From: "Brijesh Singh"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [PATCH v6 05/29] OvmfPkg/ResetVector: check the vmpl level
Date: Wed, 1 Sep 2021 11:16:22 -0500
Message-ID: <20210901161646.24763-6-brijesh.singh@amd.com>
In-Reply-To: <20210901161646.24763-1-brijesh.singh@amd.com>
References: <20210901161646.24763-1-brijesh.singh@amd.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Virtual Machine Privilege Level (VMPL) is an optional feature in the
SEV-SNP architecture, which allows a guest VM to divide its address space
into four levels. The level can be used to provide the hardware isolated
abstraction layers with a VM. The VMPL0 is the highest privilege, and
VMPL3 is the least privilege. Certain operations must be done by the VMPL0
software, such as:

* Validate or invalidate memory range (PVALIDATE instruction)
* Allocate VMSA page (RMPADJUST instruction when VMSA=1)

The initial SEV-SNP support assumes that it's running on VMPL0. Let's add
a check to make sure that we are running at VMPL0 before continuing the
boot. There is no easy method to query the current VMPL level. One simple
approach is to call PVALIDATE instruction and if the instruction causes a
#GP then its SEV-SNP guest is not booted under VMPL0.
See the AMD APL volume 3 (PVALIDATE) for additional information on the PVALIDATE. Cc: Michael Roth Cc: James Bottomley Cc: Min Xu Cc: Jiewen Yao Cc: Tom Lendacky Cc: Jordan Justen Cc: Ard Biesheuvel Cc: Erdem Aktas Signed-off-by: Brijesh Singh --- OvmfPkg/ResetVector/Ia32/AmdSev.asm | 90 ++++++++++++++++++++++++++++- 1 file changed, 88 insertions(+), 2 deletions(-) diff --git a/OvmfPkg/ResetVector/Ia32/AmdSev.asm b/OvmfPkg/ResetVector/Ia32= /AmdSev.asm index 0ac78c73c370..2386b15c0ce0 100644 --- a/OvmfPkg/ResetVector/Ia32/AmdSev.asm +++ b/OvmfPkg/ResetVector/Ia32/AmdSev.asm @@ -73,6 +73,12 @@ BITS 32 ; Hypervisor does not support SEV-SNP feature %define TERM_HV_UNSUPPORTED_FEATURE 4 =20 +; SEV-SNP guest is not launched at VMPL-0 +%define TERM_SNP_NOT_VMPL0 5 + +; The #VC is not for PVALIDATE +%define TERM_VC_NOT_PVALIDATE 6 + ; GHCB SEV Information MSR protocol %define GHCB_SEV_INFORMATION_REQUEST 2 %define GHCB_SEV_INFORMATION_RESPONSE 1 @@ -236,6 +242,25 @@ GetSevCBitMaskAbove31: GetSevCBitMaskAbove31Exit: OneTimeCallRet GetSevCBitMaskAbove31 =20 +; Check whether we're booted under the VMPL-0. +; +; There is no straightforward way to query the current VMPL level. The sim= plest +; method is to use the PVALIDATE instruction to change the page state. If = its +; not a VMPL-0 guest then PVALIDATE will cause #GP. +; +CheckSnpVmpl0: + ; This routine is part of the ROM, and should have been validated by t= he SNP + ; guest launch sequence. So its safe to re-validate the page containin= g + ; this routine. + mov eax, ADDR_OF(CheckSnpVmpl0) + mov ecx, 0 + mov edx, 1 + PVALIDATE + + ; We will reach here only if we are running at VMPL-0. + + OneTimeCallRet CheckSnpVmpl0 + ; Check if Secure Encrypted Virtualization (SEV) features are enabled. ; ; Register usage is tight in this routine, so multiple calls for the 
@@ -293,6 +318,17 @@ CheckSevFeatures: ; Set the work area header to indicate that the SEV is enabled mov byte[WORK_AREA_GUEST_TYPE], 1 =20 + ; Check if we're SEV-SNP guest and booted under VMPL-0. + ; + ; This check should happen here because the PVALIDATE instruction + ; used in the check will cause an exception. The IDT is active + ; during the CheckSevFeatures only. + ; + bt eax, 2 + jnc SkipCheckSnpVmpl0 + OneTimeCall CheckSnpVmpl0 + +SkipCheckSnpVmpl0: ; Check for SEV-ES memory encryption feature: ; CPUID Fn8000_001F[EAX] - Bit 3 ; CPUID raises a #VC exception if running as an SEV-ES guest @@ -471,6 +507,37 @@ SevSnpPageStateFailureTerminate: SevSnpUnsupportedFeature: TerminateVmgExit TERM_HV_UNSUPPORTED_FEATURE =20 + +; Start handling of #GP exception handling routines +; +SevEsIdtNotPvalidate: + TerminateVmgExit TERM_VC_NOT_PVALIDATE + iret + +SevSnpGpException: + ; + ; If we're here, then its an SEV-SNP guest and it was due to + ; PVALIDATE instruction. + ; + ; Verify that its an PVALIDATE instruction + ; The exception stack looks like this: + ; +---------+ + ; | .... | + ; | eip | + ; | err code| + ; +---------+ + pop ebx + pop ebx + mov ecx, [ebx] + cmp ecx, 0xff010ff2 ; Compare EIP with PVALIDATE menomics + jne SevEsIdtNotPvalidate + + ; The #GP was triggered by the PVALIDATE instruction, this will happen + ; only when we're not running at VMPL-0 + ; + TerminateVmgExit TERM_SNP_NOT_VMPL0 + iret + ; Start of #VC exception handling routines ; =20 
@@ -600,15 +667,34 @@ ALIGN 16 ; IDT_BASE: ; -; Vectors 0 - 28 (No handlers) +; Vectors 0 - 12 (No handlers) ; -%rep 29 +%rep 13 dw 0 ; Offset low bits 15..0 dw 0x10 ; Selector db 0 ; Reserved db 0x8E ; Gate Type (IA32_IDT_GAT= E_TYPE_INTERRUPT_32) dw 0 ; Offset high bits 31..16 %endrep +; +; Vector 13 (GP Exception) +; + dw (ADDR_OF(SevSnpGpException) & 0xffff) ; Offset low bits 15..0 + dw 0x10 ; Selector + db 0 ; Reserved + db 0x8E ; Gate Type (IA32_IDT_GAT= E_TYPE_INTERRUPT_32) + dw (ADDR_OF(SevSnpGpException) >> 16) ; Offset high bits 31..16 +; +; Vectors 14 - 28 (No handlers) +; +%rep 15 + dw 0 ; Offset low bits 15..0 + dw 0x10 ; Selector + db 0 ; Reserved + db 0x8E ; Gate Type (IA32_IDT_GAT= E_TYPE_INTERRUPT_32) + dw 0 ; Offset high bits 31..16 +%endrep + ; ; Vector 29 (VMM Communication Exception) ; --=20 2.17.1
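Review bot: TERM_VC_NOT_PVALIDATE and its comment "The #VC is not for PVALIDATE", in the %define hunk at @@ -73,6 +73,12 @@, name the wrong exception. The only user this patch adds is SevEsIdtNotPvalidate, which is reached from SevSnpGpException on vector 13 (#GP). Suggest a name along the lines of TERM_GP_NOT_PVALIDATE with the comment "The #GP is not for PVALIDATE", so that the termination reason reported to the host matches the fault that actually occurred.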
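Review bot: CheckSnpVmpl0 (hunk at @@ -236,6 +242,25 @@) goes straight from PVALIDATE to OneTimeCallRet without looking at what the instruction returned, so the comment "We will reach here only if we are running at VMPL-0" rests solely on the absence of a #GP. If PVALIDATE can complete here with a failure status, boot continues as though the check had passed; either test the result and terminate on failure, or extend the comment to say why a non-faulting failure cannot happen for this page. The routine's header comment should also list the registers it clobbers (eax, ecx, edx), and "If its not" and "So its safe" should read "it's".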
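Review bot: the bare "bt eax, 2" in the CheckSevFeatures hunk (@@ -293,6 +318,17 @@) has no comment saying which value eax holds or what bit 2 means, unlike the SEV-ES check directly below it, which is labelled "CPUID Fn8000_001F[EAX] - Bit 3". Please add the same kind of label for the SNP bit. Also, OneTimeCall CheckSnpVmpl0 overwrites eax, ecx and edx, so any code after SkipCheckSnpVmpl0 that still expects the pre-call eax has to reload it; the visible context does not show whether it does.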
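Review bot: in SevSnpGpException (hunk at @@ -471,6 +507,37 @@) the two "pop ebx" instructions remove the error code and EIP from the exception frame, so the iret after "TerminateVmgExit TERM_SNP_NOT_VMPL0", and the one under SevEsIdtNotPvalidate, would return through a frame that no longer starts at EIP. If TerminateVmgExit never returns, drop both iret lines or mark them unreachable; otherwise read EIP with "mov ebx, [esp + 4]" and leave the stack intact. The comment "If we're here, then its an SEV-SNP guest" is not enforced by anything in the handler, since the vector 13 gate is added to IDT_BASE unconditionally, so it should either be checked or reworded. "Compare EIP with PVALIDATE menomics" should say that the bytes at EIP are compared with the PVALIDATE opcode, and "mnemonics" is misspelled.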
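Review bot: the five-line empty gate descriptor in the IDT_BASE hunk (@@ -600,15 +667,34 @@) is now written out twice, once under "%rep 13" and once under "%rep 15"; a small %macro for the empty gate would keep the two copies from drifting apart. The counts themselves are consistent (13 empty gates, then vector 13, then 15 empty gates gives 29 entries ahead of vector 29), so the #VC gate keeps its slot.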