From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (NAM12-DM6-obe.outbound.protection.outlook.com [40.107.243.57]) by mx.groups.io with SMTP id smtpd.web11.39027.1629208030648607891 for ; Tue, 17 Aug 2021 06:47:10 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@amd.com header.s=selector1 header.b=bEUhJpuN; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: amd.com, ip: 40.107.243.57, mailfrom: brijesh.singh@amd.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AATybwakx8fjAive3ONRTwyFvi3T4Ad3CxDlGoLBU2WEl6mCAwyQB87tBTVJGXXl9JqkioRvhYXO5eXtIWrXQWrUAXwct5hqNqStq/GjhDoqHZoMLip4vBeJREa/EjLwHQHRUrFBJq62bjD+6viJjHOuox8tgJytbc7B1UMIaIBmfsjKVIpUmJpT5lo6krpl4BGEI1/bdzd9eyQaouPgpkgYiKkNv5jUZ5Mv/UdbP/0bYI3KI2TntO+t2roEAOJ1O9rexifjzmDr4drIrvWZaErSohzbHGbH2emBIeU3XVnz1m1K1Lcl3lVON9+LFHLb3pGB9GERgfiBwsalgtg6ww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yaRxyLzr5PQGguxoR5PgXkb9je60WAv1H2AsmkqkzQc=; b=YOy+cpdcJzIVreWFwicyjihBkgYhsQuRblOlGi5dqrPIZadL0Y6MGQRFgkU35dMGFvGmWr3t7OLsjy8jANE3FodKA9naSAP1x9vDkKgiupYEUlRrLK+J0lXWLMUaN7XcGpPEJZa3rVt3UrkvIeIA6SDHTaFyQh0s9YuRA4yBYKgXsNLBtb0nhjKy8X2cXIHGuGav/cf/XA+uf9qlCD62Ulpb8CffeNtepG1MLG55bGUjPv+VDKIy+YWzRnThtx49O2/HkRj1UYfWUgHntWeJU9Em26LShu2M6C0eVF7PckVV6I0K1mqj3zY906CRQUWH/jJp1aXAQzCDV4PMZnPu2w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=yaRxyLzr5PQGguxoR5PgXkb9je60WAv1H2AsmkqkzQc=; b=bEUhJpuNdz7tXvmIZ2lOaTr1ozwqLPZchTPhtDg7VGObYspemTC5vT2rc3e3wdR5S2ncj0g50IqnTpdJlX0vDCrIXQgykfXbekh+y6aRF408yCg7oetSjHSRqcNgKTeQ+2FDyZ+l/HFzag3e6myYFn7U8jWoEn+wlgnkpiQHQbs= Authentication-Results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=amd.com; Received: from SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) by SA0PR12MB4384.namprd12.prod.outlook.com (2603:10b6:806:9f::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.15; Tue, 17 Aug 2021 13:47:09 +0000 Received: from SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3]) by SN6PR12MB2718.namprd12.prod.outlook.com ([fe80::78b7:7336:d363:9be3%6]) with mapi id 15.20.4415.024; Tue, 17 Aug 2021 13:47:09 +0000 From: "Brijesh Singh" To: devel@edk2.groups.io CC: James Bottomley , Min Xu , Jiewen Yao , Tom Lendacky , Jordan Justen , Ard Biesheuvel , Erdem Aktas , Michael Roth , Brijesh Singh Subject: [PATCH v3 2/3] OvmfPkg/ResetVector: update SEV support to use new work area format Date: Tue, 17 Aug 2021 08:46:50 -0500 Message-ID: <20210817134651.20444-3-brijesh.singh@amd.