** Validate the SEV-ES/GHCB protocol level. =20 
@@ -791,6 +864,17 @@ SevEsProtocolCheck ( SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); } =20 + // + // We cannot use the MemEncryptSevSnpIsEnabled () because the + // ProcessLibraryConstructorList () is not called yet. + // + if (SevSnpIsEnabled ()) { + // + // SEV-SNP guest requires that GHCB GPA must be registered before usin= g it. + // + SevSnpGhcbRegister (FixedPcdGet32 (PcdOvmfSecGhcbBase)); + } + // // SEV-ES protocol checking succeeded, set the initial GHCB address // --=20 2.17.1
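Review bot: SevSnpGhcbRegister () in the first hunk has no Doxygen comment block, while SevSnpIsEnabled () directly above it has one; please add one that describes the Address parameter (the page-aligned GHCB address, converted to a guest frame number with EFI_PAGE_SHIFT) and states that the function does not return when the hypervisor answers with a function code other than GHCB_INFO_GHCB_GPA_REGISTER_RESPONSE or with a different GuestFrameNumber, because that path calls SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL). On that path the saved CurrentMsr is never written back, which is acceptable only because SevEsProtocolFailure terminates the guest, so the comment should say so explicitly. Minor style points in SevSnpIsEnabled (): the two comments "Read the SEV_STATUS MSR to determine whether SEV-SNP is active." and "Check MSR_0xC0010131 Bit 2 (Sev-Snp Enabled)" say the same thing and can be merged, and the `if (Msr.Bits.SevSnpBit) { return TRUE; } return FALSE;` sequence can be written as `return (BOOLEAN) (Msr.Bits.SevSnpBit != 0);`.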
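Review bot: the comment in the second hunk should state whether registering PcdOvmfSecGhcbBase covers only the SEC-phase GHCB page, i.e. whether a later phase that switches to another GHCB page has to repeat the GHCB MSR protocol registration, since the request sent by SevSnpGhcbRegister () is tied to a single guest frame number; a sentence in the commit message would be enough. The placement itself is right: the call sits after the SEV-ES protocol version check and before the initial GHCB address is set, so a rejected registration terminates through SevEsProtocolFailure before the GHCB is ever used. The note that MemEncryptSevSnpIsEnabled () cannot be used because ProcessLibraryConstructorList () has not run yet is useful; consider repeating it in the SevSnpIsEnabled () header so a later cleanup does not replace the local helper with the library call.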