From: "Brijesh Singh" <brijesh.singh@amd.com>
To: devel@edk2.groups.io
Cc: James Bottomley <jejb@linux.ibm.com>, Min Xu <min.m.xu@intel.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Erdem Aktas <erdemaktas@google.com>,
Michael Roth <Michael.Roth@amd.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Michael Roth <michael.roth@amd.com>
Subject: [PATCH v6 04/29] OvmfPkg/ResetVector: invalidate the GHCB page
Date: Wed, 1 Sep 2021 11:16:21 -0500 [thread overview]
Message-ID: <20210901161646.24763-5-brijesh.singh@amd.com> (raw)
In-Reply-To: <20210901161646.24763-1-brijesh.singh@amd.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275
The GHCB page is part of a pre-validated memory range specified through
the SnpBootBlock GUID. When SEV-SNP is active, the GHCB page is
pre-validated by the hyperivosr during the SNP guest creation. On boot,
the reset vector maps the GHCB page as un-encrypted in the initial page
table. Just clearing the encryption attribute from the page table is not
enough. To maintain the security guarantees, the page must be invalidated.
The page invalidation consists of two steps:
1. Use the PVALIDATE instruction to clear Validated Bit from the RMP table.
2. Use the Page State Change VMGEXIT to ask hypervisor to change the page
state to shared in the RMP table.
Cc: Michael Roth <michael.roth@amd.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Erdem Aktas <erdemaktas@google.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
OvmfPkg/ResetVector/Ia32/AmdSev.asm | 137 ++++++++++++++++++++++++++++
1 file changed, 137 insertions(+)
diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
index 250ac8d8b180..0ac78c73c370 100644
--- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm
+++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm
@@ -7,6 +7,8 @@
;
;------------------------------------------------------------------------------
+%include "Nasm.inc"
+
BITS 32
;
@@ -65,6 +67,25 @@ BITS 32
PAGE_READ_WRITE + \
PAGE_PRESENT)
+; SNP page state change failure
+%define TERM_PAGE_STATE_CHANAGE 3
+
+; Hypervisor does not support SEV-SNP feature
+%define TERM_HV_UNSUPPORTED_FEATURE 4
+
+; GHCB SEV Information MSR protocol
+%define GHCB_SEV_INFORMATION_REQUEST 2
+%define GHCB_SEV_INFORMATION_RESPONSE 1
+
+; GHCB Page Invalidate request and response protocol values
+;
+%define GHCB_PAGE_STATE_CHANGE_REQUEST 20
+%define GHCB_PAGE_STATE_CHANGE_RESPONSE 21
+%define GHCB_PAGE_STATE_SHARED 2
+
+; GHCB Hypervisor features MSR protocol
+%define GHCB_HYPERVISOR_FEATURES_REQUEST 128
+%define GHCB_HYPERVISOR_FEATURES_RESPONSE 129
; Macro is used to issue the MSR protocol based VMGEXIT. The caller is
; responsible to populate values in the EDX:EAX registers. After the vmmcall
@@ -183,6 +204,19 @@ clearGhcbMemoryLoop:
mov dword[ecx * 4 + GHCB_BASE - 4], eax
loop clearGhcbMemoryLoop
+ ;
+ ; The page table built above cleared the memory encryption mask from the
+ ; GHCB_BASE (aka made it shared). When SEV-SNP is enabled, to maintain
+ ; the security guarantees, the page state transition from private to
+ ; shared must go through the page invalidation steps. Invalidate the
+ ; memory range before loading the page table below.
+ ;
+ ; NOTE: the invalidation must happen after zeroing the GHCB memory. This
+ ; is because, in the 32-bit mode all the access are considered private.
+ ; The invalidation before the zero'ing will cause a #VC.
+ ;
+ OneTimeCall InvalidateGHCBPage
+
SevClearPageEncMaskForGhcbPageExit:
OneTimeCallRet SevClearPageEncMaskForGhcbPage
@@ -334,6 +368,109 @@ SevExit:
OneTimeCallRet CheckSevFeatures
+; The version 2 of GHCB specification added the support to query the hypervisor
+; features. If the GHCB version is >=2 then read the hypervisor features and
+; verify that SEV-SNP feature is supported.