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210817134651.20444-1-brijesh.singh@amd.com> References: <20210817134651.20444-1-brijesh.singh@amd.com> X-ClientProxiedBy: SA0PR11CA0165.namprd11.prod.outlook.com (2603:10b6:806:1bb::20) To SN6PR12MB2718.namprd12.prod.outlook.com (2603:10b6:805:6f::22) Return-Path: brijesh.singh@amd.com MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from sbrijesh-desktop.amd.com (165.204.77.1) by SA0PR11CA0165.namprd11.prod.outlook.com (2603:10b6:806:1bb::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.16 via Frontend Transport; Tue, 17 Aug 2021 13:47:08 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 89491a0c-c3a4-41f6-b17a-08d9618581ef X-MS-TrafficTypeDiagnostic: SA0PR12MB4384: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:7219; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: PAtnOgwnIFR7hlxOVKqGNlLEhum+bje9N+fXxM8/op7k7VVnqwuMRht/ZmtWc0Noh+dpwCMA0NmsZYeua4sgEmt1S9WN1WRx3KDGzlW5tahrN9Z2Kw/i+n+uaKPx+26iiVHEzFUKeZ0jBhLW8MhwnoiIAFWDVaZABuLm1O8RNSOXpY0eug4+9zGfycfkRFTgom5PRsVbTF83hS84rlAcLVBJSdC+DUHKYxzPt4WEqafmOCPsE8F/5kPbks5PAhhTZnN6unTPgLl2WCJw/s7Z+OO6xSS2zaUii7+ddQ97R1GBDY+mE2TLuCEW5TCj3vVRwV4VA3MYMsKzO3B0JUx6gkpzIdsL7P9FFznjGSt8REgipACUE6pTa+sVRn30pmV3E+T7C3XsqbHTpYCo98yRn1jKAqMPy7JplX9AsaIyRULmyvHBlWudkyGaEARQd5qt1Gb3gZXxQK9rPSrbfYXwIjqhznlIh8NZZ9jl3iMlNu0QJSbYMIgiU4r7UGORjKo+f9hRu/c1Vgul2J7oKaToY4E/KtZsgU836jQKkx/751+ztzx7QAoNbCelJLe0UbNI0Knx6OQH7RtYuUUaviIagEAO6V8OEBSRZzhsgKER1KrAWL1UKwg8qsRzutTm87FaDL485I6nI1UKfRkuqmrfrJ+3ZpT4tSdJGQdT0JBxF07CU11HgTfKkc+Zl0cZauL86V75vINz//K7IUEGae/4BP0KKSJTWtyBPYNfJjQodupI523XNsToLKMJF1DYCOB6uuP1JjnkB2Q1u/54ln0FNRq0J5UGV1AklBADrR4kmwA= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SN6PR12MB2718.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(136003)(346002)(39860400002)(376002)(396003)(366004)(52116002)(1076003)(26005)(36756003)(83380400001)(8676002)(86362001)(186003)(8936002)(54906003)(15650500001)(956004)(7696005)(2616005)(966005)(4326008)(6916009)(2906002)(66556008)(66476007)(6666004)(44832011)(19627235002)(38100700002)(38350700002)(66946007)(6486002)(5660300002)(316002)(478600001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?CXoV/eGg/v9StWY8rpzYlEfXEwBPvw9tXC09vWmKASVgyAMERiOFw3Sb+s1+?= =?us-ascii?Q?RpA72ZkqN+waXPdRXXRk5rGM3j8UhzXXM8X9cF/adQQjVJllSKTX+lMTM74O?= =?us-ascii?Q?MUFErAnid52bgq6Q2lUMpnkiBQP/0QwFpmRysYtmJGD7kmlSWbv/8OAeBn2D?= =?us-ascii?Q?TJBbugFNKqUrIFKaw3M1w2JU4V7SAzvJXrLT+1Fx3JPCuH+YwAoDbpQjm3N2?= =?us-ascii?Q?bhX4Djkohjq3WyGUTsr/Zt9c9zEfioLeeMTKMKXqK2WAABkjK/etcRIUo1lQ?= =?us-ascii?Q?ycIegyi004zuVv5B+5s6tNBiqJYcHRP6mKxbeWJvDxyuxYAyCacmandxwJNO?= =?us-ascii?Q?p5BV9x3hYozEr91qtqnjdnxS58va5I+41nkYbmT9QGOeJclgV0q3mw5/k9XP?= =?us-ascii?Q?iLnQ+O/ObjjOQqd9zkhM+4gGbLNtz/kEIbNVHB+qOYZP84jrpGgbk3jrIPzk?= =?us-ascii?Q?OVLfvqK4FqO6N1k1FfXDI0ZLtaCpGKrE60ou2inpB1FL15x3SmtFzjkEmhF0?= =?us-ascii?Q?ebM2Jmw10VUX03KrHaL786rrkexQsoDPYn4PLR5pJWemanJMeGcCHJuJEBdz?= =?us-ascii?Q?tXuMUtXlj0b+rqszu/+b4kKwNDtIinNC3dB1Z6WPVuFluz9fRboeJMSArlgy?= =?us-ascii?Q?kjHYPr/v8sT87hvoVDeMuyVxKUISzbAS/T0xBAdmuv6FtDfF5i6qgPIvzPSC?= =?us-ascii?Q?orPX7ChM7H93kwpr0kUdInrC9Sdg3ZU2vMKYjduKMaqyMc/owu7H7/jpXKZI?= =?us-ascii?Q?TqVfmqfb/SwOopbN6hfGqDKc06CcW3DQaAXtQDKNtY/Hks2s1f0eoZARYFQS?= =?us-ascii?Q?oNJidMwYuNbSRLSolmL8kc63VQAxJ5P4Mc5uJEvs8YKUon2ySB368zi65dBs?= =?us-ascii?Q?BEoKF89eEl8Gy5ToYQxV3apz/447zlXQcy1l1Kd3RaanzrQ+y0JqGeNqptNN?= =?us-ascii?Q?ciQZ5DItSObpX0xvHZCuamC4vwLGEV3HIgrLTflIU1wiEy6ovKCWV8LdvNuV?= =?us-ascii?Q?O1SUDzt/1QXPvB9S5eotTVB+zL9cdsqzI/6K3t/nvmHEnxShc5OK2d0bgO53?= =?us-ascii?Q?d+P6bge8hf88FgCjD0gA+VbcI4D+vDywVDUzcO0Tbgczzqx5XAO7qrtwOhGs?= =?us-ascii?Q?NUTr9hcBR2gIgvyVld5vP2LnzCU8WgfrGMCUxAcCA1Hp5IaldG8DM8CAvSAZ?= =?us-ascii?Q?ZtxmM0cfcn1/wJDHcg27IUsL7+0ruPBUsmR+7bmchlci2CyaFRFjbYkqYAcj?= =?us-ascii?Q?MqpKAAzdpAZtl4Jed4jvAdfe99/uXVvFqpGv7vJWbvpQ4hO/nqqq2cq2o+nW?= =?us-ascii?Q?Km0XkYo0JNUDaGbN1c8LSsq3?= X-OriginatorOrg: amd.com X-MS-Exchange-CrossTenant-Network-Message-Id: 89491a0c-c3a4-41f6-b17a-08d9618581ef X-MS-Exchange-CrossTenant-AuthSource: SN6PR12MB2718.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Aug 2021 13:47:08.9669 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: lBWtKmP6GQCvmWb1ZYCGGpMEPrm7XEdS2WOtRYkT6xf8PZFqkvK9UOFBJ0xo3zx1SqhKbe76Z96OPHIcjfobAQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR12MB4384 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3429 Update the SEV support to switch to using the newer work area format. Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/ResetVector.inf | 1 + OvmfPkg/Sec/SecMain.inf | 2 ++ OvmfPkg/Sec/SecMain.c | 36 ++++++++++++++++++++++- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 8 +++++ OvmfPkg/ResetVector/Ia32/PageTables64.asm | 4 +++ OvmfPkg/ResetVector/ResetVector.nasmb | 1 + 6 files changed, 51 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/ResetVector/ResetVector.inf b/OvmfPkg/ResetVector/Rese= tVector.inf index d028c92d8cfa..a2520dde5508 100644 --- a/OvmfPkg/ResetVector/ResetVector.inf +++ b/OvmfPkg/ResetVector/ResetVector.inf @@ -43,6 +43,7 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPageTablesSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamBase gUefiOvmfPkgTokenSpaceGuid.PcdOvmfSecPeiTempRamSize + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase =20 [FixedPcd] gUefiOvmfPkgTokenSpaceGuid.PcdSevLaunchSecretBase diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index 7f78dcee2772..ea4b9611f52d 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -70,6 +70,8 @@ [Pcd] gUefiOvmfPkgTokenSpaceGuid.PcdGuidedExtractHandlerTableSize gUefiOvmfPkgTokenSpaceGuid.PcdOvmfDecompressionScratchEnd gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader + gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase =20 [FeaturePcd] gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 9db67e17b2aa..707b0d4bbff4 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -807,6 +807,36 @@ SevEsProtocolCheck ( Ghcb->GhcbUsage =3D GHCB_STANDARD_USAGE; } =20 +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that = it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +STATIC +BOOLEAN +IsSevGuest ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + // + // Ensure that the size of the Confidential Computing work area header + // is same as what is provided through a fixed PCD. + // + ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeade= r) =3D=3D + sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); + + WorkArea =3D (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); + + return ((WorkArea !=3D NULL) && (WorkArea->Header.GuestType =3D=3D GUEST= _TYPE_AMD_SEV)); +} + /** Determine if SEV-ES is active. =20 @@ -826,9 +856,13 @@ SevEsIsEnabled ( { SEC_SEV_ES_WORK_AREA *SevEsWorkArea; =20 + if (!IsSevGuest()) { + return FALSE; + } + SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); =20 - return ((SevEsWorkArea !=3D NULL) && (SevEsWorkArea->SevEsEnabled !=3D 0= )); + return (SevEsWorkArea->SevEsEnabled !=3D 0); } =20 VOID diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index aa95d06eaddb..87d81b01e263 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -171,6 +171,9 @@ CheckSevFeatures: bt eax, 0 jnc NoSev =20 + ; Set the work area header to indicate that the SEV is enabled + mov byte[WORK_AREA_GUEST_TYPE], 1 + ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest @@ -257,6 +260,11 @@ SevExit: IsSevEsEnabled: xor eax, eax =20 + ; During CheckSevFeatures, the WORK_AREA_GUEST_TYPE is set + ; to 1 if SEV is enabled. + cmp byte[WORK_AREA_GUEST_TYPE], 1 + jne SevEsDisabled + ; During CheckSevFeatures, the SEV_ES_WORK_AREA was set to 1 if ; SEV-ES is enabled. cmp byte[SEV_ES_WORK_AREA], 1 diff --git a/OvmfPkg/ResetVector/Ia32/PageTables64.asm b/OvmfPkg/ResetVecto= r/Ia32/PageTables64.asm index eacdb69ddb9f..f688909f1c7d 100644 --- a/OvmfPkg/ResetVector/Ia32/PageTables64.asm +++ b/OvmfPkg/ResetVector/Ia32/PageTables64.asm @@ -42,6 +42,10 @@ BITS 32 ; SetCr3ForPageTables64: =20 + ; Clear the WorkArea header. The SEV probe routines will populate the + ; work area when detected. + mov byte[WORK_AREA_GUEST_TYPE], 0 + OneTimeCall CheckSevFeatures xor edx, edx test eax, eax diff --git a/OvmfPkg/ResetVector/ResetVector.nasmb b/OvmfPkg/ResetVector/Re= setVector.nasmb index acec46a32450..d1d800c56745 100644 --- a/OvmfPkg/ResetVector/ResetVector.nasmb +++ b/OvmfPkg/ResetVector/ResetVector.nasmb @@ -72,6 +72,7 @@ %define GHCB_PT_ADDR (FixedPcdGet32 (PcdOvmfSecGhcbPageTableBase)) %define GHCB_BASE (FixedPcdGet32 (PcdOvmfSecGhcbBase)) %define GHCB_SIZE (FixedPcdGet32 (PcdOvmfSecGhcbSize)) + %define WORK_AREA_GUEST_TYPE (FixedPcdGet32 (PcdOvmfWorkAreaBase)) %define SEV_ES_WORK_AREA (FixedPcdGet32 (PcdSevEsWorkAreaBase)) %define SEV_ES_WORK_AREA_RDRAND (FixedPcdGet32 (PcdSevEsWorkAreaBase) + = 8) %define SEV_ES_WORK_AREA_ENC_MASK (FixedPcdGet32 (PcdSevEsWorkAreaBase) = + 16) --=20 2.17.1