From: "Brijesh Singh"
To: devel@edk2.groups.io
CC: James Bottomley, Min Xu, Jiewen Yao, Tom Lendacky, Jordan Justen, Ard Biesheuvel, Erdem Aktas, Michael Roth, Gerd Hoffmann, Brijesh Singh, Michael Roth
Subject: [PATCH v7 01/31] OvmfPkg/SecMain: move SEV specific routines in AmdSev.c
Date: Mon, 13 Sep 2021 13:19:11 -0500
Message-ID: <20210913181941.23405-2-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210913181941.23405-1-brijesh.singh@amd.com>
References: <20210913181941.23405-1-brijesh.singh@amd.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3275

Move all the SEV specific functions into AmdSev.c.

No functional change intended.

Cc: Michael Roth
Cc: James Bottomley
Cc: Min Xu
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Jordan Justen
Cc: Ard Biesheuvel
Cc: Erdem Aktas
Cc: Gerd Hoffmann
Acked-by: Jiewen Yao
Signed-off-by: Brijesh Singh
--- OvmfPkg/Sec/SecMain.inf | 1 + OvmfPkg/Sec/AmdSev.h | 72 ++++++++++++++++++ OvmfPkg/Sec/AmdSev.c | 161 ++++++++++++++++++++++++++++++++++++++++ OvmfPkg/Sec/SecMain.c | 153 +------------------------------------- 4 files changed, 236 insertions(+), 151 deletions(-) create mode 100644 OvmfPkg/Sec/AmdSev.h create mode 100644 OvmfPkg/Sec/AmdSev.c diff --git a/OvmfPkg/Sec/SecMain.inf b/OvmfPkg/Sec/SecMain.inf index ea4b9611f52d..9523a8ea6c8f 100644 --- a/OvmfPkg/Sec/SecMain.inf +++ b/OvmfPkg/Sec/SecMain.inf @@ -23,6 +23,7 @@ [Defines] =20 [Sources] SecMain.c + AmdSev.c =20 [Sources.IA32] Ia32/SecEntry.nasm diff --git a/OvmfPkg/Sec/AmdSev.h b/OvmfPkg/Sec/AmdSev.h new file mode 100644 index 000000000000..adad96d23189 --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.h
@@ -0,0 +1,72 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _AMD_SEV_SEC_INTERNAL_H__ +#define _AMD_SEV_SEC_INTERNAL_H__ + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES gues= t + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ); + + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hyperviso= r + and the guest intersect. If they don't intersect, request termination. + +**/ +VOID +SevEsProtocolCheck ( + VOID + ); + +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that = it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +BOOLEAN +IsSevGuest ( + VOID + ); + +/** + Determine if SEV-ES is active. + + During early booting, SEV-ES support code will set a flag to indicate th= at + SEV-ES is enabled. Return the value of this flag as an indicator that SE= V-ES + is enabled. + + @retval TRUE SEV-ES is enabled + @retval FALSE SEV-ES is not enabled + +**/ +BOOLEAN +SevEsIsEnabled ( + VOID + ); + +#endif diff --git a/OvmfPkg/Sec/AmdSev.c b/OvmfPkg/Sec/AmdSev.c new file mode 100644 index 000000000000..3b4adaae32c7 --- /dev/null +++ b/OvmfPkg/Sec/AmdSev.c 
@@ -0,0 +1,161 @@ +/** @file + File defines the Sec routines for the AMD SEV + + Copyright (c) 2021, Advanced Micro Devices, Inc. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +#include "AmdSev.h" + +/** + Handle an SEV-ES/GHCB protocol check failure. + + Notify the hypervisor using the VMGEXIT instruction that the SEV-ES gues= t + wishes to be terminated. + + @param[in] ReasonCode Reason code to provide to the hypervisor for the + termination request. + +**/ +VOID +SevEsProtocolFailure ( + IN UINT8 ReasonCode + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + + // + // Use the GHCB MSR Protocol to request termination by the hypervisor + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; + Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; + Msr.GhcbTerminate.ReasonCode =3D ReasonCode; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + ASSERT (FALSE); + CpuDeadLoop (); +} + +/** + Validate the SEV-ES/GHCB protocol level. + + Verify that the level of SEV-ES/GHCB protocol supported by the hyperviso= r + and the guest intersect. If they don't intersect, request termination. 
+ +**/ +VOID +SevEsProtocolCheck ( + VOID + ) +{ + MSR_SEV_ES_GHCB_REGISTER Msr; + GHCB *Ghcb; + + // + // Use the GHCB MSR Protocol to obtain the GHCB SEV-ES Information for + // protocol checking + // + Msr.GhcbPhysicalAddress =3D 0; + Msr.GhcbInfo.Function =3D GHCB_INFO_SEV_INFO_GET; + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + AsmVmgExit (); + + Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); + + if (Msr.GhcbInfo.Function !=3D GHCB_INFO_SEV_INFO) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); + } + + if (Msr.GhcbProtocol.SevEsProtocolMin > Msr.GhcbProtocol.SevEsProtocolMa= x) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + if ((Msr.GhcbProtocol.SevEsProtocolMin > GHCB_VERSION_MAX) || + (Msr.GhcbProtocol.SevEsProtocolMax < GHCB_VERSION_MIN)) { + SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); + } + + // + // SEV-ES protocol checking succeeded, set the initial GHCB address + // + Msr.GhcbPhysicalAddress =3D FixedPcdGet32 (PcdOvmfSecGhcbBase); + AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); + + Ghcb =3D Msr.Ghcb; + SetMem (Ghcb, sizeof (*Ghcb), 0); + + // + // Set the version to the maximum that can be supported + // + Ghcb->ProtocolVersion =3D MIN (Msr.GhcbProtocol.SevEsProtocolMax, GHCB_V= ERSION_MAX); + Ghcb->GhcbUsage =3D GHCB_STANDARD_USAGE; +} + +/** + Determine if the SEV is active. + + During the early booting, GuestType is set in the work area. Verify that = it + is an SEV guest. + + @retval TRUE SEV is enabled + @retval FALSE SEV is not enabled + +**/ +BOOLEAN +IsSevGuest ( + VOID + ) +{ + OVMF_WORK_AREA *WorkArea; + + // + // Ensure that the size of the Confidential Computing work area header + // is same as what is provided through a fixed PCD. 
+ // + ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeade= r) =3D=3D + sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); + + WorkArea =3D (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); + + return ((WorkArea !=3D NULL) && (WorkArea->Header.GuestType =3D=3D GUEST= _TYPE_AMD_SEV)); +} + +/** + Determine if SEV-ES is active. + + During early booting, SEV-ES support code will set a flag to indicate th= at + SEV-ES is enabled. Return the value of this flag as an indicator that SE= V-ES + is enabled. + + @retval TRUE SEV-ES is enabled + @retval FALSE SEV-ES is not enabled + +**/ +BOOLEAN +SevEsIsEnabled ( + VOID + ) +{ + SEC_SEV_ES_WORK_AREA *SevEsWorkArea; + + if (!IsSevGuest()) { + return FALSE; + } + + SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); + + return (SevEsWorkArea->SevEsEnabled !=3D 0); +} diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c index 707b0d4bbff4..406e3a25d0cd 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -26,12 +26,11 @@ #include #include #include -#include -#include -#include =20 #include =20 +#include "AmdSev.h" + #define SEC_IDT_ENTRY_COUNT 34 =20 typedef struct _SEC_IDT_TABLE { 
@@ -717,154 +716,6 @@ FindAndReportEntryPoints ( return; } =20 -/** - Handle an SEV-ES/GHCB protocol check failure. - - Notify the hypervisor using the VMGEXIT instruction that the SEV-ES gues= t - wishes to be terminated. - - @param[in] ReasonCode Reason code to provide to the hypervisor for the - termination request. - -**/ -STATIC -VOID -SevEsProtocolFailure ( - IN UINT8 ReasonCode - ) -{ - MSR_SEV_ES_GHCB_REGISTER Msr; - - // - // Use the GHCB MSR Protocol to request termination by the hypervisor - // - Msr.GhcbPhysicalAddress =3D 0; - Msr.GhcbTerminate.Function =3D GHCB_INFO_TERMINATE_REQUEST; - Msr.GhcbTerminate.ReasonCodeSet =3D GHCB_TERMINATE_GHCB; - Msr.GhcbTerminate.ReasonCode =3D ReasonCode; - AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); - - AsmVmgExit (); - - ASSERT (FALSE); - CpuDeadLoop (); -} - -/** - Validate the SEV-ES/GHCB protocol level. - - Verify that the level of SEV-ES/GHCB protocol supported by the hyperviso= r - and the guest intersect. If they don't intersect, request termination. 
- -**/ -STATIC -VOID -SevEsProtocolCheck ( - VOID - ) -{ - MSR_SEV_ES_GHCB_REGISTER Msr; - GHCB *Ghcb; - - // - // Use the GHCB MSR Protocol to obtain the GHCB SEV-ES Information for - // protocol checking - // - Msr.GhcbPhysicalAddress =3D 0; - Msr.GhcbInfo.Function =3D GHCB_INFO_SEV_INFO_GET; - AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); - - AsmVmgExit (); - - Msr.GhcbPhysicalAddress =3D AsmReadMsr64 (MSR_SEV_ES_GHCB); - - if (Msr.GhcbInfo.Function !=3D GHCB_INFO_SEV_INFO) { - SevEsProtocolFailure (GHCB_TERMINATE_GHCB_GENERAL); - } - - if (Msr.GhcbProtocol.SevEsProtocolMin > Msr.GhcbProtocol.SevEsProtocolMa= x) { - SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); - } - - if ((Msr.GhcbProtocol.SevEsProtocolMin > GHCB_VERSION_MAX) || - (Msr.GhcbProtocol.SevEsProtocolMax < GHCB_VERSION_MIN)) { - SevEsProtocolFailure (GHCB_TERMINATE_GHCB_PROTOCOL); - } - - // - // SEV-ES protocol checking succeeded, set the initial GHCB address - // - Msr.GhcbPhysicalAddress =3D FixedPcdGet32 (PcdOvmfSecGhcbBase); - AsmWriteMsr64 (MSR_SEV_ES_GHCB, Msr.GhcbPhysicalAddress); - - Ghcb =3D Msr.Ghcb; - SetMem (Ghcb, sizeof (*Ghcb), 0); - - // - // Set the version to the maximum that can be supported - // - Ghcb->ProtocolVersion =3D MIN (Msr.GhcbProtocol.SevEsProtocolMax, GHCB_V= ERSION_MAX); - Ghcb->GhcbUsage =3D GHCB_STANDARD_USAGE; -} - -/** - Determine if the SEV is active. - - During the early booting, GuestType is set in the work area. Verify that = it - is an SEV guest. - - @retval TRUE SEV is enabled - @retval FALSE SEV is not enabled - -**/ -STATIC -BOOLEAN -IsSevGuest ( - VOID - ) -{ - OVMF_WORK_AREA *WorkArea; - - // - // Ensure that the size of the Confidential Computing work area header - // is same as what is provided through a fixed PCD. 
- // - ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeade= r) =3D=3D - sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER)); - - WorkArea =3D (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase); - - return ((WorkArea !=3D NULL) && (WorkArea->Header.GuestType =3D=3D GUEST= _TYPE_AMD_SEV)); -} - -/** - Determine if SEV-ES is active. - - During early booting, SEV-ES support code will set a flag to indicate th= at - SEV-ES is enabled. Return the value of this flag as an indicator that SE= V-ES - is enabled. - - @retval TRUE SEV-ES is enabled - @retval FALSE SEV-ES is not enabled - -**/ -STATIC -BOOLEAN -SevEsIsEnabled ( - VOID - ) -{ - SEC_SEV_ES_WORK_AREA *SevEsWorkArea; - - if (!IsSevGuest()) { - return FALSE; - } - - SevEsWorkArea =3D (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAr= eaBase); - - return (SevEsWorkArea->SevEsEnabled !=3D 0); -} - VOID EFIAPI SecCoreStartupWithStack ( --=20 2.17.1
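
Review bot: In the SecMain.inf hunk, [Sources] gains AmdSev.c but not the new AmdSev.h, which both SecMain.c and AmdSev.c include with #include "AmdSev.h". EDK II INF files conventionally list module-local headers in [Sources] as well, so please add AmdSev.h next to AmdSev.c.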
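
Review bot: The include guard at the top of the new AmdSev.h, _AMD_SEV_SEC_INTERNAL_H__, starts with an underscore followed by an uppercase letter, a form C reserves for the implementation, and its leading and trailing underscores do not match. A name such as AMD_SEV_SEC_INTERNAL_H_ stays out of the reserved namespace. The file comment "File defines the Sec routines for the AMD SEV" is also identical to the one in AmdSev.c; the header declares the routines rather than defining them.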
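
Review bot: In IsSevGuest() in the new AmdSev.c, the check that FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) equals sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER) sits inside ASSERT(), so a layout mismatch is only caught at run time, and not at all in builds where ASSERT is compiled out. A fixed PCD and a sizeof are both build-time constants, so STATIC_ASSERT would fail the build instead. The same function tests WorkArea != NULL while SevEsIsEnabled() dereferences SevEsWorkArea without a check; pick one convention for these fixed-address work areas. Both are carried over unchanged from SecMain.c, so a follow-up patch is fine. Style: sizeof(...) and IsSevGuest() lack the space before the parenthesis that the rest of the file uses.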
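
Review bot: The four functions removed from SecMain.c in the second hunk were all STATIC, while the copies added in AmdSev.c have external linkage and are all declared in AmdSev.h; the commit message says "No functional change intended" without mentioning this. In the lines shown, SevEsProtocolFailure() is called only from SevEsProtocolCheck(), so if nothing outside AmdSev.c needs it, keep it STATIC and drop its prototype from the header. For the others, a sentence in the commit message noting the linkage change would make the move easier to audit.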