From: "Brijesh Singh"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Brijesh Singh
Subject: [PATCH v2 2/3] OvmfPkg/ResetVector: update SEV support to use new work area format
Date: Thu, 5 Aug 2021 15:42:13 -0500
Message-ID: <20210805204214.27792-3-brijesh.singh@amd.com>
In-Reply-To: <20210805204214.27792-1-brijesh.singh@amd.com>
References: <20210805204214.27792-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3429

Update the SEV
support to switch to using the newer work area format. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/ResetVector.inf | 1 + OvmfPkg/Sec/SecMain.inf | 2 ++ OvmfPkg/Sec/SecMain.c | 32 ++++++++++++++++++++++- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 8 ++++++ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 4 +++ OvmfPkg/ResetVector/ResetVector.nasmb | 1 + 6 files changed, 47 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index d028c92d8cfa..6ec9cca40c3a 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -34,6 +34,7 @@ [BuildOptions] *_*_X64_NASMB_FLAGS =3D -I$(WORKSPACE)/UefiCpuPkg/ResetVector/Vtf0/ =20 [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecGhcbSize diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 7f78dcee2772..b650345770f2 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -56,6 +56,7 @@ [Ppis] gEfiTemporaryRamSupportPpiGuid # PPI ALWAYS_PRODUCED =20 [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfPeiMemFvSize @@ -70,6 +71,7 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2aa..27a1a4af0e4a 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c 
@@ -807,6 +807,36 @@ SevEsProtocolCheck ( Ghcb->GhcbUsage =3D GHCB_STANDARD_USAGE; } =20 +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that = it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +STATIC +BOOLEAN +IsSevGuest ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + // + // Ensure that the size of the Confidential Computing work area header + // is same as what is provided through a fixed PCD. + // + ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeade= r) =3D=3D + sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); + + WorkArea =3D (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); + + return ((WorkArea !=3D NULL) && (WorkArea->Header.GuestType =3D=3D GUEST= _TYPE_AMD_SEV)); +} + /** Determine if SEV-ES is active. =20 @@ -828,7 +858,7 @@ SevEsIsEnabled ( =20 SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); =20 - return ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->SevEsEnabled !=3D 0= )); + return (((IsSevGuest()) && SevEsWorkArea !=3D NULL) && (SevEsWorkArea->S= evEsEnabled !=3D 0)); } =20 VOID diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index aa95d06eaddb..87d81b01e263 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -171,6 +171,9 @@ CheckSevFeatures: bt eax, 0 jnc NoSev =20 + ; Set the work area header to indicate that the SEV is enabled + mov byte[WORK_AREA_GUEST_TYPE], 1 + ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest 
@@ -257,6 +260,11 @@ SevExit: IsSevEsEnabled: xor eax, eax =20 + ; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set + ; to 1 if SEV is enabled. + cmp byte[WORK_AREA_GUEST_TYPE], 1 + jne SevEsDisabled + ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if ; SEV-ES is enabled. cmp byte[SEV_ES_WORK_AREA], 1 diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index eacdb69ddb9f..f688909f1c7d 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -42,6 +42,10 @@ BITS 32 ; SetCr3ForPageTables64: =20 + ; Clear the WorkArea header. The SEV probe routines will populate the + ; work area when detected. + mov byte[WORK_AREA_GUEST_TYPE], 0 + OneTimeCall CheckSevFeatures xor edx, edx test eax, eax diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index acec46a32450..d1d800c56745 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -72,6 +72,7 @@ %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) + %define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) --=20 2.17.1
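Review bot: In IsSevGuest() in OvmfPkg/Sec/SecMain.c, the header-size check is a runtime ASSERT, so it does nothing in builds where assertions are disabled, even though both operands (a FixedPcdGet32 value and a sizeof) are build-time constants; a STATIC_ASSERT would reject a mismatch between PcdOvmfConfidentialComputingWorkAreaHeader and sizeof (CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER) in every build. The `WorkArea != NULL` test compares an address taken from a fixed PCD, so it only guards against the PCD being zero; consider dropping it or saying in the comment what it protects against. Style: `sizeof(` needs a space before the parenthesis, and the return line runs past 80 columns.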
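Review bot: In SevEsIsEnabled() in OvmfPkg/Sec/SecMain.c, the new return expression groups its terms as `((IsSevGuest()) && SevEsWorkArea != NULL)`, which wraps the call in redundant parentheses and leaves the NULL comparison unparenthesised, unlike the line it replaces. Short-circuit evaluation still makes the result correct, but the grouping is hard to read; suggest `return (IsSevGuest () && (SevEsWorkArea != NULL) && (SevEsWorkArea->SevEsEnabled != 0));`, which also adds the space before the call parentheses used elsewhere in the file.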
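Review bot: In CheckSevFeatures in OvmfPkg/ResetVector/Ia32/AmdSev.asm, `mov byte[WORK_AREA_GUEST_TYPE], 1` stores a literal 1, while the C side in SecMain.c compares the same byte against GUEST_TYPE_AMD_SEV; nothing in the patch ties the two values together. The same literal is repeated in the `cmp byte[WORK_AREA_GUEST_TYPE], 1` added to IsSevEsEnabled. Suggest a named %define for the guest type value in ResetVector.nasmb, with a comment pointing at the C definition, so a change to the enum cannot silently break SEV detection in the reset vector.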
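Review bot: In SetCr3ForPageTables64 in OvmfPkg/ResetVector/Ia32/PageTables64.asm, the comment says "Clear the WorkArea header", but `mov byte[WORK_AREA_GUEST_TYPE], 0` writes a single byte. The SecMain.c hunk checks the header size against a dedicated PCD, which suggests the header is larger than one byte; if so, the remaining bytes keep whatever the memory held before SEC reads the work area. Either clear the full header here or reword the comment to say that only the GuestType field is reset.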
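Review bot: In OvmfPkg/ResetVector/ResetVector.nasmb, WORK_AREA_GUEST_TYPE is defined as exactly FixedPcdGet32 (PcdOvmfWorkAreaBase), which silently assumes that GuestType is the first byte of the work area header. The neighbouring SEV_ES_WORK_AREA_RDRAND and SEV_ES_WORK_AREA_ENC_MASK defines spell out their offsets (+ 8, + 16); a short comment here stating that GuestType sits at offset 0 of the header would keep the assembly and the C structure in step if the layout changes.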