From: "Brijesh Singh"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Laszlo Ersek, Erdem Aktas, Eric Dong, Ray Ni, Rahul Kumar, Michael D Kinney, Liming Gao, Zhiguang Liu, Michael Roth, Brijesh Singh
Subject: [RFC PATCH v4 01/27] OvmfPkg/ResetVector: move SEV specific code in a separate file
Date: Mon, 28 Jun 2021 12:41:57 -0500
Message-ID: <20210628174223.1302-2-brijesh.singh@amd.com>
In-Reply-To: <20210628174223.1302-1-brijesh.singh@amd.com>
References: <20210628174223.1302-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

The PageTables64.asm was created to provide routines to set the CR3
register for 64-bit paging. During the SEV support, it grew to include a
lot of the SEV stuff. Before adding more SEV features, let's move all
the SEV-specific routines into a separate file.

No functionality change intended.

Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Laszlo Ersek
Cc: Erdem Aktas
Suggested-by: Laszlo Ersek
Signed-off-by: Brijesh Singh
---
 .../Ia32/{PageTables64.asm => AmdSev.asm}     | 140 -------
 OvmfPkg/ResetVector/Ia32/PageTables64.asm     | 391 ------------------
 OvmfPkg/ResetVector/ResetVector.nasmb         |   1 +
 3 files changed, 1 insertion(+), 531 deletions(-)
 copy OvmfPkg/ResetVector/Ia32/{PageTables64.asm => AmdSev.asm} (71%)

diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/AmdSev.asm similarity index 71% copy from OvmfPkg/ResetVector/Ia32/PageTables64.asm copy to OvmfPkg/ResetVector/Ia32/AmdSev.asm index 5fae8986d9da..b32dd3b5d656 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -10,33 +10,6 @@ =20 BITS 32 =20 -%define PAGE_PRESENT 0x01 -%define PAGE_READ_WRITE 0x02 -%define PAGE_USER_SUPERVISOR 0x04 -%define PAGE_WRITE_THROUGH 0x08 -%define PAGE_CACHE_DISABLE 0x010 -%define PAGE_ACCESSED 0x020 -%define PAGE_DIRTY 0x040 -%define PAGE_PAT 0x080 -%define PAGE_GLOBAL 0x0100 -%define PAGE_2M_MBO 0x080 -%define PAGE_2M_PAT 0x01000 - -%define PAGE_4K_PDE_ATTR (PAGE_ACCESSED + \ - PAGE_DIRTY + \ - PAGE_READ_WRITE + \ - PAGE_PRESENT) - -%define PAGE_2M_PDE_ATTR (PAGE_2M_MBO + \ - PAGE_ACCESSED + \ - PAGE_DIRTY + \ - PAGE_READ_WRITE + \ - PAGE_PRESENT) - -%define PAGE_PDP_ATTR (PAGE_ACCESSED + \ - PAGE_READ_WRITE + \ - PAGE_PRESENT) - ; ; SEV-ES #VC exception handler support ; 
@@ -213,119 +186,6 @@ IsSevEsEnabled: SevEsDisabled: OneTimeCallRet IsSevEsEnabled =20 -; -; Modified: EAX, EBX, ECX, EDX -; -SetCr3ForPageTables64: - - OneTimeCall CheckSevFeatures - xor edx, edx - test eax, eax - jz SevNotActive - - ; If SEV is enabled, C-bit is always above 31 - sub eax, 32 - bts edx, eax - -SevNotActive: - - ; - ; For OVMF, build some initial page tables at - ; PcdOvmfSecPageTablesBase - (PcdOvmfSecPageTablesBase + 0x6000). - ; - ; This range should match with PcdOvmfSecPageTablesSize which is - ; declared in the FDF files. - ; - ; At the end of PEI, the pages tables will be rebuilt into a - ; more permanent location by DxeIpl. - ; - - mov ecx, 6 * 0x1000 / 4 - xor eax, eax -clearPageTablesMemoryLoop: - mov dword[ecx * 4 + PT_ADDR (0) - 4], eax - loop clearPageTablesMemoryLoop - - ; - ; Top level Page Directory Pointers (1 * 512GB entry) - ; - mov dword[PT_ADDR (0)], PT_ADDR (0x1000) + PAGE_PDP_ATTR - mov dword[PT_ADDR (4)], edx - - ; - ; Next level Page Directory Pointers (4 * 1GB entries =3D> 4GB) - ; - mov dword[PT_ADDR (0x1000)], PT_ADDR (0x2000) + PAGE_PDP_ATTR - mov dword[PT_ADDR (0x1004)], edx - mov dword[PT_ADDR (0x1008)], PT_ADDR (0x3000) + PAGE_PDP_ATTR - mov dword[PT_ADDR (0x100C)], edx - mov dword[PT_ADDR (0x1010)], PT_ADDR (0x4000) + PAGE_PDP_ATTR - mov dword[PT_ADDR (0x1014)], edx - mov dword[PT_ADDR (0x1018)], PT_ADDR (0x5000) + PAGE_PDP_ATTR - mov dword[PT_ADDR (0x101C)], edx - - ; - ; Page Table Entries (2048 * 2MB entries =3D> 4GB) - ; - mov ecx, 0x800 -pageTableEntriesLoop: - mov eax, ecx - dec eax - shl eax, 21 - add eax, PAGE_2M_PDE_ATTR - mov [ecx * 8 + PT_ADDR (0x2000 - 8)], eax - mov [(ecx * 8 + PT_ADDR (0x2000 - 8)) + 4], edx - loop pageTableEntriesLoop - - OneTimeCall IsSevEsEnabled - test eax, eax - jz SetCr3 - - ; - ; The initial GHCB will live at GHCB_BASE and needs to be un-encrypted= . - ; This requires the 2MB page for this range be broken down into 512 4K= B - ; pages. 
All will be marked encrypted, except for the GHCB. - ; - mov ecx, (GHCB_BASE >> 21) - mov eax, GHCB_PT_ADDR + PAGE_PDP_ATTR - mov [ecx * 8 + PT_ADDR (0x2000)], eax - - ; - ; Page Table Entries (512 * 4KB entries =3D> 2MB) - ; - mov ecx, 512 -pageTableEntries4kLoop: - mov eax, ecx - dec eax - shl eax, 12 - add eax, GHCB_BASE & 0xFFE0_0000 - add eax, PAGE_4K_PDE_ATTR - mov [ecx * 8 + GHCB_PT_ADDR - 8], eax - mov [(ecx * 8 + GHCB_PT_ADDR - 8) + 4], edx - loop pageTableEntries4kLoop - - ; - ; Clear the encryption bit from the GHCB entry - ; - mov ecx, (GHCB_BASE & 0x1F_FFFF) >> 12 - mov [ecx * 8 + GHCB_PT_ADDR + 4], strict dword 0 - - mov ecx, GHCB_SIZE / 4 - xor eax, eax -clearGhcbMemoryLoop: - mov dword[ecx * 4 + GHCB_BASE - 4], eax - loop clearGhcbMemoryLoop - -SetCr3: - ; - ; Set CR3 now that the paging structures are available - ; - mov eax, PT_ADDR (0) - mov cr3, eax - - OneTimeCallRet SetCr3ForPageTables64 - -; ; Start of #VC exception handling routines ; =20 diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index 5fae8986d9da..eacdb69ddb9f 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm 
@@ -37,182 +37,6 @@ BITS 32 PAGE_READ_WRITE + \ PAGE_PRESENT) =20 -; -; SEV-ES #VC exception handler support -; -; #VC handler local variable locations -; -%define VC_CPUID_RESULT_EAX 0 -%define VC_CPUID_RESULT_EBX 4 -%define VC_CPUID_RESULT_ECX 8 -%define VC_CPUID_RESULT_EDX 12 -%define VC_GHCB_MSR_EDX 16 -%define VC_GHCB_MSR_EAX 20 -%define VC_CPUID_REQUEST_REGISTER 24 -%define VC_CPUID_FUNCTION 28 - -; #VC handler total local variable size -; -%define VC_VARIABLE_SIZE 32 - -; #VC handler GHCB CPUID request/response protocol values -; -%define GHCB_CPUID_REQUEST 4 -%define GHCB_CPUID_RESPONSE 5 -%define GHCB_CPUID_REGISTER_SHIFT 30 -%define CPUID_INSN_LEN 2 - - -; Check if Secure Encrypted Virtualization (SEV) features are enabled. -; -; Register usage is tight in this routine, so multiple calls for the -; same CPUID and MSR data are performed to keep things simple. -; -; Modified: EAX, EBX, ECX, EDX, ESP -; -; If SEV is enabled then EAX will be at least 32. -; If SEV is disabled then EAX will be zero. -; -CheckSevFeatures: - ; Set the first byte of the workarea to zero to communicate to the SEC - ; phase that SEV-ES is not enabled. If SEV-ES is enabled, the CPUID - ; instruction will trigger a #VC exception where the first byte of the - ; workarea will be set to one or, if CPUID is not being intercepted, - ; the MSR check below will set the first byte of the workarea to one. - mov byte[SEV_ES_WORK_AREA], 0 - - ; - ; Set up exception handlers to check for SEV-ES - ; Load temporary RAM stack based on PCDs (see SevEsIdtVmmComm for - ; stack usage) - ; Establish exception handlers - ; - mov esp, SEV_ES_VC_TOP_OF_STACK - mov eax, ADDR_OF(Idtr) - lidt [cs:eax] - - ; Check if we have a valid (0x8000_001F) CPUID leaf - ; CPUID raises a #VC exception if running as an SEV-ES guest - mov eax, 0x80000000 - cpuid - - ; This check should fail on Intel or Non SEV AMD CPUs. 
In future if - ; Intel CPUs supports this CPUID leaf then we are guranteed to have ex= act - ; same bit definition. - cmp eax, 0x8000001f - jl NoSev - - ; Check for SEV memory encryption feature: - ; CPUID Fn8000_001F[EAX] - Bit 1 - ; CPUID raises a #VC exception if running as an SEV-ES guest - mov eax, 0x8000001f - cpuid - bt eax, 1 - jnc NoSev - - ; Check if SEV memory encryption is enabled - ; MSR_0xC0010131 - Bit 0 (SEV enabled) - mov ecx, 0xc0010131 - rdmsr - bt eax, 0 - jnc NoSev - - ; Check for SEV-ES memory encryption feature: - ; CPUID Fn8000_001F[EAX] - Bit 3 - ; CPUID raises a #VC exception if running as an SEV-ES guest - mov eax, 0x8000001f - cpuid - bt eax, 3 - jnc GetSevEncBit - - ; Check if SEV-ES is enabled - ; MSR_0xC0010131 - Bit 1 (SEV-ES enabled) - mov ecx, 0xc0010131 - rdmsr - bt eax, 1 - jnc GetSevEncBit - - ; Set the first byte of the workarea to one to communicate to the SEC - ; phase that SEV-ES is enabled. - mov byte[SEV_ES_WORK_AREA], 1 - -GetSevEncBit: - ; Get pte bit position to enable memory encryption - ; CPUID Fn8000_001F[EBX] - Bits 5:0 - ; - and ebx, 0x3f - mov eax, ebx - - ; The encryption bit position is always above 31 - sub ebx, 32 - jns SevSaveMask - - ; Encryption bit was reported as 31 or below, enter a HLT loop -SevEncBitLowHlt: - cli - hlt - jmp SevEncBitLowHlt - -SevSaveMask: - xor edx, edx - bts edx, ebx - - mov dword[SEV_ES_WORK_AREA_ENC_MASK], 0 - mov dword[SEV_ES_WORK_AREA_ENC_MASK + 4], edx - jmp SevExit - -NoSev: - ; - ; Perform an SEV-ES sanity check by seeing if a #VC exception occurred= . - ; - cmp byte[SEV_ES_WORK_AREA], 0 - jz NoSevPass - - ; - ; A #VC was received, yet CPUID indicates no SEV-ES support, something - ; isn't right. 
- ; -NoSevEsVcHlt: - cli - hlt - jmp NoSevEsVcHlt - -NoSevPass: - xor eax, eax - -SevExit: - ; - ; Clear exception handlers and stack - ; - push eax - mov eax, ADDR_OF(IdtrClear) - lidt [cs:eax] - pop eax - mov esp, 0 - - OneTimeCallRet CheckSevFeatures - -; Check if Secure Encrypted Virtualization - Encrypted State (SEV-ES) feat= ure -; is enabled. -; -; Modified: EAX -; -; If SEV-ES is enabled then EAX will be non-zero. -; If SEV-ES is disabled then EAX will be zero. -; -IsSevEsEnabled: - xor eax, eax - - ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if - ; SEV-ES is enabled. - cmp byte[SEV_ES_WORK_AREA], 1 - jne SevEsDisabled - - mov eax, 1 - -SevEsDisabled: - OneTimeCallRet IsSevEsEnabled - ; ; Modified: EAX, EBX, ECX, EDX ; 
@@ -324,218 +148,3 @@ SetCr3: mov cr3, eax =20 OneTimeCallRet SetCr3ForPageTables64 - -; -; Start of #VC exception handling routines -; - -SevEsIdtNotCpuid: - ; - ; Use VMGEXIT to request termination. - ; 1 - #VC was not for CPUID - ; - mov eax, 1 - jmp SevEsIdtTerminate - -SevEsIdtNoCpuidResponse: - ; - ; Use VMGEXIT to request termination. - ; 2 - GHCB_CPUID_RESPONSE not received - ; - mov eax, 2 - -SevEsIdtTerminate: - ; - ; Use VMGEXIT to request termination. At this point the reason code is - ; located in EAX, so shift it left 16 bits to the proper location. - ; - ; EAX[11:0] =3D> 0x100 - request termination - ; EAX[15:12] =3D> 0x1 - OVMF - ; EAX[23:16] =3D> 0xXX - REASON CODE - ; - shl eax, 16 - or eax, 0x1100 - xor edx, edx - mov ecx, 0xc0010130 - wrmsr - ; - ; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-b= it - ; mode, so work around this by temporarily switching to 64-bit mode. - ; -BITS 64 - rep vmmcall -BITS 32 - - ; - ; We shouldn't come back from the VMGEXIT, but if we do, just loop. - ; -SevEsIdtHlt: - hlt - jmp SevEsIdtHlt - iret - - ; - ; Total stack usage for the #VC handler is 44 bytes: - ; - 12 bytes for the exception IRET (after popping error code) - ; - 32 bytes for the local variables. - ; -SevEsIdtVmmComm: - ; - ; If we're here, then we are an SEV-ES guest and this - ; was triggered by a CPUID instruction - ; - ; Set the first byte of the workarea to one to communicate that - ; a #VC was taken. 
- mov byte[SEV_ES_WORK_AREA], 1 - - pop ecx ; Error code - cmp ecx, 0x72 ; Be sure it was CPUID - jne SevEsIdtNotCpuid - - ; Set up local variable room on the stack - ; CPUID function : + 28 - ; CPUID request register : + 24 - ; GHCB MSR (EAX) : + 20 - ; GHCB MSR (EDX) : + 16 - ; CPUID result (EDX) : + 12 - ; CPUID result (ECX) : + 8 - ; CPUID result (EBX) : + 4 - ; CPUID result (EAX) : + 0 - sub esp, VC_VARIABLE_SIZE - - ; Save the CPUID function being requested - mov [esp + VC_CPUID_FUNCTION], eax - - ; The GHCB CPUID protocol uses the following mapping to request - ; a specific register: - ; 0 =3D> EAX, 1 =3D> EBX, 2 =3D> ECX, 3 =3D> EDX - ; - ; Set EAX as the first register to request. This will also be used as = a - ; loop variable to request all register values (EAX to EDX). - xor eax, eax - mov [esp + VC_CPUID_REQUEST_REGISTER], eax - - ; Save current GHCB MSR value - mov ecx, 0xc0010130 - rdmsr - mov [esp + VC_GHCB_MSR_EAX], eax - mov [esp + VC_GHCB_MSR_EDX], edx - -NextReg: - ; - ; Setup GHCB MSR - ; GHCB_MSR[63:32] =3D CPUID function - ; GHCB_MSR[31:30] =3D CPUID register - ; GHCB_MSR[11:0] =3D CPUID request protocol - ; - mov eax, [esp + VC_CPUID_REQUEST_REGISTER] - cmp eax, 4 - jge VmmDone - - shl eax, GHCB_CPUID_REGISTER_SHIFT - or eax, GHCB_CPUID_REQUEST - mov edx, [esp + VC_CPUID_FUNCTION] - mov ecx, 0xc0010130 - wrmsr - - ; - ; Issue VMGEXIT - NASM doesn't support the vmmcall instruction in 32-b= it - ; mode, so work around this by temporarily switching to 64-bit mode. 
- ; -BITS 64 - rep vmmcall -BITS 32 - - ; - ; Read GHCB MSR - ; GHCB_MSR[63:32] =3D CPUID register value - ; GHCB_MSR[31:30] =3D CPUID register - ; GHCB_MSR[11:0] =3D CPUID response protocol - ; - mov ecx, 0xc0010130 - rdmsr - mov ecx, eax - and ecx, 0xfff - cmp ecx, GHCB_CPUID_RESPONSE - jne SevEsIdtNoCpuidResponse - - ; Save returned value - shr eax, GHCB_CPUID_REGISTER_SHIFT - mov [esp + eax * 4], edx - - ; Next register - inc word [esp + VC_CPUID_REQUEST_REGISTER] - - jmp NextReg - -VmmDone: - ; - ; At this point we have all CPUID register values. Restore the GHCB MS= R, - ; set the return register values and return. - ; - mov eax, [esp + VC_GHCB_MSR_EAX] - mov edx, [esp + VC_GHCB_MSR_EDX] - mov ecx, 0xc0010130 - wrmsr - - mov eax, [esp + VC_CPUID_RESULT_EAX] - mov ebx, [esp + VC_CPUID_RESULT_EBX] - mov ecx, [esp + VC_CPUID_RESULT_ECX] - mov edx, [esp + VC_CPUID_RESULT_EDX] - - add esp, VC_VARIABLE_SIZE - - ; Update the EIP value to skip over the now handled CPUID instruction - ; (the CPUID instruction has a length of 2) - add word [esp], CPUID_INSN_LEN - iret - -ALIGN 2 - -Idtr: - dw IDT_END - IDT_BASE - 1 ; Limit - dd ADDR_OF(IDT_BASE) ; Base - -IdtrClear: - dw 0 ; Limit - dd 0 ; Base - -ALIGN 16 - -; -; The Interrupt Descriptor Table (IDT) -; This will be used to determine if SEV-ES is enabled. Upon execution -; of the CPUID instruction, a VMM Communication Exception will occur. -; This will tell us if SEV-ES is enabled. We can use the current value -; of the GHCB MSR to determine the SEV attributes. 
-; -IDT_BASE: -; -; Vectors 0 - 28 (No handlers) -; -%rep 29 - dw 0 ; Offset low bits 15..0 - dw 0x10 ; Selector - db 0 ; Reserved - db 0x8E ; Gate Type (IA32_IDT_GAT= E_TYPE_INTERRUPT_32) - dw 0 ; Offset high bits 31..16 -%endrep -; -; Vector 29 (VMM Communication Exception) -; - dw (ADDR_OF(SevEsIdtVmmComm) & 0xffff) ; Offset low bits 15..0 - dw 0x10 ; Selector - db 0 ; Reserved - db 0x8E ; Gate Type (IA32_IDT_GAT= E_TYPE_INTERRUPT_32) - dw (ADDR_OF(SevEsIdtVmmComm) >> 16) ; Offset high bits 31..16 -; -; Vectors 30 - 31 (No handlers) -; -%rep 2 - dw 0 ; Offset low bits 15..0 - dw 0x10 ; Selector - db 0 ; Reserved - db 0x8E ; Gate Type (IA32_IDT_GAT= E_TYPE_INTERRUPT_32) - dw 0 ; Offset high bits 31..16 -%endrep -IDT_END: diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index 5fbacaed5f9d..8a3269cfc212 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -77,6 +77,7 @@ %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) %define SEV_ES_VC_TOP_OF_STACK (FixedPcdGet32 (PcdOvmfSecPeiTempRamBase)= + FixedPcdGet32 (PcdOvmfSecPeiTempRamSize)) %include "Ia32/Flat32ToFlat64.asm" +%include "Ia32/AmdSev.asm" %include "Ia32/PageTables64.asm" %endif =20 --=20 2.17.1
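
Review bot: In the first AmdSev.asm hunk (@@ -10,33 +10,6 @@), the edit starts at line 10, so lines 1-9 of the new file are carried over unchanged from PageTables64.asm. If that header holds the file description, AmdSev.asm will still describe itself as the 64-bit page table setup code. Suggest updating the description to say the file contains the SEV/SEV-ES detection routines (CheckSevFeatures, IsSevEsEnabled) and the #VC handler with its IDT, so the two files are distinguishable from their headers alone.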
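
Review bot: In the last PageTables64.asm hunk (@@ -324,218 +148,3 @@), the #VC handler is moved with `add word [esp], CPUID_INSN_LEN` in VmmDone intact, which adjusts only the low 16 bits of the saved 32-bit EIP and would not carry into the upper half if the intercepted CPUID sat within two bytes of a 64 KiB boundary. Leaving it alone here is right for a move-only patch, but it deserves a follow-up patch (a dword-sized add) or at least a comment in AmdSev.asm explaining why the word-sized form is safe for the reset vector's address range. The same applies to `inc word [esp + VC_CPUID_REQUEST_REGISTER]`, which operates on a variable that is read and written as a dword everywhere else in the handler.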
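
Review bot: In the ResetVector.nasmb hunk, the new `%include "Ia32/AmdSev.asm"` carries no comment about its coupling to the neighbouring lines, and two dependencies are now implicit. AmdSev.asm uses SEV_ES_WORK_AREA, SEV_ES_WORK_AREA_ENC_MASK and SEV_ES_VC_TOP_OF_STACK, which are %define'd just above, so it must stay below those defines and inside the same conditional block that ends at the `%endif`. In the other direction, SetCr3ForPageTables64 in PageTables64.asm still does `OneTimeCall CheckSevFeatures` and `OneTimeCall IsSevEsEnabled`, so PageTables64.asm cannot be assembled without AmdSev.asm. A one-line comment above the include stating both dependencies would keep a later reorder or a non-SEV build variant from breaking this silently.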