+;
+CheckSnpHypervisorFeatures:
+ ; Get the SEV Information
+ xor eax, eax
+ xor edx, edx
+
+ VmgExit GHCB_SEV_INFORMATION_REQUEST, GHCB_SEV_INFORMATION_RESPONSE
+
+ ;
+ ; SEV Information Response GHCB MSR
+ ; GHCB_MSR[63:48] = Maximum protocol version
+ ; GHCB_MSR[47:32] = Minimum protocol version
+ ;
+ shr edx, 16
+ cmp edx, 2
+ jl SevSnpUnsupportedFeature
+
+ ; Get the hypervisor features
+ xor eax, eax
+ xor edx, edx
+
+ VmgExit GHCB_HYPERVISOR_FEATURES_REQUEST, GHCB_HYPERVISOR_FEATURES_RESPONSE
+
+ ;
+ ; Hypervisor features reponse
+ ; GHCB_MSR[63:12] = Features bitmap
+ ; BIT0 = SEV-SNP Supported
+ ;
+ shr eax, 12
+ bt eax, 0
+ jnc SevSnpUnsupportedFeature
+
+CheckSnpHypervisorFeaturesDone:
+ OneTimeCallRet CheckSnpHypervisorFeatures
+
+; If its an SEV-SNP guest then use the page state change VMGEXIT to invalidate
+; the GHCB page.
+;
+; Modified: EAX, EBX, ECX, EDX
+;
+InvalidateGHCBPage:
+ ; Check if SEV-SNP is enabled
+ ; MSR_0xC0010131 - Bit 2 (SEV-SNP enabled)
+ mov ecx, SEV_STATUS_MSR
+ rdmsr
+ bt eax, 2
+ jnc InvalidateGHCBPageDone
+
+ ; Verify that SEV-SNP feature is supported by the hypervisor.
+ OneTimeCall CheckSnpHypervisorFeatures
+
+ ; Use PVALIDATE instruction to invalidate the page
+ mov eax, GHCB_BASE
+ mov ecx, 0
+ mov edx, 0
+ PVALIDATE
+
+ ; Save the carry flag to be use later.
+ setc dl
+
+ ; If PVALIDATE fail then abort the launch.
+ cmp eax, 0
+ jne SevSnpPageStateFailureTerminate
+
+ ; Check the carry flag to determine if RMP entry was updated.
+ cmp dl, 0
+ jne SevSnpPageStateFailureTerminate
+
+ ; Ask hypervisor to change the page state to shared using the
+ ; Page State Change VMGEXIT.
+ ;
+ ; Setup GHCB MSR
+ ; GHCB_MSR[55:52] = Page Operation
+ ; GHCB_MSR[51:12] = Guest Physical Frame Number
+ ;
+ mov eax, (GHCB_BASE >> 12)
+ shl eax, 12
+ mov edx, (GHCB_PAGE_STATE_SHARED << 20)
+
+ VmgExit GHCB_PAGE_STATE_CHANGE_REQUEST, GHCB_PAGE_STATE_CHANGE_RESPONSE
+
+ ;
+ ; Response GHCB MSR
+ ; GHCB_MSR[63:12] = Error code
+ ;
+ cmp edx, 0
+ jnz SevSnpPageStateFailureTerminate
+
+InvalidateGHCBPageDone:
+ OneTimeCallRet InvalidateGHCBPage
+
+; Terminate the SEV-SNP guest due to the page state change failure
+SevSnpPageStateFailureTerminate:
+ TerminateVmgExit TERM_PAGE_STATE_CHANAGE
+
+; Terminate the SEV-SNP guest because hypervisor does not support
+; the SEV-SNP feature
+SevSnpUnsupportedFeature:
+ TerminateVmgExit TERM_HV_UNSUPPORTED_FEATURE
+
; Start of #VC exception handling routines
;
--
2.17.1
next prev parent reply other threads:[~2021-09-01 16:17 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-01 16:16 [PATCH v6 00/29] Add AMD Secure Nested Paging (SEV-SNP) support Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 01/29] OvmfPkg: reserve SNP secrets page Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 02/29] OvmfPkg: reserve CPUID page for SEV-SNP Brijesh Singh
2021-09-02 8:04 ` Gerd Hoffmann
2021-09-02 12:28 ` Brijesh Singh
2021-09-02 21:17 ` Brijesh Singh
2021-09-03 6:28 ` Gerd Hoffmann
2021-09-03 11:56 ` [edk2-devel] " Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 03/29] OvmfPkg/ResetVector: introduce SEV-SNP boot block GUID Brijesh Singh
2021-09-01 16:16 ` Brijesh Singh [this message]
2021-09-01 16:16 ` [PATCH v6 05/29] OvmfPkg/ResetVector: check the vmpl level Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 06/29] OvmfPkg/ResetVector: pre-validate the data pages used in SEC phase Brijesh Singh
2021-09-02 8:20 ` Gerd Hoffmann
2021-09-06 1:10 ` [edk2-devel] " Min Xu
2021-09-06 12:16 ` Gerd Hoffmann
2021-09-06 13:19 ` Min Xu
2021-09-07 7:07 ` Gerd Hoffmann
2021-09-07 13:27 ` Brijesh Singh
2021-09-08 6:36 ` Min Xu
2021-09-14 3:49 ` Yao, Jiewen
2021-09-16 7:42 ` Gerd Hoffmann
2021-09-01 16:16 ` [PATCH v6 07/29] OvmfPkg/ResetVector: use SEV-SNP-validated CPUID values Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 08/29] UefiCpuPkg: Define the SEV-SNP specific dynamic PCDs Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 09/29] OvmfPkg/MemEncryptSevLib: add MemEncryptSevSnpEnabled() Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 10/29] OvmfPkg/SecMain: move SEV specific routines in AmdSev.c Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 11/29] OvmfPkg/SecMain: register GHCB gpa for the SEV-SNP guest Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 12/29] OvmfPkg/VmgExitLib: use SEV-SNP-validated CPUID values Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 13/29] OvmfPkg/PlatformPei: register GHCB gpa for the SEV-SNP guest Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 14/29] OvmfPkg/AmdSevDxe: do not use extended PCI config space Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 15/29] OvmfPkg/MemEncryptSevLib: add support to validate system RAM Brijesh Singh
2021-09-02 9:50 ` Gerd Hoffmann
2021-09-02 13:34 ` Brijesh Singh
2021-09-03 7:04 ` Gerd Hoffmann
2021-09-01 16:16 ` [PATCH v6 16/29] OvmfPkg/BaseMemEncryptSevLib: skip the pre-validated " Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 17/29] OvmfPkg/MemEncryptSevLib: add support to validate > 4GB memory in PEI phase Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 18/29] OvmfPkg/SecMain: pre-validate the memory used for decompressing Fv Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 19/29] OvmfPkg/PlatformPei: validate the system RAM when SNP is active Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 20/29] OvmfPkg/PlatformPei: set the SEV-SNP enabled PCD Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 21/29] OvmfPkg/PlatformPei: set the Hypervisor Features PCD Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 22/29] MdePkg/GHCB: increase the GHCB protocol max version Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 23/29] UefiCpuPkg/MpLib: add support to register GHCB GPA when SEV-SNP is enabled Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 24/29] UefiCpuPkg/MpInitLib: use BSP to do extended topology check Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 25/29] OvmfPkg/MemEncryptSevLib: change the page state in the RMP table Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 26/29] OvmfPkg/MemEncryptSevLib: skip page state change for Mmio address Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 27/29] OvmfPkg/PlatformPei: mark cpuid and secrets memory reserved in EFI map Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 28/29] OvmfPkg/AmdSev: expose the SNP reserved pages through configuration table Brijesh Singh
2021-09-01 16:16 ` [PATCH v6 29/29] UefiCpuPkg/MpInitLib: Use SEV-SNP AP Creation NAE event to launch APs Brijesh Singh
2021-09-07 2:36 ` [PATCH v6 00/29] Add AMD Secure Nested Paging (SEV-SNP) support Yao, Jiewen
2021-09-08 2:29 ` Min Xu
2021-09-08 6:03 ` Yao, Jiewen
2021-09-08 19:45 ` Brijesh Singh
2021-09-09 0:31 ` Min Xu
2021-09-09 10:51 ` Brijesh Singh
2021-09-09 11:22 ` Gerd Hoffmann
2021-09-09 11:40 ` Brijesh Singh
2021-09-09 11:45 ` [edk2-devel] " Min Xu
2021-09-09 11:55 ` Yao, Jiewen
2021-09-12 22:55 ` Brijesh Singh
2021-09-13 0:33 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210901161646.24763-5-brijesh.singh@amd.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox